Coming soon

The Kookabytes app is on its way.

Join the waitlist
Kookabytes

Privacy is a product decision, not a policy doc

Built so your IT team has nothing to argue about.

Australian-hosted, APP-aligned, and architected so we never need to collect personal data from a child to teach them about online safety.

  • Sydney-hosted data

    All school and student data is Sydney-hosted in Australia. Never leaves the country.

  • APP-aligned

    Aligned with the Australian Privacy Principles. Encryption in transit and at rest. Role-based access.

  • No PII from kids

    Students log in with a class code and three animal icons. No emails, no surnames, no birthdays collected.

  • DPIA on request

    Data Protection Impact Assessment available for your IT team or system office. We sign your DSA.

Our commitments in plain English

Where your data lives

  • All school and student data is Sydney-hosted in Australia.
  • No data is ever transferred outside Australia. CDN edges may serve static images globally; no personal data flows through them.
  • Backups are encrypted and stay within the Sydney region.

What we collect about students

  • Student first name (or chosen nickname) and class. That’s it.
  • No emails, surnames, dates of birth, addresses, or photos.
  • Login is a class code plus a three-icon picture password — credentials kids can remember without storing PII.

What we collect about staff

  • Work email, name, role, and the school you’re part of.
  • Standard auth metadata for security (last sign-in, IP for the auth event, audit log of administrative actions).
  • Billing handled by a PCI-DSS-compliant payments provider; we never see card numbers.

Who can see what

  • Row-level security on every table. Teachers see their classes; school admins see their school; super-admins (us) see only what’s needed for support and only with a logged justification.
  • Per-school subdomain isolation on the roadmap.

Compliance

  • Aligned with the Australian Privacy Principles (APPs).
  • Aligned with the eSafety Commissioner’s Best Practice Framework for online safety education.
  • Working toward NSW DET Information Asset Register (IAR) compatibility.

Documents your IT team may want

Data Protection Impact Assessment (DPIA)

Available to your IT or DPO team on request before procurement.

Data Sharing Agreement (DSA)

We sign your school or system office's standard DSA. Send it through.

Sub-processor list

Named list of every third party that touches data (Sydney-hosted database, payments provider, transactional email, CDN). Available on request and updated whenever it changes.

Incident response

Notification to affected schools within 24 hours of confirmed breach. We follow OAIC guidance.

Coming soon

Tilly's nearly ready. Are you on the list?

The Kookabytes app drops soon. Join the waitlist and you'll be first in when it ships.

Coming soon · Sydney-hosted · join the waitlist

Tilly, ready
Crook, sulking