top of page

Privacy Policy

Last updated: 14 March 2026

1. INTRODUCTION

Looping EduTech, a division of Ninefiftysix Pty Ltd ("Looping", "we", "us", or "our"), is committed to protecting your privacy in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth).

In addition, we align our practices with internationally recognised data protection standards, including the General Data Protection Regulation (GDPR). GDPR is widely considered one of the most comprehensive and rigorous privacy frameworks in the world, and by aligning with its core principles — such as data minimisation, transparency, access rights, and secure handling — Looping supports global user rights and expectations across all regions in which we operate.

While Looping is not ISO/IEC 27701 certified, our systems are closely aligned with its core privacy management principles, including:

 

  • Minimal data collection (only what is required for authentication and assessment)

  • Strong encryption standards (AES-256 at rest, TLS 1.3 in transit)

  • Strict role-based access control and two-factor authentication

  • Transparent retention policies and audit-ready evidence handling

  • Anonymised and contractually protected use of third-party AI services

 

This Privacy Policy explains how Looping collects, uses, stores, and protects personal information in connection with our immersive learning and assessment platform. It outlines the categories of data we collect, the specific purposes for which that data is used, how we manage data retention and security, and how we comply with Australian privacy laws and internationally recognised data protection standards.

2. INFORMATION WE COLLECT

During Learning Sessions (Students — Institutional and B2B)

When a learner accesses Looping through an institution, training provider, or organisation, we collect only the information required to securely verify identity, personalise the learning experience, and generate assessment evidence. This includes:

  • Full name: collected to match the student with their unique identifier (e.g. USI or Student ID) for compliance and session tracking. Only the first name is used within the learning interaction to personalise the experience.

  • Learner identifier: such as a Unique Student Identifier (USI), LMS-issued student ID, or institution-specific number.

  • Session interaction data: including responses, completed tasks, timestamps, and engagement logs during the scenario.

  • Session recording: a full video and audio recording of the learner's final VR session, stored securely for audit and assessment evidence.

Consumer Accounts (Direct Learner Sign-Up)

Looping also supports individual consumer accounts created directly through the Looping app or platform, independent of any institution or organisation. When a consumer account is created, we collect:

 

  • Full name: used to personalise the learning experience and verify identity at login.

  • Email address: used to verify your identity during sign-up via a one-time verification code, and for account communications.

  • Country: collected at the time of sign-up to support appropriate framework alignment, regional compliance, and localisation of content. Country is detected automatically based on your IP address and confirmed by you during the sign-up process.

  • Password: set by the learner on first login and required to authenticate at the start of every session. Passwords are stored in an encrypted format and are never visible to Looping staff.

  • Session interaction data: the same session-level data described above, linked to your consumer account rather than an institution.

3. LICENSING, ORGANISATIONAL & ADMIN ACCOUNTS

If your organisation holds a licence or partnership with Looping (e.g. as an RTO, school, or enterprise training provider), we may collect the following details during account setup:

  • Full name of the designated contact person

  • Work email address

  • Organisation name and role

  • (Optional) phone number for onboarding or support purposes

All payment processing is handled externally via a secure, PCI-compliant third-party provider. Looping does not store, process, or even see any credit card numbers or payment details.

4. SESSION TRACKING & USAGE DATA

Looping collects session-level data each time a learner begins an Immersive Learning Module, regardless of whether the session is completed.

The following data is recorded at the point of session launch:

  • Learner's full name

  • Learner's unique identifier (e.g. LMS ID, national student number, consumer account ID, or institution-issued ID)

  • The name or code of the Immersive Learning Module

  • The timestamp marking the start of the session

  • The name of the organisation, training provider, school, or educator the learner is linked to (or "Consumer" for direct accounts)

  • (If applicable) the timestamp marking session completion

5. WEBSITE VISITORS (VOLUNTARY SUBMISSIONS ONLY)

When you visit the Looping website, we may collect information only if you submit it voluntarily, such as by:

  • Requesting a demo

  • Joining the pilot program

  • Filling out a contact or enquiry form

In these cases, we may collect:

  • Your name

  • Email address

  • Organisation name (if provided)

This information is used solely to respond to your enquiry, is not connected to any learning or authentication data, and is never shared with third parties.

6. DATA STORAGE & ENCRYPTION

Looping uses strong encryption and secure infrastructure to protect all user data during collection, transmission, storage, and archiving.

