Privacy Policy

Effective date: to be set when published on the live site

1. Who we are

Shared Learnings, operated by Shared Learnings Pty Ltd ("Shared Learnings", "we", "us"), an Australian proprietary company registered in New South Wales.

This policy explains what personal information we collect about you when you use sharedlearnings.com, the engine at sharedlearnings.com/engine, the source-authority hub at sharedlearnings.com/resources, the methodology page at sharedlearnings.com/methodology, our APIs, or any related services (collectively, the "Service"), how we use it, who we share it with, and your rights under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).

If you're an EU/UK resident, the General Data Protection Regulation (GDPR) also applies. We've designed our practices to meet the higher of the two standards.


2. What personal information we collect

We collect only the information we need to provide the Service. Specifically:

2.1 Account information

  • Your email address (used as your sign-in)
  • A hashed version of your password (we never store passwords in plain text)
  • Your name (if you provide it)
  • Your business profile: business name, industry, monthly spend range, account type (e-commerce / lead gen / app / brand awareness), digital marketing experience level

2.2 Billing information

  • Your payment method (handled by Stripe; see §4). We never see or store your card number ourselves; we only store a Stripe Customer ID and Subscription ID
  • Your billing address and tax status (if you provide them)
  • Your subscription history and invoices

2.3 Usage information

  • Your searches: Settings Checker queries, Insights queries, Test Engineer sessions
  • Your A/B test submissions (these become Community Contributions; see §6 on retention)
  • Your sign-in history and session metadata (timestamps, IP addresses for security)

2.4 Technical information

  • Your IP address (for security, geo-routing, and rate-limiting)
  • Your browser type and version
  • Your device type and operating system
  • Performance and error data (via Sentry, see §4)

We do not collect sensitive personal information as defined in the Australian Privacy Act (health, sexuality, religion, political views, racial origin, etc.); the Service has no reason to need any of this. We also do not collect your customers' or clients' personal data; if you submit your own A/B test results, you're responsible for ensuring they don't contain identifying information about third parties (see Terms of Service §4).


3. How we use your personal information

We use your information for the following purposes, each with a clear legal basis:

| Purpose | Legal basis |
| --- | --- |
| Providing the Service you signed up for (searches, verdicts, account management) | Performance of contract |
| Sending transactional emails (verification, welcome, billing, free-search lifecycle notifications, cancellation confirmations) | Performance of contract |
| Sending marketing emails (product updates, tips) | Your consent; opt out any time via Account Settings or the unsubscribe link in every marketing email |
| Detecting and preventing fraud, abuse, and security incidents | Our legitimate interests + your safety |
| Improving the Service (aggregated usage analytics, error tracking) | Our legitimate interests |
| Complying with legal obligations (tax records, financial reporting, court orders) | Legal obligation |

We do not sell your personal data to third parties, use it to train external AI models, or share it with advertisers for their own marketing. For our own ads on Meta, we measure ad performance using Meta's conversion tools: an in-browser Meta Pixel (governed by the regional cookie consent in Section 8.3 below) and server-side conversion signals sent when you sign up or subscribe. The data sent is pseudonymous: a hashed (irreversible) email address and, where available, the Meta browser cookie id, used solely to measure our own ad performance. We never send raw personal data, and never share your data with any other advertiser.


4. Who we share your personal information with

We use a small number of trusted third-party processors to operate the Service. Each is contractually bound to handle your data only as we direct, and each has its own privacy policy you can read:

| Processor | What they do | Where data is stored |
| --- | --- | --- |
| Supabase | Primary database (account, profile, A/B test submissions) and authentication | Sydney region |
| Stripe | Payment processing (card details, billing, subscriptions) | Global with regional residency options |
| Resend | Transactional email delivery | EU + US |
| Sentry | Application error tracking + AI monitoring | EU region (locked at signup) |
| Anthropic | AI processing for Settings Checker, Insights, Test Engineer queries | US, query only, not your account identity |
| Tavily | Real-time web search for Settings Checker, Insights, News | US, query only, not your account identity |
| Google LLC | Web analytics (Google Analytics 4) | US, anonymous/cookieless pings when consent declined |
| Railway | Application hosting (the server running the Service) | US region |
| UptimeRobot | External health monitoring (pings /health endpoint, no user data exposure) | US |
| Meta Platforms, Inc. | Ad conversion measurement (Meta Pixel + Conversions API) | US / Global; in-browser Pixel loads by default outside the EU, EEA, and UK and only after consent within them; see Section 8.3 |

Beyond this list, we share personal information only when we have your specific consent, when it's required by law (court order, regulator request), or when necessary to investigate or respond to abuse.


5. Where your data is stored

Our primary database is hosted in Sydney, Australia (Supabase ap-southeast-2 region). This keeps Australian users' data within Australia by default.

