Privacy Policy - Badanamu

KIDSLOOP PRIVACY POLICY

GENERAL

Respecting and protecting our users’ privacy and Personal Data is important to Kidsloop Limited and its related companies (including subsidiaries, affiliates, holding companies and companies held in common control) (collectively, we or us, Kidsloop or Kidsloop Group or Licensor). This Privacy Policy is intended to help users understand how we collect, use and safeguard Personal Data in our interactions with users on platform(s) owned and operated by us listed on the KIDSLOOP PLATFORM LIST page as a data controller / data user (collectively, our Platform(s)) and /or on platform(s) operated by our Partners (Partner Platform(s)) as a data processor.

Partner(s), Licensee(s) or Sub-Licensee(s)) means an entity which has entered into a business partnership agreement with a Kidsloop Group company (Partnership Agreement) which may include a licence and/or sub-licence of the Platform(s) and a data processor agreement (where we act as a data processor on behalf of that Partner, terms of which are set out in the (Data Processor Agreement) page).

This Policy also describes the data protection rights we respect, including a right to object to some of the processing which we carry out. More information about data protection rights, and how to exercise them, is set out in the section WHAT RIGHTS DO USERS HAVE?

WHAT INFORMATION DO WE COLLECT?

We collect and process Personal Data about users on our Platform(s) (subject to this Privacy Policy) and/or process data about users on Partner Platform(s) (subject to that Partner’s Privacy policy, our User Policy and the Data Processor Agreement if applicable) who:

- visit and/or register and use the Platform (s) or Partner Platform(s);

- use services we provide on the Platform(s) or Partner Platform(s);

- use third-party services offered by service providers such as analytics companies, advertising networks and any other third party service providers that we choose to collaborate or work with in order to deliver our services such as public cloud services, data centres and SaaS providers

- provide us with Personal Data via: our Partners/social media platforms/networks or telephone enquiries, application for or use of our services on the Platform(s) or our Partner Platform(s); and

- attend live and/or online classes or other educational events during which image/voice is captured by photography and/or video or sound recording on our Platform(s) or Partner Platform(s).

When we directly collect Personal Data from you, we will let you know at that time whether the information requested is mandatory for us to fulfill the purposes set out in this Privacy Policy. If you do not provide us with such mandatory Personal Data, then we may not be able to provide you with certain services.

In this Privacy Policy:

Personal Data means any information that is recorded, electronically or otherwise, that can be used alone or in combination with other information to identify a natural person or reflect the activity of an identifiable natural person including without limitation: contact information, name, image, voice, email address, contact number, technical data; contact details of children, parents, guardians, teachers; Payment information (credit/debit card and other payment information), identity data (gender, date of birth, age, interests, reasons for participation, financial information, preferences, geographical location; communication (messages between users, discussions, comments to posts, notifications; user profile data including course material (assessments, assessment results and grades); user calendar entries and event data; user generated documents, presentations, images, homework and tasks; Platform(s) usage (including browsing behavior / activities); sensitive data such as physiological data in images or video or sound recordings captured by photography, video and/or sound recordings at our events or Partner events and other Personal Data users provide to us; and

Partner user means a Partner(s)’ employees (including teachers, administrators, lecturers, mentors and other)s, a Partner(s) other employees and contractors, and any other user authorised by the Partner who transmits Personal Data via the Partner Platform, including children, parents or guardians.

HOW DO WE USE THIS INFORMATION AND WHAT IS THE LEGAL BASIS FOR ITS USE

We process Personal Data for the following purposes and pursuant to the following legal bases (where applicable under relevant laws):

To operate our business and pursue legitimate interests, in particular:

- To perform our agreements to provide services to users on the Kidsloop Platform(s) and Partner Platform(s) by: providing educational materials, templates, and reports, animating and digitizing content, enhancing the user experience of our services, improving educational materials, content and learning outcomes using feedback from users and intelligence we generate from user behaviors, the consequences of those actions and observed learning patterns (Derivative Data) in order to deliver personalized lesson plans and reports on our Platform(s) and Partner Platform(s) and to do so in certain instances automated decisions are taken;

- To monitor use of Kidsloop Platform(s) and Partner Platform(s), our services (both online and offline) and employ user information to help us monitor, improve and protect our products, content and services on Kidsloop Platform (s) or Partner Platform(s), (both online and offline);

