Privacy Policy
This Privacy Policy explains how Multiplai X (further referenced as “Multiplai X”, “we”, “us” or “our”) collects, uses, stores, and protects personal information in relation to our websites and services, including Dotti — our timetable-scheduling service for Australian primary schools. Multiplai X operates under ABN 79 610 493 826 within Australia.
Our voluntary commitment. Multiplai X is a small business operator within the meaning of the Privacy Act 1988 (Cth) and is not automatically bound by the Australian Privacy Principles (“APPs”). We voluntarily use our best efforts to handle all personal information in accordance with the APPs.
Contents
Part A — Multiplai X websites and services
Part B — Dotti service (school timetabling)
Common
Part A
Multiplai X websites and services
This part describes how we handle information generally across Multiplai X websites, products, and services — including but not limited to multiplaix.com, multiplaix.com.au, and dotti.multiplaix.com.au. Product-specific aspects are covered in subsequent sections (e.g. Part B for the Dotti application).
Scope of this policy
This policy applies to information we process on or through our websites, applications, products, and services. Where a specific product or region requires additional notice, we provide it in a product-specific part of this policy or in a separate notice.
If you provide information to us on a third-party platform, the information you provide may be separately collected by that platform, and that platform’s own privacy practices will govern its use of your information. Choices you make on a third-party platform do not apply to our use of information we have collected through our sites, products, or services. An example of this is billing information collected by our billing partner Stripe Payments Australia PTY LTD.
Our role
For our own websites, marketing communications, and product analytics, Multiplai X acts as an independent controller — we decide why and how personal information is processed.
When we process personal information provided to us by a customer in the course of delivering a product (such as school data entered into Dotti), we act as a processor, handling that information only on the customer’s authority and only to the extent needed to deliver the service.
What we collect
When you visit or interact with our websites and services we may collect:
- Identifiers — such as IP address, device identifier, browser type, and (if you contact us or create an account) name and email address.
- Online activity — pages visited, referring URLs, session duration, and basic interactions with our websites.
- Professional information — where provided in correspondence or a form: organisation name, job title, and business contact details.
- Approximate location — inferred from IP address at country or region level, used to improve site performance and relevance.
- Preferences — such as cookie-consent choices.
We do not infer or generate psychological profiles, behavioural predictions, or targeted-advertising segments. We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
How we use information
We use the information we collect to:
- operate, maintain, and improve our websites and services;
- respond to enquiries and provide support;
- send service-related communications (for example, policy changes or security notices);
- measure basic website usage so we can identify issues and improve content;
- secure our services, prevent abuse, and investigate incidents;
- comply with legal obligations.
Sharing and third parties
We share information only where necessary to deliver our services or comply with law. Recipients may include:
- Service providers we engage to operate our websites and products — for example, hosting and edge-delivery providers. Multiplai X’s corporate website multiplaix.com is served by Carrd (carrd.co), a lightweight one-page hosting service. multiplaix.com.au is a reserved domain that does not currently host content. Third parties specific to the Dotti service are listed in Part B §4.
- Authorities where required by law, subpoena, or court order, or to protect our rights or the safety of others.
- Successors in a business transaction (e.g. sale or restructure).
Our service Dotti uses additional third parties, which are listed separately in Part B §4.
Cookies
Our websites use cookies for essential operation (session management, cookie-consent preferences). Where analytics or functional cookies are used, we identify them as such:
- Essential — required for the site to function, including remembering that you have seen and responded to any cookie banner.
- Functional — may be used to remember preferences such as language.
We do not currently use advertising or third-party tracking cookies on our websites. You can disable cookies in your browser; some features may not work as intended if you do.
Children
Our websites and services are not directed to children. We do not knowingly collect personal information directly from children. If you believe a child has provided personal information to us, please contact privacy@multiplaix.com and we will take appropriate steps to delete it.
Your privacy rights
You can exercise your privacy rights — including access to, correction of, and (subject to law) deletion of personal information we hold about you — by contacting us at privacy@multiplaix.com. When we receive a request, we may need to verify your identity before acting on it.
International transfers
Our core infrastructure for the Dotti service is located in Australia (see Part B §4). Some of our website and marketing tools — including edge caches, transactional email providers, and payment processors — operate globally. Where personal information is transferred outside Australia, we take reasonable steps to use widely accepted third-parties who value confidentiality and data-protection obligations to the same standard as presented within this policy.
Part B
Dotti — timetable scheduling service
These are the information we collect specifically related to our Dotti product and associated services (collectively referred to as “service” or “Dotti”). This is in addition to any other information collected under Part A.
1. What we collect
We collect only the information necessary to operate the service. This includes, but is not limited to:
School and staff information
School name, school contact details, subscription plan, and the name and email address of each staff user who creates or accesses a Dotti account.
Timetable information
Any information provided to set-up and run the timetable solver associated with Dotti, which may include but is not limited to, class names, teacher names, scheduling rules, schedule configurations, year groups and subjects.
Billing information
Billing is processed through STRIPE PAYMENTS AUSTRALIA PTY LTD (or any associated global parent company or subsidiary) and further referred to as “Stripe”. The information you provide will be separately collected by Stripe and Stripe’s own privacy practices will govern the use of your information. Choices you make on Stripe’s platform will not apply to our use of the information we have collected through our sites, products, or services.
Billing information provided to us are the school’s billing email address and transaction records. Payment card details are handled directly by Stripe and never touch Multiplai X systems.
