This Privacy Policy explains how EduBill (ABN 29 627 646 853) ("EduBill", "we", "us", or "our") collects, uses, discloses, stores, and protects personal information when you use the EduBill platform at app.edubill.com.au or visit our website at edubill.com.au (collectively, the "Service").
This Privacy Policy is designed to be consistent with the Australian Privacy Principles ("APPs") under the Privacy Act 1988 (Cth). EduBill is currently a small business operator and may not be technically bound by the Privacy Act 1988 (Cth) due to its annual turnover, but we apply APP-aligned standards as a matter of policy because our customers are themselves subject to the Act and because we believe it is the right approach.
If you do not agree with this Privacy Policy, you must not use the Service.
1. Scope and roles
1.1 Two categories of personal information
The Service handles two categories of personal information:
- Account information - information about you (and your Authorised Users) as a direct user of the Service, such as your name, email, and login activity. EduBill is the data controller of this information.
- Customer Data - information about your Agency's students, subagents, billing school contacts, and other individuals whose details you upload to the Service. EduBill acts as a data processor for this information, on your instructions, under the Terms of Service.
You (as the Customer / Agency) are responsible for ensuring you have a lawful basis (including any consents required) to collect, hold, and disclose Customer Data to EduBill, and for providing privacy notices to the individuals whose information you upload.
1.2 Students under 18
Some Customer Data may relate to international students who are minors (for example, Year 10 and Year 11 students enrolled at Australian schools). EduBill does not collect personal information directly from minors. Where Customer Data relates to a minor, you (the Agency) are responsible for obtaining any required parental or guardian consents before uploading that information to the Service.
2. Information we collect
2.1 Information you provide to us (Account information)
When you create an Account and use the Service, we collect:
- Identity and contact information: name, email address, business name, ABN.
- Account credentials: hashed password (we never store plaintext passwords; authentication is handled by Supabase Auth).
- Billing information: billing email and address. We do not store credit card numbers. Payment card details are collected and stored directly by our payment processor, Stripe, on its secure infrastructure.
- Communications: support requests, feedback, and other messages you send us.
- Configuration and preferences: settings, role assignments, and other choices you make in the Service.
2.2 Customer Data you upload
When you use the Service, you may upload personal information about third parties including:
- Students: name, date of birth, contact details, nationality, passport number, enrolment details, course details, and related records.
- Subagents: name, contact details, commission rates, payment/banking details (for the purpose of subagent commission tracking).
- Billing School contacts: name, role, business email, business phone.
- Other Agency staff (your Authorised Users): name, work email, role assignments.
You determine what Customer Data is uploaded. EduBill does not require any particular field beyond what is necessary for the Service to function.
2.3 Information collected automatically
When you access the Service, we automatically collect:
- Log information: IP address, browser type and version, operating system, device identifiers, referring page, pages viewed, and timestamps.
- Session information: authentication tokens, session identifiers, and login/logout events.
- Cookies: see clause 9.
We collect this information to operate the Service, secure it against abuse, diagnose issues, and improve usability.
2.4 Information from third parties
We may receive limited information from third parties acting on our behalf, including our payment processor (Stripe, regarding payment status), our email provider (Brevo, regarding email delivery and bounce events), and our hosting and infrastructure providers (regarding service health and security events).
2.5 We do not use Customer Data to train AI
EduBill does not use Customer Data or Account information to train artificial intelligence or machine learning models, and does not send Customer Data to any AI/LLM service as part of the normal operation of the Service.
3. How we use personal information
We use personal information only for the following purposes:
- Providing the Service: authenticating you, displaying your data, generating invoices and commission records, sending transactional emails on your behalf, and performing the functions you request.
- Billing and payments: processing subscription payments, issuing tax invoices, and managing refunds.
- Support and communications: responding to support requests, sending service notifications (such as security alerts and important changes), and sending periodic emails about product updates.
- Security: detecting, preventing, and responding to fraud, abuse, security incidents, and violations of our Terms of Service.
- Legal and compliance: complying with our legal obligations, responding to lawful requests from authorities, and enforcing our agreements.
- Service improvement: analysing aggregate, de-identified usage patterns to improve the Service. We do not analyse the contents of Customer Data for this purpose.
We do not sell personal information.
4. Legal bases for processing
In Australia, we collect and use personal information where:
- it is reasonably necessary for our business functions or activities (APP 3);
- you have consented (for example, by agreeing to this Privacy Policy at sign-up);
- it is required or authorised by law.
For Customer Data, you (the Customer) are responsible for ensuring there is a lawful basis under the applicable law of the data subject's jurisdiction, which may include India's Digital Personal Data Protection Act 2023, China's Personal Information Protection Law, the EU/UK General Data Protection Regulation, or other applicable laws.
5. Disclosure of personal information
5.1 To our service providers (sub-processors)
We disclose personal information to the following sub-processors to operate the Service:
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage, serverless functions | AWS, Sydney for the production database; some operational metadata may be processed in other regions |
| Vercel Inc. | Frontend hosting and content delivery | Globally distributed edge network; static assets and routing |
| Stripe Payments Australia Pty Ltd | Payment processing and tax invoicing | Stripe's global infrastructure; some payment data is processed outside Australia in accordance with Stripe's privacy policy |
| Brevo (Sendinblue SAS) | Transactional email delivery and SMTP relay | European Union; emails are transmitted globally to recipient inboxes |
We require each sub-processor to provide a level of data protection consistent with this Privacy Policy and applicable law. We do not disclose Customer Data to any other third party without your instruction, except as set out below.