- To analyse trends, usage, user behavior and to predict behaviors (whether on an individualized, anonymized or aggregated basis), to help us better understand how individual users and our collective user base access use of content and services, on Kidsloop Platform(s) or Partner Platform(s) when necessary for the purposes of performing our contracts to:

- improve our services;

- respond to user and Partner requests, feedback and preferences;

- provide reports on learning outcomes and performance of users for our own use and for our use by our Partners;

- measure the effectiveness of our content and/or content provided by our Partners and animation of that content;

- measure the effectiveness of our analysis and feedback to users and our Partners from Derivative Data that we generate from the behavior patterns, learning outcomes and performance of users and course or content patterns and layout;

- measure the effectiveness of live and virtual classes and other educational events;

- conduct marketing demonstrations targeted at potential partners (on an aggregated and anonymized basis only);

- provide our Partners with support, gathering feedback and responding to questions from users of our product and services or our Partners or the general public;

- assess and recruit candidates for open positions with Kidsloop Group companies;

- manage third party developers that we have engaged; and

- crowdsource data analytics and hackathon activities (on an aggregated and anonymized basis only) and any data captured in AB testing for personalisation of our services to users.

When users give us consent (if required) by opt in:

- To provide direct marketing communications in relation to products, services, events, offers or promotions under the categories stated below, provided by: (a) us or other Kidsloop Group companies, (b) Partners, and (c) other third party providers, such marketing communications may be in various forms, including advertisements, special events notifications or newsletters, and delivered via various methods (in accordance with the consent for use of Personal Data that you provide to us), such as by, email, SMS, WhatsApp, WeChat messages, smartphone app push notifications, notifications on your social media pages, completion of Google forms, in–app messaging or postal mail.

Such marketing communications may market or offer products or services (including special events and promotions) in the following categories: educational services, social networking services, payment services, on-line advertising services, other e-commerce, information and communications and services and other products and services related to any of the foregoing, which we think may be relevant to users and/or Partners based on information provided to us (for instance, via user participation in our user surveys); and

- To allow users to register for our services and participate in our trials, tests, demonstrations, events, courses and promotions, including verifying their identity at those events and promotions.

For purposes which are required by law:

- In response to requests by government or law enforcement authorities conducting an investigation.

RELYING ON LEGITIMATE INTERESTS

We have carried out an assessment on all the data processing activities described above in order to weigh up any privacy implications against our legitimate business interests. Users can obtain information on any of our assessments by contacting us using the details set out in the section Security Measures.

INFORMATION COLLECTED FROM CHILDREN/YOUNG PERSON

We will only collect personal data from users under the age of 20 with the consent of the parent/guardian of that user.

The Platforms, websites and mobile applications can be accessed by minors below the age of 20 only with the consent of parents/guardian and by further usage users are acknowledging that they have guardian/parental consent.

Please note that if we are made aware that we have collected Personal Data from anyone under the age of 20 without verification of guardian/parental consent, we will take steps to remove that information from our servers within 24 hours.

WITHDRAWING CONSENT OR OTHERWISE OBJECTING TO DIRECT MARKETING

Wherever we require user or Partner consent under applicable law, the user or Partner will always be able to withdraw any consent provided to us. We shall cease to use or process Personal Data for the purpose in respect of which the user or Partner has withdrawn their consent, but we may still use, process, store and transfer such data for other purposes, such as those set out above, to the extent allowed under applicable laws. Specifically, in the case of users or Partners from the European Economic Area (EEA) and the United Kingdom, we might be able to send direct marketing without their consent, where we rely on our or a third party's legitimate interests. Irrespective of the legal basis on which we rely to send direct marketing, users and Partners have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. They can do this by contacting us using the details in the section below How to get in touch with us.

WHO WILL WE SHARE USER DATA WITH, WHERE AND WHEN?

We may share user or Partner Personal Data with the related companies of Kidsloop Limited located within or outside the jurisdiction of operation of the Platform(s) for the purposes set out in How do we use this information, and what is the legal basis for this use? section above. However, where required under applicable law, we will not provide such Personal Data to any related companies of Kidsloop Limited in order for them to send you direct marketing communications regarding their own products and services, unless we obtain your prior consent.

Personal Data may be shared with government authorities and/or law enforcement officials if required for the purposes set out in How do we use this information, and what is the legal basis for this use? section above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws.

