Privacy Policy

Effective date: 6 April 2025

1. Introduction

Exit Ticket ("we", "us", "our") is committed to protecting the privacy of all users of our platform, including teachers, school administrators, and students. This Privacy Policy explains how we collect, use, store, disclose, and protect personal information in accordance with the Privacy Act 2020 (New Zealand) and its 13 Information Privacy Principles (IPPs).

Exit Ticket is a New Zealand-based education technology platform. We recognise the particular importance of protecting the personal information of children and young people in the education context, and we have designed our data practices with this responsibility in mind.

By using the Exit Ticket platform and services (the "Service"), you acknowledge that you have read and understood this Privacy Policy.

2. What Personal Information We Collect

In accordance with Information Privacy Principle 1 (Purpose of Collection), we only collect personal information that is necessary for the operation of the Service. The types of personal information we collect depend on your role:

Teacher and School Administrator Accounts

  • Account information: name, email address, school affiliation, and role.
  • Authentication data: login credentials (passwords are stored in encrypted form only).
  • Subscription and billing information: payment details are processed and stored by our payment provider, Stripe. We store only a reference identifier — we do not store credit card numbers, CVV codes, or full card details.
  • Usage data: information about how you use the Service, such as assessments created, classes managed, and features accessed.

Student Accounts

  • Account information: name, email address, year level, and class assignment.
  • Authentication data: login credentials (passwords are stored in encrypted form only).
  • Assessment data: responses to assessments, marks, feedback received, and learning plan progress.
  • Usage data: information about assessment completion, time spent, and learning plan engagement.

Student accounts are created by teachers or school administrators. We do not collect personal information directly from students under the age of 16 without the involvement of a teacher or school administrator acting with appropriate parental or guardian consent.

3. How We Collect Personal Information

In accordance with Information Privacy Principle 2 (Source of Information), we collect personal information:

  • Directly from you: when you register for an account, update your profile, create classes, or contact us.
  • From teachers and school administrators: when they create student accounts or import student data via CSV upload.
  • Automatically: through your use of the Service, including log data, device information, and browser type. We use this information to maintain security and improve the Service.

4. Notification at Collection

In accordance with Information Privacy Principle 3 (Collection — What to Tell the Individual), we inform you at or before the time of collection about:

  • The fact that personal information is being collected.
  • The purpose for which it is being collected.
  • The intended recipients of the information.
  • Whether the supply of information is voluntary or mandatory.
  • The consequences of not providing the information.
  • Your rights of access to and correction of your personal information.

Teachers who create student accounts are responsible for ensuring that students and their parents or guardians are informed about the collection and use of personal information through the Service, in accordance with their school's privacy policies and obligations.

5. How We Use Personal Information

In accordance with Information Privacy Principle 10 (Limits on Use), we use personal information only for the purposes for which it was collected, or for directly related purposes that you would reasonably expect. Specifically, we use personal information to:

  • Provide and operate the Service, including assessment creation, AI marking, learning plan generation, and analytics.
  • Manage your account, process subscriptions, and handle billing.
  • Communicate with you about your account, the Service, and any updates or changes.
  • Improve the Service, including training and improving our AI marking and question generation systems.
  • Ensure the security and integrity of the Service.
  • Comply with our legal obligations under New Zealand law.

AI Training and Improvement

Student assessment responses and teacher moderation decisions may be used to improve the accuracy of our AI marking and question generation systems. This data is used in aggregate and de-identified form wherever possible. The AI system learns from teacher feedback to improve marking quality and question relevance over time. We do not use student personal information for any purpose unrelated to the educational services provided by the platform.

6. Storage and Security of Personal Information

In accordance with Information Privacy Principle 5 (Storage and Security), we take reasonable steps to protect personal information from loss, unauthorised access, use, modification, or disclosure. Our security measures include:

  • Encryption of data in transit using TLS/SSL protocols.
  • Hashing of passwords using industry-standard algorithms.
  • Access controls that restrict data access to authorised personnel only.
  • Regular security reviews and updates to our systems.
  • Secure authentication mechanisms for all user accounts.

Student data is only accessible to the teacher(s) assigned to their class and to school administrators within the same school. Students cannot access other students' data.

7. Disclosure of Personal Information

In accordance with Information Privacy Principle 11 (Limits on Disclosure), we do not sell, rent, or trade personal information to third parties. We may disclose personal information in the following limited circumstances:

  • Service providers: We use trusted third-party service providers to help operate the Service, including cloud hosting, payment processing (Stripe), and email delivery. These providers are contractually required to protect personal information and may only use it for the purposes we specify.
  • Legal requirements: We may disclose personal information if required by law, regulation, legal process, or governmental request.
  • Safety: We may disclose personal information if we believe in good faith that disclosure is necessary to protect the safety of any person or to prevent illegal activity.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will notify you of any such transfer and any changes to this Privacy Policy.

8. Disclosure of Information Outside New Zealand

In accordance with Information Privacy Principle 12 (Disclosure Outside New Zealand), we take steps to ensure that personal information transferred overseas is subject to comparable privacy protections. Our Service uses cloud infrastructure that may store or process data in locations outside New Zealand, including but not limited to Australia, the United States, and the European Union.

