Privacy Policy

AtarMate is operated from Melbourne, Australia. If you have a privacy question or want to make a complaint, email privacy@atarmate.app. We aim to respond within 7 business days. AtarMate is independent and not affiliated with VCAA or VTAC.

We try to collect as little as we can while still making the app useful.

• Account: your email address and a password (hashed — we never see it in plain text).
• Profile (optional): first name, year level, school name, graduation year, avatar choice. You can leave any of these blank.
• Study data: the VCE subjects you select, topic progress, SAC events you add, marks you record, and ATAR scenarios you save.
• Device data: if you opt in to push notifications, we store a device push token so we can send them. We don't track location, contacts, photos, microphone, or anything you didn't grant us.
• Crash and basic diagnostic data from Apple/Google when the app crashes, so we can fix bugs.

We do not use third-party advertising or analytics SDKs that track you across apps. We don't sell or rent personal information to anyone.

• To create your account and keep you signed in.
• To run the app's core features — predicting study scores and ATAR, tracking SACs, syncing progress between devices.
• To send you the notifications you opted in to.
• To respond when you contact support.
• To meet legal and security obligations (preventing abuse, investigating breaches, complying with lawful requests).

Your data is stored on Supabase infrastructure in the Sydney, Australia region. Communication between the app and the server is encrypted in transit (HTTPS). At rest, data sits behind Postgres row-level security: each user can only read or write their own rows.

The short version: nobody, except service providers we need to run the app.

• Supabase — our database, auth, and file storage provider (Sydney region).
• Apple Push Notification service and Google Firebase Cloud Messaging — to deliver push notifications you opted in to.
• Apple App Store / Google Play — for distribution and crash reporting.

We may disclose information if we're legally required to (court order, statutory request) or to protect our rights and the safety of users. We'll narrow disclosure to what's required.

AtarMate is built for VCE students, who are typically 16–18. If you are under 15 you should have a parent or guardian help you sign up and read this policy. We comply with the Australian Privacy Principles and will follow the Children's Online Privacy Code once it's registered. We don't profile users for advertising and we keep collection to the minimum needed to run the app.

You can, at any time:

• Access the data we hold about you — most of it is visible directly in the app. Email us if you want a full export.
• Correct anything inaccurate by editing your profile in the app or emailing us.
• Delete your account and all linked data from Profile → Settings → Delete Account in the app, or by emailing privacy@atarmate.app. Deletion completes within 30 days.
• Withdraw consent for notifications by disabling them in Settings → Notifications or in your device settings.
• Complain to us first; if you're not satisfied you can complain to the Office of the Australian Information Commissioner.

We keep your data while your account is active. When you delete your account, we remove your personal information within 30 days. Some logs (security events, payment records if applicable) may be retained for up to 12 months to meet legal obligations, after which they're deleted.

We encrypt data in transit (TLS) and at rest. Authentication uses Supabase Auth with email verification. Database access is enforced by row-level security. The app stores session tokens in the operating system keychain (iOS Keychain / Android Keystore). No system is perfect — if we ever have a breach likely to cause serious harm, we'll notify affected users and the OAIC under the Notifiable Data Breaches scheme.

The AtarMate marketing site uses only essential cookies for navigation and security. We don't run third-party advertising or analytics cookies on the marketing pages. The app itself doesn't use cookies — it talks to our API directly.

If we make material changes, we'll update the date at the top and notify you in-app the next time you open it. Minor clarifications happen without notice.

Email privacy@atarmate.app for any privacy question, access request, correction request, or deletion request. For everything else, email hello@atarmate.app.