Personal Data will also be shared with third party service providers located within the jurisdiction of operation of the relevant Platform, who will process it on our behalf for the purposes identified in this Privacy Policy. In particular, we use sub processors on the Sub-Processor List page and the following third party service providers:

- E-mail/SMS/MMS/WeChat/WhatsApp blasting service providers;

- Data storage and cloud service providers (for storage of Personal Data and hosting of applications that process Personal Data for the purposes identified in this policy);

- Google, Facebook, Instagram, Linked In and other networks (for matching of Personal Data with their database in order to send users our direct marketing materials through their Google, Facebook and/or Linked In account(s));

- Marketing (including digital marketing) and analytic agencies (for display of advertising materials on our Platform(s) and other platforms that users may visit, and analysis of user online behaviour and usage of our Platform(s) – these agencies use cookies; please refer to our separate Cookies Policy for details); and

-Data analytics, AB testing, hackathon service providers and agencies (for the purposes stated in section above How do we use this information, and what is the legal basis for this use?

Derivative Data collected on the Platform(s) or Partner Platform(s) and stored separately from Personal Data will be used to generate intelligence delivered as part of our services.

In the event, that our business or any part of it is sold or integrated with another business, or the shares in Kidsloop Group companies are sold in private or public share offerings, user and Partner(s) Personal Data will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business or shares.

User Personal Data may be transferred to or from jurisdictions in which Kidsloop has operating subsidiaries or Partner(s) subject to applicable laws.

WHAT RIGHTS DO USERS HAVE?

Where permitted by law, users of the Platform(s) have the right to ask us for a copy of their Personal Data; to correct, delete or restrict (stop any active) processing of their Personal Data; and to obtain their Personal Data in a structured, machine-readable format, and to ask us to share (port) this data to another controller.

HOW TO GET IN TOUCH WITH US

We hope that we can satisfy queries users of the Platform(s) may have about the way we process data. If users have any concerns about how we process data, or would like to opt out of direct marketing or request access to or correct their Personal Data, they can get in touch by: (a) contacting our Data Privacy Officer (DPO) at [email protected] – details are of the name and address of the DPO are available at Kidsloop Data Privacy Officer;

or (b) sending their request by post to; Data Protection Assurance Office, Kidsloop (UK) Limited, Fora - Spitalfields, 35-41 Folgate St, London E1 6BX, United Kingdom.

WHO IS THE DATA CONTROLLER / DATA USER

The data controllers / data users in respect of the Personal Data of users of the Kidsloop Platform(s) are the Kidsloop Group companies. The contact details for the respective privacy officers of each Kidsloop Group company can be found in the section above How to get in touch with us . The data controller / data user of any Personal Data collected on a Partner Platform(s) is the Partner and we may also act as joint controller with our Partner(s) and/or process user data as a data processor on behalf of the Partner to provide services on Partner Platform(s) subject to our User Policy.

HOW LONG WILL WE KEEP USER DATA?

Where we process registration data, we will retain your data for a minimum of 7 years or for as long as needed for the purpose of collection or as long as users are active on Kidsloop Platform(s) or Partner Platform(s) and provided it is required for business and legitimate interests or legal requirement.

Where we process data in connection with a Partnership Agreement and Data Processor Agreement, we do not keep users’ Personal Data if they are no longer a registered user on the Partner’s Platform(s) or if we are no longer in partnership with that Partner. An identifier via controlled encryption key to user Personal Data in Derivative Data (which we will retain) will be broken to protect the privacy of users’ Personal Data if they are no longer a user on the Partner Platform(s) or we are no longer in partnership with that Partner.

Where we process Personal Data for marketing purposes or with user consent, we process the data for as long we have the user's valid consent, or until the user asks us to stop and for a short period after this (to allow us to implement their requests). We also keep a record of the fact that the user has asked us not to send them direct marketing or to process their data so that we can respect their request in the future.

Derivative Data is aggregated data collected by Kidsloop from operational data collected on its Platform(s) or Partner Platform(s) from user behaviors in respect of the Platform(s) and/or content held on the Platform(s). It is used in anonymized form to deliver and improve services on the Platform(s) and may be sold or licensed to other third parties. It is also used in form which cannot be anonymized whilst the User holds a Distribution Account on the Platform(s) and/or the licence agreement between the Licensor and the Licensee and/or Sub-Licensee is in force, to personalise the user and Partner experience. Derivative Data which cannot be anonymised is not shared with any third parties. Kidsloop owns and will retain all right title and interest in or to any Derivative Data in anonymized form.