Data at Rest

All stored data — including learner session records, interaction logs, and assessment evidence — is encrypted using AES-256 encryption. This applies to both active storage and long-term archival storage environments. Data access is strictly controlled through permission-based systems, and no personal data is publicly accessible at any time.

Data in Transit

All data transmitted between Looping and connected systems — including learning management systems (LMSs), secure third-party services, and learner devices — is encrypted using TLS 1.3 or higher. This ensures that sensitive information such as authentication data and session interactions remain secure throughout their lifecycle.

7. RETENTION & LIFECYCLE

  • Data from immersive sessions is stored in secure infrastructure for a defined period, after which it is automatically transferred to long-term encrypted archival storage.

  • Archived data is retained for as long as required under applicable compliance, legal, or institutional policies.

  • All transfers between storage environments are encrypted and managed through automated lifecycle controls to minimise risk.

8. SECURITY MONITORING

Looping uses secure system logging and monitoring to detect unauthorised access attempts, session anomalies, and authentication errors. All monitoring is conducted in line with privacy regulations and supports internal security auditing and system review processes.

9. THIRD-PARTY PROVIDERS

Looping works with carefully selected third-party providers to support the secure delivery of our platform. These providers assist with infrastructure, security, processing, and system functionality. All third-party services used by Looping:

 

  • Operate under strict data protection agreements

  • Are required to meet or exceed industry-standard privacy and security practices

  • Are contractually prohibited from using Looping data for analytics, profiling, or independent processing purposes

 

Looping does not, under any circumstances, sell, trade, or share personal data with third parties — with or without consent. We also do not permit data sharing for advertising, marketing, or model training.

10. USE OF AI-DRIVEN PROCESSING & THIRD-PARTY AI SERVICES

Looping uses adaptive artificial intelligence (AI) technologies to power real-time learner interaction, speech processing, and scenario response. To support this, we securely engage trusted third-party AI services to process:

  • Learner responses or choices (e.g. AI-driven NPC interactions)

  • System-level natural language processing tasks

11. DATA HANDLING BY AI SERVICES

  • All AI services used by Looping process input in real-time only and do not retain personal data beyond what is required for standard safety monitoring

  • No student data is shared with or used by third-party AI providers for model training or profiling

  • All AI-generated content is subject to automated safety and moderation checks to ensure compliance with platform standards and responsible use policies

  • All data is encrypted in transit using TLS 1.3 and anonymised wherever possible

12. DATA CONFIDENTIALITY & CONSENT

  • Only the minimum data necessary to deliver and personalise the learning experience is shared with AI services (e.g. first name and in-session responses)

  • Looping does not share contact information, login credentials, or system identifiers with any AI provider

13. COMPLIANCE

All interactions with third-party AI services are designed to meet global data protection laws and privacy expectations, including the Australian Privacy Principles (APPs), GDPR, and other applicable international standards.

14. SESSION RECORDING & SCREEN CAPTURE

Looping records learner sessions for the purpose of generating assessment evidence within the Looping Converged Assessment Portfolio (CAP). The following applies to all recording activity:

  • Recordings are initiated and controlled entirely within the Looping platform. Looping does not access, record, or interact with the device's camera, microphone (outside of the VR headset environment where applicable), or any other system-level media at any time.

  • On VR headsets, the immersive session is recorded within the Looping application only. No external screen recording, phone camera, or device-level capture is initiated by Looping.

  • On mobile or tablet devices (including iOS and Android) used for the Looping demo or companion app, Looping does not record the device screen, camera, or microphone. Any screen capture functionality within the demo is limited to the Looping application environment and does not capture content from other apps or system-level activity.

  • All recordings are stored securely in accordance with the encryption and access control policies described in this document.

  • Recordings are used solely for assessment evidence purposes and are not shared, published, or used for any purpose outside of the learner's assessment record.

15. TWO-FACTOR AUTHENTICATION & ACCESS SECURITY

Looping enforces strict access controls to protect sensitive system data and platform operations.

16. INTERNAL ADMINISTRATOR ACCESS (LOOPING SYSTEM)

All administrator and privileged user accounts within Looping — such as system operators and technical staff — are protected using two-factor authentication (2FA). This ensures that only authorised individuals can access system logs, stored evidence, and backend functionality. Access is granted on a need-to-know basis and is regularly reviewed to ensure compliance with internal security policies.

