Gakuto ("we," "us," or "our") is committed to protecting the privacy and security of the personal data of our users, including Centre Administrators, Tutors, Parents, and Students. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with our platform ("Platform").
1. Data Controller vs. Data Processor
Under applicable data protection laws, including the Singapore Personal Data Protection Act (PDPA) and the General Data Protection Regulation (GDPR) where applicable:
- Data Controller: The educational institution or tuition centre ("Centre") using Gakuto is the Data Controller. The Centre is responsible for obtaining consent from Parents/Students to collect and process their data.
- Data Processor: Gakuto acts as a Data Processor, processing personal data solely on behalf of and according to the instructions of the Centre.
2. Data We Collect
We collect and process the following categories of data:
- Account Information: Names, email addresses, phone numbers, and encrypted passwords of Centre Administrators and Tutors.
- Student & Parent Data: Student names, parent contact information (emails, phone numbers), enrollment dates, and sibling relationships, as entered by the Centre.
- Academic Data: Test scores, attendance records, behavioral logs, and AI-generated progress reports.
- System Data: IP addresses, browser types, session activity, and audit logs tracking actions performed within the Platform for security purposes.
- Billing Information: Subscription and payment details processed securely by our third-party payment provider (Stripe). Gakuto does not store complete credit card numbers.
3. How We Use Data
We use the collected data exclusively to:
- Provide, operate, and maintain the Gakuto Platform.
- Authenticate users and enforce role-based access control (RBAC).
- Facilitate communication between the Centre, Tutors, and Parents.
- Generate academic insights and reports using secure third-party Artificial Intelligence models.
- Monitor security, prevent fraud, and maintain compliance through audit logging.
4. Third-Party Data Sub-Processors
To provide our services, we utilize trusted third-party infrastructure providers ("Sub-Processors"). These include:
- Supabase: For secure PostgreSQL database hosting and user authentication.
- Vercel: For secure application hosting and edge routing.
- Stripe: For secure payment processing.
- Google (Gemini) / OpenAI: For AI-assisted report generation. Note: Data sent to these APIs is strictly scoped to the immediate request and is not used to train their public foundation models.
5. Data Security Measures
We implement stringent technical and organizational measures to protect your data, including:
- Encryption: All data is encrypted in transit (using TLS/SSL) and at rest (using AES-256 encryption via Supabase).
- Access Controls: Strict Row-Level Security (RLS) policies ensure data isolation between different Centres (multi-tenant architecture).
- Auditing: Immutable audit logs track critical administrative actions.
6. Data Retention and Deletion
We retain personal data only for as long as the Centre maintains an active subscription or as required by law. Upon termination of a Centre's account, all associated Student, Parent, and Academic data is permanently deleted from our active databases within thirty (30) days. Backups are rotated and purged automatically according to our backup retention schedule.
7. User Rights
Subject to your jurisdiction (e.g., under PDPA or GDPR), you may have the right to access, correct, or request deletion of your personal data. Because Gakuto acts as a Data Processor, Parents and Students must direct all such requests to their respective Centre (the Data Controller). We will assist the Centre in fulfilling these requests.
8. Contact Us
For questions or concerns regarding this Privacy Policy or our data practices, please contact our Data Protection Officer at privacy@gakuto.app.