1. Who We Are
Lobi is operated by [Your Pty Ltd name — to be registered] (ABN: [to be registered]), Brisbane, Queensland, Australia.
Contact: hello@heylobi.com.au
2. What This Policy Covers
This policy explains how we collect, use, store, and protect personal information when you and your child use Lobi. We are committed to complying with:
- Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
- Privacy and Other Legislation Amendment Act 2024 (including automated decision-making disclosure requirements effective 10 December 2026)
- OAIC Children's Online Privacy Code 2026 (when registered)
- Notifiable Data Breaches scheme under Part IIIC of the Privacy Act
- Spam Act 2003 (Cth) for any electronic communications
- Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010)
3. Information We Collect
From Parents:
- Email address (for account login)
- Password (stored as a cryptographic hash — we cannot see or retrieve your password)
From Children (entered by parents only — children cannot enter their own data):
- First name only (no surname)
- Year level
- State/territory
- Learning needs (e.g. ADHD, autism, dyslexia — optional, treated as sensitive information under APP 3)
- Interests (e.g. Minecraft, horses, art — optional)
- Workspace colour preference
- Voice and sound settings
- Session summaries: date, duration, topics covered, mastery signals (no conversation content)
- Mood check-in responses (start and end of session emoji only)
We DO NOT Collect:
- Surnames of children
- Dates of birth
- School names
- Home addresses
- Photos, images, or videos of children
- Biometric data (including facial recognition or voiceprints)
- Conversation content (see Section 4)
- Location data
- Device identifiers or advertising IDs
- Behavioural tracking data
- Data from other apps or services on the device
Sensitive Information (APP 3 compliance)
Learning needs data (ADHD, autism, dyslexia) is classified as sensitive information under the Privacy Act because it relates to health. We collect this ONLY with explicit parental consent, use it ONLY to adapt the learning experience, and parents can remove it at any time through their child's profile settings.
4. Conversations — Zero Retention
This is our most important privacy commitment.
When your child uses Lobi, their conversation is sent to the Anthropic Claude API for processing in real-time. This means:
- Conversation content is transmitted to Anthropic's servers to generate Lobi's responses
- Anthropic processes the data under their Terms of Service (anthropic.com/terms) and does not use API conversations to train their models
- Once the API response is returned, the conversation exists only in the child's browser session
- When the session ends or the browser is closed, the conversation is permanently gone
- We do NOT store, log, cache, or back up any conversation content in our database or on our servers
- We do NOT have the ability to retrieve past conversations
- No conversation data is used for any form of analytics, training, or profiling
We store only a brief session summary: date, duration, topics covered (as curriculum codes), and mastery signals. These summaries contain no conversational content.
5. Automated Decision-Making Disclosure (Privacy Act s 26WA, effective 10 December 2026)
Lobi uses artificial intelligence (Anthropic Claude, a large language model) in the following ways:
What AI does in Lobi:
- Generates educational content and questions in response to child input
- Selects teaching approaches based on the child's year level and learning needs profile
- Determines the difficulty and topic progression within a session
- Generates quick-reply button options for the child to tap
- Detects emotional distress signals in child input and redirects to safety resources
What AI does NOT do in Lobi:
- AI does not make decisions about a child's educational needs, diagnosis, or capabilities
- AI does not generate reports or assessments that are presented as professional evaluations
- AI does not communicate with schools, teachers, or other services about the child
- AI does not make any decisions that have legal or similarly significant effects
Human oversight:
- Parents control all profile settings and can override or change any learning needs selections
- Parents can review session summaries
- Parents can end sessions, delete profiles, or delete their entire account at any time
- The AI system prompt is available for parents to read (transparency page)
6. How We Use Information
We use personal information only to:
- Authenticate your account (email and password)
- Personalise your child's learning experience (name, year level, interests, learning needs)
- Apply appropriate teaching adaptations (learning needs)
- Display session summaries to parents
- Send essential account emails (signup confirmation, password reset)
We do NOT use personal information to:
- Advertise to you or your child
- Build behavioural or psychological profiles
- Share with third parties for any purpose
- Train AI models
- Make automated decisions with legal or significant effects
- Target content based on profiling
- Track behaviour across sessions or over time
7. Third-Party Services
Lobi uses the following third-party services:
| Service | Purpose | Data shared | Data stored by them | Location | Privacy policy |
|---|---|---|---|---|---|
| Supabase | Database and authentication | Email, hashed password, child profile data | Yes — encrypted at rest | Singapore | supabase.com/privacy |
| Anthropic Claude API | AI response generation | Conversation content in real-time only | No — API data not retained or used for training | United States | anthropic.com/privacy |
| Netlify | Website hosting | IP address (standard web hosting) | Standard server logs | United States | netlify.com/privacy |
| Stripe (future) | Payment processing | Payment card details — we NEVER see these | Yes — PCI DSS compliant | United States | stripe.com/privacy |
Cross-border data transfer: Some of our service providers are located outside Australia. By using Lobi, you consent to the transfer of data as described above. We ensure all providers maintain privacy and security standards consistent with the APPs.
