1. Overview
LLND Architect is a software-as-a-service (SaaS) platform designed for Australian Registered Training Organisations (RTOs). We collect personal information from two main groups:
- RTO staff and account holders — trainers, assessors, administrators, and billing contacts who use the Platform on behalf of their Organisation.
- Learners (students) — individuals who complete LLND screening assessments (quizzes) deployed by an RTO through the Platform.
We handle these two categories differently and apply the highest practicable standards of care to learner data, which may relate to minors or individuals with educational support needs.
2. Information We Collect
2.1 Account and Organisation Information
- Full name and email address of account holders and Authorised Users.
- Organisation name, ABN, and RTO Provider Number.
- Billing contact details and invoice records.
- Profile photographs (if voluntarily uploaded).
- IP addresses and device/browser information collected automatically via authentication and security logs.
2.2 Learner Information (uploaded or entered by the RTO)
- Full name and email address.
- Date of birth (collected for age verification and reporting purposes).
- Quiz responses and assessment answers.
- AI-generated gap analysis and LLND support plan data.
2.3 Usage and Technical Data
- Log data (route access, API calls, timestamps, error events).
- AI telemetry: token counts and estimated cost per AI generation (aggregate, not content).
- Audit trail records (who performed what action and when) — these are stored within your Organisation's data scope.
3. How We Collect Information
We collect personal information in the following ways:
- Directly from you — when you create an account, invite team members, or update your profile.
- From your Organisation — when an Authorised User uploads or enters learner records via bulk import (CSV) or manual entry.
- From learners directly — when a learner accesses a publicly shared quiz link and enters their name, email, and date of birth.
- Automatically — via cookies, server logs, and authentication tokens when you use the Platform.
- From third-party authentication — via Supabase Auth (which handles our identity layer).
4. How We Use Personal Information
4.1 RTO Staff Information
We use RTO staff personal information to:
- create and manage your account;
- provide, operate, and improve the Platform;
- process payments and manage subscriptions;
- send transactional communications (account alerts, billing receipts, team invitations);
- respond to support requests;
- enforce our Terms and Conditions; and
- comply with our legal obligations.
4.2 Learner Information
We use learner personal information to:
- administer the LLND quiz and record responses on behalf of the RTO;
- generate AI-powered gap analysis and support plan reports for the learner and their RTO; and
- provide the learner with access to their own results.
We do not use learner information for marketing, profiling outside the assessment context, or any purpose not instructed by the RTO that deployed the quiz. The RTO is the primary data controller for learner data; we act as a data processor on their behalf.
4.3 Legal Bases
Under the APPs, we rely on the following legal bases: consent (where collected); performance of a contract; compliance with a legal obligation; and our legitimate interests in operating and improving the Platform (where those interests are not overridden by your rights).
5. Disclosure to Third Parties
We share personal information with the following service providers to deliver our Services:
- Manual billing administration — billing requests are processed directly with you during beta; no payment card data is stored by us.
- Hostinger — our primary web hosting and server infrastructure provider. Your data is stored on Hostinger's servers located in Singapore.
- Supabase Inc. — for database management, storage, and secure user authentication (stores your email and hashed password for login purposes).
- Resend Inc. — for transactional email delivery (e.g., account alerts and team invites). Only email addresses are transmitted.
- Google Gemini API — for generating AI-assisted assessment content. Assessment prompts are sent to Google's Gemini 2.5 Flash model. No learner personally identifiable information (PII) is sent to this API. See Section 8 for full details.
- Google Analytics — for monitoring website performance and user engagement (anonymised data only). No personally identifiable information is shared with Google Analytics.
- Upstash Inc. — for Redis-based rate limiting (stores anonymised rate-limit keys, not personal content).
We do not sell, rent, or trade your personal information to any third party for marketing purposes.
6. Overseas Disclosure
Some of our third-party service providers are located outside Australia (including the United States, the European Union, and Singapore). In particular, our primary hosting infrastructure is operated by Hostinger with servers located in Singapore. When we disclose personal information overseas, we take reasonable steps to ensure the recipient is bound by privacy obligations comparable to the APPs, or we obtain your consent to the transfer.
By using the Platform, you consent to the transfer of personal information to overseas recipients as described in Section 5 above, where such transfer is necessary to provide the Services.
7. Learner and Student Data
RTOs deploying learner quizzes through the Platform are responsible for:
- obtaining all necessary consents from learners (or their guardians, where the learner is under 18) before deploying a quiz;
- informing learners about how their data will be used; and
- ensuring that the collection of personal data (including date of birth) reflects current RTO reporting requirements.
