← Back to home

Privacy Policy

Last updated: 31 May 2026

1. About this policy

Awa Education(“we”, “us”, “our”) operates a school management platform for New Zealand kura and schools. This Privacy Policy explains how we collect, use, store, and protect personal information in accordance with the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs) set out therein.

By using our service, your school agrees to the practices described in this policy. If you have any questions, contact our Privacy Officer at pipgorrie@gmail.com.

2. Who we collect information about

We collect personal information about:

  • School staff (teachers, leadership, administrators)
  • Students enrolled at participating schools
  • Whānau/parents and caregivers (where school-managed accounts are used)

We act as a data processor on behalf of your school, which is the data controller. Schools are responsible for ensuring they have appropriate authority to share personal information with us under the Privacy Act 2020.

3. What information we collect

Staff information

  • Name, email address, role
  • Teaching Council registration number and status
  • Practising certificate expiry date
  • Class assignments and professional goal records (PGC)

Student information

  • Name, date of birth, gender, ethnicity
  • NSN (National Student Number)
  • Year level, class enrolment, support level (ORS tier)
  • Assessment results and learning progress records
  • Attendance records
  • IEP (Individual Education Plan) data
  • Intervention and SENCO notes
  • EOTC participation records

Usage and technical information

  • Login timestamps and session data (for security auditing)
  • IP addresses (used for rate limiting and security; not stored long-term)
  • Application activity logs

4. How we use personal information

We use personal information only for the following purposes:

  • Providing and operating the school management platform
  • Supporting school staff in tracking student progress, attendance, and wellbeing
  • Generating reports and curriculum planning tools for authorised staff
  • Sending service-related communications (e.g. invitations, password resets)
  • Security monitoring and fraud prevention
  • Complying with our legal obligations

We do not use personal information for advertising, marketing to third parties, or any purpose unrelated to your school’s use of the platform.

5. Artificial Intelligence features

Our platform uses AI-assisted features powered by Anthropic’s Claude API. When you use these features:

  • Relevant content is sent to Anthropic’s API to generate responses. The specific data sent depends on the feature used — see the table below.
  • Anthropic does not use API data to train its models— data sent via the API is not used for model training by default, per Anthropic’s API usage policy.
  • AI-generated content is always presented to staff for review before use. Staff remain responsible for all decisions affecting students.
AI featureData sent to Anthropic
Student report generationStudent first name, year level, achievement descriptors, teacher observation notes (no NSN, no IEP content, no date of birth)
Lesson and unit plan generationYear level, subject, curriculum strand — no student names or identifiers
Career education contentYear level, focus area, capability tags — no student names or identifiers
Principal report commentsStudent first name, subject achievement descriptors (no NSN, no IEP content)

AI features are disclosed within the application interface wherever they are used. We do not send NSNs, IEP content, dates of birth, addresses, or contact details to the AI API.

6. Third-party service providers

We use the following third-party providers to operate the service:

ProviderPurposeData location
VercelApplication hostingAU/NZ region
Supabase (PostgreSQL)Database storageSydney, AU (AWS ap-southeast-2)
ResendTransactional emailUSA (email transit only)
Anthropic Claude APIAI-assisted featuresUSA (transient, not stored)

We maintain contractual agreements with all third-party providers requiring them to protect personal information in accordance with our obligations under the Privacy Act 2020.

7. Data security

  • All data is transmitted using TLS 1.2 or higher (TLS 1.3 preferred)
  • Passwords are hashed using bcrypt and never stored in plain text
  • Access is restricted by role — teachers see only their own class and student data
  • School data is isolated per organisation — no cross-school data access is possible
  • Login attempts are rate-limited to protect against brute-force attacks
  • Session tokens are invalidated on password reset

8. Data retention

We retain personal information in accordance with the New Zealand Public Records Act 2005 and the Privacy Act 2020:

  • Student data: Retained for 7 years after the student leaves the school, then permanently deleted
  • Staff data: Retained for 6 years after the staff member leaves the school, then permanently deleted
  • School data: Schools can request full export or deletion at any time via the Admin panel. Upon a verified deletion request, all data is deleted within 60 days (except records required to be kept by law)
  • Backups: Deleted per our hosting provider’s standard schedule (Supabase retains backups for up to 30 days)

Schools can export all student and staff data as CSV at any time from the Admin panel. The platform provides tools to mark when a student leaves school, starting the 7-year retention clock.

9. Safer Technologies 4 Schools (ST4S)

Awa Education is designed to meet the requirements of the Safer Technologies 4 Schools (ST4S) framework used by New Zealand schools to assess the safety and privacy of digital tools.

ST4S CriterionHow we meet it
Privacy policyThis policy, compliant with the NZ Privacy Act 2020
Data ownershipSchools own their data; we act as data processor only
Data locationPrimary database in Sydney, Australia (AWS ap-southeast-2); application hosting via Vercel with AU/NZ routing
Data retention7 years for students, 6 years for staff — aligned with NZ Public Records Act 2005
Data exportSchools can export all data as CSV at any time from the Admin panel
Data deletionFull school data deletion on request within 60 days; individual student deletion available in Admin panel
SecurityTLS 1.2+, bcrypt password hashing, rate limiting, session invalidation on password change, TOTP two-factor authentication available for all staff accounts
Access controlRole-based access (Teacher, SENCO, Leadership, Whānau); school data fully isolated
AI / third-party processingDisclosed in this policy (section 5); identifiable student data is not sent to AI APIs
No advertisingStudent data is never used for advertising or sold to third parties

For ST4S enquiries, contact: pipgorrie@gmail.com

10. Your rights under the Privacy Act 2020

Under the New Zealand Privacy Act 2020, individuals have the right to:

  • Request access to personal information we hold about them
  • Request correction of inaccurate personal information
  • Complain about a breach of the Information Privacy Principles

Requests should be directed to your school’s administrator in the first instance, or directly to our Privacy Officer at pipgorrie@gmail.com.

If you are not satisfied with our response, you can contact the Office of the Privacy Commissioner (www.privacy.org.nz).

10b. Privacy breach notification

Under sections 113–120 of the Privacy Act 2020, we are required to notify the Office of the Privacy Commissioner, and affected individuals, of any privacy breach that is likely to cause serious harm.

  • We maintain an internal Privacy Breach Register for all incidents, including low-severity ones.
  • If a notifiable breach is identified, we will report it to the Privacy Commissioner as soon as practicable via www.privacy.org.nz.
  • Affected individuals (and/or their school) will be notified as soon as practicable after notifying the Commissioner, with details of what happened and what steps we have taken.
  • Schools are encouraged to also maintain their own breach response procedures in line with their obligations as data controllers.

To report a potential breach to us, contact pipgorrie@gmail.com immediately. School administrators can also log incidents directly in Admin → Privacy Breach Register.

11. Cookies and tracking

We use session cookies solely to maintain authenticated login sessions. We do not use advertising cookies, tracking pixels, or any third-party analytics that identify individual users.

12. Changes to this policy

We may update this policy from time to time. Where changes are material, we will notify school administrators by email at least 30 days before the changes take effect. Continued use of the service after that date constitutes acceptance of the updated policy.

13. Contact

Privacy Officer: Awa Education

Email: pipgorrie@gmail.com

Jurisdiction: New Zealand

This privacy policy applies to Awa Education and is governed by New Zealand law.

For NZ school enquiries regarding ST4S, contact: digital.services@education.govt.nz