Privacy policy

Privacy at Recess

Recess is a private record-keeping tool for adults supporting autistic children. Children do not use the app directly. Parents, teachers, and clinicians use Recess to keep behaviour, medication, and classroom notes in one accountable record.

Effective date
20 June 2026
Operator
Web Foundry Pty Ltd, Australia
Contact
privacy@recess.app

What you need to know

  • Your Recess records are hosted in Australia, in Sydney.
  • Parents control who can see a child’s records and can revoke access.
  • Teachers do not see medication names, diagnoses, or clinical free text.
  • We do not sell data, use advertising trackers, or train models on child records.
  • You can request access, correction, deletion, or consent withdrawal.

Who we are

Recess is operated by Web Foundry Pty Ltd, an Australian company. In this policy, “we”, “us”, and “Recess” mean Web Foundry Pty Ltd. Privacy requests can be sent to privacy@recess.app.

Data we collect

Account information

Email address, password hash handled by AWS Cognito, display name, role, and optional phone number. We use this to authenticate users and secure accounts.

Child profile data

Child name, date of birth, school year, support needs flags, classroom assignment, and authorised care-team relationships. We use this to show the right records to the right adults.

Behaviour records

Observations about what happened, what came before, what helped, context, time, and intensity. We use this to help the care team understand patterns over time.

Medication data

Medication names, doses, dose times, adherence notes, and observed effects. This is visible to parents and authorised clinicians, not teachers in raw form.

Classroom data

Teacher-recorded classroom observations and structured notes. Parents and authorised clinicians can review these based on consent settings.

Audit logs

Who viewed or changed records, the action taken, and the timestamp. Audit logs are retained for at least 365 days in tamper-resistant storage.

Crash diagnostics

App version, device platform, operating system version, anonymised identifiers, and stack traces. Personal content is scrubbed before diagnostics are sent to Sentry.

Why we collect it

We collect data to authenticate adults, keep child records organised, enforce role-scoped access, maintain an audit trail, support deletion requests through the app’s deletion endpoint, and fix reliability issues.

Our legal basis is consent and legitimate interest for adult users, with explicit parent or guardian consent for child-related records. Recess is not targeted at EU users, but we will handle any valid GDPR-style access, correction, or deletion request carefully.

Children’s privacy

Recess is designed for adults to manage information about children. Children do not have Recess accounts and should not be given access to an adult account. Parent or guardian consent controls sharing.

We apply extra care to child data: teacher views are filtered, consent is scoped, access is audited, and deletion requests are honoured unless a legal retention obligation applies.

Where data is hosted

Recess application data is hosted in Sydney, Australia through AWS and Neon. We use AWS Cognito for account identity, AWS hosting services for the application, and Neon for PostgreSQL storage in the Australian region.

Sentry processes scrubbed crash diagnostics outside Australia. We do not send names, email addresses, child names, medication names, behaviour text, clinical notes, or classroom notes to Sentry.

Third parties

  • AWS: identity, hosting, storage, compute, and monitoring in Australia.
  • Neon: managed PostgreSQL database in Australia.
  • Sentry: crash diagnostics with PII scrubbing enabled.

We do not use third-party advertising trackers, advertising identifiers, social media plugins, or cross-app tracking.

Retention

  • Account and child records are kept while the account is active or until a deletion request is completed.
  • Deletion requests are handled through the app and backend deletion request process.
  • Audit logs are retained for at least 365 days and may be retained longer where required by law.
  • Crash diagnostics are retained only as long as needed for reliability and debugging.

Your rights

Under the Australian Privacy Act 1988 and the Australian Privacy Principles, you can request access, correction, deletion, or a review of how your information is handled. Email privacy@recess.app.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner at oaic.gov.au.

Security

Recess uses TLS for data in transit, encryption at rest, Cognito-managed password storage, least-privilege internal access, audit logging, and automated security checks. If we discover a data incident that affects your information, we will notify affected users in line with the Notifiable Data Breaches scheme.

Changes

We may update this policy as Recess changes. If a change materially affects how we handle personal information, we will update this page and notify users through the app where appropriate.

Contact

Privacy questions, access requests, correction requests, deletion requests, or complaints can be sent to privacy@recess.app.

This policy is written for the Recess pilot and store-submission context. It should be reviewed by Australian legal counsel before broad public launch.