Privacy Policy

Effective Date: November 20, 2024

Geneva Projects Sdn. Bhd. ("Edventure+", "we", "our", or "us") values your privacy and is committed to protecting your personal data.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information in accordance with the Personal Data Protection Act 2010 (PDPA Malaysia) and applicable international privacy laws.

SCOPE OF THIS POLICY

This Privacy Policy applies to:

• Edventure+ website (edventure.plus)
• Edventure+ iOS mobile application
• Edventure+ Android mobile application

Please note: Some third-party services listed below are used only on our website and are NOT integrated into our mobile applications. Platform-specific details are noted where applicable.

1. Data User / Controller Information

Data User (Controller):
Geneva Projects Sdn. Bhd.
Company Registration No: 201101007458 (935596-P)
Registered Address: #20, Menara KH, Malaysia
Email: hello@edventure.plus
Data Protection Officer (DPO): hello@edventure.plus

This entity is responsible for the collection, processing, and protection of your personal data.

2. Information We Collect

We collect only the information necessary to provide and improve your learning experience:

PARENT/GUARDIAN ACCOUNT DATA:

• Full name and email address
• Phone number (optional - for WhatsApp/SMS authentication)
• Profile photo (optional - from device camera/library)
• Malaysian state (for localized content)
• Billing information (processed securely via Stripe)
• Subscription status (free or premium)

STUDENT PROFILE DATA (Parent-Managed):

• Student name(s) or nickname
• Date of birth / Age (3-25 years)
• Grade level (Darjah 1-6 for primary, Tingkatan 1-5 for secondary, corresponding to Malaysian KSSR/KSSM curriculum standards)
• School information (optional)
• EdTag username (optional - anonymized identifier for leaderboards)

EDUCATIONAL PROGRESS DATA:

• Exam scores and quiz results
• Subject-specific performance (Matematik, Bahasa Melayu, Bahasa Inggeris, Sains, and Sejarah)
• Study streaks and learning patterns
• Practice session history
• Progress analytics for parent dashboard

DEVICE/TECHNICAL DATA:

• Device type (iOS/Android)
• Operating system version
• App version
• Push notification tokens (for study reminders)
• App interaction events (for feature improvement)
• Session information

USAGE DATA (Internal Analytics Only - Mobile Apps):

• Interactions with the platform (mobile apps only)
• Time spent on learning activities
• Learning progress and preferences
• Stored in our own Supabase database (not shared with third-party analytics companies)

WEBSITE ANALYTICS DATA (Website Only):

• Anonymous page views and session duration (Google Analytics)
• Anonymous conversion tracking (Meta/Facebook Pixel - no personal identifiers)

AUTHENTICATION DATA:

• Login credentials (email/password or Google OAuth)
• Authentication tokens (stored securely in iOS Keychain for mobile apps)
• Login session history

3. How We Use Your Information

We process your data only for legitimate and disclosed purposes:

• To provide and improve the Edventure+ platform
• To personalize learning paths and recommendations
• To enable adaptive quiz difficulty based on performance
• To track educational progress for parent dashboard
• To send study reminders and achievement notifications (mobile apps)
• To process subscription payments (via Stripe)
• To communicate updates and respond to support queries
• To maintain security and prevent unauthorized access
• To improve platform features through internal usage analysis

We do not process personal data beyond what is necessary for these purposes.

4. Basis of Processing & User Consent

By creating an account or using Edventure+, you consent to the collection, use, and processing of your personal data as described in this Privacy Policy.

You may withdraw your consent at any time by contacting hello@edventure.plus. However, withdrawal of consent may limit your ability to use some platform features.

5. Sharing Your Information

We do not sell your data.