Before disclosing personal information to an overseas recipient, we ensure that the recipient is subject to privacy laws that provide comparable safeguards to those under the Privacy Act 2020, or that we have appropriate contractual protections in place. Our key service providers maintain compliance with internationally recognised data protection standards.

9. Access to and Correction of Personal Information

In accordance with Information Privacy Principles 6 and 7 (Access and Correction), you have the right to:

  • Access your personal information: You may request a copy of the personal information we hold about you at any time.
  • Correct your personal information: If you believe any personal information we hold about you is inaccurate, incomplete, or out of date, you may request that we correct it.

Teachers can access and update their own account information and the information of students in their classes through the platform. Students can access their own assessment results and learning plans. Parents or guardians may request access to their child's information by contacting the school or by emailing us at [email protected].

We will respond to access and correction requests within 20 working days, as required by the Privacy Act 2020. If we refuse a request, we will provide reasons for the refusal and inform you of your right to complain to the Office of the Privacy Commissioner.

10. Retention of Personal Information

In accordance with Information Privacy Principle 9 (Retention), we do not retain personal information for longer than is necessary for the purposes for which it was collected. Our retention practices are as follows:

  • Active accounts: Personal information is retained for as long as your account is active and the Service is in use.
  • Cancelled subscriptions: Account data is retained for a reasonable period (up to 12 months) after cancellation to allow for reactivation, after which it will be securely deleted or de-identified.
  • Student data: When a student is removed from a class or a teacher's account is terminated, associated student data will be retained for the remainder of the school year and then securely deleted, unless the school requests earlier deletion.
  • Legal obligations: We may retain certain information for longer periods where required by law, such as financial records for tax purposes.

You may request deletion of your personal information at any time by contacting us at [email protected]. We will process deletion requests promptly, subject to any legal obligations to retain certain information.

11. Privacy Breach Notification

In accordance with Part 6 of the Privacy Act 2020, if we experience a privacy breach that is likely to cause serious harm to any affected individual, we will:

  • Notify the Office of the Privacy Commissioner as soon as practicable, and ideally within 72 hours of becoming aware of the breach.
  • Notify affected individuals as soon as practicable, providing details of the breach, the information involved, and steps they can take to protect themselves.
  • Take immediate steps to contain the breach and mitigate any harm.

We maintain an internal privacy breach response plan and regularly review our security practices to minimise the risk of breaches occurring.

12. Children's Privacy

We recognise the particular sensitivity of children's personal information in the education context. Our approach to children's privacy includes:

  • Student accounts are created and managed by teachers or school administrators, not by students directly.
  • We collect only the minimum personal information necessary for students to use the Service.
  • Student data is only accessible to their assigned teacher(s) and school administrators.
  • We do not use student personal information for marketing or advertising purposes.
  • We do not sell or share student personal information with third parties for commercial purposes.
  • Teachers are responsible for obtaining appropriate parental or guardian consent before creating student accounts, in accordance with their school's privacy policies.

We encourage schools to include information about their use of Exit Ticket in their school privacy notices to parents and guardians.

13. Cookies and Analytics

The Service uses cookies and similar technologies for the following purposes:

  • Essential cookies: Required for the Service to function, including authentication and session management.
  • Analytics: We may use analytics tools to understand how the Service is used and to improve its performance. Analytics data is collected in aggregate form and does not identify individual users.

We do not use cookies for advertising or tracking purposes. You can manage cookie preferences through your browser settings, but disabling essential cookies may affect the functionality of the Service.

14. Third-Party Links and Resources

The Service may contain links to third-party websites and educational resources, such as Khan Academy, IXL, Maths Buddy, and Mathletics. These links are provided as supplementary practice materials for students. We are not responsible for the privacy practices or content of these third-party websites. We encourage you to review the privacy policies of any third-party websites you visit.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or legal requirements. When we make material changes, we will notify you by email or through a prominent notice on the platform at least 14 days before the changes take effect. The "Effective date" at the top of this policy indicates when it was last updated.

16. Complaints

If you believe we have breached your privacy or have not handled your personal information in accordance with the Privacy Act 2020, you may:

  • Contact us directly at [email protected] to raise your concern. We will investigate and respond within 20 working days.
  • If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner at www.privacy.org.nz or by calling 0800 803 909.

17. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

Email: [email protected]
Platform: Exit Ticket

You may also contact the Office of the Privacy Commissioner for general privacy enquiries:

Website: www.privacy.org.nz
Phone: 0800 803 909


Applicable New Zealand Legislation and Guidance

This Privacy Policy has been drafted with reference to the following:

  • Privacy Act 2020 (New Zealand) and its 13 Information Privacy Principles
  • Office of the Privacy Commissioner — Children's Privacy Guidance for the Education Sector
  • Office of the Privacy Commissioner — Guidance on Notifiable Privacy Breaches
  • Office of the Privacy Commissioner — IPP 12 Model Clauses for Overseas Disclosure