PRISM Workstyle Assessment

Privacy Policy

1. Overview

This Privacy Policy explains how Beacon Star (operating the PRISM® Workstyle Assessment, "PRISM") collects, uses, stores, and protects personal information when students and schools use the platform.

PRISM is offered to students through their school. Schools are responsible for obtaining the necessary parental or guardian consent at enrolment, and act on behalf of the parent or guardian for the purposes of authorising student participation in PRISM. We rely on the school's authorisation for under-18 access.

Where your data is stored. All PRISM data is hosted in Australia, on Supabase Postgres infrastructure in the Sydney (ap-southeast-2) region. Your personal information is not transferred or disclosed overseas as part of normal operations.

We are committed to handling your information consistent with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and applicable Queensland privacy legislation.

Our details:

  • Operator: Beacon Star
  • Legal entity: TO BE CONFIRMED
  • Privacy contact: info@beacon-star.com
  • Postal address: TO BE CONFIRMED

2. What we collect

We collect only the information needed to run the assessment, give you your result, and meet our legal and accountability obligations.

2.1 At signup

  • First name and last name.
  • Email address, used to verify your account, send your result, and respond to data requests.
  • Age band (14–17 or 18 and over), used to apply the right rules and age-appropriate content.
  • Access code provided by your school or workshop facilitator.
  • A password you choose for sign-in. We never store passwords in readable form; they are stored as cryptographic hashes by our authentication provider.
  • Acknowledgment that you have read this Privacy notice, with a timestamp.

2.2 During the course

  • Your responses to the 20-item PRISM® Workstyle self-assessment.
  • Your answers to the recall quizzes and workplace scenarios across the course.
  • Reflective inputs and other text you choose to enter (for example, the "I was surprised / not surprised" reflections).
  • Course progress markers (videos watched, lessons completed, time on each step).
  • Your computed PRISM® Workstyle profile and certificate of completion.

2.3 Operational data

  • Standard server logs from our hosting and CDN providers (timestamps, IP address, user-agent string), used for security, abuse prevention, and platform performance.
  • Audit-log entries recording significant operational events (sign-ins, password changes, certificate issuance, admin actions) for accountability and security investigations.

What we do not collect

  • Date of birth (only the broad age band).
  • Health, financial, or other sensitive information.
  • Camera, microphone, or location data.
  • Third-party tracking, advertising, or social-media identifiers.

3. Why we collect it

We collect and use your information to:

  1. Run the course. Present videos, questions, and scenarios; record your answers; compute your PRISM® Workstyle profile; issue your certificate.
  2. Authenticate you. Confirm your email, sign you in, send password resets, and protect your account.
  3. Send your results. Deliver your profile and certificate to you, and let you re-access them through your hub.
  4. Honour your rights. Respond to requests to access, correct, or delete your data.
  5. Protect the platform. Detect and prevent fraud, abuse, or unauthorised access.
  6. Comply with law. Respond to lawful requests from regulators or courts, and meet record-keeping obligations.

We do not use your data for marketing, profiling for advertising, or automated decision-making that affects your legal rights.

Your de-identified responses may also be used to improve the course, evaluate the PRISM® framework, and produce aggregate research and analytics. Aggregate research never identifies individuals. You can request the deletion of your data at any time by contacting us.

4. How we store and protect it

4.1 Where it lives

All identifiable PRISM data is stored on Supabase Postgres, hosted in the Sydney region (ap-southeast-2). Static frontend assets are served via Cloudflare's content delivery network with edge presence in Australia. Data is not transferred or disclosed overseas as part of normal operations.

4.2 How it's protected

  • Encryption at rest: The database is encrypted at rest by our hosting provider.
  • Encryption in transit: All data exchanged between your browser and our systems uses HTTPS with TLS 1.2 or above.
  • Access control: Database access is gated by Row Level Security policies. Students see only their own data. Authorised school staff (admins, trainers) see only the cohorts they manage.
  • Passwords: Stored as cryptographic hashes by our authentication provider. Beacon Star staff never see your password.
  • Audit log: Significant operational events are recorded in an audit log used for accountability and security investigations.
  • Security headers: The platform enforces strict transport security, content-security policies, and frame-blocking to reduce the risk of common web attacks.

4.3 Service providers

| Provider | Purpose | Region |
| --- | --- | --- |
| Supabase | Database, authentication, transactional email (account verification, password reset) | Australia (Sydney, ap-southeast-2) |
| Cloudflare | Content delivery network, DNS, DDoS protection. Cloudflare proxies traffic but does not have access to assessment data. | Global, with Australian edge nodes |

We do not use third-party analytics, advertising trackers, or AI services that would link your responses to cross-site profiles.

5. How long we keep it

We retain personal information for as long as is reasonably necessary for the purposes set out in this policy and to meet our legal and accountability obligations.

  • Identifiable account data (name, email): retained while your account is active and for a reasonable period after, typically up to 12 months from your last activity, unless you ask us to delete it sooner.
  • De-identified assessment responses, scores, and certificates: may be retained indefinitely for course improvement, evaluation of the PRISM® framework, and aggregate research.
  • Audit-log entries: retained for accountability and security purposes.

You can ask us to delete your identifiable data at any time. We will action a deletion request within a reasonable time, generally within 30 days, except where law or accountability obligations require us to keep specific records.

6. Sharing your information

We share your information only:

  • With your school or workshop facilitator. They may see participation status, completion, grade, and aggregate cohort metrics. They cannot see your individual recall or scenario answers.
  • With the service providers listed in section 4.3. They process data on our behalf under contract and only for the purposes set out above.
  • Where required by law. For example, a lawful regulator request, court order, or child-safeguarding obligation.

We do not sell your information.

7. Your rights

7.1 Access

You can ask us what personal information we hold about you. We will respond within a reasonable time, generally within 30 days.

7.2 Correction

If any information is inaccurate (for example, your email is wrong), tell us and we will correct it.

7.3 Deletion

You can ask us to delete your identifiable data. We will action the request within a reasonable time, generally within 30 days, except where law or accountability obligations require us to keep specific records.

7.4 Withdrawing consent

You can stop using PRISM at any time. If you ask us to stop processing your data, we will mark it for deletion. We cannot un-send results that have already been emailed.

7.5 Parents and guardians

Parents and guardians of students under 18 may request to see, correct, or delete their child's data. Requests should typically be made through the school, who will pass them to us. We may verify that the requester is the parent or guardian before acting.

8. Complaints

If you believe we have mishandled your information, please contact us first:

Email: info@beacon-star.com
Postal: TO BE CONFIRMED

We will respond within a reasonable time, generally within 30 days.

If you are not satisfied with our response, you can escalate to the Office of the Australian Information Commissioner (OAIC):

Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Website: oaic.gov.au

9. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in the law. The "Last updated" date below indicates when the most recent change was published. Material changes will be communicated through the platform.

Current version: 2.0
Last updated: 7 May 2026

10. Contact us

Privacy contact: info@beacon-star.com
Postal address: TO BE CONFIRMED
Website: assessment.beacon-star.com