Nurture Privacy Policy (Australia)

V 1.1 Created 17th Dec 2025

This Privacy Policy explains how we collect, hold, use and disclose personal information for Australian schools using the Services, and how you can access/correct information or make a complaint. It is intended to align with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1) Scope and how the Services are deployed

This policy applies to our website(s) and web application, our Microsoft Teams application, and our Canvas integration (together, the "Services").

Australian schools may use Nurture in either of these deployment models:

  • Customer-tenant deployment: Nurture is deployed into the school’s own Microsoft/Canvas environment (the "School Tenant"). Student submissions and teacher content are stored in the School Tenant.
  • Nurture AU tenant: the school uses a Nurture-controlled environment hosted in Australia.

2) Roles in schools

Where a school or education authority uses Nurture, it typically administers the workspace and controls how student and staff information is used within that workspace. We provide and operate the Services to support the school’s educational workflows.

3) Personal information we collect and hold

We may collect and hold the following types of personal information:

  • Account and workspace information (staff/admin): name, school email, role/permissions, school/organisation details, identifiers required to provide access.
  • Student information (as configured by the school): student name or identifier, class/course context, and education content submitted through the Services.
  • User-provided content: student work, teacher instructions, curriculum documents, feedback, rubrics/marking criteria, and other content a user chooses to enter, upload, or paste.
  • Support and communications: information you provide when contacting support (and any attachments/content you include).
  • Technical and usage information: security and operational logs, device/browser details, timestamps, and usage metrics necessary to operate and secure the Services.

4) How we collect personal information

We collect personal information:

  • directly from users (when they enter or upload content);
  • from the school/education authority (where provisioning/synchronisation is enabled);
  • via Microsoft Teams / Canvas integrations as configured by the school; and
  • automatically through use of the Services (e.g., operational and security logging).

5) Why we collect, use and disclose personal information

We collect, use and disclose personal information to:

  • provide, operate, maintain and secure the Services;
  • create and manage school workspaces, accounts, permissions, and integrations;
  • process and display content within the workspace (including student work and teacher outputs);
  • provide support and respond to requests;
  • monitor reliability, prevent misuse, and maintain service performance; and
  • comply with legal obligations and manage disputes.

6) AI features

Nurture includes AI-assisted features to support educational workflows (for example, drafting feedback, summaries, learning outcomes, rubrics, or marking guidance).

Customer-tenant deployment (School Tenant): AI processing occurs within the school’s tenant using an Azure deployment in the Australian region, and Nurture does not store copies of student submissions/teacher content in Nurture systems as part of that processing.

Nurture AU tenant: AI processing occurs within Nurture’s Australia-hosted environment.

What data the AI processes:

  • user-provided content (e.g., student work, teacher instructions, curriculum documents, marking criteria); and
  • a first name only (for personalisation).

We do not intentionally send other account profile fields (such as surnames or email addresses) to AI prompts. If other personal information appears in AI processing, it is because it was included in user-provided content.

Human review: Teachers can review, edit, and override AI outputs before they are shared or saved.

Training use: We do not use Customer Data submitted through the Services to train or improve general-purpose AI models.

7) Where data is stored and processed

For Australian deployments, Account PII and Customer Data are hosted and processed in Australia for both deployment models described in section 1.

  • Customer-tenant deployment: student submissions and teacher content are stored in the School Tenant.
  • Nurture AU tenant: Customer Data is stored in Nurture-controlled infrastructure hosted in Australia.
  • Service providers (subprocessors): for Australian deployments, the only subprocessors intended to process Account PII and/or Customer Data are configured for Australian data hosting (see our Subprocessors / Third-Party Suppliers list).
  • Technical telemetry (limited): we may send de-identified technical telemetry (for example, event IDs, device/browser details, diagnostics) to operational tooling such as monitoring and code-hosting services. This telemetry is configured to exclude Account PII and Customer Data.
  • Overseas access (within Nurture): authorised Nurture personnel located outside Australia (e.g., Ireland) may access personal information from time to time for limited purposes such as support, security, reporting, and service administration. This does not change where the data is hosted.

8) Disclosures to third parties

We may disclose personal information to:

  • the relevant school/education authority and authorised users within that organisation;
  • our approved service providers (subprocessors) that support delivery of the Services (e.g., hosting, email delivery, support tooling, monitoring), limited to what is required for their role; and
  • regulators, law enforcement, or other parties where required or authorised by law.

A list of key suppliers/subprocessors (and which ones process Account PII and/or Customer Data) is available at gonurture.com/security.

9) Notifications (Microsoft Teams)

Nurture may send notifications within Microsoft Teams, including in-app notifications and direct messages (where enabled by the school). Notification settings can be managed in Microsoft Teams and/or by school configuration.

10) Data security

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Safeguards include encryption in transit and at rest, access controls, and monitoring.

11) Data retention and deletion (30 days)

We retain personal information only for as long as necessary to provide the Services and meet legal, security, and operational requirements.

  • Active accounts: retained while the school workspace/account remains active.
  • Inactive accounts: may be deleted or de-identified after a period of inactivity, unless required or permitted to retain it for legal, security, or dispute-resolution purposes.
  • Deletion requests (30 days): schools (or authorised administrators) can request deletion by contacting support@gonurture.com. We will delete or de-identify personal data from Nurture-controlled active systems within 30 days of a verified request, except where retention is required or permitted for legal, security, audit, or backup purposes.
  • For customer-tenant deployments, deletion of data stored in the School Tenant is controlled by the school’s tenant settings and retention policies.

12) Access and correction

You may request access to, or correction of, personal information we hold about you by contacting us. We may need to verify identity and, where the school controls the workspace, we may direct requests through the school administrator.

13) Complaints

If you have a complaint about how we handle personal information, contact support@gonurture.com (Attn: Privacy) with details. We will investigate and respond within a reasonable time. If you are not satisfied, you may complain to the Office of the Australian Information Commissioner (OAIC).

14) Data breaches

We maintain an incident response process for suspected or confirmed data breaches. Where the Notifiable Data Breaches (NDB) scheme applies and an eligible data breach occurs, we will notify affected individuals and the OAIC as required.

15) Contacting Us

Privacy contact: daniel@gonurture.com

Information Security Manager: Daniel Paul

Need help or have questions?
Contact us

Save time and deliver higher-quality feedback.
Help your students fulfil their potential.
Helping schools make the shift from summative to formative.

Nurture
About UsCareersGuidesContact UsRequest Demo
Legal
Terms of UsePrivacy PolicyGDPR & DPASecurity Centre
© Nurture 2025