We will keep the images captured by our analytics cameras or cameras operated by our Partners only for as long as the retention of such images is necessary for the authorized purposes detailed in How do we use this information, and what is the legal basis for this use? section above.

PHOTOGRAPHY POLICY

We or our Partners may take photographs and/or video recordings of users in live classes and make recordings of virtual classes or other school events for authorized purposes detailed in How do we use this information, and what is the legal basis for this use? section above. By participation in these events and acceptance of this Privacy Policy users agree to publication of these images and/or videos and sound recordings on Kidsloop Platform(s) or Partner Platform(s) for delivery of our products and services. We do not permit unauthorised photography, sound and/or video recording for any other commercial use, private gain, use in press or media, or for promotional purposes in live classes or recording of virtual classes or other school events.

APPLICABLE LOCAL LAWS FOR VISITORS FROM:

BRAZIL

USERS UNDER 18 YEARS OF AGE

Any user who is under the age of 18 must obtain consent from his or her parents or guardian before providing any Personal Data to us – see INFORMATION COLLECTED FROM CHILDREN/YOUNG PERSON.

WHAT RIGHTS DO USERS HAVE?

Users of the Platform(s) or Partner Platform (s) located in Brazil can:

Request confirmation on whether we process their Personal Data.

Request access to their Personal Data.

Request rectification of the Personal Data that we hold about them.

Request erasure or anonymization of their Personal Data. This enables them to ask us to delete or remove Personal Data where they have withdrawn their consent or where we are processing unnecessary or excessive Personal Data or even where we are processing their Personal Data in violation of the LGPD.

Object to processing of their Personal Data where we are processing their Personal Data in violation of the LGPD.

Request processing restrictions on their Personal Data where we are processing unnecessary or excessive Personal Data or even where we are processing their Personal Data in violation of the LGPD.

Request information on the public and private entities with or from whom we share their Personal Data.

Request the transfer of their Personal Data to another party.

Review of any decision issued through the use of artificial intelligence based on their personal data that is considered to have an impact on their interests.

Request clear and adequate information on the criteria and procedures used in any decision issued through the use of artificial intelligence based on their personal data that is considered to have an impact on their interests.

These rights may be limited, for example if fulfilling their request would reveal Personal Data about another person, where they would infringe the rights of a third party (including our rights) or if a user of the Platform(s) asks us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are available under applicable laws. We will inform users of relevant exemptions we rely upon when responding to any request they make.

To exercise any of these rights, or to obtain other information, such as a copy of a legitimate interests’ assessment, users can get in touch with our Data Protection Officer using the details set out in the section Kidsloop Data Privacy Officer above. If users have unresolved concerns, they have the right to complain to the Brazilian Data Protection Authority (ANPD).

CALIFORNIA

CALIFORNIA CONSUMER PRIVACY POLICY (GENERAL)

Notice for California Residents

Effective date: November 2021; Last updated: November 2021

The California Consumer Privacy Act (CCPA) provides consumers who are California residents with certain rights to their Personal Data. This section explains those rights. If you are a website visitor who is a California consumer and would like to exercise any of those rights, please see information listed below.

For purposes of this Notice, a "California consumer" is a natural person who resides in California.

This Statement describes the categories of Personal Data we collect and may have collected in the preceding 12 months, as well as the sources from which the Personal Data is collected, the purposes for the collection or use of the Personal Data, and the third parties with whom we may have shared the Personal Data.

WHAT INFORMATION DO WE COLLECT?

We are required to disclose to users the categories and sources of Personal Data we collect from them within the previous 12 months. Please refer to the sections What information do we Collect? and How do we use this information, and what is the legal basis for its use? for details on the Personal Data we collect.

WHO WILL WE SHARE USER DATA WITH, WHERE AND WHEN?

Sharing Personal Data/Do not sell my Personal Data

We may disclose user Personal Data to third parties for a variety of business purposes. Please refer to the Who will we share this data with, where and when? section for details.

We do not sell users’ Personal Data to non-affiliated third parties for their own marketing and advertising or other business purposes without your consent. In addition, Kidsloop has not sold users’ Personal Data to non-affiliated third parties in the last 12 months. If a user is entitled to any disclosure rights in their jurisdiction regarding our sale of their personal information to non-affiliated third parties or our disclosure of their personal information to third parties for their own direct marketing purposes, this disclosure satisfies those requirements. If a user still wishes to learn more about our compliance with this requirement, they can contact us at the email address found in How to get in touch with us.

