Privacy Policy
Last updated: 5 July 2026
1. Introduction & Scope
edu.games (“edu.games”, “we”, “us”) operates a learning-games marketplace and platform for schools and universities, including the marketplace, developer, teacher and student portals, the xAPI Learning Record Store (LRS), and this documentation site. This Privacy Policy explains what data we collect and how we use it. By using the platform you accept this policy.
2. Information We Collect
Waitlist & marketing. When you join our waitlist we collect the email address you submit. Waitlist entries are stored in our Supabase database and a confirmation email is sent via Resend.
Account data. When you register we create an account through Supabase authentication and store profile details you provide: display name, school, class code, biography, and website.
Payment data. Purchases are processed by Stripe. We receive transaction and purchase records; we do not store full payment card numbers — Stripe acts as the payment processor.
Learning records (xAPI). As learners play games, games send xAPI statements to our LRS. These describe an actor (identified by email/mbox or an opaque account identifier), a verb, an activity, and results such as scores, completion, and timestamps.
Technical & diagnostic data. We use cookies and session tokens to keep you signed in, and we log basic request data to operate and secure the service. If the platform encounters an error, diagnostic information (such as stack traces and the page or request involved) is sent to our error-monitoring provider, Sentry, to help us fix it.
3. How We Use Information
We use data to operate the platform, deliver and run games, generate learning analytics for educators, process payments, send transactional email and (where you have opted in) marketing email, monitor and fix errors, and to maintain and improve the service.
4. Student & Education Data
A significant portion of the learning-record data we process concerns students, some of whom may be minors. Where edu.games processes student data on behalf of a school or university, we act as a data processor / service provider under the direction of that institution. The institution is responsible for establishing a lawful basis and obtaining any consents required before students use the platform. Our Data Processing Agreement governs this relationship in more detail for institutions that require one.
5. Children’s & Minors’ Privacy
The platform is designed for use within educational institutions. We do not knowingly collect personal data directly from children outside an institutional relationship. Responsibility for parental or guardian consent, and for compliance with laws protecting minors, rests with the school or university deploying edu.games.
6. Legal Bases & Regional Rights
edu.games is operated from Australia and handles personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Where the GDPR applies, we rely on the following legal bases depending on the activity: performance of a contract with you or your institution (running your account and delivering games), compliance with a legal obligation, our legitimate interests (securing the platform, preventing fraud and abuse, and improving the service), and your consent (for example, marketing email or optional cookies), which you may withdraw at any time.
For users in the EU and UK, you have rights of access, rectification, erasure, restriction, objection, and portability, as set out in Section 11 below. If you are not satisfied with how we handle your personal data, you also have the right to lodge a complaint with your local supervisory authority — for example, the Information Commissioner’s Office (ICO) in the UK, your national data protection authority in the EU, or the Office of the Australian Information Commissioner (OAIC) in Australia. For US educational records, we recognise the relevance of FERPA and support institutions in meeting their obligations. Data-subject and parental requests should be directed to the relevant institution, or to edu.games where we are the controller.
7. Sharing & Third-Party Processors
We share data only with processors that help us run the platform: Supabase (authentication, database, and waitlist), Resend (email), Stripe (payments), Cloudflare R2 (game file storage), Vercel (hosting), and Sentry (error monitoring). We do not sell personal data, and we do not share it for cross-context behavioural advertising. A current, versioned list of our sub-processors — including their role and how to be notified of changes — is available at edu.games/subprocessors.
8. Cookies & Similar Technologies
We use strictly necessary cookies to keep you signed in and to protect the platform (for example, session and authentication cookies set by Supabase). We do not currently use third-party advertising or cross-site tracking cookies. Most browsers let you block or delete cookies through their settings; doing so may prevent you from signing in or using parts of the platform. If we introduce analytics or preference cookies in future, we will update this policy and provide a way to manage your choices.
9. Data Retention
We retain waitlist emails until you unsubscribe, account and profile data for the life of your account, and learning records for the period agreed with the relevant institution. xAPI statements are immutable by specification and are retained accordingly. Diagnostic data sent to Sentry is retained according to Sentry’s standard retention window before automatic deletion.
10. Security
We protect data in transit with encryption and restrict access to authorised systems and personnel. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
11. Your Rights & Choices
You may request access to, correction of, or deletion of your personal data, and you may opt out of marketing email at any time. To protect your data, we may need to verify your identity before actioning a request. Contact us using the details below to exercise these rights.
12. California Privacy Rights
If you are a California resident, the CCPA (as amended by the CPRA) gives you the right to know what personal information we collect and why, to request deletion or correction of your personal information, and to opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined by California law. You may exercise these rights yourself or through an authorised agent, and we will not discriminate against you for doing so. Contact privacy@edu.games to make a request.
13. International Transfers
The processors listed above may store or process data outside your country, including in Australia where edu.games is based. Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses and, for UK transfers, the UK International Data Transfer Addendum, as set out in our Data Processing Agreement.
14. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated through the platform or by email, and the “Last updated” date above will change.
15. Contact
Questions about this policy, and requests concerning your personal data, can be sent to privacy@edu.games.