Where your data lives
School Sport Portal runs on Google Firebase. All data infrastructure is hosted in australia-southeast1 (Sydney) on Google Cloud Firestore.
Cloud Firestore
Real-time data sync for carnival management, results, and scheduling — region: australia-southeast1 (Sydney).
Firebase Authentication
User identity via Google Sign-In using school Google Workspace accounts. No passwords stored by School Sport Portal.
Cloudflare CDN
Served via Cloudflare's global network with TLS 1.3, DDoS protection, and WAF.
Stripe Payments
All payment processing handled by Stripe. School Sport Portal never stores card numbers.
What data we collect and why
We collect only the information needed to run carnival and sport events for schools.
| Data Type | Purpose | Retention | Shared With |
|---|---|---|---|
| School name & contact | Account setup, invoicing | Duration of subscription | Stripe (billing) |
| Student names | Carnival event entry & results | Deleted on request | No third parties |
| Event results / scores | Carnival reporting & rankings | Retained while account is active | No third parties |
| Google account (staff) | Authentication only | Session-scoped | Google (auth only) |
| Usage analytics | Product improvement | Anonymised, 12 months | No third parties |
Who can see your school's data
Access to school data is strictly limited and controlled at multiple layers.
School-level isolation
Each school's data is stored under its own namespace. Firebase Security Rules enforce that authenticated users can only read and write data belonging to their own school.
Role-based access within a school
Administrators can configure events and manage user access. Teachers have read access to results relevant to their events. No student account types are created.
No data selling
School Sport Portal does not sell, rent, or share your school's data with advertisers, data brokers, or any third party for commercial purposes.
Encryption in transit and at rest
All connections are encrypted using TLS 1.3. HTTP connections are automatically redirected to HTTPS.
All data in Firebase Firestore and Storage is encrypted at rest using AES-256. Keys managed by Google KMS with HSM backing.
Legal & regulatory framework
Australian Privacy Act 1988
School Sport Portal is operated by Luck Dragon Pty Ltd (ACN 679 268 862). We comply with the Australian Privacy Principles (APPs). Our full Privacy Policy is at schoolsportportal.com.au/privacy.
Data residency
School Sport Portal's database is hosted in australia-southeast1 (Sydney) using Google Cloud Firestore. All carnival and event data is stored on Australian soil, consistent with Victorian DET Information Privacy Principle 9 (IPP 9) requirements for data localisation.
Breach notification
In the event of a data breach likely to result in serious harm, School Sport Portal will notify affected schools and the OAIC in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).
Account and data management
- Access your data — School administrators can view all data held for their school at any time.
- Correct your data — Data can be edited directly within School Sport Portal.
- Delete your data — Request deletion at any time by emailing privacy@schoolsportportal.com.au. Completed within 30 days.
- Export your data — Event results can be exported in CSV format from within the application.
- Close your account — Cancel at any time. All school data will be deleted within 90 days of closure.
Questions about security or privacy?
Our team is happy to answer questions from IT staff, privacy officers, or school leadership.
Email privacy@schoolsportportal.com.au