    Gabuu Privacy Policy

    Effective Date: 27 February 2026

    Last Updated: 27 February 2026

    Gabuu (“we”, “us”, “our”) operates the web application located at gabuu.app (the “Platform”). Gabuu is operated by Geoff Mallinson as an unincorporated entity based in New South Wales, Australia.

    We are committed to protecting your privacy and handling your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy describes how we collect, hold, use, disclose and protect your personal information when you use the Platform.

    By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy.


    1. Scope

    This Privacy Policy applies to all users of the Platform, including:

    • Students
    • Educators (teachers, lecturers, facilitators)
    • School administrators and institutional contacts
    • Any other individuals who access or interact with the Platform

    Where the Platform is used within a school or institutional setting, the relevant institution may also have its own privacy obligations. This Policy addresses Gabuu's obligations as the operator of the Platform.


    2. What Personal Information We Collect

    We collect only the personal information that is reasonably necessary for us to provide and improve the Platform. The types of personal information we may collect include:

    2.1 Information provided at sign-up

    • Full name
    • Email address
    • School or institution name

    This information may be provided directly by the user or by an authorised educator or school administrator on behalf of the user.

    2.2 Usage and analytics data

    We collect de-identified usage and analytics data through Vercel Analytics to understand how the Platform is used and to improve performance. This may include:

    • Pages visited and features used
    • Session duration and frequency
    • Browser type and device information
    • General geographic location (country/region level, not precise location)

    Vercel Analytics is privacy-focused and does not use cookies for tracking. For more information, see Vercel's Privacy Policy.

    2.3 User-generated content

    • Flashcards, study sets, and other learning content created by users
    • Study performance data (e.g. card review history, recall accuracy, scheduling data)

    2.4 Information we do not collect

    • We do not collect dates of birth, government identifiers, or financial information
    • We do not collect sensitive information as defined under the Privacy Act (e.g. health information, racial or ethnic origin, political opinions, religious beliefs)

    3. How We Collect Personal Information

    We collect personal information through:

    • Direct collection — when you create an account or interact with the Platform
    • Institutional provision — when a school or educator creates accounts or provides information on behalf of users
    • Automated collection — through Vercel Analytics when you use the Platform

    We will not collect personal information by unlawful or unfair means.


    4. Purpose of Collection — How We Use Your Information

    We use your personal information for the following purposes:

    1. Providing the Platform — to create and manage your account, deliver learning content, and operate the spaced repetition and retrieval practice features
    2. Personalising the learning experience — to adapt study schedules, difficulty, and content sequencing based on your performance
    3. Communication — to send you important service notifications, respond to enquiries, and provide support
    4. Analytics and improvement — to understand usage patterns and improve Platform features, performance, and reliability
    5. Institutional reporting — to provide educators and school administrators with aggregated engagement and performance data for their students
    6. Legal compliance — to comply with applicable laws, regulations, and legal processes

    We will not use your personal information for any purpose other than those set out above, or a purpose you would reasonably expect, unless we obtain your consent or are required or authorised by law.


    5. Artificial Intelligence

    The Platform uses artificial intelligence (AI) models, including Claude (Anthropic) and OpenAI, to assist with flashcard generation and content creation.

    Our AI commitments:

    • No user-identifiable information is sent to any AI model. All data transmitted to AI services is de-identified and contains only the content necessary to generate the requested output (e.g. subject matter text for flashcard creation).
    • Your data is not used to train AI models. We have confirmed with our AI providers that data submitted through our API integrations is not used for model training purposes.
    • There is no open chat interface to AI. AI functionality is limited to specific, educator-directed tasks such as content generation.
    • AI content protection measures are in development to safeguard the integrity of educator-created materials.

    6. Disclosure of Personal Information

    We may disclose your personal information to:

    6.1 Service providers

    We use the following third-party service providers who may process data on our behalf:

    Provider             Purpose                               Data Location
    Supabase             Database hosting and authentication   Sydney, Australia
    Vercel               Application hosting and analytics     Sydney, Australia (nearest region)
    Anthropic (Claude)   AI-assisted content generation        United States (no PII transmitted)
    OpenAI               AI-assisted content generation        United States (no PII transmitted)

    6.2 Educators and institutions

    Where the Platform is used within a school or institutional setting, we may share student engagement and performance data with the relevant authorised educators and administrators. This data is shared to support teaching and learning outcomes and is limited to what is reasonably necessary for that purpose.

    6.3 Legal requirements

    We may disclose personal information where required or authorised by law, including in response to:

    • Court orders or subpoenas
    • Requests from regulatory authorities (e.g. the Office of the Australian Information Commissioner)
    • Obligations under the Notifiable Data Breaches scheme

    We will not sell, rent, or trade your personal information to any third party.


    7. Cross-Border Disclosure

    Our primary data storage is located in Australia (Supabase, Sydney region; Vercel, Sydney region).

