Privacy Policy

Welcome to Ecodia. This Privacy Policy explains how Ecodia (“Ecodia”, “we”, “us”, “our”) collects, uses, discloses, and protects personal information across our ecosystem... including Ecodia Alive, WattleOS, the Ecodia Youth & Business Alliance (ECO Local), Launchpad, EOS, and related sites, apps, and services (collectively, the “Services”).

As an Australian organisation, we comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where applicable, we provide jurisdictional notices including the EU/UK GDPR, NZ Privacy Act, and California CPRA. This page is designed to be clear, practical, and transparent... giving you meaningful control over your information.

Summary (plain language): We only collect what we need, we don’t sell your data, we isolate and secure it, and we give you tools to access, export, and delete it.

This policy is informational and not legal advice. Certain features may provide additional just-in-time notices or in-product controls.

This policy applies to all users of the Services, including students/youth, parents/guardians, educators and schools, local businesses, partners, creatives, and public visitors. Where features are offered to or on behalf of schools, we act as a processor (service provider) to the school (the controller) and process student data only under their direction for educational purposes. For our direct consumer features (e.g., ECO Local rewards, newsletters, accounts), we act as a controller.

• Legal entity: Ecodia Pty Ltd - ABN: 89693123278.
• Contact: connect@ecodia.au
• Registered/Postal: 23 Saleng Cres, Warana 4575, QLD.

• Personal Information (PI): Information about an identifiable individual.
• Sensitive Information: Includes health, disability, ethnicity, etc. We avoid collecting this unless strictly necessary and lawful.
• Student Data: Data provided by a school/educator/guardian about a student for educational purposes.
• Pseudonymisation/De-identification: Processing to remove direct identifiers; residual re-identification risk is controlled via technical and organisational measures.
• Subprocessor/Service Provider: A third party engaged to support our Services under contract and data safeguards.

We collect information necessary to operate, secure, and improve the Services. Categories include:

Information You or Your Organisation Provide

• Account & Profile: name, email, role (youth, business, educator, parent, partner, etc.), school or business affiliation.
• Student/Education Data: student name, class, year level, enrolment and learning records (only at the school/guardian’s direction).
• Business Participation (ECO Local): business name, contact details, offer and redemption metadata, campaign and store information.
• Content & Communications: messages, support requests, feedback, uploaded media, submissions to Launchpad.
• Preferences & Consents: notification preferences, cookie choices, parental/guardian consents.

Information Collected Automatically

• Usage & Diagnostics: feature usage, performance metrics, session timestamps, crash logs; used to maintain and improve services.
• Device & Network: IP address, device type, browser/OS, coarse location derived from IP, security signals (e.g., unusual access patterns).
• Cookies/Local Storage: for session continuity, basic analytics, anti-fraud, and your saved preferences (see Cookies section).

Information from Partners or Public Sources

• Schools & Partners: rosters, class lists, or business program participation data shared under contract.
• Payment Processors: limited metadata (e.g., status, last 4 digits tokenised) when you make purchases or donations; we do not store full card data.
• Open/Public Data: information you publish publicly (e.g., business listing details) or lawful open datasets used to enrich place-based experiences.

Your information is used to:

• Operate, maintain, and provide features across Ecodia Alive, STUDIO, WattleOS, ECO Local, Launchpad, and EOS.
• Facilitate education workflows (classrooms, planning, assessment) strictly under school/guardian direction.
• Deliver ECO Local rewards, redemptions, and local offers; prevent fraud and abuse.
• Communicate service updates, transactional notices, and respond to support requests.
• Measure performance, fix bugs, and improve reliability and accessibility.
• Enforce terms, comply with law, and protect safety and integrity.

We do not:

• Sell personal information.
• Use student personal information for targeted advertising or build profiles unrelated to education.
• Allow third parties to use student data for their own marketing purposes.

Under the Australian Privacy Principles, we collect and handle personal information when reasonably necessary for our functions or activities, with consent where required. Where GDPR/UK GDPR applies, our lawful bases may include performance of a contract, legitimate interests (e.g., security, service improvement), legal obligations, and consent (e.g., certain analytics/studioing, parental consent for minors where required).

• We work with schools and guardians to minimise data collection and use it only for educational or program purposes.
• We offer role-appropriate experiences and require guardian consent when applicable.
• Student accounts and records can be accessed, corrected, exported, or deleted via the school/guardian and our support process, subject to legal retention obligations.
• We do not permit targeted advertising based on student data.

We use a minimal set of cookies and local storage for:

• Strictly Necessary: authentication/session continuity, fraud prevention, security.
• Preference: saved settings (e.g., role, theme, accessibility).
• Analytics (de-identified/aggregated where possible): basic feature usage to improve performance and reliability.

You can control non-essential cookies via in-product controls or your browser settings. Blocking necessary cookies may impact your experience.

Some features use AI to enhance accessibility, learning, creativity, or operations. Our approach:

• Private by Design: We prioritise on-platform processing and de-identified signals where feasible.
• No student PI used to train public models: We do not use identifiable student data to train foundation models.
• Vendors & Guardrails: Where third-party AI tools are used, they are bound by data-processing terms and are not permitted to use your data to train their public models.
• Human Oversight: AI outputs can be imperfect; humans remain in control.

