HPT Practice NSW

Privacy Policy

Last updated: 8 May 2026

1. Introduction

This Privacy Policy explains how HPT Practice NSW, operated as a sole trader (ABN 14 380 906 076) ("we," "our," or "us") handles personal information collected through hptpracticensw.com ("the Website").

We comply with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth). By using the Website, you acknowledge that you have read this policy. By submitting the contact form or making a purchase, you consent to the handling of your personal information as described below.

2. What Information We Collect

2.1 Information You Give Us

When you submit our contact form (or email us directly), we collect:

  • Your name
  • Your email address
  • The subject line and the content of your message

If you contact us about a refund or duplicate charge, you may also provide the email address used at Stripe checkout, the approximate date(s) of the charge, and the last four digits of the card used. We do not ask for, and you should not send, your full card number.

2.2 Payment and Purchase Identification

Payments are processed by Stripe Payments Australia Pty Ltd. When you make a purchase, Stripe collects your card details, billing information, and transaction data directly. We do not see, store, or have access to your full card number, CVC, or expiry. Stripe handles your card data under Stripe's Privacy Policy.

We do collect the email address you use at Stripe checkout. Stripe forwards it to us via webhook, and we store it in our database (Cloudflare D1) against your purchase record so we can:

  • Identify your purchase and grant access to the paid scenarios
  • Restore your access if you switch browsers or devices
  • Detect and prevent accidental duplicate charges to the same email
  • Handle refund and support requests

Alongside your email we also store the minimum payment metadata Stripe provides — the amount, the source of the purchase, the Stripe event ID, and a timestamp. We do not store the last four digits of your card unless you give them to us in support correspondence.

2.3 Account and Sign-In Information

So that your paid access works across devices, the Website offers email-based sign-in. When you use it we handle:

  • Magic-link tokens. When you request a sign-in link, we generate a one-time token, store a hashed copy tied to your email for up to 15 minutes, and email the link to you. The stored token is deleted as soon as it is used or expires.
  • A session cookie set after sign-in. It is HTTP-only, marked Secure, sent SameSite=Lax, and lasts up to about 90 days. It holds a signed token bound to your email and a session ID, which is what keeps you signed in across page loads.
  • Session metadata stored in our database for security: a hashed device fingerprint (derived from your user-agent string and language preference), a short human-readable user-agent description, and an anonymised IP prefix (a /24 for IPv4 or /64 for IPv6 — never your full IP address).
  • New-device sign-in alert emails. If we see a sign-in from a device fingerprint we have not seen on your account, we email you a security alert through Resend so you can review and revoke it. These alerts are for security only and are never used for marketing.

2.4 Information Collected Automatically

When you visit the Website, our hosting provider (Cloudflare) and any analytics or anti-abuse tools we use may automatically collect:

  • IP address and approximate geolocation derived from it
  • Browser type and version
  • Operating system and device type
  • Pages visited, time spent on pages, and referring URL
  • Date and time of access

This information is used for security, analytics, and improving the Website. We do not use it to build advertising profiles.

3. How We Use Your Information

We use the information collected to:

  • Respond to your messages, questions, and refund requests
  • Process payments and confirm purchases
  • Identify your purchase by email and grant you access to the paid scenarios when you sign in from any device or browser
  • Send sign-in (magic-link) and new-device security alert emails
  • Occasionally email purchasers about HPT-related updates, new practice content, or discounts on similar HPT-related products we offer ourselves. Every such email will include a clear unsubscribe link, and unsubscribing will not affect your paid access.
  • Diagnose bugs you report
  • Operate and secure the Website
  • Analyse usage patterns to improve content and features
  • Comply with legal obligations

We do not sell your personal information, and we do not share your email address with third parties for their marketing. If you ever receive a marketing email from us, it is from us only and is about HPT Practice or directly related products we offer ourselves.

Promotional use of communications. Messages, testimonials, success stories, and feedback you send us may be used in promotional or marketing materials in accordance with section 5.3 of our Terms of Service. We will not publish your full name, email address, or other directly identifying contact details without your separate consent. To opt out for a particular message, write "not for promotional use" at the top of that message.