Technical information
IP address, browser type, device information, usage logs, and error reports — for service operation, security, and quality improvement.
Support correspondence
The content and communication details of support requests you send us and our replies.
2. What we don’t collect
We do not collect or store:
- dates of birth;
- home addresses or personal contact details;
- health, disability, or medical information;
- photographs or behavioural records;
- academic results or attendance records; or
- parent or guardian personal details.
To the best of our knowledge and intentions we do not collect or process any sensitive information as defined in section 6(1) of the Privacy Act 1988 (Cth).
3. How we use information
We use personal information to:
- operate Dotti — including generating, storing, and exporting timetables;
- authenticate accounts and verify eligibility (Australian education email domain);
- process payments through Stripe;
- send service-related communications;
- provide support;
- maintain security, investigate incidents, and prevent fraud or abuse; and
- comply with legal obligations.
We never use personal information for: advertising or marketing profiling; sale or licensing to third parties; training of artificial intelligence or machine-learning models; or any purpose unrelated to operating Dotti for your school.
The staff members who hold a Dotti account act on behalf of the school. The school is the organisation responsible to parents, students, and regulators for how information is handled. Multiplai X acts only as the school’s service provider — processing any information provided to run the Dotti service only on the school’s authority and only to the extent needed to generate timetables.
We rely on the School to have the consent, authority, and privacy arrangements required under its own applicable laws when providing any information to generate timetables.
4. Third parties and overseas disclosure
To operate Dotti, we engage the following third parties:
Google Cloud Platform
Sydney, Australia (australia-southeast1) · operated by Google LLC
Hosts the Dotti application (Cloud Run), database (Cloud SQL), and file storage (Cloud Storage). All data provided to generate a timetable and any output related to that resides on Australian servers within this region.
Firebase Hosting
Global edge network · operated by Google LLC
Firebase is the edge network that delivers the Dotti website to you and routes user traffic to our Australian servers. It is a Content Delivery Network (CDN), not a data store.
What Firebase does: serves our public website files (HTML, CSS, JavaScript, images, logo) from edge locations worldwide (including Sydney and Melbourne for Australian traffic), terminates HTTPS at the edge, and forwards your requests to our Cloud Run backend in Sydney.
What Firebase can see: request URLs, HTTP headers (including our session cookie value, which is an opaque random identifier), and request and response bodies in transit as it routes each request. This transit handling is inherent to any CDN or edge proxy and is required to deliver your requests to our servers.
What Firebase stores: only our public website files, cached on edge nodes for performance. Google retains routine operational logs (timestamps, source IPs, user-agent strings) for a limited period.
What Firebase does not store: no school data, no project/session contents and no billing data.
SendGrid
United States · operated by Twilio Inc.
Sends transactional emails — signup verification, account notifications, support replies. Processes recipient email addresses and email content. Does not process school data or personal information unless provided by you within the e-mail communication.
Stripe
Australia and United States · operated by Stripe Payments Australia Pty Ltd and affiliates
Handles subscription billing and the Stripe Customer Portal. Processes the school’s billing email, payment card data (directly, never via Multiplai X), and transaction records.
Overseas transfer
Where personal information is disclosed to third parties outside Australia (currently SendGrid in the United States, and Stripe’s United States processing infrastructure), Multiplai X takes reasonable steps to ensure overseas recipients handle personal information consistently with this policy, including by selecting widely-trusted providers bound by equivalent confidentiality and data-protection commitments.
5. Changes of third-parties or sub-processors
If we propose to add or change a third-party or sub-processor that will process school-related data, we will notify you by email before the change takes effect. If you reasonably object on privacy or compliance grounds, you may terminate your subscription without penalty and receive a pro-rata refund of any prepaid fees.
6. Security and retention
Security
No method of transmission or storage is completely secure; however, we take reasonable steps to minimise risk. Measures we apply include:
- encryption in transit (TLS) and at rest;
- private database network access — our database is not publicly exposed on the Internet in steady state.
Retention
- Active timetable/project related data: retained for the duration of your subscription.
- Post-termination: timetable/project related data remains available for export for 30 days, then deleted from live systems.
- Disaster-recovery backups: encrypted automated backups containing timetable/project related data are retained for up to 7 days before being overwritten.
- Billing records: retained for 5 years after the relevant transaction, to meet ATO record-keeping requirements under the A New Tax System (Goods and Services Tax) Act 1999 (Cth).
7. Notifiable data breaches
In the event of an eligible data breach, we will:
- notify the affected school without undue delay; and
- provide the information the school needs to meet its own reporting obligations.
8. Your rights
Under the Privacy Act 1988 and our voluntary APP commitment, you may:
- request access to personal information we hold about you;
- request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading;
- request deletion of your account and associated personal information, subject to our billing-record retention obligations.
You can exercise your privacy rights by contacting us at privacy@multiplaix.com.
9. Cookies
The Dotti application uses a single authentication cookie named __session to keep you logged in. It contains an opaque random identifier — not your personal information. No advertising or tracking cookies are used on the Dotti app.
Common
Complaints, changes, contact
Complaints
If you believe we have handled your personal information in a way that is inconsistent with this Privacy Policy or the APPs, email privacy@multiplaix.com. We will acknowledge your complaint within 5 business days and respond substantively within 30 days.
If you are not satisfied with our response, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
Changes
We may update this Privacy Policy from time to time. Material changes will be notified by email or in-app notice before they take effect.