Last updated: 7 May 2026
Effective: 7 May 2026
1. Who we are
Poios is operated by Poios Pty Ltd ("Poios", "we", "us", or "our"), an Australian-registered entity. This policy applies to personal information we collect when you use our platform, register an institution, or communicate with us.
2. Information we collect
We collect the following categories of personal information.
- Identity and contact information: name, work email address, work phone number, professional role, and the institution you are affiliated with.
- Authentication and security information: hashed passwords (using bcrypt with appropriate cost factors), one-time passcodes, IP addresses, browser user agent, and access timestamps.
- Institutional and academic content: material that you or your institution upload to the platform, including unit outlines, assessment artefacts, rubrics, and moderation records.
- Operational telemetry: aggregate usage data, performance metrics, and error logs used to operate and improve the platform.
3. How we use information
Personal information is used to:
- provide, operate, and maintain the platform and its services;
- authenticate users and protect platform security;
- communicate with you about your account, our services, and material updates;
- maintain audit trails required for regulatory compliance and ICT audits;
- improve the platform through aggregated, deidentified analysis.
We do not sell personal information. We do not use personal information to train third-party AI models without explicit institutional consent.
4. Where we store data
Personal information and institutional content are stored in AWS data centres located in Australia (Sydney, ap-southeast-2) and, for redundancy, Singapore (ap-southeast-1). No data is processed in or transferred to jurisdictions outside this scope without explicit institutional consent and a defensible legal basis.
5. How we secure data
- Transport encryption via TLS 1.3 for all client-server communications.
- Encryption at rest for all primary databases and object storage.
- Bcrypt hashing for credential storage with appropriate cost factors.
- Role-based access control with least-privilege defaults.
- Append-only audit logs with cryptographic integrity verification.
- Regular security review and dependency vulnerability scanning.
6. Your rights
Under the Privacy Act 1988 and the Australian Privacy Principles, you have the right to:
- access the personal information we hold about you;
- request correction of personal information that is inaccurate or incomplete;
- request deletion of personal information, subject to overriding legal or institutional retention obligations;
- lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
To exercise any of these rights, contact us at [email protected].
7. Cookies and tracking
Poios uses session cookies for authentication and necessary platform operation. We do not use third-party advertising cookies. Aggregate analytics are collected using a self-hosted, privacy-preserving telemetry service that does not track individual users across sessions.
8. Data retention
Personal information is retained for the duration of your active account, plus such period as is required by Australian regulatory or institutional obligations. Audit logs are retained for a minimum of seven years to support ICT and academic quality audits. On account closure, personal information is deidentified or deleted within 90 days, except where retention is legally required.
9. Changes to this policy
Material changes to this policy will be communicated via email to registered users and posted on this page at least 30 days before they take effect. Non-material clarifications may be made at any time and will be reflected in the "last updated" date above.
10. Contact
For privacy-related questions, requests, or complaints, contact our Privacy Officer at [email protected].