4. Cookies and Tracking

The Website uses a minimal number of cookies and similar technologies, including:

  • Essential cookies set by Cloudflare to keep the Website secure and available
  • An authentication / session cookie set after you sign in. It is HTTP-only, marked Secure, sent SameSite=Lax, and expires up to about 90 days after issue. It is required for access to the paid scenarios via your account.

You can control cookies through your browser settings, but disabling essential cookies will break the Website, and clearing the session cookie will sign you out (you can sign back in by requesting a fresh magic link).

5. Disclosure of Your Information

We share personal information only with the third-party service providers we need to operate the Website:

  • Stripe — processes payments and stores card data on our behalf
  • Resend — delivers contact-form messages, magic-link sign-in emails, and new-device security alerts on our behalf
  • Cloudflare — hosts the Website, holds our database (Cloudflare D1) of purchases and sessions, and provides security and CDN services
  • Email provider — receives the messages sent from the contact form

We may also disclose personal information where required by law, court order, or to protect our legal rights or the safety of others.

We do not sell, rent, or trade personal information to third parties for marketing purposes.

6. Overseas Disclosure

Some of our service providers are located outside Australia. By using the Website, submitting the contact form, or making a purchase, you consent to your personal information being disclosed to these providers in the countries listed below.

  • Stripe — Australia, United States, Ireland
  • Resend — United States
  • Cloudflare — United States, with content delivered from edge locations worldwide

We choose providers that publish privacy commitments comparable to the Australian Privacy Principles, but we cannot guarantee that overseas recipients will handle your information in the same way an Australian organisation would.

7. Data Retention

  • Contact-form messages and email correspondence — kept in our inbox for as long as needed to respond and to keep a record of the conversation, then archived. We typically delete inbox correspondence after 24 months unless it relates to an unresolved matter or a refund record we need to retain.
  • Payment and purchase records — retained for at least 7 years to meet Australian taxation and record-keeping obligations.
  • Sessions and magic-link tokens — sessions are kept until you revoke them or they expire (typically about 90 days of inactivity). Magic-link tokens are deleted as soon as they are used or 15 minutes after issue, whichever comes first.
  • Server logs and analytics — retained for short periods (typically 30–90 days) for security and debugging.

8. Security and Data Breaches

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. The Website is served over HTTPS, and our service providers (Stripe, Cloudflare, Resend) maintain industry-standard security controls.

No internet transmission or storage system is 100% secure. If we become aware of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth).

9. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access any personal information we hold about you (APP 12)
  • Correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13)
  • Request deletion of personal information we hold about you, subject to our legal obligations to retain certain records (note that purchase records may need to be kept for at least 7 years for taxation; we will deidentify these where possible)
  • Sign out of, or revoke, individual devices from the device management page once signed in
  • Unsubscribe from marketing emails at any time via the unsubscribe link in any marketing message; this will not affect your paid access or transactional/security emails
  • Withdraw consent for the promotional use of any communication you have previously sent us
  • Lodge a complaint about how we have handled your personal information

To exercise any of these rights, contact us using the details in section 12. We will respond within 30 days.

You may also choose to interact with the Website anonymously or under a pseudonym, except where we need to verify your identity to process a refund or where it is impractical (APP 2).

10. Children's Privacy

The free portions of the Website are intended for learner drivers aged 16 and above. The paid tier is intended for users aged 18 and above (or for purchase by a parent or guardian on behalf of a minor). We do not knowingly collect personal information from children under 16 without parental consent. If you believe we hold personal information about a child under 16, please contact us so we can delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will update the "Last updated" date at the top of this page when we do. Material changes will be flagged at the top of this page for at least 30 days. Continued use of the Website after changes are posted constitutes acceptance of the updated policy.

The 8 May 2026 update reflects the introduction of email-based account access (magic-link sign-in, session cookies, and new-device security alerts) and reserves the right to send occasional marketing emails to purchasers about HPT-related products, with a clear unsubscribe link in every such email.

12. Contact Us and Complaints

To ask questions, exercise your rights, or make a privacy complaint, contact us:

HPT Practice NSW
Email: lunar-bulb-decode@duck.com
Website: https://hptpracticensw.com
Contact form: /contact

We will acknowledge complaints within 7 days and aim to resolve them within 30 days. If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or on 1300 363 992.