ACTS Education
Privacy Policy
Last updated 26 April 2026
1. Who operates ACTS Education
ACTS Education (the “Service”, “ACTS”, or “Platform”) is operated by Evolve Simulations Pty Ltd (“Evolve Simulations”, “we”, “us”, or “our”), an Australian company. ACTS provides AI-assisted educational simulations to schools, tertiary institutions, TAFE providers, and other approved institutional customers (each, an “Institution”).
This Privacy Policy explains how we handle personal information when Institutions, educators, and learners use ACTS. It is written to be consistent with the Australian Privacy Principles in the Privacy Act 1988 (Cth) and, where applicable, equivalent state and territory information privacy laws and education-sector requirements.
2. Institution-managed accounts
ACTS uses an institution-governed account model. Learners cannot self-register. Educators are invited by Institution administrators, and learner accounts are provisioned by Institutions or their delegated educators.
When an Institution licenses ACTS, the Institution generally determines what learner data is uploaded, who is given access, what simulations are assigned, and how long records are retained, subject to the limits set out in this policy and our agreement with the Institution. Where the Institution makes those decisions, the Institution is the data controller (or equivalent) for that information and we act on the Institution’s behalf as a processor or service provider. Some processing — for example, security, billing, and platform integrity — is carried out by us as controller.
3. Information we collect
The categories of information ACTS may handle include:
- Account and profile data: name, role (learner, educator, Institution administrator, or ACTS administrator), Institution affiliation, cohort or class assignment, work email, and authentication identifiers.
- Simulation records: the structured record of a simulation attempt, including scenario identifier, timestamps, rubric outcomes, AI-generated feedback, and assessment reports.
- Transcripts: text transcripts of spoken or typed interactions in a simulation, where the simulation type produces them.
- Audio (optional): raw audio recordings of voice simulations are only stored when the Institution has explicitly enabled audio retention for that cohort or scenario and, where required, learner or guardian consent has been obtained. By default ACTS processes voice in real time and does not retain raw audio beyond what is needed to produce a transcript.
- Feedback and support data: messages, ratings, support tickets, and incident reports that you submit to us.
- Billing and credit ledger data: Institution-level billing information, package and credit ledger entries, invoices, and a mirror of payment metadata returned by our payment processor. We do not store full card numbers.
- Audit and security logs: sign-in events, role changes, access events, and other operational logs needed to keep the platform safe and accountable.
- Technical data: device, browser, IP address, and similar technical signals collected when you use the Platform.
We practise data minimisation: ACTS does not ask Institutions for learner information beyond what is necessary to deliver, assess, and support the simulations licensed by the Institution.
4. Learner data
We treat learner information with particular care. Specifically:
- Learner records are accessible only to the learner themselves and to authorised educators and administrators within the learner’s Institution, subject to role-based access controls.
- Learners always see what an educator can see about their own simulation activity from their learner dashboard, including transcripts and any retained audio that is associated with their account.
- We do not use learner data, transcripts, or audio to train, fine-tune, or evaluate AI models without the Institution’s written permission. Where AI models are used to generate feedback, those calls are made on a per-request basis and providers are contractually restricted from training on customer content (see “Subprocessors” below).
- ACTS is not positioned as an open-ended general-purpose chatbot for learners. Simulations are bounded scenarios designed and supervised by educators.
5. Audio, transcripts, and simulation records
Voice-based simulations use Microsoft Azure Speech (speech-to-text and text-to-speech) and related Azure AI services to produce a real-time conversational experience. By default:
- Audio is streamed for processing and is not retained as a stored file once the transcript has been produced.
- Transcripts and structured simulation records are retained so that educators can mark and give feedback, and so that learners can review their own attempts.
- Retention of raw audio is an explicit Institution opt-in and may be subject to additional consent requirements at the Institution level (for example, parental or guardian consent for minors).
- Where audio is retained, it is visible to the learner, the relevant educator, authorised Institution administrators, and authorised ACTS staff acting on a documented support or compliance request.
