UniRubric
← Back to legal kit
UniRubric · Legal kit

Privacy Policy

PRIVACY-2026-01

How UniRubric collects, uses, stores, and discloses personal information. Aligned with the Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles, the EU General Data Protection Regulation (GDPR), and the US Family Educational Rights and Privacy Act (FERPA) where applicable.

Status: DRAFT — REQUIRES LEGAL REVIEW BEFORE EXECUTION. Pending lawyer review per master spec §15. Specific clauses needing attention before execution: APP 8 (cross-border disclosure — §6.1 of this policy now provides the Anthropic-specific disclosure), APP 11 (security of personal information), GDPR lawful basis declarations, FERPA directory-information opt-out language, and the Notifiable Data Breaches scheme notification timeline.
Last updated: 14 May 2026 · UniRubric · Adelaide, South Australia

1. Who we are

UniRubric is operated from Adelaide, South Australia. We are the data controller (under GDPR) / APP entity (under the Australian Privacy Act) for personal information collected through the Services.

For institutional customers, the institution is the data controller for student personal information; UniRubric processes it as a data processor / sub-processor under the Master Services Agreement and Data Processing Agreement.

2. What we collect

2.1 Account information

When you create an account we collect your email address, name, and (for institutional users) the institution and role assigned by your administrator. If you sign up using Google, we receive the basic profile information your Google account is configured to share.

2.2 Submissions and assessment data

When you upload a rubric, an assignment brief, or a student submission, we collect that content so we can grade or pre-check it. Lecturers may attach a student name or external identifier to a submission for their own marking workflow; that label is stored alongside the submission.

2.3 Usage data

We collect technical telemetry necessary to operate the Services reliably: timestamps, error logs, response times, the pages you visit, and the actions you take. We use a small set of third-party services (listed in our Subprocessors page) that collect analogous telemetry.

2.4 Communications

If you email us, fill in a quote-request form, or otherwise contact us, we keep that correspondence to respond to you and to improve our service.

3. What we do NOT collect

  • We do not collect biometric information, geolocation more precise than country / region, financial-account information beyond what Stripe or PayPal pass through, or any sensitive information as defined by the Australian Privacy Principles (health information, racial/ethnic origin, etc.) unless explicitly required for institutional contracting.
  • We do not collect personal information from children under 13 in any market, and we do not direct the Services at children under 18 anywhere.
  • We do not collect, retain, or process Special Category Data (Article 9 GDPR) without explicit lawful basis, which is rare and contract-specific.

4. How we use your information

  • To provide, operate, and maintain the Services.
  • To grade or pre-check rubric-anchored submissions you upload.
  • To communicate with you about your account and the Services.
  • To prevent fraud, abuse, and security incidents (legitimate interest under GDPR; APP 11 obligation under the Privacy Act).
  • To comply with legal obligations, including responses to lawful requests by public authorities.

We do not sell your personal information. We do not advertise inside the Services. We do not use your submissions, rubrics, or assessment data to train AI models — neither our own nor those of any model provider we use.

5. AI model providers

The Services rely on large-language-model APIs to grade and generate feedback. The current primary provider is Anthropic, PBC. We send rubric and submission text to Anthropic for grading inference. Under our agreement with Anthropic, this content is not used to train Anthropic’s models. We disclose all model providers in the Subprocessors page in our legal kit and update that list when it changes.

6. Data residency and cross-border transfers

Our primary database is hosted in Australia (Sydney region, ap-southeast-2). All student submission storage, grading records, audit logs, and account data for Australian institutional customers remain in Australia at rest. For institutions outside Australia, we offer EU and US data residency options on request, configured at the institution level.

6.1 Cross-border AI inference (APP 8 disclosure)

UniRubric performs grading inference using the Anthropic Claude API. At time of writing, Anthropic does not offer a guaranteed Australian processing region for its API. This means that the text of your rubric, your assignment brief, and the relevant student submission is transmitted to Anthropic for inference and may be processed in the United States or in other regions where Anthropic operates its infrastructure. This transmission happens in real time at grading; no copy of the submission is retained by Anthropic after the inference call completes.