We share limited data with trusted service providers for essential platform operation:

USED IN MOBILE APPS & WEBSITE:

• Supabase (supabase.com/privacy)
  • Purpose: Database hosting, user authentication, backend APIs
  • Data shared: User profiles, student data, exam results, progress tracking
  • Storage location: Singapore (Southeast Asia region)
• Stripe (stripe.com/privacy)
  • Purpose: Subscription payment processing (RM28/month, RM280/year)
  • Data shared: Billing information (processed securely via Stripe Checkout)
  • Storage location: Stripe's secure global infrastructure
• Expo Push Notifications (expo.dev/privacy)
  • Purpose: Study reminders and achievement notifications (mobile apps only)
  • Data shared: Push notification tokens, user ID
  • Storage location: Expo's notification service infrastructure
• Google OAuth (policies.google.com/privacy)
  • Purpose: Optional "Sign in with Google" authentication
  • Data shared: Name, email address, profile photo (only if user chooses Google sign-in)
  • Storage location: Google's authentication infrastructure

USED ON WEBSITE ONLY (NOT in mobile apps):

• Google Analytics (policies.google.com/privacy)
  • Purpose: Anonymized website usage statistics
  • Data shared: Anonymized page views, session duration, bounce rates
  • Storage location: Google's analytics infrastructure
  • Note: NOT integrated into iOS or Android mobile applications
• Meta/Facebook Pixel (facebook.com/privacy)
  • Purpose: Website marketing analytics for ad campaign optimization
  • Data shared: Anonymized conversion tracking (no personal identifiers shared)
  • Storage location: Meta's advertising infrastructure
  • Note: NOT integrated into iOS or Android mobile applications
• Netlify (netlify.com/privacy)
  • Purpose: Website hosting and delivery
  • Data shared: Website access logs (IP addresses, timestamps)
  • Storage location: Global CDN infrastructure
  • Note: Web hosting only, not applicable to mobile apps

All service providers are used exclusively for platform functionality and are bound by strict confidentiality and data protection obligations. We do not share data for purposes unrelated to our educational service.

6. Cross-Border Data Transfer

Your information may be stored or processed on servers located outside Malaysia (e.g., Singapore, the United States, Europe).

We ensure that such transfers comply with Section 129 PDPA, and are made only:

• To jurisdictions with comparable data protection laws, or
• With your explicit consent, or
• Through contractual safeguards ensuring adequate protection

All third-party service providers listed above maintain international data protection standards and security certifications.

7. Data Retention and Deletion

We retain personal data only as long as necessary to provide our services or comply with legal obligations.

Specifically:

• Active accounts: Retained until account closure is requested
• Inactive accounts (no login for 24 months): Automatically deleted
• Upon verified deletion request: Erased within 30 days
• Educational progress data: Retained for account lifetime or until deletion requested
• Billing records: Retained for 7 years as required by Malaysian tax law

You may request:

• Access to your data
• Correction of inaccurate information
• Deletion or account termination
• Data portability (copy of your data in machine-readable format)

Contact: hello@edventure.plus with subject line "Data Request"

8. Google Sign-In Integration

When you sign in with Google, we access only:

• Your name and profile picture
• Your email address
• Basic account info for authentication

This information is used solely for:

• Creating and maintaining your Edventure+ account
• Authentication and secure sign-in
• Personalized learning experiences
• Communication about your learning progress

We do not access or store any other Google data or services (Gmail, Drive, Calendar, etc.) beyond this authentication scope.

You can revoke Edventure+'s access to your Google account at any time through your Google Account settings (myaccount.google.com/permissions).

9. Children's Privacy Protection

Edventure+ is committed to protecting the privacy of children using our educational platform.

We comply with Malaysia's Personal Data Protection Act 2010 (PDPA) and adopt enhanced standards from COPPA (U.S.), GDPR (EU), and international best practices for child data protection.

9.1 Parental Consent

For users under 18 years old in Malaysia (the age of majority), we require parental/guardian consent before any data collection.

Parents/guardians must:

• Create and manage their child's account
• Review and approve the data collected
• Provide consent during account setup
• Maintain full control over all student data and settings
• Request correction or deletion at any time

Verification is performed through parent-managed email confirmation and secure authentication before account activation. Students cannot create accounts directly without parental involvement.