Pursuant to California’s “Shine the Light” law, California residents have the right to request certain information regarding our disclosure of Personal Data to third parties for their direct marketing purposes, including the names and addresses of those third parties, and examples of the types of services or products marketed by those third parties. Users may make such a request by using the contact information identified in How to get in touch with us.

Other California User Privacy Rights

Right to Know

Users have the right to request that we disclose certain information about our collection, use of disclosure of their Personal Data over the past 12 months. Upon receipt and confirmation of a verifiable user request, we will disclose:

The categories of Personal Data we collected about the user in the preceding twelve (12) months
The categories of sources from which we collected Personal Data about the user in the preceding twelve (12) months
Our business or commercial purpose for collecting such Personal Data in the preceding twelve (12) months
The categories of third parties with whom we shared such Personal Data in the preceding twelve (12) months
The specific pieces of Personal Data we collected about the user in the preceding twelve (12) months
If we sold or disclosed the user’s Personal Data for a business purpose, two separate lists disclosing the categories of Personal Data involved in:

- sales, and the category third party to whom the data was sold (if at all)

- disclosures for a business purpose, and the category of third party to whom the data was disclosed

Only a user or a user’s authorized agent may make a request to access a user’s Personal Data. Users may have the right to make a free request twice during any twelve-month period.

Right to Request Deletion

Users have the right to request that we delete Personal Information we collected from them. Users may have the right to request that we delete their personal information, subject to certain exceptions. Upon receipt and validation of a verifiable customer request, we will delete such Personal Information from our records, unless an exception under the CCPA applies. Users should be aware that, once deleted, their data, including their account and activities, cannot be restored.

Right not to be discriminated against

We will not discriminate or retaliate against a user for exercising any of their rights under the CCPA.

Verifying Your Request

For users’ safety and the safety of their information, we cannot fulfill a request to provide or delete personal information if we cannot verify a user’s identity or authority to make the request. We need to confirm the personal information relates to the requesting user or the individual for whom someone is a lawful agent.

To verify a user’s identity, we will ask that they provide the following information when submitting their request:

• First Name

• Last Name

• Email Address

• Mobile Phone Number

• Address

• City

• State

• Zip Code.

We may require additional verification information from a user, including before deleting or disclosing particularly sensitive information. We will only use the verification information a user provides for the purpose of verifying their identity or authority to make the request.

We will respond to users requests within forty-five (45) days. However, in certain circumstances, we may require additional time to process the request, as permitted by the CCPA or other applicable law. We will advise users within forty-five (45) days after receiving their request if such an extension is necessary and why it is needed. Any disclosures we provide will only cover the 12-month period preceding our receipt of a verifiable consumer request.

Submitting a request does not require users to create an account with us. We do not charge users a fee to process or respond to verifiable consumer requests unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell the user why we made that decision and provide them with a cost estimate before completing their request.

In some instances, we may not be able to honor a request. For example, we will not honor a request if we cannot verify a user’s identity, if we cannot verify that a user has the authority to make a request on behalf of another individual or if an exception applies. We will advise the user in our response if we are not able to honor their request.

Authorized Agents

Users may have the option to designate an authorized agent to submit a request on their behalf, so long as the authorized agent has the user’s written and signed permission to do so, the user has taken steps to verify their identity directly with us, and the user has directly confirmed with us that they provided the authorized agent permission to submit the request on the user’s behalf. If a user would like to designate an agent, their agent must register as such with the California Secretary of State and submit a copy of this registration along with the user’s consumer request to us. If someone submits a request on behalf of another person, we may require proof of authorization and verification of identity directly from the person for whom they are submitting a request.

How to Submit a Request; Questions

If a user has any questions about these rights or is a California resident who would like to exercise their rights as described above, they may use the contact information identified in HOW TO GET IN TOUCH WITH US. For requests to exercise your rights, provide the information listed in the “Verifying Your Request” section above.

CALIFORNIA PRIVACY POLICY (CHILD DATA-SPECIFIC)

Effective date: November 2021; Last updated: November 2021

For purposes of this Privacy Policy, the term “Parent” includes a legal guardian.

WHAT INFORMATION DO WE COLLECT?

Please refer to the sections WHAT INFORMATION DO WE COLLECT?

