Privacy Policy
1. Privacy, in Plain English
Before the legal detail, here is the short version — the version we'd want as parents ourselves.
- The Brain Bus is built for kids, but accounts belong to parents. Children never create an account, never give us their email address, and never hand over any personal information directly. Every account is a parent or guardian account.
- We collect the minimum we need, and nothing more. A child's profile in our system is, at most, a first name and an age band ("Junior Adventurers," for example). No birthdate, no last name, no photo, no location, no device ID.
- We never sell data. Ever. Not to advertisers, not to data brokers, not to anyone. This isn't a policy we might change later — it's a line we won't cross.
- We don't run behavioural advertising or tracking aimed at children, and we don't use tools like Google Analytics or Meta Pixel anywhere on our site or in our products.
- Our website analytics are cookie-free. We use Plausible Analytics, a privacy-first tool that measures overall traffic trends, not individual visitors, and never stores anything that identifies you.
- You can delete everything, anytime. Parents can request full deletion of their account and all associated data, including any child profile information, at any time.
- If we ever get this wrong, tell us. Email hello@thebrainbus.fm and we will fix it.
The rest of this document is the complete, legally detailed version of the above. We've written it to be as plain as a privacy policy can be, because a policy parents can't understand isn't really protecting anyone.
2. Who We Are and What This Policy Covers
The Brain Bus is an educational, road-trip-themed audio podcast and (where subscribed) private podcast feed service for children aged 2–13, produced and operated from Australia. We publish four age-banded shows — Tiny Explorers (2–4), Junior Adventurers (5–7), Brain Busters (8–10), and Mind Blowers (11–13) — and operate a website and account dashboard at thebrainbus.fm.
This Policy explains what information we collect across our website, our email list, our subscription and account system, and our podcast distribution, why we collect it, who we share it with, how long we keep it, and the rights you have over it. It applies to:
- Visitors to thebrainbus.fm, including anyone browsing our episode library or age-band pages;
- Anyone who joins our email list or newsletter;
- Parents and guardians who create an account, including those who set up a child profile or purchase a subscription; and
- Anyone who contacts us directly (for example, via hello@thebrainbus.fm).
This Policy does not govern how third-party podcast apps and platforms (Spotify, Apple Podcasts, YouTube, Amazon Music, and others) collect or use information when someone listens to our free, publicly distributed episodes through their own apps. See Section 20.
We are based in Australia and are therefore primarily governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Because our audience includes families in the United States, the United Kingdom, the European Union, Canada, and New Zealand, we also describe in this Policy how we meet our obligations under the US Children's Online Privacy Protection Act (COPPA), the EU and UK General Data Protection Regulation (GDPR), the UK Age Appropriate Design Code, and equivalent Canadian and New Zealand privacy law.
3. Our Commitment to Children's Privacy
Children's media carries a different standard of care than ordinary consumer products, and we've designed The Brain Bus around that from the ground up rather than bolting privacy protections on afterward. Three design decisions sit underneath everything else in this Policy:
Every account belongs to an adult.
Children are never asked to register, log in, enter an email address, or provide any information about themselves directly to us. If a feature would ever require a child to submit information, it is routed through the parent or guardian's account instead, and the parent provides it on the child's behalf.
We practise data minimisation as a security strategy, not just a compliance checkbox.
The best protection against a data breach involving a child's information is to never collect that information in the first place. A child's profile in our systems contains, at most, a first name (optional) and an age band — never a date of birth, a numeric age, an email address, a photo, a voice recording, a device identifier, or location data.
We do not behaviourally target, profile, or advertise to children.
This is an absolute rule across every part of our business, including any future advertising on our free tier (see Section 9).
4. Information We Collect
4.1 Information We Collect From You (the Parent or Guardian)
| Category | Examples | When Collected |
|---|---|---|
| Account information | Email address, name | When you create a parent/guardian account |
| Authentication data | Encrypted password, session tokens | When you log in (handled by our authentication provider, Supabase) |
| Billing information | Name, billing email, subscription tier and status | When you purchase a Single Band Pass or Family Pass subscription |
| Communication data | Email address, contents of your message | When you email us, contact support, or respond to a survey |
| Marketing preferences | Email address, subscription tags (e.g., which age bands you're interested in) | When you join our email list or newsletter |
We never ask a parent for information about themselves beyond what's needed to create an account, process a subscription, and communicate with you about your subscription or our content.
