Privacy Policy

1. What personal information we collect and why

1.1 Waitlist and market activation form (/api/waitlist)

When you submit a request for access or a school activation via the form on our homepage, we collect the following information:

The legal basis for processing this information is your consent, given at the point of form submission. We do not pre-tick consent boxes. You may withdraw consent at any time by emailing liam@math.foundation.

Do not enter student personal information in the activation form. That form is for educators and account holders only.

1.2 Learner accounts (not yet live)

Production learner accounts — including school SSO, parent-linked student profiles, and learning records stored on our servers — are not yet active. When they launch, this policy will be updated and you will be asked to review it before creating an account. Any learner data collected at that point will be used solely to deliver the Math Foundation education service.

1.3 Information we do not collect

We do not collect payment card details directly. Paid checkout is handled by Stripe, a PCI-DSS compliant payment processor. We receive limited billing metadata such as plan, checkout session ID, payment status, receipt/invoice link, and the email address needed for onboarding and support. We do not purchase third-party marketing lists or profile users from external sources.

2. Local browser storage — what stays on your device

The Math Foundation alpha and demo pages store learner progress entirely in your browser using the browser's built-in localStorage API. This data never leaves your device unless you explicitly export a pilot packet (see section 4).

Data that may be stored locally includes:

• Learner name (or initials, at the user's discretion)
• Demo and exercise progress — questions attempted, answers given, misconception tags
• Family profiles — up to 6 named learner profiles per browser instance
• XP (experience points), streaks, and badges earned during practice sessions
• Mastery gate attempts and placement score
• Skill progress markers and spaced-review queue state
• Consent status and version recorded at profile creation

You can clear this data at any time by clearing your browser's local storage (browser Settings → Privacy → Clear browsing data → Cached/stored data). Clearing your browser data is permanent and cannot be undone by us because we have no copy of it.

Because this data is stored only in your browser, we are not a "controller" of it in the GDPR sense until it is transmitted to our servers. We recommend that shared-device users (e.g. school computer labs) clear local storage after each session.

3. Voice processing

Math Foundation offers a voice-input feature so learners can speak their answers rather than type them. We take a privacy-first approach to voice:

3.1 Browser speech recognition

Where supported, the learner's browser speech recognition API (e.g. Web Speech API) is used. Audio is processed by the browser itself or by the browser vendor's servers under the browser vendor's own privacy policy. We receive only the transcribed text string — not the raw audio.

3.2 On-device Whisper (whisper-tiny.en)

As an alternative to browser speech, Math Foundation may offer local inference via whisper-tiny.en, a small automatic speech recognition model that runs entirely within your browser using WebAssembly. When this mode is active:

• Audio is captured from the microphone and processed entirely on your device.
• No audio data is transmitted to our servers or any third-party server.
• Only the resulting text transcription is used to evaluate your answer.
• The Whisper model weights are downloaded once from a content delivery network and then cached locally. No user data is sent during inference.

3.3 What we receive

Regardless of the voice mode in use, the only information that may be sent to our servers is the text transcription of the learner's answer (e.g. "forty-two"), treated the same as a typed answer. We do not store, analyse, or share audio recordings.

3.4 Microphone permission

Your browser will ask for microphone permission before voice input is activated. You can revoke this permission at any time in your browser or device settings. Voice features are entirely optional — the product works fully without a microphone.

4. Pilot packet exports and consent versioning

4.1 Pilot packet contents

Educators and testers may export a "pilot packet" — a downloadable file containing a snapshot of a learner's local session. The packet includes:

• Learner profile data stored in local storage (name or initials, role, goal)
• Skill progress, mastery gate results, and misconception tags
• Spaced-review queue and telemetry counters (number of attempts, time-on-task estimates)
• Teacher intervention signals generated during the session
• Consent version field recording which privacy policy was acknowledged

This privacy policy was published under activation consent version market-activation-2026-06-14. Pilot packets exported from the alpha lab additionally carry their own pilot-consent version — currently alpha-pilot-2026-06-12 — stamped into each export so that schools can maintain compliant records of when consent was given and which policy applied.

4.2 Handling exported packets

A pilot packet is a file on your device. Once exported, it is your responsibility to handle it in line with your school's or organisation's data governance obligations. We recommend:

• Only exporting packets after parent, guardian, or school consent has been obtained.
• Using first names or initials rather than full names in roster fields during the alpha.
• Storing exported packets securely and deleting them when no longer needed.

We do not receive, store, or process pilot packets unless you email them to us as part of a support request, in which case they will be used only to diagnose the reported issue and deleted within 30 days.

5. Children's data and parental consent

Math Foundation is intended for learners of all ages, including children. We apply additional protections when learners are under 18 years of age.

5.1 Age gating

The market activation form requires the submitting adult to identify their role (parent, tutor, teacher, or school administrator). Learner accounts — when production accounts launch — will require a parent or guardian to create and manage accounts on behalf of learners under 13 years of age (or the applicable age of digital consent in the user's jurisdiction).

5.2 What parental consent covers

When a parent or guardian creates an account for a child, they consent on behalf of that child to:

• Storage of learner progress data in the Math Foundation service.
• Processing of voice input (text transcription only, audio not stored).
• Sharing of anonymised, aggregated learning analytics with the child's teacher or school where the child is enrolled in an institutional plan.

We will not use a child's data for advertising, behavioural profiling, or any purpose beyond delivering the Math Foundation education service. We will not sell a child's personal information under any circumstances.