When we collect Personal Data from children under the age of 13, we will obtain the consent of their parents to collect this information – see INFORMATION COLLECTED FROM CHILDREN/YOUNG PERSON.

HOW DO WE USE THIS INFORMATION?

Please refer to the sections HOW DO WE USE THIS INFORMATION, AND WHAT IS THE LEGAL BASIS FOR ITS USE? for details on the Personal Data we collect. We also use user information

- to communicate with Parents, including sending them information about their child’s account.

- to obtain permission from parents for children who want to use our services or participate in an activity that requires consent (e.g., if the activity requires the child to provide personal data). If we require parental consent for any data collection, use, or disclosure from the child, we will use your information to contact you for such permission. We do not knowingly collect personal data from anyone under the age of 13 without giving parents the opportunity to consent to their child’s personal data being collected, used, or disclosed. During the period when parental consent is being requested, the information provided will be held on a temporary basis. If we do not receive a parent’s consent we will delete the information provided by the child within a reasonable period.

WHO WILL WE SHARE USER DATA WITH, WHERE AND WHEN?

Sharing Personal Data/Do not sell my Personal Data

We may disclose user Personal Data to third parties for a variety of business purposes. Please refer to the WHO WILL WE SHARE THIS DATA WITH, WHERE AND WHEN? section for details.

WHAT RIGHTS DO USERS HAVE?

Parents may email KIDSLOOP DATA PRIVACY OFFICER at the email address given in this link if they wish to take any of the following actions:

- access their child’s personal data;

- correct factual errors contained in such information;

- request that any such data be deleted or removed; or

- request that we refrain from collecting or retaining such information.

OUR DO NOT TRACK POLICY

Some browsers have “do not track” features that allow users to tell a website not to track them. These features are not all uniform. We do not currently respond to those signals. If a user blocks cookies, certain features on our website may not work. If you block or reject cookies, not all of the tracking described in our Cookies Policy will stop.

SECURITY

We have implemented reasonable security measures as required by relevant law. However, no security procedure is perfect. We cannot promise that use of our sites will be completely safe. We encourage you to use caution when using the Internet.

UPDATES

From time to time, we may change our Privacy Policy. We will notify users through a notice posted on our sites of any material modification to our Privacy Policy as required by law. We encourage users to check our sites regularly and re-read this Privacy Policy for updates. A user’s inaction or continued use of the website, or their provision of information to us after any such notices, will tell us that the users agrees to these changes.

EUROPEAN UNION AND UNITED KINGDOM

GENERAL DATA PROTECTION REGULATION (GDPR)

Notice for residents of the European Economic Area (EEA) and the United Kingdom

Last updated: November 2021

WHO WILL WE SHARE USER DATA WITH, WHERE AND WHEN?

Where information is transferred outside the EEA / UK (as appropriate), and where this is to a Partner or third party service provider in a country that is recognized as offering an adequate level of data protection, the transferred data will be protected by the standard contractual clauses, an appropriate certification or code of conduct, or other mechanism recognized under the applicable law. A copy of the relevant mechanism can be provided for user review on request using the details set out in the section HOW TO GET IN TOUCH WITH US above.

WHAT RIGHTS DO USERS HAVE?

Users of the Platform(s) or Partner Platform (s) located in the EEA and UK can object to the processing of their Personal Data in some circumstances (in particular, where we do not have to process the data for business or other legitimate interests, purposes for which consent has been given (including direct marketing) or other legal requirements).

To exercise any of these rights, or to obtain other information, users can get in touch with us – or our privacy officer – using the details set out in the section HOW TO GET IN TOUCH WITH US above. If users have unresolved concerns, they have the right to complain to a data protection authority where they live, work or where they believe a breach may have occurred.

HOW LONG WILL WE KEEP USER DATA?

Where we process Personal Data for site security purposes, we retain it for 7 years after any business and legitimate interests no longer exists and where we process Personal Data in connection with performing a contract with us (other than a Data Processor Agreement with a Partner), we retain the data for 7 years from the last user interaction with us.

HONG KONG

The additional requirements set out under this section apply solely to Personal Data of all users of our Platform(s) collected by KidsLoop Limited in Hong Kong and is presented in compliance with the Personal Data (Privacy) Ordinance (Cap. 486).

INFORMATION COLLECTED FROM CHILDREN/YOUNG PERSONWe will only collect Personal Data of any user under the age of 18 with consent from his or her parent or guardian see INFORMATION COLLECTED FROM CHILDREN/YOUNG PERSON.