4.2 Information About Your Child (Provided by You)
If you choose to personalise your dashboard, you may optionally provide:
- Your child's first name (optional — you can use a nickname, an initial, or leave it blank); and
- Your child's age band (e.g., "Brain Busters, 8–10") — selected from our four bands, never a specific birthdate or numeric age.
This information is entered by you, the parent, never collected directly from a child. We do not collect, and our systems are technically designed to reject, a child's last name, date of birth, numeric age, photograph, location, voice recording, or any device or behavioural identifier.
4.3 Information We Automatically Collect
When you browse thebrainbus.fm, our analytics provider (Plausible Analytics) records aggregate, non-identifying trends — page views, referring sites, approximate country-level location, and device/browser category — using a cookie-free method that never stores your IP address or any other identifier tied to you personally (see Section 8).
When you submit a form (such as our email signup form), our bot-protection tool, Cloudflare Turnstile, briefly processes a small set of technical signals (your IP address, browser/TLS information, and the website you're on) for the sole purpose of distinguishing a real visitor from automated spam. Cloudflare does not use this information to identify, profile, or advertise to you, and we don't receive or store these signals ourselves. For full details of how Cloudflare handles Turnstile data, see the Turnstile Privacy Addendum.
Our servers, hosted on Vercel and protected by Cloudflare, generate standard technical logs (timestamps, error codes, request paths). These logs are used only for security, performance, and troubleshooting purposes, and are retained for a limited period before automatic deletion.
4.4 Payment Information
When you subscribe to a paid plan, your payment is processed directly by Stripe, a PCI-DSS-compliant payment processor. We never see, receive, or store your full card number, CVV, or bank account details — Stripe handles that data on its own secure infrastructure and provides us only with a payment status, a customer reference ID, and the last four digits of your card for your own reference in your dashboard.
4.5 Information We Do Not Collect — Ever
To be unambiguous about where we draw the line, we do not:
- Collect or store a child's last name, date of birth, or numeric age;
- Collect a child's email address or create a login or account for a child;
- Collect voice recordings, photographs, or video of any child;
- Collect precise geolocation data from any user;
- Collect biometric identifiers (fingerprints, facial templates, voiceprints, or similar) from anyone;
- Use behavioural tracking, advertising pixels, or cross-site tracking technology of any kind (including Google Analytics or Meta/Facebook Pixel) anywhere on our site; or
- Sell, rent, or trade any personal information to any third party, under any circumstances.
5. How We Use Information
We use the information described in Section 4 only for the following purposes:
- To create and administer your parent/guardian account;
- To process payments, manage your subscription, and provide access to the age-banded private podcast feed(s) you've subscribed to;
- To personalise your dashboard (for example, showing your child's name and age band so you can tell your feeds apart);
- To send you transactional communications — order confirmations, receipts, password resets, and service notices — via our transactional email provider, Resend;
- To send you marketing communications (such as new-episode announcements or special offers) via our email marketing provider, Kit (ConvertKit), only if you've opted in, and always with a one-click unsubscribe;
- To understand aggregate website traffic trends so we can improve the site, via Plausible Analytics, in a way that never identifies you individually;
- To detect and prevent spam, fraud, and abuse of our forms and checkout process;
- To respond to your questions, support requests, or complaints; and
- To comply with our legal, accounting, and tax obligations (for example, retaining payment records as required under Australian tax law).
We do not use any information we collect to make automated decisions that produce legal or similarly significant effects about you or your child, and we do not use profiling for advertising purposes.
