Security & Privacy Overview
Aurvio is built for Australian families and schools. This page explains our security posture, data practices, and the design decisions that protect children's information.
Last reviewed: March 2026 · [email protected]
The short version
- 🇦🇺 All data is stored exclusively in Sydney, NSW — never offshore.
- 🔑 No child accounts. Parents manage everything via a parent-proxy model.
- 🚫 No advertising. No data sales. No third-party tracking of any kind.
- 🛡️ Designed to align with ST4S and the 13 Australian Privacy Principles.
- 🗑️ Full data deletion on request — no waiting, no fees.
- 📋 Notifiable Data Breaches scheme compliance — we notify you and the OAIC if required.
Sovereign Data — 100% Australian Hosted
All Aurvio data is stored exclusively in AWS ap-southeast-2 (Sydney, NSW) — an AWS region with data residency guarantees within Australian jurisdiction.
No data is transferred to, processed in, or accessible from overseas data centres. We do not use any third-party services that store personal data outside Australia.
This meets the requirements of Australian Privacy Principle 8 (cross-border disclosure of personal information).
ST4S Framework Alignment
Aurvio is designed to align with the Safer Technologies for Schools (ST4S) framework — the Australian Department of Education's standard for assessing the privacy and security suitability of digital tools used in schools.
Key ST4S requirements we address: data minimisation (only first name and year level for children), no advertising, no data monetisation, parental consent model, and Australian data hosting.
Schools considering Aurvio for classroom use can reference this page as part of their procurement due-diligence process.
Australian Privacy Principles (APP) Compliance
Aurvio complies with the Privacy Act 1988 (Cth) and all 13 Australian Privacy Principles.
We collect only the minimum personal information required to operate the service. For child profiles: first name and year level only. For parent accounts: name, email address, and payment token (processed by Stripe — we never see full card details).
Parents have the right to access, correct, and delete all data associated with their account. Deletion is immediate for account data and completes within 30 days for backup copies.
Parent-Proxy Model — No Child Accounts
Children never create accounts, provide email addresses, or independently interact with any account system on Aurvio.
A parent or guardian creates a single family account and adds children as sub-profiles. Only a first name and year level are collected for each child.
This design eliminates the risk of children accidentally sharing sensitive information and ensures all consent and data decisions rest with the parent.
Zero Advertising. Zero Data Sales.
Aurvio does not display advertising of any kind to children or parents.
We do not sell, rent, license, or otherwise trade your family's personal information with any third party for commercial purposes.
We do not use advertising SDKs, retargeting pixels, or behavioural tracking. The only analytics tool used is Vercel Analytics — a privacy-respecting, first-party solution that does not fingerprint users or build cross-site profiles.
Encryption & Access Controls
All data in transit is encrypted using TLS 1.3. All data at rest is encrypted by AWS using AES-256.
Parent account passwords are hashed with bcrypt (cost factor 12) and are never stored in plain text.
Aurvio supports TOTP two-factor authentication (compatible with Google Authenticator, Authy, and any TOTP app) to protect parent accounts against unauthorised access.
Failed login attempts are rate-limited, and accounts are temporarily locked after repeated failures to prevent brute-force attacks.
Audit Logging & Incident Response
All significant account security events — logins, password changes, 2FA enable/disable, account deletion — are recorded in a tamper-resistant audit log retained for 12 months.
In the event of a data breach affecting personal information, we will notify affected users and the Office of the Australian Information Commissioner (OAIC) within the timeframes required by the Notifiable Data Breaches (NDB) scheme.
Our incident response plan is reviewed annually.
Data Minimisation & Right to Erasure
We collect only what's necessary. Child profiles contain a first name and year level — nothing else.
Parents can delete their entire account and all associated data from the account settings page at any time. No fee, no waiting period, no "cool-down".
Deleted data is removed from live systems immediately and from encrypted backups within 30 days.
Responsible Disclosure
If you discover a security vulnerability in Aurvio, please report it responsibly by emailing [email protected]. We will acknowledge your report within 2 business days and aim to resolve confirmed vulnerabilities within 30 days. We do not currently operate a public bug bounty programme, but we genuinely appreciate responsible disclosures.