Privacy Policy

1. Introduction

Sprout Lessons (“Sprout Lessons”, “Sprout”, “we”, “us”, or “our”) is a product operated by ROOTECH SOLUTIONS (ABN 28 315 635 680). We are committed to protecting your privacy and handling personal information in an open and transparent way. This Privacy Policy explains how we collect, use, disclose, and store personal information when you use Sprout to generate interactive lessons and videos.

This policy is written in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By using Sprout, you agree to the handling of your personal information as described in this policy.

2. Personal Information We Collect

Account and identity information

When you create an account we collect:

• Full name and email address
• Subscription tier and status (Substitute, Educator, or Professor)
• One-off credit-pack purchases and your current credit balance
• Stripe customer ID and subscription reference (not your card details)
• Subscription period dates and renewal preferences
• The date your account was created

Lesson inputs

When you generate a lesson we collect and store the information you provide to create it, including the topic, subject, year level or age band, learning goals, and any interests or preferences you enter to personalise the lesson, along with the effort tier you select.

Generated lesson content

The interactive HTML lessons, lesson titles, and short videos generated on your behalf are stored in our database and file storage so you can revisit, edit, and share them.

Payment information

When you purchase credits or a subscription we store the plan or pack name and payment status, the Stripe session ID and payment-intent reference, and subscription duration. Full payment card details are never stored by Sprout — all card processing is handled by Stripe.

Usage and analytics data

We collect internal usage events to operate and improve the service and to diagnose issues. This may include event types (such as lesson generation started or completed), job and generation records, the measured cost of each generation, event properties and timestamps, and internal error logs referencing your user ID for debugging only. This data is used internally and is not shared with third parties for advertising.

Automatically collected technical information

When you use Sprout we may automatically collect limited technical information including device and browser type, operating system, IP address, and cookies or similar technologies, to operate, secure, and improve the service.

3. How We Use Your Information

We collect and use personal information only for purposes reasonably necessary to operate Sprout, including to:

• Provide and manage your account
• Generate interactive lessons and videos using AI services
• Process payments and prevent fraud
• Communicate with you about your account, purchases, or support requests
• Diagnose errors and improve the service
• Send marketing communications where you have opted in
• Meet legal and regulatory obligations

We do not sell your personal information.

4. Disclosure of Personal Information

We share information with the following service providers to operate Sprout:

• Supabase — database hosting, user authentication, and file storage. Data is stored in cloud infrastructure operated by Amazon Web Services (AWS).
• Stripe — payment processing. Stripe handles card details directly; Sprout receives only non-sensitive references (customer ID, session ID).
• Anthropic — AI lesson generation. The lesson inputs you provide (topic, year level, and any interests you enter) are sent to Anthropic’s Claude models to generate lesson content.
• OpenRouter — AI request routing used to generate parts of lessons (including via Qwen models). The same lesson inputs may be sent through OpenRouter to the model that fulfils the request.
• Vercel — application hosting and content delivery.

These providers handle personal information in accordance with their own privacy policies and applicable laws. We may also disclose personal information where required or authorised by law, including to comply with legal obligations or respond to lawful requests by authorities.

5. Overseas Disclosure and Your Consent (APP 8)

6. Data Security

We take reasonable steps consistent with APP 11 to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Measures include:

• Row-level security (RLS) policies enforced at the database level so each user can only access their own data
• Encryption of data in transit (TLS)
• Restricted API access using service-role keys in server-side routes only
• Industry-standard authentication via Supabase Auth

Our database and file storage are hosted by Supabase (on AWS); the security of that infrastructure, including physical security and encryption at rest, is managed by Supabase and AWS under their respective security programmes. No system is completely secure, and we cannot guarantee absolute security of information stored or transmitted via our service or its underlying infrastructure.

7. Notifiable Data Breaches

Sprout is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of a data breach likely to result in serious harm to any individual, we will assess the breach as quickly as possible; notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable; and provide guidance on steps you can take to reduce any risk of harm. Where a breach originates from an overseas provider (such as Supabase, Anthropic, OpenRouter, or Stripe), our notification obligations are triggered once we become aware of it, regardless of its source.

8. Data Retention

We retain personal information only for as long as necessary to provide the service and fulfil the purposes in this policy. You may request deletion of your account and associated personal information. Some information may be retained where required by law or for legitimate business purposes — for example, financial records, which we retain for 7 years in accordance with Australian tax law requirements.

9. Your Rights Under Australian Law

Under the Privacy Act 1988 (Cth) and the APPs you have the right to:

• Request access to personal information we hold about you (APP 12)
• Request correction of inaccurate, out-of-date, or incomplete information (APP 13)
• Request deletion of your account and associated data
• Make a complaint about how we handle your personal information

Requests can be made using the contact details below; we will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the OAIC at www.oaic.gov.au.

10. Children’s Privacy

Sprout is a tool for adults — teachers, educators, and parents aged 18 or over. Accounts must be held by an adult, and the service is not intended for use by children. While Sprout helps you create lessons for students, you must not submit a child’s full name, contact details, photographs, or other directly identifying information as lesson input; interest and year-level information should be kept non-identifying. We do not knowingly collect personal information directly from children. If you believe a child’s identifying information has been provided to us, please contact us and we will take reasonable steps to remove it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated “Last updated” date. Continued use of the service after changes indicates acceptance of the updated policy.

12. Contact Us

If you have questions, requests, or complaints regarding this Privacy Policy or how we handle personal information, please contact us at contact@sproutlessons.com.