Scope

This policy applies to QAVRA’s websites, products, and services (the “Services”). It covers information collected from visitors, customers, learners, assessors, and administrators who use the Services.

What we collect

We collect information you provide directly (such as name, email, organisation details, and content you submit), plus technical and usage data needed to operate the platform securely (device identifiers, IP, audit logs, and performance telemetry).

For partnership-course provisioning, this may include the acting user identity, organisation selected, provider/course identifiers, timestamps, and records showing acceptance of the applicable Terms and Privacy Policy.

Account and billing data

If you subscribe to paid plans, we collect billing contact details and plan information. Payment details are handled by our payment processors and are not stored by QAVRA unless required for invoicing.

For marketplace payments, refunds, and partner settlement workflows, QAVRA may process and retain transaction metadata such as checkout session IDs, payment intent IDs, refund IDs, amount breakdowns, processing fee amounts, and recovery ledger records used to reconcile provider obligations.

Learning, assessment, and evidence data

The Services may process course structures, assessment items, learner submissions, assessor feedback, evidence artefacts, and related audit trail data. This information is used to deliver the learning experience, measure outcomes, and support compliance requirements.

How we use data

We use data to deliver and improve the service, provide support, prevent abuse, and communicate about updates. We do not sell personal information.

We also use administrative and acceptance data to provision partnership courses, apply provider delivery restrictions, maintain audit trails, and confirm which organisation accepted the relevant legal terms at the time of activation.

Cross-provider learner profile

If you register as a learner and provide consent, QAVRA may combine your learning activity across participating providers and course offerings to present a unified learner profile and improve training quality, recommendations, and learner support. This processing is limited to service delivery and improvement purposes described in this policy.

Legal bases for processing

We process personal information based on contractual necessity, legitimate interests (such as security and product improvement), compliance with legal obligations, and consent where required.

AI processing

Some features use AI to generate content and insights. Your inputs and outputs are processed to deliver those features. We do not use your data to train public models without your permission.

QAVRA may send prompts, retrieved Knowledge Expert context, uploaded content, generated outputs, and related metadata to contracted AI providers only as needed to deliver requested AI features. QAVRA does not opt in to provider model training for customer content unless an authorised customer gives separate explicit permission.

If your organisation opts in to train, tune, configure, or personalise an Expert AI with its own content, QAVRA uses that content only to create, operate, evaluate, maintain, support, and improve the Expert AI for that organisation. We do not use that customer-specific Expert AI data to train other customers' models, public or shared QAVRA models, or third-party public models unless your organisation gives separate explicit permission.

Model providers

We may use third‑party model providers to deliver AI features. Data shared with these providers is limited to what is necessary to perform the requested task and is subject to confidentiality and security obligations.

AI processing may occur in regions outside Australia depending on the provider and workload routing. We contractually require our AI providers to apply strict security controls and limited retention/deletion practices. For eligible enterprise customers, QAVRA may provide in-house or customer-controlled AI processing options to reduce external data transfer.

For customer-trained Expert AI features, content, training files, evaluation data, prompts, outputs, model artefacts, and related metadata may be processed or retained by QAVRA and contracted AI infrastructure providers as needed for training, fine-tuning, inference, evaluation, storage, security, abuse-prevention, deletion, and support. This processing is limited to the customer-specific feature and does not permit unrelated model training or cross-customer reuse.

Where QAVRA uses commercial AI APIs, including providers such as OpenAI and Anthropic, those providers state that API or commercial-product inputs and outputs are not used to train their generative models by default unless the customer explicitly opts in or submits materials through feedback or similar optional programs. Provider policies may change, and QAVRA reviews provider data-use terms when configuring AI processing.

External AI apps and MCP connections

If an authorised user connects QAVRA to an external AI app or MCP client, such as ChatGPT, Claude, Codex, or another compatible assistant, QAVRA may provide bounded Knowledge Expert metadata, search results, and relevant retrieved excerpts to that external app so it can answer the user's request. QAVRA does not provide direct access to full source documents through Knowledge Expert listing, and retrieval is subject to authentication, permission checks, rate limits, and usage audit records.

Data sent from QAVRA to a user-connected external AI app is also handled under that external provider's account type, privacy settings, and terms. For example, consumer ChatGPT or Claude accounts may have separate model-improvement settings, while business, enterprise, or API plans may apply different default protections. Users and organisations are responsible for configuring those external accounts appropriately before using sensitive Knowledge Expert content outside QAVRA.