9.2 Information Collected from Children

We collect only minimal data necessary for educational functionality:

DATA COLLECTED:

• Student name or nickname (parent-provided, can be anonymized)
• EdTag username (optional - anonymized identifier like @star_learner)
• Date of birth / Age (for age-appropriate content)
• Grade level (Darjah 1-6 and Tingkatan 1-5 for Malaysian curriculum alignment)
• Parent/guardian's email address and contact information
• Learning progress and quiz performance data
• Subject-specific scores and achievements
• Study streaks and practice session history
• Basic session and device information (for technical support)

DATA NOT COLLECTED:

• Home addresses or precise geolocation
• Phone numbers from children directly
• Photos or videos of children
• Social security numbers or identification documents
• Financial information from children
• Sensitive personal data unrelated to education

9.3 Use of Children's Data

Children's data is used only for:

• Personalized learning experience based on grade level and performance
• Educational progress tracking for parent dashboard
• Adaptive quiz difficulty to optimize learning outcomes
• Study reminders and achievement notifications (with parental approval)
• Platform security and parental communication
• Improving educational content and curriculum alignment

We do NOT:

• Sell or rent children's data
• Use children's data for behavioral advertising
• Profile children for commercial purposes
• Share children's data with unauthorized third parties
• Track children across other apps or websites

9.4 Third-Party Services & Child Accounts

Third-party services used in our platform are configured for child-compliant operation:

MOBILE APPS (iOS/Android):

• Supabase: Secure database with row-level security for child data protection
• Stripe: Payment processing (parents only - children never see billing)
• Expo: Push notifications (study reminders only, no advertising)
• Google OAuth: Optional authentication (parental approval required)

WEBSITE ONLY (Not in mobile apps):

• Google Analytics: Age-appropriate anonymized analytics, configured to exclude personally identifiable information
• Meta Pixel: Configured for conversion tracking only (no behavioral targeting of children)

All third-party processors:

• Are bound by strict data protection agreements
• Do not use children's data for advertising or marketing
• Maintain security standards compliant with international child protection laws
• Are regularly audited for compliance

9.5 Parental Rights

Parents/guardians have full control and can:

• Review their child's personal data at any time via parent dashboard
• Request data correction or updates
• Request data deletion or account closure
• Prohibit further processing or data collection
• Request a copy of their child's data in portable format
• Control privacy settings and social feature participation
• Monitor all platform activity through the parent dashboard

Submit requests to: hello@edventure.plus with subject line "Child Privacy Request"

We will respond within 14 days and process valid requests within 30 days.

9.6 Data Security for Children

We apply enhanced protection for child accounts:

TECHNICAL SAFEGUARDS:

• All data transmission encrypted via HTTPS/TLS
• Authentication tokens stored in iOS Keychain (mobile apps)
• Row-Level Security (RLS) policies in Supabase database
• Parent-only access controls for sensitive settings
• Secure password requirements and session management

OPERATIONAL SAFEGUARDS:

• Limited internal staff access to children's data (need-to-know basis)
• All staff bound by confidentiality agreements
• Regular security audits and vulnerability assessments
• Incident response procedures for data breaches
• Data backup and recovery systems

PRIVACY BY DESIGN:

• Parental dashboard for oversight and transparency
• Privacy settings default to most protective options
• Optional features (leaderboards, social) require parental approval
• Age-appropriate content filtering
• No direct marketing or communications to children

If we discover data collected from a child without verified parental consent, it will be deleted immediately.

