Privacy Policy
Last updated: 17/01/2026
Effective date: 17/01/2026
Note: This is a summary provided for your convenience. However, we strongly recommend reading the full Privacy Policy below to understand all aspects of how we handle your personal information.
Summary
What We Collect: We collect account information (name, email, password), professional information (school, subject areas, NCEA levels), payment details (processed securely by Stripe - we never store payment information), content you create (slides, prompts), usage data, technical information (IP address, device type, browser), and if you use Google Classroom integration, only documents and files related to Classroom submissions (we do not access any other files in your Google Drive).
How We Use It: We use your information to provide and improve our Service, generate AI-powered educational content, process payments, communicate with you, ensure security, comply with legal obligations, and generate feedback for student submissions through Google Classroom integration. Your content is processed through OpenAI's API for slide generation.
Who We Share With: We do not sell your personal information. We share data only with trusted service providers (hosting, payment processors, analytics, Google services for Classroom integration) who are contractually bound to protect it, or when required by law. Your generated content may be processed by OpenAI, but we do not share your personal identifying information with them. When you connect Google Classroom, we only access Classroom submission-related documents and files, nothing else.
Your Rights: You have the right to access, correct, delete, and export your personal information. You can opt out of marketing communications, manage cookies, and request account deletion. We respond to requests within 30 days.
Security: We implement industry-standard security measures including encryption, secure authentication, access controls, and regular security audits to protect your information.
Data Retention: We retain your information only as long as necessary to provide the Service or as required by law. Account information is deleted within 30 days of account closure, except for payment records retained for 7 years for tax compliance.
International Transfers: Your data may be transferred to and processed in countries outside New Zealand (including the United States for AI processing). We use appropriate safeguards such as standard contractual clauses to protect your privacy rights.
Compliance: This policy complies with New Zealand Privacy Act 2020 and GDPR for EEA users. For questions or to exercise your rights, contact us at rumiawais@gmail.com or phone 022 569 2631.
1. Introduction and Scope
educraft ("we," "our," "us," or "the Company") is committed to protecting your privacy and being transparent about how we collect, use, disclose, and safeguard your personal information. This Privacy Policy explains our practices regarding personal information when you use our AI-powered slide generation service for NCEA teachers, accessible at https://educraft.co.nz and https://app.educraft.co.nz (collectively, the "Service").
This Privacy Policy is designed to comply with:
- New Zealand Privacy Act 2020 and its 13 Information Privacy Principles (IPPs)
- General Data Protection Regulation (GDPR) for users located in the European Economic Area (EEA)
- Other applicable privacy and data protection laws in jurisdictions where we operate
By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
Data Controller: educraft, Auckland, 0930, New Zealand. For questions about this policy, contact us at rumiawais@gmail.com.
2. Information We Collect
We collect information that identifies or relates to you ("Personal Information"). The categories we collect depend on how you interact with our Service.
2.1 Information You Provide
When you register, use our Service, or communicate with us, you may provide: identity information (name, username); contact information (email, phone, billing address); account credentials (encrypted password); professional information (school, subject areas, NCEA levels, experience); profile information (picture, bio, preferences); content you create (slides, prompts, templates, annotations); communication data (support requests, feedback); payment information (processed securely by Stripe - we never store payment information); and marketing preferences.
2.1.1 Google Classroom Integration
If you use our feedback generation feature and connect your Google Classroom account, we access only documents, drives, and files specifically related to Google Classroom submissions for feedback generation purposes. We do not access, view, or process any other files or data in your Google Drive or Google account. We access this information only with your explicit permission when you grant Google Drive access, and only for the limited purpose of generating feedback for student submissions.
2.2 Information Collected Automatically
We automatically collect: technical information (IP address, device type, OS, browser, screen resolution, language, time zone); usage information (pages visited, features used, time spent, click patterns, search queries, session data); performance data (response times, errors, crash reports); general location (derived from IP - country/region/city, not GPS); and referral information (referring website, search terms, campaign identifiers).