6. Who We Share Information With
We share information only with the service providers ("sub-processors") that help us operate The Brain Bus, and only to the extent necessary for them to perform that function. We never share, sell, or license personal information to advertisers, data brokers, or anyone outside this list for their own independent purposes.
| Provider | Role | Data Shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, and account storage | Parent account data (email, name), subscription status, optional child first name/age band | Asia-Pacific (Sydney) region |
| Stripe | Payment processing, billing, tax calculation | Billing name/email, payment method (held by Stripe, not us), subscription/customer ID | United States (with international infrastructure; Stripe is independently PCI-DSS certified) |
| Castos | Private podcast feed (RSS) hosting and subscriber management | Parent's email and name, to issue and manage access to the private podcast feed(s) for the age band(s) subscribed | United States |
| Kit (ConvertKit) | Marketing email and newsletter management | Email address, subscription tags (age band/tier interest) — only for users who opt in | United States |
| Resend | Transactional email delivery (receipts, password resets, account notices) | Email address, transactional message content | United States |
| Sanity.io | Content management system for episode metadata and show notes | No personal information — content only | United States / global CDN |
| Plausible Analytics | Website analytics | No personal information; cookie-free, aggregate traffic data only | European Union (Estonia) |
| Cloudflare | Content delivery network, DNS, and bot protection (Turnstile) | Technical signals (IP address, browser/TLS data) for bot detection only; no profiling | Global network, with EU/US infrastructure |
| Vercel | Website hosting | Standard server request logs | Global network, with US infrastructure |
We require each of these providers to handle information securely and only for the purposes we've engaged them for. We do not permit any of them to use information we share for their own advertising or marketing purposes.
We may also disclose information where required by law — for example, in response to a valid subpoena, court order, or other lawful government request — or where necessary to protect the rights, property, or safety of The Brain Bus, our users, or the public.
If The Brain Bus is ever involved in a merger, acquisition, or sale of assets, any personal information held would be transferred subject to the protections of this Policy (or a successor policy that provides at least equivalent protection), and parents would be notified of any such change.
7. International Data Transfers
Because several of our service providers operate outside Australia (principally in the United States and the European Union), some personal information may be processed or stored overseas. Where this occurs:
- We choose providers with strong, independently recognised data protection practices and, where applicable, certifications (for example, Stripe's PCI-DSS certification and Plausible's EU hosting and GDPR-by-design model);
- We rely on contractual protections such as data processing agreements and, where relevant, standard contractual clauses with our providers; and
- We take reasonable steps consistent with Australian Privacy Principle 8 to ensure overseas recipients don't breach the APPs in relation to information we disclose to them.
If you are located in the EU or UK, transfers of your personal information outside the EU/UK are made under an appropriate transfer mechanism (such as the EU-US Data Privacy Framework, where the receiving provider participates, or standard contractual clauses).
8. Cookies, Analytics and Similar Technologies
Essential cookies only.
Our website uses a small number of strictly necessary cookies — for example, an httpOnly session cookie issued by Supabase when a parent logs into their account, and a short-lived cookie used by Stripe during checkout for fraud prevention. These cookies are necessary for the site to function and are not used for advertising or cross-site tracking.
No advertising or tracking cookies.
We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technology anywhere on thebrainbus.fm.
Cookie-free analytics.
Our analytics provider, Plausible Analytics, does not use cookies or any other persistent identifier. It counts visits using a temporary, anonymised, rotating hash that cannot be used to identify you or track you across days, devices, or other websites, and it never stores your raw IP address. Because Plausible doesn't collect personal data or use tracking cookies, we don't need to show you a cookie consent banner for analytics — though we'll always tell you plainly, as we're doing here, exactly what we use and why.
If our technology choices ever change in a way that would require a cookie consent banner (for instance, if we introduced a tool that does use tracking cookies), we will update this Policy and add the appropriate consent mechanism before doing so.
9. Advertising
Our free tier is designed to be supported, in part, by advertising rather than by collecting payment from every family. Whether or not advertising is active on our free tier at any given time, the following commitments are permanent and non-negotiable:
- We will never use behavioural advertising, profiling, or targeting based on a child's activity, identity, or inferred characteristics.