5.3 Alpha period

During the current alpha, all learner data stays on the device (see section 2). No child's data is transmitted to our servers without an explicit export action by the supervising adult. Schools piloting the alpha should obtain appropriate parental consents before using the software with students, consistent with their own privacy obligations.

5.4 Australian law

The handling of children's personal information is subject to the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), in particular APP 3 (collection of solicited personal information) and APP 6 (use or disclosure). We treat all student data with the same care as sensitive information under APP 6.

6. How we share information

We do not sell, rent, or trade personal information with third parties for their own marketing or commercial purposes.

We may share personal information with:

• Service providers acting as our processors — for example, cloud hosting, email delivery, and analytics tools that we use to operate Math Foundation. These providers are bound by contractual obligations to process data only on our instructions and to maintain appropriate security.
• Schools and educators — where a learner is enrolled in a Classroom or School plan, the educator managing that account can see that learner's progress within Math Foundation. We do not share learner data with other schools or third parties outside the account.
• Legal obligations — if we are required by law, regulation, court order, or government authority to disclose personal information, we will do so and, where legally permitted, notify the affected individual.
• Business transfers — if Riverun Pty Ltd is acquired, merged, or its assets transferred, personal information may be transferred as part of that transaction. We will notify users via email or a prominent notice on this site before personal information is transferred and becomes subject to a different privacy policy.

7. Data retention

Where applicable law requires a shorter retention period, we will comply with that requirement. You may request earlier deletion at any time under section 9 or section 10 below.

8. Security

We implement reasonable technical and organisational measures to protect personal information against unauthorised access, loss, or disclosure. These include encrypted connections (HTTPS/TLS) for all data in transit, access controls limiting who within Riverun Pty Ltd can access personal information, and regular review of our security practices.

No transmission over the internet or electronic storage system is completely secure. If you have reason to believe your interaction with us is no longer secure, please contact us immediately at liam@math.foundation.

In the event of a data breach affecting your personal information, we will notify you and, where required, the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988.

9. Your rights — Australian Privacy Act 1988

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), you have the following rights:

• Access (APP 12): You may request access to the personal information we hold about you. We will respond within 30 days and, where reasonable and practicable, provide access in the format you request.
• Correction (APP 13): If personal information we hold is inaccurate, out of date, incomplete, irrelevant, or misleading, you may ask us to correct it.
• Anonymity (APP 2): Where lawful and practicable, you may interact with us without identifying yourself. The alpha demo is fully available without any account or name.
• Complaint to OAIC: If you are not satisfied with our handling of your personal information or our response to a complaint, you may contact the Office of the Australian Information Commissioner at oaic.gov.au or call 1300 363 992.

To exercise any of these rights, email liam@math.foundation with the subject line "Privacy Request". We may ask you to verify your identity before acting on your request.

10. Your rights — EU and UK (GDPR / UK GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) or UK GDPR may apply to the processing of your personal data. In addition to the rights described in section 9, you have:

• Right to erasure ("right to be forgotten"): You may ask us to delete your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and no other legal basis applies.
• Right to restriction of processing: You may ask us to pause processing of your data in certain circumstances.
• Right to data portability: You may ask for a copy of personal data you provided to us in a structured, machine-readable format.
• Right to object: You may object to processing based on our legitimate interests.
• Right to withdraw consent: Where we rely on your consent as the legal basis for processing, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

Legal basis for processing under GDPR: For waitlist / activation data, the legal basis is consent (Article 6(1)(a) GDPR). For production learner accounts, the legal bases will be contract performance (Article 6(1)(b)) and, for children's data, explicit parental consent (Article 6(1)(a) and Article 8).

Cross-border transfers: Riverun Pty Ltd is based in Australia. Australia is not currently the subject of an EU adequacy decision. If you are located in the EEA or UK, your personal data is transferred to Australia. We rely on Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. You may request a copy of applicable transfer mechanisms by contacting us.

To exercise GDPR rights, email liam@math.foundation. You also have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK at ico.org.uk, or your national supervisory authority in the EEA).

11. Cookies and tracking

Math Foundation uses minimal tracking. Specifically:

• We do not use third-party advertising cookies or cross-site tracking pixels.
• We may use a lightweight, privacy-respecting analytics tool to count page visits and measure which features are used, without identifying individual users. Any such tool is configured with IP anonymisation and without persistent cross-site identifiers.
• The waitlist form records the source page URL and user agent string for fraud prevention and duplicate detection — these are not used for advertising.

If and when we introduce additional cookies, we will update this section and, where required by law, obtain your consent before setting them.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes — for example, introducing server-side learner accounts, adding new data processors, or changing how voice data is handled — we will:

• Update the "Effective date" at the top of this page.
• Post a notice on math.foundation for at least 30 days.
• Where we have your email address, send you a notification.
• Increment the consent version identifier so that any data collected after the change carries the new version.

Your continued use of Math Foundation after the effective date of a revised policy constitutes your acceptance of the revised terms. If you do not agree, you may request deletion of your data as described in sections 9 and 10.

13. Contact and complaints

For any privacy question, access request, correction request, or erasure request, contact:

Riverun Pty Ltd
ABN 65 663 364 154
Ocean Grove, Victoria, Australia
Email: liam@math.foundation

We aim to respond to all privacy requests within 10 business days and to resolve them within 30 days. If we cannot respond within that time we will let you know and give you an expected resolution date.

If you are not satisfied with our response, you may escalate to:

• Australia: Office of the Australian Information Commissioner — oaic.gov.au, 1300 363 992
• UK: Information Commissioner's Office — ico.org.uk
• EEA: Your national data protection supervisory authority