2.3 Cookies and Tracking Technologies
We use cookies, web beacons, and similar technologies to collect information about your use of our Service. Types: (1) Essential cookies (required for Service function, cannot be disabled); (2) Functional cookies (enhance functionality, remember preferences); (3) Analytics cookies (help us understand usage patterns); (4) Performance cookies (improve performance). Third-party cookies: Vercel Analytics, payment processors, and Formspree (for contact forms). You can control cookies through browser settings, but disabling certain cookies may limit Service functionality.
2.4 Information from Third Parties
We may receive information from: payment processors (transaction confirmations, subscription status); authentication services (if you log in via Google/Microsoft, we receive name, email, profile picture); Google Classroom (when you connect your account for feedback generation, we access only Classroom submission-related documents and files - see Section 2.1.1); and publicly available sources (educational directories, professional networks) if relevant to providing our Service.
3. Legal Basis for Processing (GDPR Compliance)
For users located in the EEA, we process your Personal Information based on the following legal grounds under GDPR:
- Contractual Necessity: To perform our contract with you (providing the Service, processing payments, managing your account)
- Legitimate Interests: To improve our Service, ensure security, prevent fraud, analyze usage patterns, and communicate important service updates (we balance our interests against your privacy rights)
- Consent: When you have given clear consent for specific processing activities (e.g., marketing communications, optional analytics)
- Legal Obligation: To comply with legal requirements, such as tax obligations, record-keeping requirements, and responding to lawful requests from authorities
- Vital Interests: To protect your vital interests or those of another person (e.g., in emergency situations)
You have the right to withdraw consent at any time where we rely on consent as the legal basis. Withdrawal of consent does not affect the lawfulness of processing before the withdrawal.
4. How We Use Your Information
We use Personal Information for the following purposes:
4.1 Service Provision
To create and manage accounts, authenticate users, process requests, store content, provide support, send service communications, process payments, and generate feedback for student submissions through Google Classroom integration (accessing only Classroom-related documents and files).
4.2 AI Content Generation
To process prompts, generate educational slides, customize content based on preferences, and improve AI performance. Important: Your prompts and generated content are processed through OpenAI's API. We don't share your personal identifying information with OpenAI, but content is processed per OpenAI's Privacy Policy.
4.3 Service Improvement
To analyze usage patterns, conduct R&D, test features, monitor performance, fix bugs, and optimize user experience.
4.4 Communication
To send service updates, security notifications, respond to support requests, send marketing communications (with consent), notify about policy changes, and send newsletters (opt-out available).
4.5 Security and Fraud Prevention
To detect/prevent fraud and abuse, verify identity, monitor suspicious activity, protect rights and safety, and comply with security requirements.
4.6 Legal Compliance
To comply with laws and regulations, respond to lawful requests from authorities, enforce Terms of Service, protect legal rights, comply with tax/accounting obligations, and resolve disputes.
4.7 Business Operations
To manage operations, conduct analytics, plan strategies, and facilitate business transactions (with privacy protections).
5. Information Sharing and Disclosure
We do not sell, rent, or trade your Personal Information for marketing purposes. We may share it in the following circumstances:
5.1 Service Providers
We share Personal Information with trusted service providers who perform services on our behalf (cloud hosting, payment processing, AI services, analytics, email, support tools, form processing, security services, Google services for Classroom integration). These providers are contractually obligated to use information only for specified purposes, implement security measures, comply with privacy laws, and not use it for their own purposes.
5.1.1 Google Services Access
When you connect your Google Classroom account for feedback generation, we access your Google Drive through Google's API. We only access documents, drives, and files specifically related to Google Classroom submissions. We do not access, view, or process any other files or data in your Google Drive or Google account. This access is limited to generating feedback for student submissions and is subject to Google's Terms of Service and Privacy Policy. You can revoke this access at any time through your Google account settings.
5.2 Legal Requirements
We may disclose Personal Information when required by law, regulation, legal process, or government request (subpoenas, court orders, compliance with laws, law enforcement requests, protecting legal rights, legal proceedings).