- Any advertising we run will be contextual (based on the show or episode, not the listener) and vetted for brand safety and age-appropriateness — no political advertising, no junk food marketing directed at young children, no manipulative calls to action aimed at kids, consistent with Australia's AANA Code for Advertising and Marketing Communications to Children and the US FTC's guidance on advertising to children.
- Sponsored content will always be clearly and honestly disclosed as advertising, never disguised as part of an episode's editorial content.
- We will never use data collected from a child, or about a child's listening habits, to sell, build, or refine an advertising profile — for our own use or anyone else's.
If we introduce dynamic ad insertion through our podcast hosting or distribution partners, those ad placements are governed by the advertising policies of that platform in addition to the commitments above, and we select only partners willing to meet our brand-safety and no-targeting requirements for children's content.
10. AI and Content Indexing
The Brain Bus uses AI tools in parts of our production process (for example, scripting assistance and voice synthesis), and every episode is reviewed by a human before publication. Separately, our publicly available episode pages and transcripts may be indexed by search engines and, in a controlled way, by AI search and discovery crawlers, to help families find our content — premium subscriber-only transcripts are excluded from this. None of this involves your personal information or your child's personal information: it relates only to our own published show content, never to your account, your child's profile, or your listening data.
11. Data Retention Policy
We keep personal information only for as long as we have a genuine, documented purpose for holding it, and we delete it once that purpose has been served, except where we're legally required to retain it for longer (for example, financial records under Australian tax law).
| Information Category | Purpose of Collection | Business Need for Retention | Retention Timeframe |
|---|---|---|---|
| Parent/guardian account data (email, name) | Operating the account and subscription | Required to provide ongoing access to the service and respond to support requests | Retained while the account is active; deleted within 30 days of a verified account deletion request |
| Child's first name / age band (provided by parent) | Personalising the parent's dashboard | Required only while the associated account is active | Deleted immediately upon deletion of the parent account, or upon the parent's specific request to remove it, whichever is sooner |
| Billing/subscription records | Processing payment, managing subscription status | Required for accounting, tax, and dispute-resolution purposes | Retained for 7 years after the relevant transaction, consistent with Australian tax record-keeping obligations, then deleted |
| Marketing email list data | Sending opted-in newsletters and announcements | Required only while you remain subscribed | Deleted within 30 days of unsubscribing or withdrawing consent |
| Website analytics data (Plausible) | Understanding aggregate traffic trends | No individual record is created or retained — aggregated, non-identifying data only | Rotating anonymised identifiers are discarded every 24 hours; no personal data is ever stored |
| Bot-protection signals (Cloudflare Turnstile) | Preventing spam and automated abuse of forms | Processed transiently for the single purpose of the form submission | Not retained by us; governed by Cloudflare's own short-term retention for security purposes |
| Server/security logs | Security monitoring, troubleshooting, abuse prevention | Required for a limited window to investigate incidents | Retained for a limited period (typically 30–90 days) and then automatically deleted |
| Customer support correspondence | Responding to and resolving your enquiry | Required to track and resolve the issue, and for quality purposes | Retained for up to 2 years, then deleted |
We do not retain any category of children's personal information indefinitely, and we do not retain it for any purpose beyond those listed above.
12. Data Security
We take a layered, defence-in-depth approach to protecting the information described in this Policy:
- All traffic to and from thebrainbus.fm is encrypted in transit (HTTPS/TLS).
- Authentication sessions use secure, httpOnly cookies rather than browser local storage, reducing exposure to cross-site scripting attacks.
- Database access is governed by row-level security policies, meaning a parent's account can only ever access their own data — never another family's.
- Private podcast feed URLs are treated as credentials: they are never logged in full, never exposed in error messages, and can be regenerated by a parent at any time if they suspect a URL has been shared or compromised.
- We do not store full payment card details — that responsibility sits with our PCI-DSS-certified payment processor, Stripe.
- We maintain an internal information security program addressing the safeguards described in this section, appropriate to the size and sensitivity of the information we hold.
- In the event that any system holding parent account data or child profile information were to be compromised, we have a breach-notification procedure in place (see Section 21).
No system can be guaranteed 100% secure, and we encourage parents to use a strong, unique password for their account and to contact us immediately at hello@thebrainbus.fm if they believe their account has been compromised.
