Privacy Policy
How ACTI Analytics collects, uses, and protects personal information.
1. Who we are
ACTI Analytics is a platform operated by ACTI ANALYTICS PTY LTD (ACN 697 563 027), a proprietary company with limited liability, incorporated on 28 April 2026 in the Australian Capital Territory, Australia.
We provide a student device activity analytics platform to Australian secondary schools. Schools use ACTI Analytics to understand how school-issued devices are being used during class time, so they can support teaching and reduce off-task behaviour.
If you have questions about this policy or how we handle personal information, contact us at:
- Privacy enquiries: privacy@actianalytics.com
- General enquiries: sales@actianalytics.com
- Post: ACTI ANALYTICS PTY LTD, Canberra ACT, Australia
2. What personal information we collect
We collect two categories of personal information, depending on how you interact with us:
(a) Website visitors
If you fill in a contact or demo request form on our website, we collect:
- Your name
- Your email address
- Your role and school name
We do not use tracking cookies or third-party analytics on our website.
(b) School platform users — student device activity
When a school deploys the ACTI agent on school-managed devices, the agent collects:
- The name of the foreground application (e.g. “Google Chrome”)
- The title and full URL (including any query string) of the active browser tab — including when the browser is in a private or “incognito” window. Private-browsing sessions are recorded and flagged, not exempted.
- Whether audio is playing
- Timestamps for each activity segment
- A device identifier assigned by the school
The agent does not collect:
- Student names, emails, or personal identifiers
- Keystrokes, screenshots, or screen recordings
- Camera or microphone audio
- File contents or personal documents
- Location data
- Biometric data or any sensitive information as defined under the Privacy Act
Student identifiers used in the platform are opaque IDs assigned by the school. ACTI does not hold a mapping between these IDs and student names — only the school does.
Activity is recorded and reported at the level of an individual device, not only in aggregate. So that staff can support a student who is off-task, authorised school users can see — for a single lesson — how much of the period a given device was off-task and which sites and applications it used. Throughout the platform each device appears only under a pseudonymous label (for example, “Student 1”). ACTI never displays or stores a student’s name and has no means of linking a label to a named student; only the school can do that, using the roster held in its own systems, and the school controls which of its staff may view this detail.
3. How we collect it
Website information
We collect information directly from you when you submit a form on our website. Form submissions are processed through Formspree, a third-party form handling service.
Platform activity data
Activity data is collected by a lightweight software agent installed on school-managed devices (macOS and Windows). The agent runs in the background and samples the foreground application every 5 seconds. It merges consecutive identical activity into segments, buffers them locally in an on-device database, and transmits them to our servers in batches every 30 seconds over HTTPS.
The agent is deployed and managed by the school’s IT administrators.
4. Why we collect it
We collect and use personal information for the following purposes:
- Website enquiries: To respond to your contact or demo request and follow up with relevant information about our services.
- Platform analytics: To provide the contracted analytics service to the school. Pseudonymised activity data is presented to authorised school staff both as class- and year-group-level patterns and as per-device (individual, but pseudonymous) detail, so teachers and administrators can understand and respond to how school-issued devices are used during class time.
We do not use personal information for advertising, profiling, or any purpose other than providing and improving the service contracted by the school.
6. Overseas disclosure
Under Australian Privacy Principle 8, we are required to tell you when personal information is disclosed to overseas recipients.
Our backend infrastructure (including the database that stores pseudonymised activity data) is hosted by Railway in Singapore. Our frontend application is hosted by Vercel in the United States. Authentication is provided by Google Firebase, which processes data in the United States.
We take reasonable steps to ensure that overseas recipients handle personal information consistently with the Australian Privacy Principles. These steps include:
- Selecting providers with strong data protection practices and certifications
- Entering into contractual arrangements that require compliance with applicable privacy laws
- Encrypting all data in transit and at rest
- Limiting access to authorised personnel only
7. Storage and security
We take the security of personal information seriously and implement reasonable technical and organisational measures to protect it, including:
- All data is encrypted in transit using TLS/HTTPS
- Data is encrypted at rest in our PostgreSQL database
- Access to production systems is restricted to authorised personnel
- Authentication tokens are stored in the operating system keychain on devices
- All API endpoints require authentication and are rate-limited
- Parameterised database queries are used throughout to prevent injection attacks
In the event of an eligible data breach, we will notify affected schools and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988.
8. Retention and deletion
We retain pseudonymised student activity data for the duration of the school’s subscription. Schools may request deletion of their data at any time during the subscription term.
When a school’s contract ends, we will securely delete all associated activity data within 30 days of the termination date. The school may request a data export before this final deletion.
9. Student data and children’s privacy
ACTI Analytics processes pseudonymised activity data for secondary school students, who are typically aged 12–18. We recognise the particular importance of protecting children’s privacy and have designed the platform to operate without ever holding a student’s identity: all activity — including individual, per-device detail — is keyed only to a pseudonymous identifier that ACTI cannot link to a named student. The school, as data controller, is the only party able to re-identify a student, using the roster held in its own systems.
Our commitments regarding student data
- No direct identifiers stored: We do not store student names, email addresses, or any direct identifier. Activity is keyed only to a pseudonymous identifier that ACTI cannot link to a named student — only the school can.
- No sale of data: Student activity data is never sold to any third party
- No advertising: Student activity data is never used for advertising, marketing, or behavioural targeting
- No profiling: Student activity data is never used to build profiles for purposes unrelated to the school’s contracted analytics service
- Limited disclosure: Only aggregated data from which no individual student or school can be re-identified may be used for platform improvement and academic research, and may be shared with research partners. Individual, per-device records are never shared outside the platform.
- The platform does not collect more information than is necessary to provide the service
Best interests of the child
In anticipation of the Australian Children’s Online Privacy Code (expected December 2026), we have adopted a best-interests framework for how we handle student data:
- Minimisation: We collect only device activity signals (application names, browser tab titles and URLs, and audio state). We do not collect names, keystrokes, screenshots, file contents, or sensitive information.
- Purpose limitation:Data is used solely to provide the school’s contracted analytics — both aggregate patterns and per-device (pseudonymous) detail that lets staff support an individual student during class. It is not used for behavioural scoring, ranking, or any purpose beyond the school’s instructional use, and ACTI never attaches a student’s identity to it.
- Transparency:Schools are responsible for informing students and parents — before the agent is deployed — that device activity (including the websites visited, and activity in private/incognito windows) is recorded and visible to authorised staff at an individual level. We provide schools with plain-language materials to support this.
- No harm: The platform is designed to support teaching practice, not to punish students. Where dashboards show individual (pseudonymous) device activity, it is so staff can help a student who is struggling to stay on task; the school controls who may access this view, and ACTI presents it without any identifying information.
10. Access and correction
Under Australian Privacy Principles 12 and 13, individuals have the right to access and request correction of their personal information.
Because ACTI does not hold a direct relationship with students (we process data on behalf of schools), access and correction requests regarding student activity data should be directed to the relevant school in the first instance. The school — which alone can match a pseudonymous identifier to a named student — may then contact us to facilitate the request.
If you have submitted information through our website and wish to access or correct it, contact us at privacy@actianalytics.com.
11. Complaints
If you believe we have mishandled your personal information, please contact us first so we can investigate and resolve the issue:
- Email: privacy@actianalytics.com
We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
12. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify subscribing schools directly.
We encourage you to review this policy periodically.