ROXWHY AI – Privacy Policy
Last updated: 13 July 2025
MXN Technology Pty Ltd trading as ROXWHY AI (ABN 18688619856) ("MXN Technology", "ROXWHY AI", "we", "our" or "us") operates the RoxWhy learning‑assistant platform, available at roxwhy.com.au and related sub‑domains, mobile apps and integrations (together, the Services).
We are committed to protecting your privacy and handling personal information in accordance with:
- the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
- where applicable, the EU/EEA General Data Protection Regulation (GDPR); and
- any other privacy laws that apply to the jurisdictions in which we operate.
By accessing or using the Services you confirm that you have read and understood this Privacy Policy and consent to the handling of your personal information as described below. If you do not agree, please do not use the Services.
1. Who this policy applies to
This policy applies to:
- visitors to our websites;
- registered users of the RoxWhy platform (e.g. students, educators, administrators); and
- representatives of schools, universities, businesses or other organisations that contract with us.
If you are under 18 years of age you should review this policy with a parent or legal guardian. Users under 15 years must obtain verifiable parental or guardian consent before using the Services.
2. The information we collect
Category | Examples | Purpose |
---|---|---|
Identity & contact data | First name, surname, e‑mail address, school/institution, role (student, teacher etc.), account password, subscription details. | To create and manage accounts, authenticate users, provide support and comply with legal obligations. |
Educational data | Subjects studied or taught, assessment responses, progress metrics, feedback, learning analytics. | To personalise learning, track progress, provide reports to educators/institutions and improve the platform. |
Technical & usage data | IP address, device type, browser, operating system, language settings, referring URLs, page views, session duration, error logs. | To secure and optimise the Services, detect fraud, compile statistics and guide product development. |
SSO / third‑party log‑in data | Name, e‑mail and tokens supplied by Google, Microsoft or similar identity providers (if you choose single sign‑on). | To streamline registration and log‑in and link your third‑party account to RoxWhy. |
Cookies & similar tech | Small data files stored on your device, plus local storage, pixels and scripts. | To remember preferences, maintain sessions, measure traffic and deliver core functionality. |
We may also create or collect aggregated, de‑identified or anonymised information that cannot reasonably identify you; we may use or disclose such information for any lawful purpose.
3. How we collect information
- Directly from you – when you register, complete a profile, submit answers, contact support or otherwise interact with the Services.
- Automatically – via cookies, server logs and analytics tools when you use or navigate the Services.
- From your institution or employer – where an organisation provisions accounts or provides enrolment information.
- From third parties – identity providers (SSO), payment processors or integrated services you authorise.
You may refuse to provide certain information, but some features may then be unavailable.
4. Why we collect, use and disclose personal information
We handle personal information only where it is reasonably necessary for our functions and activities, including to:
- Provide and operate the Services – create accounts, deliver content, enable AI‑driven assistance, issue certificates and process payments.
- Personalise learning – adapt lessons, recommend resources and generate analytics reports for students and educators.
- Communicate with you – send service messages, respond to enquiries, notify you of material changes and (with your consent) send optional updates or research invitations.
- Improve and develop – analyse usage trends, test features, conduct surveys and train our models (using de‑identified data where feasible).
- Ensure security and integrity – authenticate users, detect misuse, prevent fraud and enforce our Terms of Use.
- Comply with law – satisfy record‑keeping obligations, respond to lawful requests and resolve disputes.
Under the GDPR our legal bases for processing typically include: performance of a contract; legitimate interests (e.g. product improvement, fraud prevention); consent (where required for marketing or cookies); and compliance with legal obligations.
We will not use or disclose personal information for any secondary purpose unless:
- you have consented;
- it is required or authorised by law; or
- the APPs or GDPR otherwise permit.
5. Sharing your information
We do not sell, rent or trade personal information.
We disclose information only to:
- Authorised personnel of ROXWHY AI who need it to perform their duties.
- Service providers (sub‑processors) that support hosting, storage, analytics, authentication, communications, customer support and AI functionality. Each provider is bound by written agreements requiring confidentiality, robust security and compliance with applicable privacy laws. A current list is available on request.
- Institutional clients – where a school or organisation administers your account, authorised staff may access student progress and analytics.
- Regulators, courts or law‑enforcement – where disclosure is required or permitted by law.
- Successors in a business transaction – in the event of a merger, acquisition or asset sale, subject to the same or equivalent protections.
