PRISM Workstyle Assessment

Privacy Policy

1. Overview

This Privacy Policy explains how the PRISM® Workstyle Assessment ("PRISM") collects, uses, stores, and protects personal information when students and schools use the platform.

PRISM is offered to students through their school. Schools are responsible for obtaining the necessary parental or guardian consent at enrolment, and act on behalf of the parent or guardian for the purposes of authorising student participation in PRISM. We rely on the school's authorisation for under-18 access.

Where your data is stored. All PRISM data is hosted in Australia, on Supabase Postgres infrastructure in the Sydney (ap-southeast-2) region. Your personal information is not transferred or disclosed overseas as part of normal operations.

We are committed to handling your information consistent with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and applicable Queensland privacy legislation.

Privacy contact:

2. What we collect

We collect only the information needed to run the assessment, give you your result, and meet our legal and accountability obligations.

2.1 At signup

  • First name and last name.
  • Email address, used to verify your account, send your result, and respond to data requests.
  • Age band (14–17 or 18 and over), used to apply the right rules and age-appropriate content.
  • Access code provided by your school or workshop facilitator.
  • A password you choose for sign-in. We never store passwords in readable form; they are stored as cryptographic hashes by our authentication provider.
  • Acknowledgment that you have read this Privacy notice, with a timestamp.

2.2 During the course

  • Your responses to the 20-item PRISM® self-assessment.
  • Progress markers (which step you are on and time on each step).
  • Your computed PRISM® Workstyle profile and certificate of completion.

2.3 Operational data

  • Standard server logs from our hosting and CDN providers (timestamps, IP address, user-agent string), used for security, abuse prevention, and platform performance.
  • Audit-log entries recording significant operational events (sign-ins, password changes, certificate issuance, admin actions) for accountability and security investigations.

2.4 Demographic information

During profile setup we ask a short set of demographic questions: your age band, gender at birth, work or study status, typical team role, region, time spent living or working overseas, and how many languages you speak. We use this only in aggregate, de-identified form to understand who takes part and to evaluate the PRISM® framework. It is never published against your name.

What we do not collect

  • Date of birth (only the broad age band).
  • Health or financial information, or special-category sensitive information such as ethnicity, religion, or health.
  • Camera, microphone, or location data.
  • Third-party tracking, advertising, or social-media identifiers.

3. Why we collect it

We collect and use your information to:

  1. Run the course. Present videos, questions, and scenarios; record your answers; compute your PRISM® Workstyle profile; issue your certificate.
  2. Authenticate you. Confirm your email, sign you in, send password resets, and protect your account.
  3. Send your results. Deliver your profile and certificate to you, and let you re-access them through your hub.
  4. Honour your rights. Respond to requests to access, correct, or delete your data.
  5. Protect the platform. Detect and prevent fraud, abuse, or unauthorised access.
  6. Comply with law. Respond to lawful requests from regulators or courts, and meet record-keeping obligations.

We do not use your data for marketing, profiling for advertising, or automated decision-making that affects your legal rights.

Your de-identified responses may also be used to improve the course, evaluate the PRISM® framework, and produce aggregate research and analytics. Aggregate research never identifies individuals. You can request the deletion of your data at any time by contacting us.

4. How we store and protect it

4.1 Where it lives

All identifiable PRISM data is stored on Supabase Postgres, hosted in the Sydney region (ap-southeast-2). Static frontend assets are served via Cloudflare's content delivery network with edge presence in Australia. Data is not transferred or disclosed overseas as part of normal operations.

4.2 How it's protected

  • Encryption at rest: The database is encrypted at rest by our hosting provider.
  • Encryption in transit: All data exchanged between your browser and our systems uses HTTPS with TLS 1.2 or above.
  • Access control: Database access is gated by Row Level Security policies. Students see only their own data. Authorised school staff (admins, trainers) see only the cohorts they manage.
  • Passwords: Stored as cryptographic hashes by our authentication provider. Our staff never see your password.
  • Audit log: Significant operational events are recorded in an audit log used for accountability and security investigations.
  • Security headers: The platform enforces strict transport security, content-security policies, and frame-blocking to reduce the risk of common web attacks.

4.3 Service providers

Provider | Purpose | Region
Supabase | Database, authentication, transactional email (account verification, password reset) | Australia (Sydney, ap-southeast-2)
Cloudflare | Content delivery network, DNS, DDoS protection. Cloudflare proxies traffic but does not have access to assessment data. | Global, with Australian edge nodes
ANZ Worldline | Card payment processing for facilitator seat purchases. PRISM never sees or stores card numbers; they are entered directly with the payment provider. | Australia

We do not use third-party analytics, advertising trackers, or AI services that would link your responses to cross-site profiles.

4.4 Cookies and local storage

PRISM uses only functional storage on your device: a sign-in session token and your language preference. We do not use advertising, analytics, or cross-site tracking cookies.

4.5 Data breaches

If a data breach occurs that is likely to result in serious harm, we will notify the affected individuals (and, for students, their school) and the Office of the Australian Information Commissioner, as required by Australia's Notifiable Data Breaches scheme. We maintain an incident-response process to contain and investigate breaches.

5. How long we keep it

We retain personal information for as long as is reasonably necessary for the purposes set out in this policy and to meet our legal and accountability obligations.

  • Identifiable account data (name, email): retained while your account is active and for a reasonable period after, typically up to 12 months from your last activity, unless you ask us to delete it sooner.
  • De-identified assessment responses, scores, and certificates: may be retained indefinitely for course improvement, evaluation of the PRISM® framework, and aggregate research.
  • Audit-log entries: retained for accountability and security purposes.

You can ask us to delete your identifiable data at any time. We will action a deletion request within a reasonable time, generally within 30 days, except where law or accountability obligations require us to keep specific records.

6. Sharing your information

We share your information only:

  • With your school or workshop facilitator. They can see your name, email, participation and completion status, and your PRISM® profile result (your dimension scores). They cannot see your individual recall-quiz or scenario answers, or your private reflections.
  • With the service providers listed in section 4.3. They process data on our behalf under contract and only for the purposes set out above.
  • Where required by law. For example, a lawful regulator request, court order, or child-safeguarding obligation.

We do not sell your information.

7. Your rights

7.1 Access

You can ask us what personal information we hold about you. We will respond within a reasonable time, generally within 30 days.

7.2 Correction

If any information is inaccurate (for example, your email is wrong), tell us and we will correct it.

7.3 Deletion

You can ask us to delete your identifiable data. We will action the request within a reasonable time, generally within 30 days, except where law or accountability obligations require us to keep specific records.

7.4 Withdrawing consent

You can stop using PRISM at any time. If you ask us to stop processing your data, we will mark it for deletion. We cannot un-send results that have already been emailed.

7.5 Parents and guardians

Parents and guardians of students under 18 may request to see, correct, or delete their child's data. Requests should typically be made through the school, who will pass them to us. We may verify that the requester is the parent or guardian before acting.

8. Complaints

If you believe we have mishandled your information, please contact us first:

Email: [email protected]
Postal: TO BE CONFIRMED

We will respond within a reasonable time, generally within 30 days.

If you are not satisfied with our response, you can escalate to the Office of the Australian Information Commissioner (OAIC):

Phone: 1300 363 992
Email: [email protected]
Website: oaic.gov.au

9. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in the law. The "Last updated" date below indicates when the most recent change was published. Material changes will be communicated through the platform.

Current version: 2.1
Last updated: 1 June 2026

10. Contact us

Privacy contact: [email protected]
Postal address: TO BE CONFIRMED
Website: assessment.beacon-star.com