17. STUDENT ACCESS & AUTHENTICATION

Students are required to provide their Looping ID, Full Name, and Learner ID to access Looping. Upon first login, students create their own password, which is verified at the start of every subsequent session. This ensures that access to learning content and assessment data remains personal and secure at all times. Passwords are encrypted and are never stored or accessible in plain text.

18. CONSUMER ACCOUNT AUTHENTICATION

Consumers who create a direct account with Looping verify their email address via a one-time code during sign-up. On first login, a personal password is created and required for all future sessions. Consumer accounts are self-managed and are not linked to any educational institution.

19. ROLE-BASED ACCESS CONTROL (WITHIN LOOPING)

Looping enforces internal role-based access control (RBAC) to ensure that only authorised personnel can access sensitive data and system functions.

  • Access to session records, system logs, storage environments, and platform infrastructure is restricted to approved technical and administrative staff

  • Permissions are assigned on a need-to-know basis

  • Access levels are regularly reviewed and updated to maintain security compliance

20. LMS ROLES & ACCESS CONTROL

Looping does not manage or assign user roles such as "student," "educator," or "administrator" within learning management systems (LMSs) or training platforms. These roles, and their associated access permissions, are created, controlled, and maintained entirely by the education provider, school, training organisation, or institution the learner is enrolled with.

 

Because these role assignments fall outside the Looping platform, we do not control which users can access particular data within those external systems. This structure is intentional and respects the governance and access policies set by each individual organisation.

21. SESSION TOKENS & APP AUTHENTICATION

The Looping app uses short-lived, encrypted authentication tokens to maintain your session while you are actively using the platform. These tokens are stored temporarily for the duration of your session only and are automatically cleared when you sign out or close the app. They are not used for tracking, analytics, or any purpose outside of maintaining your secure session.

22. NOTIFICATIONS OF SYSTEM CHANGES

If Looping makes significant changes to how or where data is stored, processed, or handled — including infrastructure or security system updates — we will notify users in advance.

Notifications may be provided via:

  • Our website

  • In-app messages

  • Email (if applicable through your training provider or institution)

23. USER RIGHTS & DATA REQUESTS

For Institutions and Organisations

Looping is used under licence by registered education and training organisations, including schools, RTOs, universities, and corporate learning providers. These institutions are responsible for enrolling learners, managing accounts, and determining the context in which Looping is used.

All data collected by Looping is handled in accordance with our published privacy policies and infrastructure standards. While we manage our own data protection protocols, we do not have a direct contractual relationship with institutional learners, and we do not independently determine access rights or data entitlements for individual students, unless required to do so by applicable law.

Requests to access, correct, or delete learner data must be submitted through the authorised institutional contact. Looping will action all valid and approved data-related requests as part of our partnership with that organisation.

 

Requests From Individual Learners (Institutional)

If you are a student or learner using Looping as part of your enrolment in a course, training program, or educational institution, please contact your school, provider, or organisation directly for any requests related to your personal information. Looping supports privacy and data access rights, but cannot process individual requests unless formally received through your education provider. This ensures that all data handling aligns with both the provider's policies and Looping's own data protection standards and legal obligations.

Requests From Consumer Account Holders

If you have created a direct consumer account with Looping, you may contact us directly to request access to, correction of, or deletion of your personal information. Consumer account holders have the right to:

  • Request a copy of the personal data held about them

  • Request correction of inaccurate or outdated information

  • Request deletion of their account and associated personal data, subject to any legal or compliance obligations

To submit a request, please contact us at hello@looping.au.

24. CHANGES TO THIS POLICY

Looping may update this Privacy Policy from time to time to reflect changes in technology, legal requirements, or our services. When updates are made, the revised policy will be posted on our website along with the effective date. We recommend reviewing this page periodically to stay informed about how your data is handled.

25. COOKIES

The Looping website may use cookies to enhance your browsing experience and help us understand how visitors interact with our site. These cookies do not store personally identifiable information. You have full control over cookie usage and can manage or disable them through your browser settings at any time.

26. CONTACT US

If you have any questions or concerns about this Privacy Policy, please contact us directly.

Email: hello@looping.au

Phone: 1800 956 956 (Australia only)

bottom of page