13. Children's Privacy — Detailed Notice (COPPA)
This section provides the detailed notice required under the US Children's Online Privacy Protection Act (COPPA) and its implementing Rule (16 CFR Part 312), as amended effective 23 June 2025 with full compliance required from 22 April 2026.
Are we subject to COPPA?
Our content is directed to children under 13, which generally brings us within scope of COPPA's requirements regardless of where in the world The Brain Bus is based, because our audience includes families in the United States. We have designed our service so that the parent or guardian — not the child — is the one who creates an account, provides any information, and authorises any purchase, which substantially limits the information we ever collect "from a child" in the legal sense.
What we collect from, or about, a child.
As described in Section 4.2, the only information about a child that ever enters our systems is an optional first name and an age band, and this is provided by the parent, not the child. We do not collect a child's email address, persistent identifier, geolocation, photograph, or any audio recording of a child's voice.
How we obtain parental consent.
Before any account is created or any child information is entered, the parent or guardian must affirmatively confirm, via a checkbox at sign-up, that they are the parent or guardian of any child whose information they add, and must verify their email address. For paid subscriptions, the requirement to provide a valid payment method tied to an adult-held financial account provides an additional, practical check that the account holder is an adult. Our sign-up consent mechanism is consistent with the methods recognised under 16 CFR § 312.5(b).
Categories of third parties and purpose of disclosure.
As set out in Section 6, the only third parties who ever receive any information connected to a child's profile are Supabase (which stores it as part of our database) and, indirectly, Castos (which receives the parent's email and name — never the child's name — to issue private feed access). No information about a child is disclosed to any advertiser, data broker, or analytics company, and we do not disclose children's personal information to any third party for behavioural or targeted advertising purposes.
Parental rights under COPPA.
As a parent or guardian, you have the right at any time to:
- Review the personal information we have collected about your child;
- Request that we delete your child's information;
- Refuse to permit our further collection or use of your child's information; and
- Withdraw your consent for the future collection of your child's information, with the understanding that we may then need to deactivate the relevant feature or account.
To exercise any of these rights, contact us at hello@thebrainbus.fm — see Section 19 for how this works in practice.
Data retention.
Our data retention policy for children's personal information is set out in full in Section 11 above: we collect a child's first name and age band only to personalise the parent's dashboard, we have no business need to retain it once the associated account is closed, and we delete it within 30 days of account deletion or immediately upon a parent's specific request, whichever comes first.
Voice recordings and persistent identifiers.
We do not collect, and have no feature that would collect, audio recordings of a child's voice. We do not use persistent identifiers to track a child across sessions, devices, or services for any purpose other than the strictly necessary session authentication of the parent's own account.
14. Your Rights — Australia
We handle personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). Under the APPs, you have the right to:
- Know what personal information we hold about you and why (APP 1);
- Access the personal information we hold about you (APP 12);
- Request correction of any personal information that is inaccurate, out of date, or incomplete (APP 13);
- Make a complaint if you believe we've mishandled your personal information; and
- Be told, on request, the countries in which any overseas recipients of your information are likely to be located (APP 8).
If you have a complaint, please contact us first at hello@thebrainbus.fm so we can try to resolve it directly. If you're not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
A note on what's coming. The OAIC is currently developing a binding Children's Online Privacy Code under the Privacy and Other Legislation Amendment Act 2024, expected to be registered by 10 December 2026 (with a commencement date to be confirmed). We are tracking this development and will update our practices and this Policy as the final Code, and its commencement timeline, become clear.
15. Your Rights — United States
In addition to the COPPA-specific rights described in Section 13, residents of certain US states may have additional rights under state privacy laws (such as the right to know, delete, or opt out of the sale of personal information). As stated throughout this Policy, we do not sell personal information, and we do not use it for cross-context behavioural advertising. To exercise any applicable state-law rights, contact us at hello@thebrainbus.fm.
