    Legal Document

    Privacy Policy

    Last updated: 16 February 2026 (AEDT)

    Sections

    01 Purpose and scope
    02 What personal information we collect
    03 How we collect personal information
    04 Why we collect and how we use personal information
    05 Disclosure of personal information
    06 Overseas disclosure and third-party services
    07 Security of personal information
    08 Data retention
    09 Cookies and analytics
    10 Access and correction
    11 Complaints
    12 Data breaches (Notifiable Data Breaches scheme)
    13 Education context
    14 Changes to this policy

    1. Purpose and scope

    This Privacy Policy explains how Syllabus Sync ("we", "us", "our") collects, holds, uses and discloses personal information when you use our web application and progressive web app (the "Service"). We are committed to handling personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

    Syllabus Sync is a campus companion tool developed for students at Macquarie University. This policy applies to all users of the Service.

    2. What personal information we collect

    A) Account and identity data

    • Full name (or display name)
    • Email address
    • Password (stored as a cryptographic hash — we never store your raw password)
    • Student ID, course, and year of study
    • Account preferences and settings
    • Profile avatar (if uploaded)

    B) Multi-factor authentication data

    • TOTP enrolment secrets (time-based one-time password), stored encrypted and served with Cache-Control: no-store
    • WebAuthn/passkey credential IDs and public keys (no biometric data is stored)

    C) Usage and device data

    • Device type, browser, operating system, language preference
    • IP address (for security rate-limiting and abuse prevention)
    • Timestamps and basic request metadata
    • Application error logs and performance diagnostics (collected via Sentry with all text masked and media blocked)

    D) Learning and timetable content (user-provided)

    • Units/courses, schedules, deadlines, reminders, and to-do items you create
    • Calendar events and feed preferences

    E) Location data (only with your permission)

    • GPS coordinates for campus map and navigation features — collected only when you grant browser/device location permission
    • Location data is processed locally on your device for real-time navigation and is not stored on our servers
    • You can revoke location permission at any time via your device or browser settings

    F) Cookies and session data

    • Session cookies (strictly necessary for authentication)
    • Security cookies (CSRF protection)
    • Theme and language preference cookies

    We do not intentionally collect "sensitive information" as defined under the Privacy Act (e.g., health, racial/ethnic origin, political opinions, religious beliefs) unless strictly necessary and with your explicit consent.

    3. How we collect personal information

    We collect information:

    • Directly from you — when you sign up, update your profile, create content, or adjust settings
    • Automatically — via session cookies, server logs, and error monitoring

    In accordance with APP 5, we take reasonable steps to notify you at or before the point of collection (via in-product notices and this policy).

    4. Why we collect and how we use personal information

    We use personal information to:

    • Provide and operate the Service (authentication, core features, data sync)
    • Personalise your experience (preferences, saved settings, theme)
    • Maintain security (fraud prevention, abuse detection, rate limiting, incident response)
    • Improve performance and reliability (error tracking, diagnostics)
    • Communicate with you (service messages, important security updates)
    • Meet legal obligations and enforce our terms

    We only collect information that is reasonably necessary for our functions and activities.

    5. Disclosure of personal information

    We may disclose personal information to:

    • Service providers who assist in operating the Service (see Section 6 for details)
    • Authorities if required by law, court order, or to prevent serious threats to life, health, or safety
    • Business transfers (e.g., acquisition or merger), with appropriate protections

    We do not sell personal information.

    6. Overseas disclosure and third-party services

    Some service providers may store or process data outside Australia. Where we disclose personal information overseas, we take reasonable steps to ensure it is handled consistently with the APPs (e.g., contractual controls, security standards).

    Service | Purpose | Data region
    Supabase | Authentication, database, file storage | Configured per project (AU/US/EU)
    Vercel | Hosting and CDN | Global edge (US primary)
    Sentry | Error monitoring and performance diagnostics | US
    OpenRouteService | Navigation routing (server-side only) | EU (Germany)

    7. Security of personal information

    We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Our security measures include:

    • Encryption in transit (TLS/HTTPS enforced via HSTS)
    • Encryption at rest for database and file storage
    • Secure password hashing (passwords are never stored in plain text)
    • Multi-factor authentication options (TOTP, WebAuthn/passkeys)
    • Role-based access controls and least-privilege service keys
    • Rate limiting and brute-force protection on authentication endpoints
    • Content Security Policy (CSP) with nonces to prevent XSS
    • Service worker security: API routes and authenticated pages are never cached; all caches are cleared on logout
    • Automated session expiry and secure cookie handling

    No method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

    8. Data retention

    We retain personal information only as long as necessary to:

    • Provide the Service and maintain your account
    • Comply with legal obligations
    • Resolve disputes and enforce our terms
    • Maintain security and audit integrity

    When your data is no longer required, we take reasonable steps to delete or de-identify it. You may request account deletion at any time via your account settings or by contacting us.

    9. Cookies and analytics

    We use cookies and similar technologies to:

    • Keep you signed in and maintain secure sessions
    • Remember your preferences (theme, language, accessibility settings)
    • Monitor application errors and performance (via Sentry — with text masking and media blocking enabled for privacy)

    We do not use third-party advertising cookies or behavioural tracking. You can control cookies via your browser settings.

    10. Access and correction

    Under APPs 12 and 13, you may request access to personal information we hold about you and request corrections if it is inaccurate, out-of-date, incomplete, irrelevant or misleading.

    You can view and update most of your information directly in Settings and Manage Profile. For other access or correction requests, contact us at support@mq.edu.au. We may need to verify your identity before fulfilling requests.

    11. Complaints

    If you believe we have breached the Australian Privacy Principles, you may lodge a complaint by emailing support@mq.edu.au with details of your concern.

    We will acknowledge your complaint and respond within a reasonable timeframe (generally within 30 days). If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC).

    12. Data breaches (Notifiable Data Breaches scheme)

    Where the Privacy Act 1988 applies to us, if we experience an eligible data breach that is likely to result in serious harm, we will notify affected individuals and the OAIC as required under the Notifiable Data Breaches (NDB) scheme.

    13. Education context

    Syllabus Sync is designed for university students at Macquarie University. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.

    14. Changes to this policy

    We may update this policy from time to time. We will post the latest version within the Service and update the "Last updated" date above. Material changes will be communicated via in-app notification.