We rely on the following safeguards for this cross-border disclosure:

  • Contractual prohibition on training: Under our agreement with Anthropic, submission content sent to the Claude API is not used to train Anthropic’s models. This is the default position for Anthropic’s commercial API and is reflected in Anthropic’s commercial terms.
  • No retention by the sub-processor: Anthropic does not retain submission content beyond the short operational window required to deliver the inference response.
  • APP 8.1 reasonable steps: we take reasonable steps to ensure that Anthropic, as our overseas recipient, does not breach the Australian Privacy Principles in relation to the personal information disclosed. Where required, the standard contractual clauses approved by the EU Commission apply for any transfer involving EU/UK data subjects.
  • No bulk sharing: only the specific submission being graded at the moment of an inference call is transmitted. We do not bulk-transfer student data to Anthropic.

If your institution requires that no student submission text leaves Australia at any point in the processing chain, including for inference, please contact us. We are tracking Anthropic’s regional-residency roadmap and can negotiate alternative arrangements (including alternative providers or air-gapped deployment) for institutional contracts where this is a binding requirement. Until such an arrangement is in place, the disclosure described in this clause is unavoidable for the operation of the Services.

6.2 Other sub-processors

A full list of sub-processors, their regions, and the categories of data each receives is maintained on our Subprocessors page in the legal kit and is updated when sub-processors are added or change. For our hosting and data-store providers (Supabase, Vercel, Cloudflare), the data residency configured for your institution applies; for transactional email (Resend), error reporting (Sentry), product analytics (PostHog), and payments (Stripe, PayPal), the disclosure is necessarily extraterritorial and is limited to the categories of data each provider needs to deliver its specific function. None of these providers receive student submission text.

7. How long we keep your data

By default, raw submission text is retained for 30 days after grading completes. Grading metadata (scores, feedback, audit records) is retained for the duration of your account plus a reasonable archival period required for academic-integrity purposes. Institutional contracts may set different retention windows, ranging from 7 days to 3 years, configured at the institution level. On account closure, personal data is deleted within 90 days unless retention is required by law or by the institution’s academic-integrity policies.

8. Security

We use encryption in transit (TLS 1.3 minimum) and at rest (AES-256), Postgres row-level security on every table, MFA enforcement on administrative accounts, audit logging of every write to sensitive tables, and a defense-in-depth posture described in our InfoSec Schedule. We will notify affected users and the Office of the Australian Information Commissioner (OAIC) of any eligible data breach within the timeframe required by the Notifiable Data Breaches scheme.

9. Your rights

9.1 Access, correction, deletion

You may request access to, correction of, or deletion of your personal information at any time. The fastest channel is the self-service form at unirubric.com/privacy/request, which routes your request to the right party — UniRubric directly if you signed up with us, your institution if your data is held by us as a processor on behalf of an institution. You can also use the privacy contact form. We respond within 30 days either way.

9.2 Data portability (GDPR Art. 20)

Where GDPR applies, you may request your personal information in a structured, commonly used, machine-readable format and transmit it to another controller.

9.3 Withdrawal of consent

Where processing is based on consent, you may withdraw consent at any time, without affecting the lawfulness of prior processing.

9.4 Complaints

If you believe we have not handled your personal information in accordance with this Policy or applicable law, please contact us first via the privacy contact form. If you are not satisfied with our response, you may complain to:

  • the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au;
  • your local data-protection authority in the EU/EEA / UK; or
  • the US Department of Education for FERPA matters (where applicable to the institution).

10. Cookies

We use first-party cookies for authentication, session management, and CSRF protection. We use a small number of essential third-party cookies for analytics (PostHog) and error tracking (Sentry), described in our Subprocessors page. We do not use advertising or cross-site tracking cookies.

11. Children

UniRubric is intended for higher-education users only. We do not knowingly collect personal information from individuals under 18. If you become aware that a minor has provided us with personal information, please use the privacy contact form and we will delete the information.

12. Changes to this policy

We may update this Privacy Policy to reflect changes to our practices or to applicable law. We will notify you of material changes by email or by an in-app notice prior to the change taking effect. The “Last updated” date at the top of this document indicates when the current version became effective.

13. Contact

All enquiries: /contact?topic=privacy

Questions about this document? Contact us or visit the contracting page.