    When AI models are used for content generation, de-identified content data (containing no personal information) may be transmitted to servers located in the United States operated by Anthropic and OpenAI. As no personal information is included in these transmissions, cross-border disclosure obligations under APP 8 are not engaged. We nonetheless maintain contractual and technical safeguards to ensure appropriate data handling.

    We will notify you and update this Policy if our data storage or processing arrangements change in a way that involves cross-border disclosure of personal information.


    8. Data Security

    We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. Our security measures include:

    • SOC 2 compliant infrastructure — our hosting provider (Vercel) maintains SOC 2 compliance (security.vercel.com)
    • Australian-hosted database — all user data is stored in Supabase's Sydney, Australia region
    • Strong authentication — a minimum 14-character password requirement
    • Encryption — data is encrypted in transit (TLS) and at rest
    • Access controls — access to personal information is restricted to authorised personnel only
    • No PII in AI pipelines — personal information is never transmitted to AI providers

    We regularly review our security practices and will update them as appropriate.


    9. Children and Young People

    The Platform is designed for use by students, including those under the age of 18. We recognise the heightened obligations that apply to the handling of children's personal information under the Privacy Act and OAIC guidance.

    Our approach:

    • Access for students under 18 is typically mediated through their school or educator, who is responsible for obtaining appropriate consent for the student's use of the Platform
    • We minimise the personal information collected from all users, including children
    • We do not collect sensitive information from any user
    • We do not include social features, open chat, or user-to-user communication that could expose children to risk
    • Educator-created content is the primary content source, reducing exposure to inappropriate material

    Where a school or institution provides student information to Gabuu, the institution acts as the data controller for those students, and we process that data on its behalf in accordance with this Policy and any applicable data processing agreement.

    Parents or guardians who have questions about their child's use of the Platform are encouraged to contact the relevant school or institution, or to contact us directly at contact@gabuu.app.


    10. Cookies and Tracking Technologies

    The Platform uses Vercel Analytics, which is a privacy-focused analytics solution. Vercel Analytics does not use cookies for tracking purposes and does not collect personally identifiable information.

    We do not use third-party advertising cookies, remarketing pixels, or behavioural tracking technologies.

    If our use of cookies or tracking technologies changes in the future, we will update this Policy and, where required, seek your consent.


    11. Accessing and Correcting Your Personal Information

    Under APP 12 and APP 13, you have the right to:

    • Access the personal information we hold about you
    • Request correction of any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading

    To make a request, please contact us at contact@gabuu.app. We will respond to your request within 30 days. There is no charge for making a request or for the correction of personal information. We may charge a reasonable fee for providing access if the request requires substantial effort.

    If we refuse a request for access or correction, we will provide you with written reasons for the refusal and information about how you may complain about the decision.


    12. Data Retention and Deletion

    We retain your personal information only for as long as is reasonably necessary for the purposes described in this Policy, or as required by law.

    • Account data is retained for the duration of your account. If you request deletion of your account, we will delete or de-identify your personal information within 30 days, except where retention is required by law.
    • Usage analytics data collected by Vercel Analytics is aggregated and de-identified.
    • User-generated content (e.g. flashcards, study sets) may be retained in de-identified form to support institutional content libraries, unless deletion is requested.

    To request deletion of your account and personal information, please contact us at contact@gabuu.app.


    13. Notifiable Data Breaches

    In the event of an eligible data breach (as defined under Part IIIC of the Privacy Act), we will:

    1. Take immediate steps to contain the breach and mitigate any harm
    2. Conduct an assessment to determine whether the breach is likely to result in serious harm to any individual
    3. If serious harm is likely, notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable, and in any event within 30 days of becoming aware of the breach
    4. Maintain a record of all data breaches, including those assessed as not reaching the notification threshold

    14. Future Payment Processing

    We intend to introduce paid subscription features in the future. When payment processing is implemented, it will be handled by Stripe, a PCI DSS-compliant payment processor. We will not store credit card numbers or payment card details on our servers. This Policy will be updated before any payment functionality is introduced, with details of how payment information is handled.


    15. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or other factors. When we make material changes, we will:

    • Update the “Last Updated” date at the top of this Policy
    • Where practicable, notify users via the Platform or by email

    We encourage you to review this Policy periodically. Your continued use of the Platform after changes are made constitutes acceptance of the updated Policy.


    16. How to Contact Us

    If you have any questions, concerns, or complaints about this Privacy Policy or our handling of your personal information, please contact us:

    Email: contact@gabuu.app

    We will acknowledge your enquiry within 7 days and aim to resolve any complaint within 30 days.


    17. Complaints

    If you are not satisfied with our response to a privacy complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

    • Online: oaic.gov.au/privacy/privacy-complaints
    • Phone: 1300 363 992
    • Post: GPO Box 5218, Sydney NSW 2001

    18. Applicable Law

    This Privacy Policy is governed by the laws of New South Wales and the Commonwealth of Australia, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