TL;DR: Treat anything you submit to Launchpad (text, images, files, links, metadata) as accessible within Ecodia’s collaboration context. We will not exploit your work outside the collaboration you initiate without your express permission.

What “accessible” means

• Collaborators and spaces you join: Members of a workspace, program, or thread you participate in can see your submissions and their updates.
• Trust & Safety, security operations: Limited, logged access by authorised Ecodia personnel to investigate abuse, ensure platform safety, and comply with law.
• Service providers (under contract): Infrastructure, analytics, or moderation subprocessors acting on our instructions, bound by confidentiality and deletion terms (see /legal/subprocessors).

“Okay to show public” vs confidentiality

• The “Okay to show public” toggle controls directory listing/discoverability (e.g., appearing on the Launchpad browse page, showcases, or feeds).
• It is not a secrecy control. Even if unticked, your project may be accessible to people you directly share with, your collaborators, and the limited safety/operations audiences above.
• Don’t upload confidential or trade-secret materials you are not comfortable sharing within the collaboration context. Use private links, redacted summaries, or an NDA channel if needed.

Our promise

• No exploitation outside your collaboration: Ecodia will not commercialise, license, or otherwise use your Launchpad content beyond enabling the collaboration you initiate, unless you give explicit, informed permission (e.g., showcase opt-in).
• Attribution & consent for showcases: If you opt in to public features, we’ll attribute your project and respect your visibility settings.
• Removal & control: You can edit visibility, remove assets, or request deletion. Copies in backups and caches expire on a rolling schedule in line with our retention policy.

This notice supplements (and does not replace) the rest of this Privacy Policy and our Terms. Where there is a conflict, the stricter standard applies.

We share personal information only as needed, under contract and safeguards:

• Service Providers/Subprocessors: hosting, security, analytics, support tooling, communications, payments.
• Schools & Guardians: for education features at their direction.
• ECO Local Partners: limited redemption metadata to validate offers and prevent fraud.
• Legal/Safety: to comply with law or protect safety, rights, and integrity.

We maintain a living list of subprocessors and data locations (see /legal/subprocessors). We require confidentiality, security, limited purpose use, and deletion upon termination.

Data may be processed in Australia and other countries where we or our subprocessors operate. We implement transfer safeguards (e.g., contractual clauses, jurisdiction-appropriate mechanisms). For EU/UK data, we rely on GDPR-compliant transfer tools and require equivalent protections from vendors.

We retain personal information only as long as necessary for the purposes described or as required by law and contracts (e.g., school records retention). When no longer needed, we de-identify or securely delete data according to our lifecycle policies.

• Accounts: retained while active; scheduled deletion or archival after closure, subject to legal holds.
• Logs & Diagnostics: kept for a limited period to ensure security and reliability.
• Backups: deletion propagates to backups on a rolling schedule.

• Segregation & Sandboxing: tenant/user scoping and strict access controls with least privilege.
• Encryption: TLS in transit; industry-standard encryption at rest.
• Auditability: immutable audit trails for critical actions.
• Vulnerability Management: patching and routine reviews; incident response procedures.
• Employee Access: limited to trained personnel under confidentiality obligations.

No system is perfectly secure, but we continually improve our controls and monitor for abuse. If we become aware of an incident likely to pose a risk, we will notify impacted parties in accordance with applicable laws (e.g., the Notifiable Data Breaches scheme in Australia).

Depending on your role and location, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate, out-of-date, or incomplete information.
• Delete your account and associated personal information, subject to legal/contractual obligations.
• Export/Portability of certain information in a machine-readable format.
• Object/Restrict certain processing (e.g., non-essential analytics) where applicable.
• Withdraw Consent at any time for processing based on consent.

Use the quick actions or contact our Privacy Officer (see “Contact Us”). Student requests may be routed via the school/guardian.

In-product controls let you manage cookies, analytics, communications, and account settings.

• Privacy Settings... cookie/analytics preferences.
• Delete My Account... submit an account deletion request.

EU/EEA & UK (GDPR/UK GDPR)

• Controller/Processor: We act as controller for direct consumer features and processor for school-directed student data.
• Rights: access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.
• Transfers: safeguarded by appropriate transfer mechanisms (e.g., SCCs or equivalent).

California (CPRA)

• We do not “sell” personal information as defined by CPRA, nor do we “share” for cross-context behavioural advertising involving student PI.
• California residents have rights to know, delete, correct, and limit certain uses of sensitive personal information.

New Zealand

• We handle personal information in line with the NZ Privacy Act and Information Privacy Principles where applicable.

We may update this policy to reflect changes in laws, services, or practices. We’ll post updates here and, where appropriate, notify you through the Services or by email. The “Last Updated” date reflects the latest version.

If you have concerns, contact us first... most issues can be resolved quickly. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC): oaic.gov.au.

Privacy Officer
Ecodia
Email: connect@ecodia.au
Postal: 23 Saleng Cres, Warana 4575, QLD

For definitions and the current list of subprocessors/data locations, see /legal/subprocessors. We update that page as vendors change.