9.7 EdTag Anonymization System

To protect student privacy in social features (leaderboards, competitions):

EDTAG FEATURES:

• Students can create anonymous EdTag usernames (e.g., @star_learner, @math_hero)
• Real names are NEVER displayed in public rankings or leaderboards
• EdTag usernames are optional - students can use the platform entirely in private mode
• Parents control whether their child participates in social features
• EdTag can be changed at any time by parents

PRIVACY BENEFITS:

• Children can compete and learn safely without exposing real identities
• Prevents identification or contact by strangers
• Reduces risk of cyberbullying or unwanted attention
• Aligns with KPM (Ministry of Education) child safety guidelines

Parents can disable all social features in the privacy settings, ensuring their child's learning remains completely private.

10. Data Security

We apply strict administrative, technical, and physical safeguards to protect your personal data:

TECHNICAL MEASURES:

• Encrypted data transmission (HTTPS/TLS 1.3)
• Secure cloud storage with encryption at rest
• Multi-factor authentication options
• Secure token-based authentication (JWT)
• iOS Keychain storage for sensitive data (mobile apps)
• Regular security patches and updates

ADMINISTRATIVE MEASURES:

• Employee confidentiality agreements
• Role-based access controls (least privilege principle)
• Regular staff security training
• Data breach response procedures
• Privacy impact assessments

PHYSICAL MEASURES:

• Secure data center facilities (Supabase, Stripe, AWS-backed)
• Access controls and monitoring
• Redundant backup systems
• Disaster recovery plans

ONGOING PROTECTION:

• Regular vulnerability scanning and penetration testing
• Security audits and compliance reviews
• Monitoring for unauthorized access attempts
• Incident response team on standby

While we implement industry-standard security measures, no system is 100% secure. We continuously monitor and improve our security posture to protect your data.

11. Your Rights Under PDPA

You have the following rights under Malaysian Personal Data Protection Act 2010:

ACCESS RIGHT:

• Obtain a copy of your personal data we hold
• Understand how your data is being processed
• Receive data in machine-readable format (data portability)

CORRECTION RIGHT:

• Update inaccurate or outdated information
• Complete incomplete data
• Request amendments to incorrect records

ERASURE RIGHT (Right to be Forgotten):

• Request deletion when data is no longer needed
• Withdraw consent for data processing
• Request removal of child accounts

WITHDRAWAL OF CONSENT:

• Stop specific data processing activities
• Opt-out of marketing communications (if any)
• Disable optional features (push notifications, social features)

COMPLAINT RIGHT:

• Lodge a complaint with our Data Protection Officer
• Escalate to the Malaysian Department of Personal Data Protection (JPDP)
• Seek legal remedies for privacy violations

RESTRICTION RIGHT:

• Limit processing of your data while disputes are resolved
• Object to processing for specific purposes

To exercise these rights, contact our DPO at:

Email: hello@edventure.plus
Subject line: "PDPA Rights Request"

We will respond within 14 days and fulfill valid requests within 30 days (or as required by law).

12. Updates to This Policy

We may update this Privacy Policy periodically to reflect:

• Changes in our data practices
• New features or services
• Legal or regulatory requirements
• Industry best practices

NOTIFICATION OF CHANGES:

• Significant changes will be notified through the platform (in-app notification)
• Email notification to registered parent/guardian accounts
• Updated "Effective Date" at the top of this policy
• Change history available upon request

Your continued use of Edventure+ after such notice constitutes your acceptance of the updated terms. If you do not agree with changes, you may close your account by contacting hello@edventure.plus.

13. Contact Us

For any privacy-related questions, concerns, or requests:

Email: hello@edventure.plus
Subject line: "Privacy Inquiry"

Data Protection Officer: hello@edventure.plus
Company: Geneva Projects Sdn. Bhd.
Registration: 201101007458 (935596-P)
Address: #20, Menara KH, Malaysia

We aim to respond to all inquiries within 14 business days.

14. Bahasa Melayu Version

Versi Bahasa Melayu Polisi Privasi ini tersedia di:
https://edventure.plus/privacy-bm.html

(Nota: Sekiranya terdapat percanggahan antara versi Bahasa Inggeris dan Bahasa Melayu, versi Bahasa Inggeris akan diguna pakai.)