How Orca collects, uses, stores and handles personal information in connection with the Orca activity planning platform and website.
[Company Name] Pty Ltd (ABN [XX XXX XXX XXX]) ("Orca", "we", "us", "our") operates the Orca activity planning platform ("Platform") and website at [URL] ("Website"). We are committed to handling personal information responsibly and in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This policy explains what personal information we collect, why we collect it, how we use and protect it, and what rights you have in relation to it. It applies to schools and educational organisations that subscribe to Orca ("Schools"), as well as to school staff, students, parents and guardians whose information is managed within the Platform, and to visitors to our Website.
Orca is primarily a business-to-business service. Much of the personal information we hold is provided to us by Schools as part of setting up and operating the Platform — for example, staff and student records uploaded by a school administrator. However, Orca also enables Schools to collect information directly from users (including staff, students and parents) through event forms. In these cases, the personal information is submitted directly by the individual. In all cases, the School determines what information is collected and for what purpose. The School is the data controller for that information. We act as a data processor, handling personal information only to deliver the service the School has contracted us to provide.
If you have questions about this policy or how we handle your information, please contact us at hello@orca.school.
The personal information we hold falls into the following categories, depending on how the Platform is configured by each School.
When a School subscribes to Orca, we collect information about the organisation and its nominated administrators, including:
Schools provide us with information about staff who will use the Platform, which may include:
Schools provide us with information about students in connection with activity planning and management. This may include:
Schools provide us with information about parents in connection with activity planning and management. This may include:
Orca allows schools to associate alerts with individual students to support safe and informed activity management. Alerts may include:
These alerts are entered and managed entirely by the School. We store and display this information within the Platform solely to support the School's activity management and duty of care responsibilities. Alert information is not used by us for any other purpose and is not shared with third parties other than our infrastructure sub-processors for storage purposes. Access to alert data by Orca staff is limited to what is necessary for the operation, maintenance and troubleshooting of the Platform, as described in Section 4.
Because alerts may include health information and other sensitive information (see Section 7), schools are responsible for ensuring appropriate consents have been obtained from parents or guardians before entering this type of information into the Platform.
Where a School provides contact details for parents or guardians in connection with student activities, this may include name, email address and phone number. This information is used only for the purposes configured by the School within the Platform.
Orca allows teachers and coordinators to attach forms to events as a way of collecting information from staff, students or parents. Forms may be used for a range of purposes at the School's discretion — for example, collecting permission responses, dietary preferences, emergency contact details, or any other information relevant to an activity or excursion.
Form responses may include:
Because form content is determined entirely by the School, we cannot predict or limit what categories of information may be submitted through forms. It is possible that form responses will contain sensitive information — for example, health details, dietary requirements or other personal circumstances — depending on the questions a teacher chooses to ask.
Form responses are stored within the Platform and are accessible only to authorised staff at the relevant School. We store this information solely to deliver the forms feature and do not use form response data for any other purpose. Schools are responsible for ensuring that any form questions are appropriate, that respondents have been informed about how their answers will be used, and that any necessary consents have been obtained — particularly where questions may elicit sensitive information or where forms are directed at minors.
When you access the Website or Platform, we automatically collect certain technical information including IP address, browser type and version, pages visited and timestamps. This information is used for security monitoring, access logging and improving the performance of the Platform.
Personal information enters the Platform through two main channels.
The first is information provided by Schools. Schools configure the Platform and upload staff and student records as part of administering the service. This includes account setup, student enrolments, alert information and other administrative data. In these cases the School is providing information on behalf of individuals, and the School is responsible for ensuring it has a lawful basis for doing so.
The second is information submitted directly by users. When a School attaches a form to an event, staff, students or parents may submit responses directly through the Platform. These responses — which may include free text, uploaded files or any other content a respondent provides — are collected directly from the individual completing the form. The content of these forms is determined by the School, not by us.
We also collect information:
Where a School provides information about individuals — including students who are minors — that School is responsible for ensuring it has obtained all necessary consents and has a lawful basis for sharing that information with us.
Where a School creates a form that will be completed by minors or that asks questions likely to elicit sensitive information, the School is responsible for ensuring appropriate consent has been obtained from parents or guardians before the form is issued.
We use the personal information we hold for the following purposes:
We do not use personal information — and in particular we do not use student information — for advertising, marketing to students, commercial profiling or any purpose unrelated to delivering the Platform to Schools.
We do not sell personal information to any third party under any circumstances.
Where we send marketing communications to school administrators about Orca features or updates, we do so in accordance with the Spam Act 2003 (Cth) and provide an opt-out mechanism in every communication.
