Qwizflow collects the minimal data required to facilitate personalized learning. This includes:
Grade level, content level preference (beginner through expert), learning interests (selected from a fixed list), and academic challenges to customize the AI's tone and content. Your content level preference is used to adjust mastery pass-thresholds, making progression requirements slightly easier or harder based on your selected level.
Text and images from uploaded study materials used exclusively to generate your personalized learning paths.
Short, written notes that a linked parent or a verified classroom teacher may leave on a student's learner profile (for example, context about a recent exam, a known accessibility need, or a goal). Annotations are stored as text only and are never processed as raw content by the AI; they are read alongside the learner profile to personalize the tone and pacing of AI responses. Each student has a maximum of 25 active annotations. Annotations are visible per their author-set visibility (parent-only, teacher-only, student-visible, or private). Students can request removal of any annotation about them.
All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256. This ensures that even in the unlikely event of data interception, the information remains unreadable.
Before any curriculum data is sent to our AI engines (Google Gemini or Azure), we apply a PII Scrubbing layer. This removes names, addresses, and contact info, ensuring the AI only sees educational concepts, not your identity.
Qwizflow enforces strict role-based access controls to limit who can see what data:
Can view and manage only their own learning data, progress, and AI consent settings. Students aged 16 and above may manage their own AI consent; students under 16 require parental consent.
Can view their linked child's progress summaries and manage AI consent via the AI Consent Centre. Parents never have access to raw AI conversation transcripts. Consent audit logs are visible to linked parents for transparency.
Can view aggregated classroom analytics and safety flag summaries for duty-of-care obligations. Teachers have read-only access to consent status and never see raw AI conversation transcripts or individual student consent settings.
Can manage school-wide policies and approve teacher registrations. School administrators do not have access to individual student AI conversation transcripts.
Where multiple parents or guardians are linked to a student account, each parent can independently manage AI feature consent settings. When parents set conflicting preferences, the most restrictive setting is applied to protect the student. When one parent changes a consent setting, the other linked parent is notified of the change.
We partner with industry leaders to host your data under strict educational privacy agreements:
Data is stored in Google Cloud Firestore and Google Cloud Storage (Australian Regions prioritized).
Qwizflow does NOT sell, rent, or trade student data to third-party advertisers or data brokers.
If we relocate or expand our cloud infrastructure to a different country, or change personnel with access to unencrypted customer data, we will notify affected customers and school administrators at least 30 days prior to the change.
Qwizflow uses the following sub-processors to deliver our service. Personal information may be disclosed to these providers as described below. The lawful basis for all processing is explicit user consent (Australian Privacy Principle 3, APP 8.2(b)), obtained through session-based AI consent and the per-feature AI Consent Centre.
Google LLC
https://cloud.google.com/contact | privacy-questions@google.com
Student profiles, learning progress, quiz results, uploaded documents, consent records
Primary database and file storage for all user data
Australia (australia-southeast2, Melbourne)

Google LLC
https://cloud.google.com/contact | privacy-questions@google.com
Educational content prompts, topic names, education level (PII scrubbed)
AI quiz generation, quiz question image generation, study guides, tutoring, explanations, audio-style two-voice discussions of a quiz question when a student is stuck, kid-friendly vocabulary look-ups for words inside quiz questions, weekly portfolio captions (short AI summaries of work the student has saved that week), and AI-generated context briefs for student-initiated 'Ask my Teacher' help requests (the brief gives the teacher a PII-scrubbed summary of where the student is stuck, drawn from their learner model, recent errors, and the question they were on)
Australia (australia-southeast1, Sydney)

Google LLC
https://cloud.google.com/contact | privacy-questions@google.com
Bidirectional voice tutoring on a quiz question (live microphone audio in, AI voice response out, live transcription)
Microphone audio, live turn transcripts, and derived affective labels (confident / frustrated / confused / engaged / disengaged / curious)
United States — Google Gemini Live Audio has no Australian region, so voice bytes transit the United States for the duration of the call only.
Qwizflow does NOT persist raw audio or live transcripts; only derived affective labels are stored (and can be erased via the Parent Transparency Ledger). Google retains data per its Data Processing Addendum.
Daily cap of 10 minutes of live voice per student. Gated under the existing AI Quiz Generation consent — turning that off immediately disables the voice tutor.

Google LLC (no separate sub-processor — relayed from the student's existing voice tutor session)
https://cloud.google.com/contact | privacy-questions@google.com
Allows a linked parent or guardian to listen in to their child's live voice tutor session and, optionally, send a short typed whisper to gently steer the tutor (e.g. 'remind them about long division'). Whispers are sent as system notes — the AI never reads them aloud. Parents do NOT see derived affective labels in the listen-in surface.
The parent device receives a relayed copy of the student's audio and live transcript stream from the active voice tutor session. No additional data is sent to Google — the listen-in stream is a server-side fan-out of the existing student-side Gemini Live call. Parent-typed whispers are server-side scrubbed for prompt-injection patterns and length-capped at 500 characters before being relayed to the tutor as a system note.
United States (the underlying Gemini Live call's region is unchanged; Qwizflow's relay runs in the same Australian region as the rest of the backend)
Qwizflow does NOT persist raw audio or transcripts on the parent listen-in stream. Parent whisper text is also not persisted; it is forwarded to the tutor session and discarded.
Inherits the student's AI Quiz Generation consent and the same 10-minute daily voice budget — no separate consent toggle. Parent listen-in is surfaced as a distinct row (live_tutor_voice_parent) in the Parent Transparency Ledger so you can see when it was used.