Some processing happens internationally: Stripe processes payments globally, Resend sends emails from EU/US servers, Sentry is locked to the EU region for GDPR alignment, and Anthropic + Tavily + Google process queries in the US. Where data is transferred internationally, we rely on the processor's certified data-protection commitments (GDPR Standard Contractual Clauses, Privacy Shield successor frameworks) to ensure protection comparable to Australian law.


6. How long we keep your data

  • Your personal information (email, profile, billing, sessions, searches) is retained while your account is active. After cancellation, it's retained for a 90-day grace period so you can reactivate without losing your data. After 90 days, all personal information is permanently deleted.
  • Your A/B test submissions ("Community Contributions" in our Terms) are anonymised at the same 90-day point (identifying information is stripped), then retained indefinitely as part of the community-aggregated verdicts other users see. This is the network-effect contract of the Service: by submitting tests, you agree they become community signal (Terms of Service §5.4). If you don't agree with this, don't submit A/B test data; the Service still works for Settings Checker, Insights, and News.
  • Cancellation feedback (your reason for cancelling) is retained as anonymised aggregate data for product analytics; your individual reason is not linked to your identity after deletion.
  • Legal-retention records (tax records, financial records) are retained for 7 years as required by Australian law, regardless of account deletion.

7. Your rights

Under the Australian Privacy Act + GDPR (whichever applies to you), you have the right to:

7.1 Access

Ask for a copy of the personal information we hold about you. Use Account Settings → Privacy → "Export my data" for self-serve export, or email privacy@sharedlearnings.com for a manual request.

7.2 Correct

Update your personal information at any time via Account Settings, or by emailing us if you can't access your account.

7.3 Delete

Request deletion of your personal information. Account-level deletion happens automatically 90 days after cancellation; you can also request immediate deletion via Account Settings → Privacy → "Delete my account now". Note: anonymised Community Contributions are not deleted (see §6 above and Terms of Service §5).

7.4 Object

Object to certain uses of your information (e.g. marketing emails; opt out via the email-preferences toggle or the unsubscribe link in any marketing email).

7.5 Portability

Receive your personal information in a structured, commonly-used, machine-readable format (we export as JSON via Account Settings → Privacy).

7.6 Complaint

If you're unhappy with how we've handled your personal information, you can email us first at privacy@sharedlearnings.com. We aim to resolve complaints within 30 days as required by the Australian Privacy Act. If you're not satisfied with our response, you can escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au/privacy/privacy-complaints. EU residents also have the right to complain to their local data-protection authority.

We respond to all rights requests within 30 days.


8. Cookies and tracking

8.1 Strictly necessary (no consent required)

  • Session cookies that keep you signed in
  • Security cookies (CSRF tokens, anti-fraud)
  • Load-balancing and caching cookies

8.2 Analytics

We use Google Analytics 4 (GA4) to understand how visitors use Shared Learnings. GA4 is managed under Google Consent Mode v2: visitors in the EU, EEA, and UK are tracked only after they accept analytics cookies; visitors elsewhere (including Australia) are measured by default and can decline at any time via the cookie notice. Declining never affects your access. When you decline, GA4 receives only anonymous, cookieless pings. Sentry session-replay cookies are only set when an error occurs.

8.3 Advertising

We use the Meta Pixel and Meta Conversions API to measure how our ads on Meta perform. The in-browser Meta Pixel follows the same regional consent as GA4 above: in the EU, EEA, and UK it loads only after you accept analytics cookies; elsewhere, including Australia, it loads by default and you can decline at any time via the cookie notice. We also send server-side conversion signals when you sign up or subscribe, using the hashed email you provide, so performance can still be measured if your browser blocks the Pixel. Declining never affects your access to the Service.

You can clear cookies at any time via your browser settings. Clearing them will sign you out of the Service.


9. Children

The Service is intended for users 18 years and older (matching the Terms of Service eligibility requirement). We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a minor, please email privacy@sharedlearnings.com and we'll delete it within 30 days.


10. International data transfers

If you're outside Australia, your personal information may be transferred to and processed in Australia (where our primary database is hosted) and in the countries where our third-party processors operate (see §4).

For EU/UK residents: these transfers rely on Standard Contractual Clauses (or equivalent) with our processors, providing protection comparable to GDPR standards. The Sentry data residency is locked to the EU specifically to avoid the data-export question entirely for error telemetry.


11. Changes to this policy

We may update this policy from time to time. Material changes will be notified to your account email at least 30 days before they take effect. The current version is always at sharedlearnings.com/privacy, with a "last updated" date at the top.

If you don't agree with a change, your option is to cancel your subscription before the change takes effect (see Terms of Service §8).


12. Contact us

For any privacy-related question, request, or complaint:

We aim to respond to all privacy requests within 30 days as required by the Australian Privacy Act.