5.2 Other disclosures
We may disclose personal information:
- to professional advisers (such as lawyers and accountants) under duties of confidentiality;
- to a successor entity in connection with a sale, merger, or restructure of the EduBill business (in which case the successor will be bound by this Privacy Policy or a substantially similar policy);
- where required by law, court order, or lawful request from a regulatory authority;
- to protect the rights, property, or safety of EduBill, our Customers, or others.
5.3 Recipients you direct us to
Where you use the Service to send invoices, commission statements, or other communications to third parties (such as Billing Schools or Subagents), you direct us to disclose the relevant Customer Data to those recipients.
6. Cross-border data transfers
The Service stores production database content in AWS Sydney. However, some processing occurs outside Australia because of the global nature of our sub-processors:
- Vercel operates a global edge network.
- Stripe processes payment information through its global infrastructure.
- Brevo is headquartered in the European Union and transmits emails globally to recipient inboxes.
- Supabase may process limited operational and support metadata outside Australia.
Where personal information is disclosed to a recipient outside Australia, we take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles in relation to the information, as required by APP 8.
By using the Service, you acknowledge that personal information you upload may be processed in jurisdictions other than your own. You are responsible for ensuring that any cross-border transfer of Customer Data is lawful in the jurisdiction(s) of the data subjects, including (where applicable) under India's Digital Personal Data Protection Act 2023, China's Personal Information Protection Law, Vietnam's privacy laws, and equivalent laws in other jurisdictions.
7. Data retention
7.1 Account information
We retain your Account information for as long as your Account is active, and for a reasonable period after closure for legal, accounting, and dispute-resolution purposes (typically up to seven (7) years for tax-related records, as required by Australian law).
7.2 Customer Data
We retain Customer Data in active systems for thirty (30) days after your Account is closed, during which time you may request export. After this period, Customer Data is permanently deleted from active systems. Backup copies may persist until rotated out of backup retention in the ordinary course (typically within a further sixty (60) days).
7.3 Logs and operational data
Log data (including IP addresses) is retained for security and diagnostic purposes for up to ninety (90) days.
7.4 Legal hold
We may retain information longer than the periods above where required by law, court order, or to resolve an active dispute.
8. Your rights and choices
8.1 Rights under the Australian Privacy Act
Subject to limited exceptions in the Privacy Act, you have the right to:
- Access personal information we hold about you;
- Correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading;
- Complain about how we handle your personal information (see clause 11).
To exercise these rights, contact us at support@edubill.com.au. We will respond within a reasonable period (and within thirty (30) days where required by law).
8.2 Rights of Customer Data subjects
If you are an individual whose personal information has been uploaded to the Service by an Agency (for example, a student, subagent, or billing school contact), please contact the Agency directly to exercise your rights. The Agency is the entity that decided to collect and use your personal information. EduBill, as data processor, will assist the Agency to fulfil valid requests but cannot act on your request without the Agency's instruction.
8.3 Export and deletion
Customers may export Customer Data through the Service at any time during their Subscription, and within thirty (30) days after Account closure. You may also request deletion of your Account at any time by emailing support@edubill.com.au.
8.4 Marketing communications
You may opt out of non-transactional marketing emails at any time by clicking the unsubscribe link in any such email or by contacting support@edubill.com.au. We will continue to send transactional and service-related communications even after you opt out, because these are necessary to operate the Service.
8.5 Anonymity
The Australian Privacy Principles include the option to interact anonymously or pseudonymously where lawful and practicable (APP 2). Because the Service is a financial and identity-bearing record-keeping platform, anonymous use is not practicable. You may, however, contact us anonymously with general queries that do not require an Account.
9. Cookies and similar technologies
We use cookies and similar technologies to:
- keep you signed in (essential session cookies);
- remember your preferences (functional cookies);
- monitor service health and detect abuse (security cookies).
We do not use third-party advertising cookies. You can control cookies through your browser settings; however, disabling essential cookies will prevent you from signing in to the Service.
10. Security
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:
- encryption of data in transit (HTTPS/TLS);
- encryption of data at rest in our database and storage layer;
- authentication and authorisation enforced at the database layer via Row Level Security;
- access controls for EduBill personnel on a need-to-know basis;
- regular software updates and security patches;
- automated backups for disaster recovery.
No system is perfectly secure. If you believe your Account has been compromised, please contact support@edubill.com.au immediately.
10.1 Data breach notification
If EduBill experiences an eligible data breach (as defined under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988 (Cth)) that is likely to result in serious harm to affected individuals, we will:
- notify the Office of the Australian Information Commissioner (OAIC); and
- notify affected individuals (or, where you are the Customer, work with you to notify the affected individuals whose Customer Data is involved),
in each case as required by law and as soon as practicable after we become aware of the breach.
11. Complaints
If you believe we have breached the Australian Privacy Principles or otherwise mishandled your personal information, please contact us at support@edubill.com.au with a description of the issue. We will acknowledge your complaint within seven (7) days and aim to resolve it within thirty (30) days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: https://www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material change by email or through the Service at least fourteen (14) days before the change takes effect. The "Last updated" and "Version" fields at the top of this page indicate the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
13. Contact
For privacy questions or requests, please contact:
- EduBill
- ABN: 29 627 646 853
- Email: support@edubill.com.au
- Address: 358 Lonsdale Street, Melbourne, VIC 3000, Australia