We provide learner data access only to members of the Organisation that deployed the quiz. Learner data is not shared across Organisations, is not accessible to our team except as required for support or legal compliance, and is not used for any commercial purpose.
RTOs may export learner reports in PDF format and may delete learner records within the Platform at any time.
8. AI Processing and Third-Party Models
When you generate an assessment, the Platform sends the following information to Google's Gemini API:
- Unit codes and titles (public training.gov.au data);
- Performance criteria and foundation skills (public training.gov.au data);
- Workplace context and industry information (provided by the RTO); and
- Internal generation parameters (temperature, schema definitions).
We do not include learner names, emails, dates of birth, or individual quiz responses in AI prompts.
Google's use of data sent to the Gemini API is governed by Google's Cloud Data Processing Addendum and AI Services Terms. As of the date of this policy, Google does not use Gemini API inputs to train its models for API customers. We recommend reviewing Google's current terms for the most up-to-date position.
9. Cookies and Tracking
We use the following types of cookies and local storage:
- Strictly necessary cookies — Supabase authentication tokens (JWT cookies) required to keep you logged in. These cannot be disabled without breaking the Platform.
- Functional storage — browser local storage is used to persist UI preferences (e.g., dark mode, sidebar state). No personal information is stored.
We do not use third-party advertising cookies, cross-site tracking pixels, or analytics platforms that share data with advertisers.
10. Data Security
We implement industry-standard security measures including:
- TLS encryption in transit for all data.
- Encrypted password storage via Supabase Auth (bcrypt hashing; we never store plaintext passwords).
- Row-level access controls ensuring Organisation data is isolated.
- Rate limiting and prompt-injection detection on AI endpoints.
- Audit logging of all create, update, and delete actions within an Organisation.
- Regular dependency security audits.
No data transmission over the internet is 100% secure. While we use all reasonable measures to protect your information, we cannot guarantee absolute security. You are encouraged to use strong, unique passwords and to notify us immediately of any suspected unauthorised access.
11. Data Retention
We retain personal information for as long as necessary to fulfil the purposes set out in this Policy:
- Account data — retained while your Organisation has an active account. After account deletion, metadata may be retained for up to 60 days before permanent deletion.
- Assessment and learner data — retained per your Organisation's data retention settings. Professional and Enterprise plans include 5-year retention; Boutique plan retains data for the subscription period plus 60 days.
- Audit logs — retained for 12 months from creation (relevant for ASQA audit purposes).
- Billing records — retained for 7 years as required by Australian tax law.
12. Access and Correction
Under APP 12 and APP 13, you have the right to request access to, and correction of, personal information we hold about you. To make a request, contact us at hello@llndarchitect.com.au with the subject line "Privacy Request".
We will respond within 30 days. We may need to verify your identity before providing access. In some circumstances, we may decline access as permitted by the Privacy Act (e.g., where it would unreasonably impact another person's privacy).
RTO account holders can update most of their own profile information directly within the Platform's settings. Learners who wish to access or correct their records should contact the RTO that deployed the quiz; RTOs can update learner records on their behalf.
13. Children's Privacy
The Platform's account registration is intended for adults (18+). However, RTOs may deploy LLND quizzes to learners who are under 18. Where a quiz is deployed to learners under 18, the RTO is responsible for obtaining appropriate parental/guardian consent in accordance with applicable privacy laws.
We do not knowingly collect personal information from individuals under 18 years old through our registration process. If you believe we have inadvertently collected information from a minor without appropriate consent, please contact us so we can promptly delete it.
14. Direct Marketing
We may send you product updates, educational resources, and platform announcements by email, using the email address associated with your account. Each marketing email will include an unsubscribe link. Transactional communications (billing receipts, security alerts, team invitations) are not classified as direct marketing and cannot be opted out of while your account is active.
We do not engage in unsolicited commercial electronic messaging (spam) in violation of the Spam Act 2003 (Cth).
15. Complaints
If you believe we have breached the APPs or this Privacy Policy, please contact our Privacy Officer at hello@llndarchitect.com.au with the subject line "Privacy Complaint".
We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes via email or prominent in-app notice. The updated policy will be effective from the date published at the top of this page.
17. Contact Us
For all privacy enquiries, access requests, or complaints, please contact:
Privacy Officer — LLND Architect
Email: hello@llndarchitect.com.au
Subject line: "Privacy Request" or "Privacy Complaint"
Website: llndarchitect.com.au