Privacy Policy.

How we handle personal information when you use Roll/Call. We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

Last updated: 13 May 2026

Operator: Haixing Huang, ABN: 50676972643, based in NSW, Australia ("we", "us", "our").

Contact: qrrollcall.admin@gmail.com

1. Who this policy applies to

Roll/Call has two types of users:

• Teachers — sign up for an account to create classes and run attendance check-ins. We are the controller of teacher personal information.
• Students — appear on a teacher's class roster and check themselves in via QR code. Students do not have accounts. The teacher (and their institution) is the controller of student personal information; we process it on their behalf and under their instructions.

If you are a student and want to access, correct, or delete your information, please contact your teacher or institution first. They are responsible for the roster.

2. What we collect

From teachers:

• Email address and password (passwords are hashed; we never see them in plain text).
• Class names, roster entries, attendance records, and configuration you create.
• Standard server logs (IP address, browser type, timestamps) for security and abuse prevention.
• Billing information for paid plans (handled by Stripe — we do not store card numbers).

From students (via the teacher's roster and the check-in page):

• The name the teacher enters into the class roster (and optional student ID, if the teacher includes it).
• A randomly generated device identifier stored as a cookie on the student's device. This is used solely to enforce “one check-in per device” and is not linked to any other identifier.
• The timestamp of check-in and which class and session it relates to.

We do not collect: student email addresses, biometrics, location data, or payment information from students. We do not use tracking cookies or third-party analytics on the student check-in page.

3. Why we collect it

• To provide the attendance check-in service to teachers.
• To prevent abuse (duplicate check-ins, brute force).
• To allow teachers to view, edit, and export attendance for their own classes.
• To communicate service-related notices to teachers (e.g. security incidents, downtime, billing).

We do not sell personal information. We do not use personal information for marketing without consent.

4. How it's stored and overseas disclosure

Roll/Call uses the following sub-processors:

• Supabase Inc. (database and authentication). Supabase is headquartered in the United States. Our database is hosted in Supabase's Seoul, South Korea region (ap-northeast-2).
• Vercel Inc. (application hosting, United States). Processes requests on a transient basis; does not persistently store roster data.
• Stripe Payments Australia Pty Ltd (payment processing for paid plans). Handles teacher billing information; we receive only a customer reference and subscription status.

Because our database is in South Korea and our service providers are based in the United States, your personal information will be disclosed to overseas recipients in those countries. We take reasonable steps to ensure these recipients handle your information consistently with the Australian Privacy Principles, including by entering into the data processing agreements offered by each provider and using their Australian-region or enterprise-grade controls where available.

We use Supabase Row Level Security so that teachers can only access their own classes' data.

5. Retention

• Teacher accounts and class data: retained while your account is active. We will delete it within 30 days of account closure.
• Student check-in records: retained for as long as the teacher's class exists, or until the teacher deletes them.
• Server logs: retained for up to 90 days.
• Billing records: retained for 7 years as required by Australian tax law.

Teachers can delete classes, sessions, and rosters at any time from the dashboard.

6. Cookies

We use two cookies:

• Authentication cookie (teachers only) — required to keep you logged in.
• Device identifier cookie (students) — a random ID used only to prevent duplicate check-ins within a class. It does not identify you across other websites.

We do not use advertising or analytics cookies.

7. Your rights

Under the APPs you can:

• Request access to the personal information we hold about you.
• Request correction if it's inaccurate.
• Make a complaint about how we've handled your information.

Email qrrollcall.admin@gmail.com and we will respond within 30 days. Students should contact their teacher first.

If you're not satisfied with our response, you can complain to the Office of the Australian Information Commissioner at oaic.gov.au or 1300 363 992.

8. Data breaches

If we become aware of unauthorised access to or disclosure of personal information that is likely to result in serious harm, we will notify affected individuals and the OAIC in accordance with the Notifiable Data Breaches scheme.

9. Children

Roll/Call is designed to be used by teachers in classroom settings, which may include students under 18. We rely on the teacher and their institution to obtain any necessary consents (from parents, guardians, or the student) before adding a student to a roster. If you believe a student's information has been added without appropriate consent, contact us and we will work with the teacher to remove it.

10. Security

We use industry-standard measures including TLS in transit, hashed passwords, Row Level Security at the database layer, and unique constraints to prevent tampering. No system is perfectly secure, and we cannot guarantee absolute security.

11. Changes to this policy

We may update this policy. Material changes will be communicated to teachers via email. The “Last updated” date at the top reflects the current version.