Legal · commandohsc.com

Privacy Policy

Effective 25 April 2026  ·  Privacy Act 1988 (Cth)

01
Who we are

CommandoHSC is an AI-powered HSC exam response analyser run by a teacher/developer in New South Wales, Australia. This policy covers how we handle your personal information under the Privacy Act 1988 (Cth) and the Privacy and Other Legislation Amendment Act 2024 (Cth). Questions? hello@commandohsc.com

02
What we collect

We collect only what's needed to run the Service — nothing more.

  • Account — email address, and name/profile picture if you sign in with Google. Passwords are hashed, never stored in plain text.
  • Exam responses — the text you submit is sent to Anthropic's Claude API and not stored on our servers after analysis.
  • Payments — handled entirely by Stripe. We never see or store your card details.
  • Usage data — credit balance, subject and question type per analysis, date/time of analyses, and basic browser/device info (via cookieless analytics).

We don't collect sensitive information (health, racial, religious, biometric data) and don't solicit it.

03
How we use it
  • Deliver AI feedback on your submitted responses
  • Manage your account, credits, and purchases
  • Send transactional emails (receipts, confirmations, low-credit alerts)
  • Monitor reliability and fix errors
  • Detect and prevent abuse
  • Meet our legal obligations

We don't sell your data, use it for marketing, or use your exam responses to train AI models.

04
AI and automated decisions

Your submitted text is processed by Anthropic's Claude API to generate feedback and estimated mark ranges — without human review of individual responses. This is disclosed in line with Australian automated decision-making transparency obligations (APP 1 and the forthcoming requirements under the Privacy and Other Legislation Amendment Act 2024, commencing December 2026).

AI feedback is a study aid only — not official NESA assessment. Estimated marks are indicative. Anthropic does not use API data to train their models by default. You must not include your full name, student number, or school name in submitted responses — this information is not required for analysis and including it unnecessarily increases your privacy exposure.

05
Third parties and overseas disclosure
  • Supabase — database and auth, AWS Sydney region
  • Anthropic — AI analysis, processed in the United States
  • Stripe — payments, United States
  • Netlify — hosting and serverless functions, United States
  • Plausible Analytics — cookieless analytics, European Union. No personal identifiers transmitted. We do not use cookies or browser fingerprinting for tracking purposes. Plausible collects only aggregate, anonymous usage statistics.

For overseas providers, we take reasonable steps to ensure they handle your data consistently with the Australian Privacy Principles. We may also disclose information where required by Australian law.

06
How long we keep it
  • Exam responses — deleted immediately after analysis
  • Account data — held while your account is active, deleted within 30 days of closure
  • Transaction records — 7 years (financial record-keeping obligations)
  • Technical logs — up to 90 days, then purged

07
Your rights

Under the Privacy Act 1988 (Cth), you can access, correct, or request deletion of your data at any time — email hello@commandohsc.com and we'll respond within 14 business days at no charge. Under the Privacy and Other Legislation Amendment Act 2024 (Cth), additional privacy rights — including civil claim provisions — are being introduced in stages, with key provisions commencing December 2026.

08
Children's privacy

CommandoHSC is designed for HSC students (typically 16–18). Users under 18 must have parental consent before registering or purchasing. We don't knowingly collect data from children under 13 — if you believe this has happened, contact us immediately and we'll delete the account. We'll update our practices when the OAIC's Children's Online Privacy Code comes into force (December 2026).

09
Security

We take reasonable technical and organisational measures to protect your data (APP 11, Privacy Act 1988): HTTPS everywhere, row-level database security, server-side API keys never exposed to the browser, and Stripe's PCI-compliant infrastructure for payments. No system is 100% secure — if we become aware of a breach likely to cause serious harm, we'll notify affected users and the OAIC under the Notifiable Data Breaches scheme.

10
Data breaches

Under the Notifiable Data Breaches scheme (Part IIIC, Privacy Act 1988), if we experience a breach likely to cause serious harm we will notify the OAIC and affected individuals as soon as practicable — including what happened, what data was involved, and what steps to take. Suspect your account is compromised? Contact us immediately at hello@commandohsc.com.

11
Changes

We'll update this policy as our practices or the law changes — including ongoing reforms under the Privacy and Other Legislation Amendment Act 2024. Material changes will be noted in the effective date above and emailed where appropriate. Continued use means acceptance.

12
Contact

CommandoHSC · New South Wales, Australia

hello@commandohsc.com