HOW LONG WILL WE KEEP USER DATA?

We will keep any Personal Data only for so long as is necessary to fulfil the purposes outlined in the section HOW DO WE USE THIS INFORMATION, AND WHAT IS THE LEGAL BASIS FOR ITS USE? of this Privacy Policy, unless a longer retention period is required under law. We will either irreversibly anonymise or securely destroy such Personal Data once we no longer need it.

INDIA

HOW DO WE USE THIS INFORMATION AND WHAT IS THE LEGAL BASIS FOR ITS USE?

When users give us consent (if required) by opt-in:

Under Section 72-A of the Information Technology Act 2000 (IT Act), personal data collected while providing services under the terms of lawful contract, may be disclosed only on the basis of consent of the concerned users. Further, under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules) issued under the IT Act, for collection of sensitive personal data or information (SPDI) for any purpose whatsoever, prior written consent from users is to be obtained through letter or any mode of electronic communication. Under the SPDI Rules, the following categories of personal information has been designated as SPDI:

(a) password;

(b) financial information such as bank account or credit card or debit card or other payment instrument details;

(d) sexual orientation;

(e) medical records and history;

(f) biometric information;

(g) any detail relating to the above clauses as provided to the body corporate for providing service; and

(h) any of the information received under above clauses by the body corporate for processing, stored or processed under lawful contract or otherwise.

HOW TO GET IN TOUCH WITH US

WHAT RIGHTS DO USERS HAVE?

Right to withdraw consent for Personal Data

You have the right to withdraw your consent for personal data at any time in writing by sending an e-mail to the email address set out in the How to get in touch with us? section. However, please note that withdrawal of consent will not be retrospective in nature and shall be applicable prospectively.

Right to access, review and correct Personal Data

You have the right to request to access, review and correct any Personal Data that you have provided by sending an email to the address set out in the How to get in touch with us? section.

INDONESIA

HOW DO WE USE THIS INFORMATION AND WHAT IS THE LEGAL BASIS FOR ITS USE

We process Personal Data for the following purposes and pursuant to the following legal bases (where applicable under relevant laws):

To operate our business and pursue legitimate interests, in particular:

- To perform our contracts to provide services to users on the Kidsloop Platform(s) and Partner Platform(s) by: providing educational materials, templates, and reports, animating and digitizing content, enhancing the user experience of our services, improving educational materials, content and learning outcomes using feedback from users and intelligence we generate from user behaviors, the consequences of those actions and observed learning patterns (Derivative Data) in order to deliver personalized lesson plans and reports on our Platform(s) and Partner Platform(s);

- improve our services;

- respond to user and Partner requests, feedback and preferences;

- provide reports on learning outcomes and performance of users for our own use and for our use by our Partners;

- measure the effectiveness of our content and/or content provided by our Partners and animation of that content;

- measure the effectiveness of live and virtual classes and other educational events;

- conduct marketing demonstrations targeted at potential partners (on an aggregated and anonymized basis only);

- provide our Partners with support, gathering feedback and responding to questions from users of our product and services or our Partners or the general public;

- assess and recruiting candidates for open positions with Kidsloop Group companies;

- manage third party developers that we have engaged; and

- crowdsource data analytics and hackathon activities (on an aggregated and anonymized basis only) and any data captured in AB testing for personalisation of our services to users.

- To allow users to register for our services and participate in our trials, tests, demonstrations, events, courses and promotions, including verifying their identity at those events and promotions.

For purposes which are required by law:

- In response to requests by government or law enforcement authorities conducting an investigation.

WITHDRAWING CONSENT OR OTHERWISE OBJECTING TO DIRECT MARKETING

Wherever we require user or Partner consent under applicable law, the user or Partner will always be able to withdraw any consent provided to us. We shall cease to use or process Personal Data for the purpose in respect of which the user or Partner has withdrawn their consent, but we may still use, process, store and transfer such data for purposes which are required by law as set out above, to the extent allowed under applicable laws. Specifically, in the case of users or Partners from the European Economic Area (EEA) and the United Kingdom, we might be able to send direct marketing without their consent, where we rely on our or a third party’s business or legitimate interests. Irrespective of the legal basis on which we rely to send direct marketing, users and Partners have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. They can do this by contacting us using the details in the section below HOW TO GET IN TOUCH WITH US.

WHO WILL WE SHARE USER DATA WITH, WHERE AND WHEN?

