Privacy policy
**Last updated: 29 June 2026**
**Version: 2.0**
## 1. About this policy
This policy explains how First Six Pty Ltd First Six Technologies Pty Ltd (ACN 699 938 817, ABN 19 699 938 817) ("First Six", "we", "us") handles personal information, in line with the *Privacy Act 1988* (Cth) and the Australian Privacy Principles (APPs).
**Our roles.** For student and staff data processed in delivering the Service, your Institution is the data controller and First Six is the processor, acting on the Institution's instructions under our Data Processing Agreement. This policy also covers personal information we collect directly (for example, website enquiries), where we are the controller.
Our guiding principle is **belonging without surveillance**: we collect the minimum needed to support students, and we never sell personal information.
## 2. Personal information we collect
- **Institution-provided (roster) data:** name, institutional email, enrolment, program, campus, and cohort, used to set up accounts and target relevant content.
- **Student-generated data:** workspace notes, to-dos, timetable entries, wellbeing check-in responses, and help-inbox messages.
- **Operational data:** sign-in events, audit logs of sensitive actions, and basic technical logs needed to run and secure the Service.
- **Website enquiry data:** name, email, organisation, and message, where you contact us or request a demo.
We do not use advertising trackers or third-party profiling. We do not knowingly collect information from anyone under 13 years of age.
## 3. How we use personal information
- to provide the Service — deliver weekly content, run wellbeing check-ins, route help requests, and produce aggregate, privacy-safe cohort insights;
- to support a student in difficulty, including following an Institution's defined crisis protocol;
- to secure, maintain, and improve the Service;
- to respond to enquiries and meet legal obligations.
Wellbeing data is never used to rank, score, or build watchlists of students, nor for any decision with legal or similarly significant effect on a student. Individual responses stay private to the student and route them to support; staff see aggregate trends only, with small groups suppressed so individuals cannot be identified.
## 4. Disclosure and our service providers (subprocessors)
We share personal information only with service providers that help us run the Service, each bound by a written contract incorporating obligations consistent with the APPs and scoped to a specific job:
| Provider | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database, authentication, file storage — the system of record | Australia (Sydney, ap-southeast-2) |
| Vercel | Application hosting & content delivery | Sydney compute; global CDN |
| SendGrid | Transactional email | United States |
| Twilio | Crisis SMS (where enabled) | United States |
| Sentry | Error monitoring; PII-scrubbed before transmission | United States |
| Anthropic | Staff-facing AI assistant; staff input only; provider contractually prohibited from training models on customer data | United States |
| Upstash | Rate-limit counters that throttle abusive traffic before it reaches the database; sees visitor IP and route key only | Global edge (multi-region) |
| BetterStack | Uptime monitoring and the public status page at status.firstsix.com.au; server-to-server probes carry no personal data | European Union |
Your Institution's identity provider (for SSO) is your system, not our subprocessor — we never receive your password. The current subprocessor list is maintained at our subprocessor page.
## 5. Overseas disclosure
The system of record stays in Australia. The limited set of subprocessors above operate in the United States for transactional email, optional crisis SMS, scrubbed diagnostics, and the staff-facing AI assistant. Each overseas subprocessor is engaged under a written contract incorporating data-protection obligations consistent with the APPs, and we minimise the personal information disclosed to them. Diagnostics are stripped of personal information before they leave the Service. Before disclosing personal information overseas we take reasonable steps consistent with APP 8.
## 6. Storage and security
Application data is stored in Australia (AWS Sydney). Security measures include per-tenant isolation enforced by database row-level security, single sign-on through your Institution's identity provider, encryption in transit and at rest, least-privilege access, immutable audit logging of sensitive actions, rate limiting, and hardened endpoints. See our [Security](/trust/security) and [Data residency](/trust/data-residency) trust pages.
## 7. Retention
- **Operational data** (sign-in events, technical logs) is retained for no more than **90 days after the Institution's term with First Six ends**.
- **Personal information** (roster data and student-generated content) is retained for no more than **24 months after the Institution's term with First Six ends**, unless the Institution requests earlier deletion or a longer period is required by law.
- **Aggregate, de-identified statistics** that cannot be linked back to a person may be retained indefinitely.
Cohorts may be archived at any time. **Deletion is authorised by the Institution as data controller; First Six does not delete student or staff accounts on its own.** A right-to-be-forgotten deletion is raised through the Institution's privacy contact; First Six actions the deletion within 30 days of receiving the Institution's instruction. Student requests received directly at [privacy@firstsix.com.au](mailto:privacy@firstsix.com.au) are routed to the Institution's privacy contact.
## 8. Your rights
Because your Institution controls student and staff data, direct requests for **access, correction, or deletion** to your Institution; First Six will assist them. **First Six does not delete student or staff accounts on its own** — only the Institution can authorise deletion, and First Six executes only on that explicit instruction. For information we hold as controller (for example, website-enquiry data), you may request access or correction, request a **machine-readable export** of your data (provided as JSON), or make a complaint, by contacting us at [privacy@firstsix.com.au](mailto:privacy@firstsix.com.au). If you are not satisfied, you may complain to the Office of the Australian Information Commissioner (OAIC) at [oaic.gov.au](https://www.oaic.gov.au).
## 9. Cookies
We use only the cookies needed to keep you signed in and run the Service securely. We do not use advertising or cross-site tracking cookies. We honour Global Privacy Control signals from your browser. For detail, see our [Cookie Policy](/legal/cookie-policy).
## 10. Children and young people
The Service is used by university students, who may include people under 18. For users aged 13–17, processing relies on the Institution's enrolment authority and parental notice handled at the Institution level. We do not knowingly collect information from anyone under 13. We handle young people's information with the same minimisation and privacy safeguards, and wellbeing features are designed to route to support rather than to monitor.
## 11. Changes and contact
We may update this policy and will note the "last updated" date above. Material changes affecting Institutions will be notified in writing at least 30 days in advance.
**Contact:** [privacy@firstsix.com.au](mailto:privacy@firstsix.com.au) — First Six Pty Ltd, [Registered office to be confirmed on registration].
**Related:** [Terms of Service](/legal/terms-of-service) · [Data Processing Agreement](/legal/data-processing-agreement) · [Cookie Policy](/legal/cookie-policy)
---