Scope
This privacy policy applies to personal information held by Vast Puddle Pty Ltd (ABN 64 628 125 968) as the provider of the Junipa platform. Junipa acts as a data processor on behalf of schools (data controllers).
Information We Hold
Student Information
- Identity: name, date of birth, gender, student number
- Educational: year level, enrolment, adjustment level, disability category
- Health and wellbeing: medical conditions, wellbeing observations
- Support: case notes, Individual Education Plans, evidence records, behavioural observations
- Parent/guardian: name, email, phone, relationship
Teacher and Administrator Information
- Name, email, phone, role, employment status
- System usage and authentication logs
How We Collect Information
We collect information through:
- Direct input from school staff using the Junipa platform
- Integration with Student Information Systems (via Wonde API or LISS)
- CSV file imports uploaded by school administrators
How We Use Information
Information is used solely for the purposes directed by the school:
- NCCD compliance, record-keeping, and reporting
- Student plan management and evidence collection
- De-identified reporting for school administration
- System access, authentication, and support
We do not sell, trade, or share personal information with third parties for marketing or any purpose beyond service delivery.
Data Storage and Security
- All data is stored in Google Cloud Platform, Sydney region (australia-southeast1). No personal information leaves Australia.
- Encryption: AES-256 at rest, TLS 1.3 in transit
- Authentication: Firebase Auth with SSO (Azure AD, Google Workspace, SAML 2.0) and multi-factor authentication
- Access control: role-based (Teacher, Administrator, Auditor, Case Worker)
- Backups: automated daily, 30-day retention
For full security details, see junipa.com.au/data-security.
Data Retention
- Active subscriptions: data retained for the duration of the school's subscription
- Backups: 30-day automated retention, then purged
- Audit logs: retained for 7 years
- On termination: schools may request a full data export. Data is deleted within 90 days of contract termination, with written confirmation provided.
- Individual student records: schools can request deletion at any time
Sub-Processors
We use the following sub-processors to deliver the service:
- Google Cloud Platform (infrastructure, Sydney region) - SOC 2, ISO 27001 certified
- Cloudflare (WAF, DNS, CDN) - no personal data stored at edge
- Wonde (SIS integration, if configured by school) - ISO 27001 certified
Information Disclosure
We only disclose personal information when:
- Instructed by the school (data controller)
- Required by Australian law
- Necessary to prevent serious harm (e.g. mandatory reporting obligations)
Your Rights
Under the Australian Privacy Principles, you have the right to:
- Request access to your personal information
- Request correction of inaccurate personal information
- Request deletion of your personal information
- Request a copy of your data in a structured format
Requests can be made via your school or directly to us.
Data Breach Notification
In the event of a data breach involving personal information, we notify affected schools within 24 hours. We comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth).