Data sharing

We share data with vetted service providers (hosting, analytics, security, and AI infrastructure) under contractual confidentiality and security obligations.

Where required to deliver a provider-owned partnership course, QAVRA may also share limited operational metadata with the relevant course provider or delivery infrastructure, such as organisation identity, course selection, launch configuration, and provisioning status.

When a learner accesses content through a content partnership licence, QAVRA may make limited learner and launch data available to the source content owner. This may include full name, email, learner ID, licensee organisation, course or qualification accessed, launch timestamps, non-assessment access or progress status, and related licence identifiers where available. This does not include learner assessment answers, submissions, uploaded files, scores, assessor feedback, detailed assessment results, or assessment exports for learners in the licensee organisation unless a separate written agreement and lawful basis expressly permit it.

Assessment records created by licensee learners are handled under the licensee organisation's authorised admin, assessor, and support access. The source content owner can manage assessment records for its own learners, but content partnership reporting does not give the source content owner access to licensee learner assessment submissions or results.

A content partnership does not give the source provider general access to your learner list, learner profiles, enrolment records, assessment activity, assessment submissions, assessment results, or other learner information in your organisation. Limited operational reporting is separate from access to your learner administration and assessment records.

Authorised organisation administrators may export content partnership learner reports for support, compliance, licence administration, and contractual usage visibility. Exported data must not be reused for unrelated marketing, resale, audience-building, or third-party disclosure unless another lawful basis or explicit consent applies.

Where required to process payments and refunds, QAVRA shares payment-related data with Stripe and Stripe Connect participants, including connected providers, strictly for transaction processing, reconciliation, fraud prevention, and legal compliance.

Purpose limitation and marketing controls

Personal information collected through a specific workflow, consent prompt, enrolment path, or partnership-course action may only be used for that disclosed purpose unless the individual or customer provides additional consent or another lawful basis applies.

Contact details and learner records obtained through the Services must not be used for unrelated direct marketing, profiling, resale, or audience-building activities unless separate consent has been obtained where required by law.

No sale or third-party marketing use

QAVRA does not sell your personal information and does not share learner personal data with third parties for their independent marketing or commercial use. Personal data remains within QAVRA and authorised customer contexts, except where disclosure is required to operate the Services (through contracted subprocessors), comply with law, or where you have explicitly consented.

Customers, providers, and other authorised recipients of data made available through the Services must not on-sell, disclose, or repurpose that data for unrelated third-party use except where the data subject has explicitly consented or disclosure is required by law.

Customer-controlled data

Customers control the content and data stored within their QAVRA accounts. If you are a learner or assessor, please direct requests about your data to your organisation’s administrator.

Security

We use industry-standard safeguards including access controls, encryption in transit, and monitoring. No system is 100% secure, but we continuously improve our controls.

Cookies and analytics

We use cookies and similar technologies for authentication, security, and analytics. You can manage cookies through your browser settings and, where available, opt out of non-essential analytics.

Your rights

You can request access, correction, deletion, or export of your data. Contact us to manage preferences or to opt out of specific processing where available.

Retention

We retain data only as long as needed to provide the service, comply with legal obligations, and resolve disputes. You can request deletion at any time.

Where QAVRA makes personal information available to a customer, provider, or integration partner for a defined service purpose, that recipient is expected to delete or securely destroy the information when it is no longer required for that purpose, subject to legal retention requirements.

International transfers

We may process data in locations where we or our providers operate. We use appropriate safeguards for cross-border transfers.

Australia privacy compliance

QAVRA complies with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You can request access to or correction of your personal information, make a complaint, or ask questions about our privacy practices at any time. If we cannot resolve your concern, you may contact the Office of the Australian Information Commissioner (OAIC).

If a data breach occurs that is likely to result in serious harm, QAVRA will assess the incident promptly and provide required notifications to affected individuals, customers, and regulators in accordance with applicable law, including the Notifiable Data Breaches scheme where relevant.

Changes to this policy

Content partnership privacy terms are implementation-ready platform terms and should be reviewed by legal counsel before production launch.

We may update this policy from time to time. If we make material changes, we will provide notice through the Services or by email.

Questions? Contact us.