Privacy Policy

Effective 18 May 2026. Last updated 18 May 2026.

1. About this policy

Origae Pty Ltd (we, us, our) operates the PriorLeap platform (the Platform) at priorleap.com. We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains what personal information we collect when you use the Platform, why we collect it, how we store it, how long we keep it, and your rights.

The Platform is intentionally designed to collect as little personal information as possible and to delete it as soon as we reasonably can. The shorter the retention, the smaller the blast radius if something ever goes wrong on our side.

PriorLeap is not a Registered Training Organisation. We do not issue qualifications. The Platform is a workflow tool that a Registered Training Organisation, or an assessor you nominate, uses to record their assessment of your prior learning. Their privacy obligations to you sit alongside ours and may be broader.

2. What we collect, and why

When you use the Platform we collect:

Your name and email address. Entered at /start. Used to label your application and as the identifier for the session token in your browser. We do not send you marketing email.
The qualification and units you select. Pulled from the public training.gov.au catalogue based on your selection.
Evidence you upload. Files such as resumes, certificates, references, and any text descriptions you write about how each piece relates to a unit.
Your competency conversation. The assessor questions and your written responses.
A one way hash of the recovery secret you choose at sign up. We store only the scrypt hash, never the secret itself. The hash cannot be reversed to recover the original secret. It exists so you can sign back in via /resume by typing your email plus the secret, with no email round trip.
Limited technical metadata. IP address (for rate limiting and abuse prevention only), request timestamps, and browser session cookies.

We do not ask for or collect: date of birth, government identifiers (USI, driver licence, Medicare), payment card details (handled directly by Stripe at the point you choose to pay), phone numbers, or physical addresses.

You are responsible for the accuracy and truthfulness of every item you submit, and for not uploading material that contains the personal information of any third party without their consent.

3. How we use it

Your information is used only to:

operate the application workflow so you can submit evidence, exchange written questions and answers with an assessor, view a recorded outcome, and download an outcome letter;
provide the assessor you have nominated with the material they need to record a competency decision;
protect the Platform from spam, scraping, and abuse;
generate aggregate, anonymised statistics about throughput (see section 5).

We do not sell, rent, or trade your information. We do not use it for advertising, profiling, or model training.

4. How long we keep it

A daily automated process permanently deletes your data per the windows below:

In flight applications (anything not finalised): deleted after 30 days of inactivity. Each meaningful action (you submit, you reply, the assessor records a decision) resets the clock.
Completed applications after an outcome letter is unlocked: deleted 30 days after unlock.
Applications closed without progress by an assessor: deleted 24 hours after the close out.
Browser session tokens: student tokens expire after 30 days of inactivity, assessor tokens after 14 days. Expired tokens are purged within 24 hours.

When an application is deleted, every related record (units, evidence files, conversations, sessions) is permanently removed.

You are responsible for downloading any document you want to keep before the retention window expires. We cannot recover or supply data after deletion. We accept no liability for any loss, claim, or consequence arising from data that has expired and been deleted.

5. Anonymised audit residue

One anonymous audit row per application survives the purge so we can monitor aggregate throughput. It contains a salted SHA 256 hash of the email address (one way, computationally infeasible to reverse), the identifier of the assessing organisation, the qualification code, the number of units, the outcome, and whether the outcome letter was paid for. This residue contains no name, email address, evidence content, conversation content, or other personal information.

6. Who has access

Your data is visible only to:

You, via the session cookie set in your browser at /start;
The assessor or assessors you nominate, by your decision to share your access code with them. Whoever holds the code can act as your assessor until the code expires. Treat the code like a password.
PriorLeap operations staff, only for the minimum needed to keep the Platform running (incident response, abuse investigation, infrastructure maintenance).

We do not disclose your data to any Registered Training Organisation unless and until you have explicitly shared your access code with an assessor at that organisation. We do not disclose your data to ASQA, training.gov.au, or any other regulator unless required to do so by law.

7. Third parties we rely on

To run the Platform we use:

Vercel (hosting and edge delivery). Your requests transit Vercel infrastructure.
Neon (Postgres database hosting). Your application data is stored in a Neon project hosted in an Australian region wherever supported.
Groq (AI inference, third party public large language model service). When you click any feature labelled Polish with AI, or when AI evidence mapping or AI question generation runs, the relevant text is sent to Groq for processing. Before submission we redact direct personal identifiers (name, email, contact details) from the prompt payload where reasonably possible. You should still treat the AI as a public large language model service and avoid pasting highly sensitive personal information into evidence descriptions or conversation answers. We do not control what Groq or any future model provider does with the inference call beyond the contractual terms of their public API.
Stripe (payment processing, used only if you choose to unlock the official outcome letter). Stripe handles card details directly. We never see or store payment card data.
training.gov.au (qualification lookups). Public catalogue search only. No personal information is sent.

Each provider has its own privacy policy. By using PriorLeap you acknowledge that the data necessary to operate the Platform passes through these providers.

8. Data location

We host data in Australian infrastructure regions where the provider supports it. Some processing (notably AI inference via Groq) may occur outside Australia. By using AI features you consent to the text submitted for processing being transmitted overseas.

9. Security

We take reasonable steps to protect your information against loss, misuse, unauthorised access, modification, and disclosure. Access codes are hashed before storage (we never store a usable copy of the raw token). Data in transit is encrypted via HTTPS.

The Platform short retention windows in section 4 are themselves a primary security control. Data that no longer exists on our servers cannot be stolen, leaked, or subpoenaed. The smaller the data we hold, and the shorter we hold it, the smaller the exposure to you if a breach ever occurs on our side or with one of the third party providers we use.

We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). If an eligible data breach occurs we will notify affected individuals and the Office of the Australian Information Commissioner as required.

No system can be guaranteed completely secure. We do not, and to the extent permitted by law cannot, warrant that the Platform is free from vulnerability or that any specific safeguard will prevent unauthorised access. You use the Platform on that basis.

10. Your rights

Under the Privacy Act and the APPs, you have the right to:

access the personal information we hold about you;
correct information you believe to be inaccurate;
request deletion of your application and associated records at any time. In practice this happens automatically within the retention windows in section 4. You can also request immediate deletion by emailing the address in section 14;
complain to us, and if unsatisfied, to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

We may need to verify your identity before acting on a request.

11. Cookies and tracking

We use only essential cookies required for the Platform to function, primarily the session cookie (pl_session) that keeps you signed in on this device. We do not use advertising cookies, third party analytics that fingerprint visitors, or behavioural tracking pixels.

12. Children

The Platform is not intended for use by anyone under 16. We do not knowingly collect information from children under 16. If you believe a child has provided us information, contact us and we will delete it.

13. Changes to this policy

We may update this policy from time to time. The version in force on the date you submit information governs how we handle that information. Material changes will be highlighted on the Platform.

14. Contact

Privacy enquiries can be sent to nick.patterson [at] origae.dev (Dr Nick Patterson, Origae Pty Ltd). The address is written this way to slow down automated scrapers. Replace [at] with @ when sending. You can also lodge a complaint directly with the Office of the Australian Information Commissioner.