6. International transfers & data residency
User location | Primary storage location | Safeguards for cross‑border transfers |
---|---|---|
Australia & other non‑EU regions | Australia | APP 8 and contractual clauses with sub‑processors. |
EU/EEA | EU/EEA data centre(s) | GDPR‑aligned controls, including Standard Contractual Clauses (SCCs), when data is accessed outside the EU/EEA. |
Some limited metadata or anonymised content may transit or be processed in other jurisdictions to maintain service performance. Personal identifiers are transferred only where essential and protected by contractual and technical safeguards.
We will notify institutional clients at least 30 days in advance of any material changes to data‑hosting locations or new sub‑processors.
7. Security
We apply industry‑standard technical and organisational measures, including:
- TLS 1.2+ encryption in transit and AES‑256 encryption at rest.
- Role‑based access controls and multi‑factor authentication.
- Secure software development life‑cycle (SDLC) and code reviews.
- Continuous monitoring, intrusion detection and independent penetration testing.
- Regular, encrypted backups and disaster‑recovery planning.
Despite our efforts, no method of transmission or storage is completely secure. You are responsible for safeguarding your password and promptly notifying us of any suspected unauthorised use.
8. Data retention & deletion
We retain personal information only for as long as necessary to fulfil the purposes described above, and thereafter for:
- statutory retention periods (e.g. taxation or financial reporting); or
- the resolution of disputes or enforcement of agreements.
Standard retention schedule
Account type | Retention trigger | Deletion timeframe |
---|---|---|
Year 12 students | End of academic year | Automatic deletion within 90 days unless account is linked to an ongoing subscription. |
Individual subscribers | Subscription expiry | Permanent deletion or anonymisation within 90 days, unless required by law. |
Institutional licences | End of contract | Data deleted or returned to the institution per contractual terms (default 90 days). |
Your choices
- Access & correction – Contact support@roxwhy.com.au to request a copy of, or correction to, your personal information. We will respond within 30 calendar days unless a lawful exception applies.
- Deletion (right to erasure) – You may request full deletion of your account. Because your data is intertwined with platform functions, selective deletion is not currently possible. Deleted data cannot be recovered.
- Data portability – Schools and institutions may request an export of their data (CSV or JSON) at any time, free of charge unless unreasonably burdensome.
9. Direct marketing
We will not use your personal information for unsolicited marketing. Where you have opted in to receive updates, you may unsubscribe at any time by following the instructions in the message or contacting us.
10. Cookies & tracking technologies
We use first‑party and third‑party cookies, pixels and local storage to:
- maintain sessions and security;
- remember preferences;
- measure usage and performance; and
- improve content relevance.
Most browsers let you refuse or delete cookies, but some features of the Services may not function properly if you do so. For EU/EEA visitors we seek consent to non‑essential cookies in accordance with the ePrivacy Directive and GDPR.
11. Children's privacy
We do not knowingly collect personal information from children under 13 years without parental consent. If we become aware that a child under 13 has provided personal information without such consent, we will delete it as soon as practicable.
12. Data breach notification
In the unlikely event of a data breach likely to result in serious harm, we will:
- Contain and assess the breach.
- Notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme; and, where applicable, notify EU/EEA supervisory authorities within 72 hours as required by the GDPR.
- Take remedial action to prevent recurrence.
13. Your rights under the GDPR (EU/EEA users)
Subject to conditions, you may have the right to:
- access, correct or erase your personal data;
- restrict or object to processing;
- receive a portable copy of data you have provided;
- withdraw consent at any time (without affecting prior processing); and
- lodge a complaint with your local supervisory authority.
Please contact our Privacy Officer to exercise these rights.
14. Changes to this policy
We may amend this Privacy Policy from time to time. If a change materially affects your rights we will give reasonable notice (e.g. via e‑mail or in‑app message). The "Last updated" date at the top indicates the current version.
15. Contact us & complaints
Privacy Officer
MXN Technology Pty Ltd
E‑mail: support@roxwhy.com.au
If you believe we have breached your privacy rights you may lodge a written complaint with our Privacy Officer. We will respond within 30 days. If you are not satisfied, you may contact the:
Office of the Australian Information Commissioner (OAIC)
oaic.gov.au | 1300 363 992
EU/EEA users may also complain to their national supervisory authority.
This Privacy Policy is provided for general information and does not constitute legal advice. You should obtain independent advice to ensure that the policy meets your specific legal requirements.