Privacy Policy

Overview

Co-Curricular Manager ("we", "us", "our") is operated by Jesse McKinnon. This Privacy Policy explains how we collect, use, store, and protect information when you use our platform at cocurricularmanager.com and related services.

We are committed to protecting the privacy of school staff and complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using Co-Curricular Manager, you agree to the collection and use of information in accordance with this policy. Schools using the platform accept this policy on behalf of their staff as part of our Terms of Service.

Data We Collect

Account and identity data

• Full name and email address
• School name and department
• Authentication credentials (passwords are stored as one-way bcrypt hashes; we never store plaintext passwords)
• Microsoft account identifier (when signing in via Microsoft 365 SSO)

Activity and participation data

• Co-curricular activities staff are registered for or coordinate
• Hour logs submitted by staff, including session dates, hours, and any notes
• Approval decisions made by coordinators and administrators
• Session notes entered by coordinators

Usage and system data

• Login timestamps and authentication events (for security audit purposes)
• IP addresses (retained in server logs for up to 30 days)
• Browser and device type (standard HTTP request data)

What we do not collect

• Student data of any kind
• Sensitive personal information (health, financial, or biometric data)
• Data from third-party advertising or tracking networks
• Payment card details (payments processed externally when applicable)

How We Use Data

We use the data we collect solely to provide and improve the Co-Curricular Manager platform for your school. Specifically:

• Platform operation — authenticating users, displaying dashboards, processing approvals, and generating reports
• Communications — sending password reset emails, email verification links, and admin invitation links
• Security — detecting and preventing unauthorised access
• Product improvement — understanding aggregate usage patterns to improve the platform (never linked to individual identities without consent)
• Support — diagnosing and resolving issues reported by schools

We do not use your data for advertising, profiling, or any purpose unrelated to delivering the platform service to your school.

Data Storage and Location

All school data is stored and processed within Australia. We do not transfer personal data to servers or services outside of Australia except as described below.

We use the following third-party services, each of which may process limited data:

• Render.com — cloud hosting provider; servers located in the Sydney, Australia region
• Microsoft Azure — used for SSO authentication only; no school data is stored with Microsoft beyond the authentication handshake
• Resend.com — email delivery for system emails (verification links, password resets). Email addresses are transmitted for delivery only and are not retained by Resend for marketing.

School Data Isolation

Each school's data is completely isolated from all other schools on the platform. This is enforced at the database level — every data record is scoped to a school identifier, and all queries are filtered by that identifier.

Staff from School A cannot access any data from School B under any circumstances. Administrators from one school cannot view or modify data belonging to another school.

Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to any third party.

We may disclose data in the following limited circumstances:

• With your school's authorisation — school administrators have full access to all data within their school's account and may export or share it as they see fit
• Legal obligations — where required by Australian law, a court order, or a lawful government request
• Safety — where disclosure is necessary to prevent serious harm
• Business transfer — if Co-Curricular Manager is acquired or merged, your data may be transferred as part of that transaction, with notice provided to your school

Your Rights

Under the Australian Privacy Act 1988, you have the right to:

• Access — request a copy of the personal information we hold about you
• Correction — request correction of inaccurate or incomplete personal information
• Complaints — make a complaint if you believe we have mishandled your personal information
• Data export — school administrators may export all school data at any time through the platform's reporting features

To exercise these rights, contact us at jessemckinnon20@gmail.com. We will respond within 30 days.

If you are unsatisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Data Retention

We retain data for as long as your school's account is active. If your school's account is terminated:

• All school data will be made available for export for 30 days after termination
• After 30 days, all personal data associated with the school will be permanently deleted from our systems
• Server logs (containing IP addresses) are retained for 30 days then automatically purged
• Anonymised aggregate statistics may be retained indefinitely

Security Measures

We implement industry-standard security controls including:

• All data transmitted over HTTPS/TLS encryption
• Passwords stored as bcrypt hashes (cost factor 12) — never in recoverable form
• Password reset tokens stored as SHA-256 hashes — raw tokens are transmitted only once via email
• JWT-based authentication with short-lived tokens
• Role-based access control enforced at the API layer
• Security controls designed in alignment with ISO 27001 principles

Contact Us

For privacy enquiries, requests to access or correct your data, or to make a complaint:

• Email: jessemckinnon20@gmail.com
• Response time: We aim to respond to all privacy enquiries within 5 business days

This Privacy Policy may be updated from time to time. Material changes will be communicated to school administrators via email. Continued use of the platform after changes are posted constitutes acceptance of the updated policy.