5.3 Protection of Rights
We may disclose Personal Information to protect rights, property, or safety; prevent/investigate fraud, abuse, or security threats; enforce Terms of Service; or respond to emergencies.
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your Personal Information may be transferred to the acquiring entity. We will notify you and ensure appropriate privacy protections are in place.
5.5 With Consent
We may share Personal Information with third parties when you have given explicit consent for specific purposes.
5.6 Aggregated Information
We may share aggregated, anonymized information that cannot identify you for research, analytics, or business purposes.
6. Data Security
We implement comprehensive technical, administrative, and physical security measures to protect your Personal Information. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
6.1 Technical Security
We use: encryption (TLS/SSL for data in transit, AES-256 for data at rest); secure authentication (hashed passwords, MFA support); secure cloud infrastructure with regular updates and monitoring; network security (firewalls, DDoS protection); regular security patches; continuous monitoring; and vulnerability assessments.
6.2 Administrative Security
We implement: strict access controls (least privilege principle); employee training on data protection; background checks for personnel with sensitive data access; confidentiality agreements; and documented incident response procedures.
6.3 Physical Security
Our Service is hosted on secure cloud infrastructure with physical security managed by hosting providers. Physical access to our offices/equipment is restricted and monitored.
6.4 Data Breach Notification
In the event of a data breach posing a risk to your rights, we will: notify supervisory authorities within 72 hours where required; notify affected users without undue delay if high risk; provide clear information about the breach and our response; and take immediate steps to contain the breach.
7. Your Privacy Rights
You have certain rights regarding your Personal Information, which vary by location and applicable law.
7.1 Rights Under New Zealand Privacy Act 2020
If located in New Zealand, you have: right to access your Personal Information; right to correction of inaccurate/incomplete information; right to object to certain processing; and right to complain to the Privacy Commissioner.
7.2 Rights Under GDPR (EEA Users)
If located in the EEA, you have: right of access; right to rectification; right to erasure ("right to be forgotten"); right to restrict processing; right to data portability; right to object; right to withdraw consent; and right to lodge a complaint with your data protection authority.
7.3 How to Exercise Your Rights
Contact us at rumiawais@gmail.com with your name, email, and a clear description of the right you wish to exercise. We respond within 30 days (may be extended for complex GDPR requests). We may request identity verification and may refuse or charge a fee for manifestly unfounded, excessive, or repetitive requests.
7.4 Additional Choices
You can: update account information through account settings; opt out of marketing emails via unsubscribe links or account settings; manage cookies through browser settings (may affect functionality); and disable location services through device settings.
8. Data Retention and Deletion
We retain Personal Information only as long as necessary to fulfill the purposes in this policy, unless longer retention is required by law.
8.1 Retention Periods
- Account Information: While active and 90 days after closure (unless earlier deletion requested).
- Content: While account is active (you can delete anytime).
- Payment Information: 7 years from last transaction (tax compliance).
- Communication Records: 3 years from last communication (longer if legally required).
- Analytics Data: Up to 2 years in anonymized/aggregated form.
- Legal Records: As required by law.
8.2 Account Deletion
When you request deletion: we delete/anonymize Personal Information from active systems within 30 days; your content, templates, and preferences are permanently deleted; we retain minimal information for legal compliance (e.g., payment records); backup copies may be retained up to 90 days; anonymized/aggregated data may be retained for analytics. To request deletion, contact us at rumiawais@gmail.com or use account deletion features.
9. International Data Transfers
Our Service is primarily hosted in New Zealand, but we may transfer, store, and process Personal Information in other countries where service providers operate (United States, European Union, etc.).
9.1 Safeguards
We implement appropriate safeguards: standard contractual clauses (e.g., EU Standard Contractual Clauses for GDPR); service provider agreements requiring privacy compliance; transfers to countries with adequacy decisions (e.g., New Zealand); and binding corporate rules where applicable.
9.2 Specific Transfers
- OpenAI (United States): Generated content is processed through OpenAI's API with appropriate safeguards. See OpenAI's Privacy Policy.