16. Your Rights — European Union / EEA
If you are located in the European Union or European Economic Area, we process your personal information in accordance with the General Data Protection Regulation (GDPR). Our legal bases for processing are: performance of a contract (to provide the account/subscription you've requested), consent (for marketing communications), and legitimate interests (for fraud prevention and basic website analytics, which we've designed to be as privacy-preserving as possible).
Where a child in the EU/EEA is concerned, we rely on the consent of the parent or guardian, consistent with Article 8 GDPR, rather than seeking consent from the child directly.
You have the right to access, correct, delete, restrict, or port your personal information, to object to certain processing, and to withdraw consent at any time. You also have the right to lodge a complaint with your local data protection authority. To exercise any of these rights, contact us at hello@thebrainbus.fm.
17. Your Rights — United Kingdom
If you are located in the United Kingdom, the rights described in Section 16 apply equally under the UK GDPR and the Data Protection Act 2018, enforced by the UK Information Commissioner's Office (ICO).
Because our content is likely to be accessed by children in the UK, we aim to align our practices with the standards of the ICO's Age Appropriate Design Code (the "Children's Code"), including: applying the highest privacy settings by default, collecting and retaining only the minimum information necessary, avoiding techniques that encourage users to provide more information or weaken their privacy protections, and switching off precise geolocation by default (we do not collect it at all). You may lodge a complaint with the ICO at ico.org.uk.
18. Your Rights — Canada and New Zealand
If you are located in Canada, we handle your personal information consistent with the principles of the Personal Information Protection and Electronic Documents Act (PIPEDA). If you are located in New Zealand, we handle your personal information consistent with the New Zealand Privacy Act 2020. In both cases, the rights described in Section 14 (access, correction, and complaint) apply in substance, and you can reach us at hello@thebrainbus.fm to exercise them.
19. How to Exercise Your Rights
Whichever jurisdiction you're in, the process is the same:
- Email hello@thebrainbus.fm with your request — whether that's to access, correct, or delete your information (or your child's), to withdraw consent, or to unsubscribe from marketing emails.
- We will verify that the request is coming from the account holder (the parent/guardian), to make sure we're not handing out — or deleting — the wrong family's information.
- For account and full data deletion requests, we will action this within 30 days, cancelling any active subscription first and informing you that, while we delete your account data, Stripe may retain payment records for the period required by law (see Section 11).
- We will confirm in writing once your request has been completed.
There is no charge for exercising any of these rights.
20. Listening on Spotify, Apple, YouTube and Other Platforms
If your family listens to our free, publicly distributed episodes through a third-party app or platform — Spotify, Apple Podcasts, YouTube, Amazon Music, or any other directory — that platform's own privacy policy and terms govern any information it collects about your listening activity, app account, or device. We do not control, and this Policy does not cover, those platforms' data practices. We encourage you to review the privacy policy of whichever app or platform your family uses to listen. The aggregate listening data those platforms share back with us (download counts, episode completion rates, and similar metrics) is anonymised and not tied to any individual listener's identity.
21. Data Breach Notification
If we experience a data breach involving personal information, we will respond in line with our obligations in each relevant jurisdiction:
- Australia: we will assess whether the breach is an "eligible data breach" under the Notifiable Data Breaches scheme and, if so, notify affected individuals and the OAIC as required.
- United States / COPPA: if a breach involves children's personal information, we will notify affected parents without unreasonable delay, and the FTC where required.
- EU/UK GDPR: where applicable, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, and affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
We maintain an internal breach-response procedure so that, if this situation ever arises, we're acting from a plan rather than improvising under pressure.
22. Changes to This Policy
We may update this Policy from time to time — to reflect a new feature, a new service provider, or a change in the law (such as the Australian Children's Online Privacy Code once it is finalised). If we make a material change, we will update the "Effective date" at the top of this Policy and, where the change affects how we handle children's personal information or significantly affects your rights, we will take reasonable steps to notify account holders directly (for example, by email) before the change takes effect.
23. Contact Us
If you have any question about this Policy, or about how The Brain Bus handles your family's information, please contact us:
Email: hello@thebrainbus.fm
Operator: The Brain Bus, Australia
Effective date: 17 June 2026