Google LLC
https://cloud.google.com/contact | privacy-questions@google.com
Server-side text-to-speech synthesis of already-consented content (quiz explanations, hints, study guides, tutor responses, mnemonics, story content, AI-generated guides). The TTS service does NOT generate AI content — it converts existing student-consented text into audio.
UTF-8 text only (no audio uploads from student devices). No PII in synthesis bodies — the text is server-built from already-consented AI outputs.
Australia (australia-southeast1)
90-day GCS audio cache at tts-cache/{sha256}.mp3; cache key derived from voice / mood / text SHA-256. Google retains data per its Data Processing Addendum.
Per-student usage cap of 50,000 characters per day, enforced atomically server-side.

Google LLC
https://cloud.google.com/contact | privacy-questions@google.com
Educational content prompts only — no student PII
Quiz question images, comics, and visual learning content
United States (us-central1)

Google LLC
https://firebase.google.com/support | firebase-support@google.com
Email address, display name, profile photo URL, authentication tokens
User authentication via Google OAuth
United States (global service)

Functional Software, Inc. (Sentry)
https://sentry.io/contact/ | privacy@sentry.io
JavaScript error stack traces, redacted URLs (query strings stripped), redacted breadcrumbs (fetch/xhr/navigation), SHA-256 hashed user id (first 16 hex chars only — never the raw uid). Email, name, DOB, authentication tokens, and Authorization headers are stripped before transmission via the client-side scrubber.
Production browser-error visibility (lazy-loaded SDK; only initialised when VITE_SENTRY_DSN is set). Performance tracing and session replay are disabled (tracesSampleRate = 0, replaysSessionSampleRate = 0).
AU/EU residency required for student deployments. The operator MUST configure VITE_SENTRY_DSN against a Sentry organisation provisioned in the EU region (de.sentry.io) or an AU region; US-residency DSNs are not deployed to Qwizflow.
Per Sentry's default retention policy (90 days for error events on the standard plan). Qwizflow does not extend retention.
Qwizflow publishes its blog content to a small set of public developer / professional / social platforms as a growth channel. This is author tooling — only the platform team is authenticated against these services, and only blog post content (which contains no student personal information by design) is transmitted. No student account data, learning data, or identifiers are ever sent to these platforms.
Blog post markdown + tags + canonical URL → published under the author persona's dev.to account. United States. https://dev.to/privacy
Blog post markdown + tags + canonical URL → uploaded as a draft via the Medium Integration API. United States. https://policy.medium.com/medium-privacy-policy-f03bf92035c9
Long-form post text + canonical URL → posted to the author persona's LinkedIn account via the UGC API. United States. https://www.linkedin.com/legal/privacy-policy
Blog post markdown + tags + canonical URL → published to the author persona's Hashnode publication via GraphQL. United States. https://hashnode.com/privacy
Numbered thread text staged on disk for manual copy-paste (export-only in v1; no API publishing). United States. https://twitter.com/en/privacy
Author tooling — the team posts under named author personas (with AI-assisted disclosure on each byline). No student personal information is ever transmitted to these platforms.
Google services are operated by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) and processing is governed by the Google Cloud Data Processing Addendum. Ready Player Me (Wolf3D OÜ, Estonia) was a sub-processor for the Custom Character Creator feature until 2026-01-31, when the Ready Player Me service was shut down following Wolf3D OÜ's December 2025 acquisition by Netflix Inc.; the feature and its sub-processor entry were fully retired on 2026-05-09 and there is no active data flow to Ready Player Me, Wolf3D OÜ, or Netflix Inc. No student personally identifiable information was ever transmitted to Ready Player Me — only avatar design configuration. Content syndication platforms (dev.to, Medium, LinkedIn, Hashnode, X/Twitter) are listed as author-tooling sub-processors above and are governed by their own privacy policies linked in the same list. Qwizflow does not use any other sub-processors beyond those listed above.
As a linked parent or guardian, you have the right to see what the AI knows about your child's learning and how our sub-processors are used on their behalf. The AI Transparency Ledger surfaces, for each of your linked children:
Access is strictly limited to verified linked parents and is enforced by ownership checks at the API layer. Teachers, school administrators, and other parents never see this surface for your child.
Under the Australian Privacy Principles, you have the right to:
If you believe your privacy has been breached, or you wish to make a complaint about how we handle your personal information, please contact us through the in-app feedback portal. We will acknowledge your complaint within 5 business days and provide a written response within 30 business days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au/privacy/privacy-complaints.