Privacy Policy

The Epistemika platform is operated by Dennis Price, trading as RetailBricks.com (ABN 35 109 205 014), based in New South Wales, Australia.

In the context of this policy, “we”, “us”, and “our” refer to Dennis Price / RetailBricks.com as the platform operator.

Tenants as Data Controllers.Schools and academies (“Tenants”) that operate on the Epistemika platform are independent Data Controllers with respect to their students' personal data. Epistemika acts as a Data Processor on behalf of Tenants for that data. This policy primarily covers data we collect in our capacity as a platform operator (Tenant account data, usage analytics, billing).

We collect the following categories of personal data:

• To provide, operate, and improve the Epistemika platform.
• To authenticate users and manage access controls.
• To process subscription billing via Paddle.
• To send transactional emails (enrolment confirmations, safeguarding alerts, at-risk notifications) via Emailit.
• To detect and respond to safeguarding concerns in student dialogue sessions.
• To calculate Monthly Active User counts for billing purposes.
• To provide customer support and respond to enquiries.
• To comply with legal obligations.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

We process personal data on the following legal bases:

• Contract — processing necessary to provide the platform services you have subscribed to.
• Legitimate interests — security monitoring, fraud prevention, platform improvement, and safeguarding.
• Legal obligation — compliance with applicable Australian and international laws.
• Consent — where we explicitly request it (e.g. marketing communications, if introduced in future).

For EU/EEA residents, processing is governed by GDPR. Tenants processing EEA student data should request a Data Processing Agreement (DPA) by contacting us at the address below.

We share data with the following sub-processors to operate the platform:

Each sub-processor is bound by contractual obligations to protect personal data. Data may be transferred outside Australia; where this occurs we rely on appropriate safeguards (Standard Contractual Clauses for EU transfers, or equivalent mechanisms).

• Active account data is retained for as long as your account remains open.
• Upon account cancellation or termination, data is retained for 60 days, then permanently deleted.
• Dialogue session content (student messages and AI responses) is retained for the duration of the Tenant's subscription plus 60 days.
• Billing records are retained for 7 years as required by Australian tax law.
• Server logs are retained for 90 days.

Depending on your location, you may have the right to:

• Access — request a copy of the personal data we hold about you.
• Correction — request correction of inaccurate or incomplete data.
• Deletion — request deletion of your personal data (subject to legal retention requirements).
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interests.
• Restriction — request that we restrict processing of your data in certain circumstances.

Students should direct data requests to the Tenant (school) that enrolled them — the Tenant is the Data Controller for student data and must handle these requests. Tenants may then instruct us to action deletion or export.

To exercise your rights as a Tenant or platform user, contact us using the details in Section 10 below. We will respond within 30 days.

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption in transit (TLS) and at rest (AES-256 via Supabase / AWS).
• Row-Level Security (RLS) on all database tables — data is isolated per tenant by design.
• Service role keys are never exposed to the client.
• Automated safeguarding monitoring on all student dialogue sessions.

No system is completely secure. If you become aware of a security vulnerability or data breach, please notify us immediately at the contact details in Section 10.

Epistemika uses session cookies set by Supabase for authentication. We do not use third-party advertising cookies or tracking pixels. No data is shared with advertising networks.

You can disable cookies in your browser settings, but doing so will prevent you from logging in to the platform.

For privacy enquiries, data subject requests, or to report a concern:

If you are in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

If you are in Australia and are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).

We may update this Privacy Policy from time to time. We will notify Tenant account holders by email at least 14 days before material changes take effect. The effective date at the top of this page will be updated. Continued use of the platform after the effective date constitutes acceptance.