8. Children's Privacy
We take children's privacy seriously and design for it:
- Parental gate: Only parents can create accounts and child profiles. Children cannot create accounts.
- Minimal collection: We collect the minimum information necessary to provide the learning experience.
- No social features: Children cannot communicate with other users, ever.
- No internet access: Lobi cannot access the internet, share links, or display external content during sessions.
- No advertising: Lobi contains no advertising of any kind and never will.
- No profiling: We do not build behavioural profiles of children.
- Anti-addiction design: No streaks, points, leaderboards, push notifications, or variable reward mechanics. Sessions have parent-set time limits that children cannot override.
- Emotional safety: If a child expresses emotional distress, Lobi gently redirects to Kids Helpline (1800 55 1800). No data about the distress is stored.
- Privacy by default: All privacy settings are set to the most protective option by default. Voice reading is off by default. Sound effects can be turned off.
- Best interests: All design and data handling decisions prioritise the best interests of the child, consistent with the OAIC Children's Online Privacy Code.
9. Data Storage, Security, and Retention
Storage:
- All data is stored in Supabase (Singapore region, SOC 2 Type II compliant)
- Row Level Security (RLS) ensures families can only access their own data
- All data is encrypted at rest and in transit
Security measures:
- Passwords are hashed using industry-standard bcrypt
- API keys are stored server-side in Netlify environment variables, never in browser code
- HTTPS encryption on all connections
- Two-factor authentication on all administrative accounts
- Regular review of access controls and security practices
Retention:
- Account data is retained while your account is active
- Session summaries are retained while your account is active
- Conversation content is never retained (see Section 4)
- When you delete your account, all associated data is permanently deleted within 30 days
- Backups that may contain deleted data are purged within 90 days
10. Your Rights Under the Privacy Act
You have the right to:
- Access (APP 12): Request a copy of all personal information we hold about your family. We will respond within 30 days.
- Correction (APP 13): Request correction of any inaccurate information. We will correct it promptly.
- Deletion: Request deletion of all your family's data at any time. We will delete it within 30 days.
- Withdraw consent: Withdraw consent for collection of sensitive information (learning needs) at any time by editing your child's profile.
- Complain: Lodge a complaint with us first (hello@heylobi.com.au). If unsatisfied, lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
To exercise any of these rights, email: hello@heylobi.com.au
11. Data Breach Response
In the event of an eligible data breach under the Notifiable Data Breaches scheme (Part IIIC, Privacy Act 1988):
- We will conduct a rapid assessment within 72 hours of becoming aware of a suspected breach
-
If the breach is likely to result in serious harm, we will:
- Notify the OAIC as soon as practicable (and within 30 days at most)
- Notify all affected users by email, including: what happened, what data was involved, what we are doing about it, and what steps they can take
- We will take immediate steps to contain and remediate the breach
- We will document the breach and our response for compliance records
Risk mitigation: Our zero conversation retention policy significantly reduces the impact of any potential breach — even in a worst case scenario, no conversation content would be exposed because it is never stored.
12. Cookies, Tracking, and Analytics
- Lobi does NOT use tracking cookies
- Lobi does NOT use analytics tools (no Google Analytics, Hotjar, Facebook Pixel, or similar)
- Lobi does NOT use behavioural tracking of any kind
- Lobi does NOT use fingerprinting or device identification
- Essential cookies may be used for authentication (login session management) only
13. Marketing Communications
- We will ONLY send you marketing communications if you have explicitly opted in
- You can opt out at any time by clicking unsubscribe or emailing hello@heylobi.com.au
- Transactional emails (signup confirmation, password reset, data breach notifications) are not marketing and will be sent as necessary
- We comply with the Spam Act 2003 (Cth) for all electronic communications
14. Changes to This Policy
We may update this policy from time to time. For material changes:
- We will notify you by email at least 14 days before the changes take effect
- We will clearly describe what has changed
- Continued use of Lobi after the effective date constitutes acceptance of the updated policy
- The current version will always be available at heylobi.com.au/privacy
15. Contact Us
For questions, access requests, complaints, or any privacy concerns:
Email: hello@heylobi.com.au
You can also contact the OAIC:
- Website: oaic.gov.au
- Phone: 1300 363 992
- Online complaint form: oaic.gov.au/privacy/privacy-complaints
Also read: Terms of Service