- Google Services (United States): When you connect your Google Classroom account, Classroom-related documents are processed through Google's services with appropriate safeguards. We only access documents related to Classroom submissions. See Google's Privacy Policy.
- Stripe (United States): Payment processing is handled by Stripe, a PCI-DSS compliant processor with appropriate safeguards. We never store payment information on our servers. See Stripe's Privacy Policy.
- Cloud Hosting: Hosting providers with security measures and data protection agreements.
By using our Service, you consent to these transfers subject to the safeguards described.
10. Children's Privacy
Our Service is designed for teachers and educational professionals who are at least 18 years of age. We do not knowingly collect Personal Information from children under 13 years of age (or under 16 in the EEA) without verifiable parental consent.
If you are a parent or guardian and believe that your child has provided us with Personal Information without your consent, please contact us immediately at rumiawais@gmail.com. We will take steps to delete such information promptly.
If we become aware that we have collected Personal Information from a child under the applicable age without parental consent, we will take steps to delete that information as soon as possible, except where retention is required by law.
11. Automated Decision-Making and Profiling
We use automated processing, including AI-powered content generation, to provide our Service. This may involve:
- Analyzing your prompts and preferences to generate personalized educational content
- Recommending features or content based on your usage patterns
- Detecting fraud or security threats through automated systems
We do not use automated decision-making that produces legal effects or similarly significantly affects you without human intervention, except:
- As necessary to provide the Service (e.g., content generation based on your inputs)
- With your explicit consent
- As permitted by applicable law
If you are subject to automated decision-making and wish to contest the decision or request human review, please contact us.
12. Third-Party Links and Services
Our Service may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you access.
We are not responsible for the privacy practices, content, or security of third-party services. Your interactions with third-party services are subject to their respective privacy policies and terms of service.
13. Do Not Track Signals
Some browsers include a "Do Not Track" (DNT) feature that signals to websites you visit that you do not want to have your online activity tracked. Currently, there is no uniform standard for responding to DNT signals. We do not currently respond to DNT browser signals or mechanisms.
However, you can control tracking through your browser settings and by managing cookies as described in Section 2.3.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational, legal, or regulatory reasons.
When we make changes to this Privacy Policy:
- We will update the "Last updated" date at the top of this policy
- For material changes, we will notify you by email (to the email address associated with your account) or through a prominent notice on our Service
- We will provide at least 30 days' notice before material changes take effect, where required by law
- Your continued use of our Service after changes become effective constitutes acceptance of the updated policy
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your Personal Information. If you do not agree with the updated policy, you may close your account and stop using the Service.
Previous versions: If you would like to review previous versions of this Privacy Policy, please contact us.
15. Contact Us
If you have any questions, concerns, requests, or complaints regarding this Privacy Policy or our data practices, please contact us:
Data Controller: educraft
Email: rumiawais@gmail.com
Phone: EDUCRAFT (022 569 2631)
Address: Auckland, 0930, New Zealand
Response Time: We aim to respond to all privacy-related inquiries within 48 hours on business days.
15.1 Data Protection Officer (if applicable)
If you are located in the EEA and wish to contact our Data Protection Officer (if we have designated one), please use the contact information above and specify that your inquiry is for the Data Protection Officer.
15.2 Complaints
If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with:
- New Zealand: Office of the Privacy Commissioner (if you are located in New Zealand)
- EEA: Your local data protection authority (if you are located in the EEA). A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/board/members_en
We encourage you to contact us first so we can try to resolve your concerns directly.
16. Additional Resources
New Zealand: Office of the Privacy Commissioner, Privacy Act 2020. EEA: GDPR.eu, European Data Protection Board. See also our Terms of Service and Contact page.
17. Definitions
For the purposes of this Privacy Policy:
- "Personal Information" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Information, including collection, storage, use, disclosure, and deletion
- "Service" means the educraft website and application accessible at educraft.co.nz and app.educraft.co.nz
- "You" or "User" means the individual accessing or using the Service
- "We," "Us," "Our" means educraft and its operators
This Privacy Policy was last updated on December 31, 2025. We reserve the right to update this policy at any time. Please check this page periodically for updates.