6. Why we use this information
We use personal information to:
- Deliver simulations, generate AI-assisted feedback, and produce assessment reports for the Institution.
- Authenticate users, enforce role-based access, and maintain the integrity and security of the Platform.
- Manage Institution billing, package and credit allocations, and related accounting records.
- Respond to support requests, investigate incidents, and meet our legal and contractual obligations.
- Improve ACTS — for example, by analysing aggregated and de-identified usage patterns. We do not use identifiable learner content for product improvement without the Institution’s permission.
7. Legal and privacy basis, in plain language
For most processing of learner and educator data, we act on behalf of the Institution under our service agreement and the Institution’s lawful basis (for example, performance of the Institution’s educational functions, the Institution’s legitimate interests in delivering and assessing learning, or consent obtained by the Institution).
For our own processing — security, fraud prevention, billing, legal compliance, and product integrity — we rely on our legitimate interests as an Australian education-technology provider, performance of contract with the Institution, and applicable legal obligations.
9. Role-based access and tenant isolation
ACTS enforces strict role-based access control. Learners see their own data; educators see the cohorts assigned to them; Institution administrators see only their own Institution; and ACTS staff have access only on a least-privilege, audited basis to operate, secure, and support the Platform.
Cross-tenant access is prevented at the database layer through row-level security policies. Service-role credentials are never exposed to the browser.
10. Retention
By default, ACTS retains simulation records, transcripts, and assessment reports for the duration of the Institution’s licence. Institutions can configure shorter retention windows for cohorts and scenarios, including making retained audio self-deleting, subject to any record-keeping obligations the Institution has under education-sector or public-records law.
Audit and security logs are retained for a longer period to allow incident investigation and to meet operational and regulatory obligations. Billing records are retained for as long as required by Australian taxation and accounting law.
When an account is deactivated or an Institution’s licence ends, we delete or de-identify learner data on the timeline set out in our agreement with the Institution.
11. How we protect data
ACTS uses encryption in transit (TLS) for all client traffic and encryption at rest for stored data. Access to production systems is restricted, MFA-protected, and logged. We follow secure-development practices including code review, dependency management, and automated checks against the OWASP Top 10. We monitor for incidents and have a documented response process; if a notifiable data breach occurs we will notify affected Institutions and individuals in line with the Notifiable Data Breaches scheme under the Privacy Act.
12. Learner and educator rights, and Institution requests
Learners and educators can normally access, correct, and download their information from inside ACTS. For any request that the Platform cannot service directly — for example, deletion of an account or a copy of all data held about a learner — the appropriate route is through the learner’s Institution, which controls the underlying records.
Where an individual contacts us directly, we will pass the request to the relevant Institution and assist that Institution to respond. We will respond directly to the individual where the law requires us to do so.
13. Children and school environments
ACTS is designed for institution-governed K-12, tertiary, TAFE, and training environments. Where ACTS is used with children, the relevant Institution is responsible for obtaining the appropriate parental or guardian consents and for setting age-appropriate configuration (including whether audio retention is enabled).
We will not knowingly process the personal information of a child in a way that conflicts with the consents and configuration set by the Institution.
14. International transfers and data residency
We aim to host ACTS data in Australian regions where possible. Some subprocessors — particularly cloud AI services — may process information in other regions. Where personal information is transferred outside Australia, we put contractual protections in place that are intended to be consistent with Australian Privacy Principle 8.
The list of regions used by current subprocessors is available to Institutions on request. Specific data-residency commitments may be made to an Institution in its order form.
15. How to contact us
For privacy questions, including to make a privacy complaint, please contact:
Privacy Officer, Evolve Simulations Pty Ltd
Email: privacy@actseducation.com.au
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).
16. Updates to this policy
We may update this Privacy Policy from time to time. Material changes will be notified to Institutions and shown on this page with a new version and date. Continued use of ACTS after an update constitutes acceptance of the updated policy, subject to the terms of the Institution’s agreement.
See also our Terms and Conditions.