The following third-party providers process personal information on our behalf as part of delivering the Platform. All data is stored and processed in Australia unless otherwise noted.
| Provider | Location | Purpose | Data processed |
|---|---|---|---|
| [Managed Hosting Provider] | Australia | Managed server hosting, server-level security, automated backups and infrastructure management | All data stored and processed on the Platform |
| [Cloud Infrastructure Provider] | Australia (Sydney) | Underlying cloud compute and storage infrastructure | All data stored on the Platform |
| Postmark (Wildbit LLC) | USA | Transactional email delivery (account notifications, system alerts, service emails) | Name and email address of recipients only |
The names of our infrastructure and hosting providers are available to Schools on request as part of security due diligence.
Note on Postmark: Postmark processes name and email address solely to deliver transactional emails on our behalf. This is the only personal data transferred outside Australia. Postmark holds SOC 2 Type II certification and does not use recipient data for any other purpose. Details are available at postmarkapp.com/security. By using the Platform, Schools consent to this limited transfer for transactional email purposes.
We will provide Schools with at least 30 days' notice of any changes to our sub-processors.
Sensitive information — as defined under the Privacy Act 1988 (Cth) — may be collected through the Platform in two ways.
Through student alerts: Schools may associate alerts with individual students to support duty of care and safe activity management. Alerts may include health information such as medical conditions, allergies or medication requirements, as well as behavioural or wellbeing notes. This information is entered and managed entirely by the School.
Through event forms: Because form content is determined by the School, it is possible that form responses submitted directly by staff, students or parents will contain sensitive information. For example, a teacher may ask about dietary requirements, health conditions, cultural considerations or other personal circumstances relevant to an activity. We cannot predict or control what sensitive information may be submitted through forms, as this depends entirely on the questions the School chooses to ask.
In both cases, we store sensitive information only because it has been provided through the Platform for the purpose of supporting the School's activity management. We do not use sensitive information for any other purpose, and we do not share it with any party other than our infrastructure sub-processors for storage.
Schools are responsible for:
If you wish to withdraw consent for sensitive information to be held, please contact your School administrator in the first instance. The School may then contact us to action the request.
All personal information collected through Orca is stored and processed in Australia. We do not transfer data outside Australia except as described in Section 6 in relation to Postmark.
We take reasonable technical and organisational steps to protect personal information from misuse, interference, unauthorised access, modification, disclosure and loss. These measures include:
Our hosting infrastructure is provided by certified third-party providers holding independently audited security certifications including SOC 2 Type II and ISO 27001. Full details are available on our Security page.
While we work hard to protect your personal information, no method of electronic storage or internet transmission is completely secure. We cannot guarantee absolute security, but we are committed to managing and minimising security risks on an ongoing basis.
We keep personal information for as long as is necessary to fulfil the purposes for which it was collected, and to meet our legal, contractual and reporting obligations.
Our standard retention periods are:
When a School's subscription ends:
Schools may request earlier deletion of specific records at any time by contacting us using the details at the end of this policy.
Under the Privacy Act 1988 (Cth), you have the right to request access to the personal information we hold about you, and to ask us to correct information that is inaccurate, incomplete or out of date.
Because Orca is a school-administered platform, personal information about staff and students is held on behalf of the School as data controller. We recommend that individuals contact their School administrator in the first instance. Schools can then contact us to action requests on their users' behalf.
To make a request directly to us, please contact hello@orca.school with your name and contact details. We may need to verify your identity before actioning a request. We will respond within a reasonable timeframe and in any event within 30 days.
There is no charge for making an access or correction request. In some circumstances we may be unable to provide access to all information we hold — for example, where doing so would unreasonably impact the privacy of another person — and we will explain our reasons if this occurs.
We take data breaches seriously. If we become aware of a data breach involving personal information that is likely to result in serious harm, we will:
Schools, as data controllers, are responsible for determining whether to make notifications to individuals under the NDB scheme, and we will cooperate fully with Schools in that process.
If there is a change of control in our business, or a sale or transfer of our business or assets, personal information held in our systems may form part of the assets transferred. Any such transfer would be made subject to confidentiality obligations and the incoming party would be required to handle personal information in a manner consistent with this policy and applicable Australian privacy law. We would notify affected Schools of any such change to the extent that we are legally able to do so.
Our Website may contain links to third-party websites that we do not operate or control. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies before providing any personal information to them.
We may update this privacy policy from time to time to reflect changes to the Platform, our practices, or applicable law. When we make material changes, we will notify Schools by email and update the date at the top of this page. We encourage you to review this policy periodically.
If you have a concern about how we have handled your personal information, please contact us in the first instance using the details below. We will acknowledge your complaint promptly and work to resolve it within a reasonable timeframe.
If you remain unsatisfied after contacting us, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
Website: www.oaic.gov.au
Phone: 1300 363 992
For questions about this privacy policy, to exercise your privacy rights, or to make a complaint, please contact:
See how Orca transforms activity management at your school. Book a personalised demo and we'll walk you through exactly how Orca fits your workflows.