We may share user or Partner Personal Data with the related companies of Kidsloop Limited located within or outside the jurisdiction of operation of the Platform(s) for the purposes set out in HOW DO WE USE THIS INFORMATION, AND WHAT IS THE LEGAL BASIS FOR THIS USE? section above. However, where required under applicable law, we will not provide such Personal Data to any related companies of Kidsloop Limited in order for them to send you direct marketing communications regarding their own products and services, unless we obtain your prior consent.

Personal Data may be shared with government authorities and/or law enforcement officials if required for the purposes set out in HOW DO WE USE THIS INFORMATION, AND WHAT IS THE LEGAL BASIS FOR THIS USE? section above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws.

Personal Data will also be shared with third party service providers located within or outside of the jurisdiction of the operation of the Platform(s) who will process it on our behalf for the purposes identified in this Privacy Policy. In particular, we use the following third party service providers and sub processors on the SUB-PROCESSOR LIST page:

- E-mail/SMS/MMS/WeChat/WhatsApp blasting services;

- Data storage and cloud service providers (for storage of Personal Data and hosting of applications that process Personal Data for the purposes identified in this policy);

- Google, Facebook, Instagram, Linked In and other networks (for matching of Personal Data with their database in order to send users our direct marketing materials through your Google, Facebook and/or Linked In account(s));

-Data analytics, AB testing, hackathon service providers and agencies (for the purposes stated in section above HOW DO WE USE THIS INFORMATION, AND WHAT IS THE LEGAL BASIS FOR THIS USE?

- Derivative Data collected on the Platform(s) or Partner Platform(s) and stored separately from Personal Data will be used to generate intelligence delivered as part of our services and may also be sold or licensed to Partners and/or third parties for their own purposes.

Derivative data will have a link via a controlled encrypted key back to Personal Data. The key can be deleted if a user stops using the Platform(s) so that the Derivative Data can remain stored by us without identifying the user personally. Ownership of such Derivative Data will vest in the Kidsloop Group on creation and will be retained on termination of a relationship with a user or with a Partner, the key having been deleted.

In the event, that our business or any part of it is sold or integrated with another business, or the shares in Kidsloop Group companies are sold in private or public share offerings user and Partner(s) Personal Data will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business or shares.

User Personal Data may be transferred to or from jurisdictions in which the Company has operating subsidiaries or Partner(s) subject to applicable laws.

WHAT RIGHTS DO USERS HAVE?

HOW LONG WILL WE KEEP USER DATA?

Where we process registration data, we do this for as long as users are active on our Platform(s) or Partner Platform(s) and provided it is required for business and legitimate interests or legal requirement, or to the extent permitted by the applicable law.

Where we process data in connection with a Partnership Agreement of Data Processor Agreement, we do not keep users’ Personal Data if they are no longer a registered user on the Partner’s Platform(s) or if we are no longer in partnership with that Partner. An identifier via controlled encryption key to user Personal Data in Derivative Data (which we will retain) will be broken to protect the privacy of users’ Personal Data if they are no longer a user on the Partner Platform(s) or we are no longer in partnership with that Partner.

We will keep the images captured by our analytics cameras or cameras operated by our Partners only for as long as the retention of such images is necessary for the authorized purposes detailed in HOW DO WE USE THIS INFORMATION, AND WHAT IS THE LEGAL BASIS FOR THIS USE? section above.

PAKISTAN

THE PREVENTION OF ELECTRONIC CRIMES ACT, 2016 (PECA)

WHAT RIGHTS DO USERS HAVE?

Right to privacy of Identity Information

User’s Identity Information i.e., information which may authenticate or identify an individual or an information system and enable access to any data or information system, cannot be obtained, sold, transmitted, or used without the user’s authorization.

Users have the right to apply to the local regulatory body for securing, destroying, blocking access, or preventing transmission of their Identity Information.

The relevant local regulatory body is the Pakistan Telecommunication Authority established under the Pakistan Telecommunication (Re-organization) Act 1996.

PEOPLE’S REPUBLIC OF CHINA

Notice for residents of the People's Republic of China

Last updated: November, 2021

WHAT INFORMATION DO WE COLLECT?

Personal Data that we collect from you includes without limitation contact information (name, image, voice, email address, contact number, technical data; contact details of children, parents, guardians, teachers; payment information (credit/debit card information), identity data (gender, date of birth, age, interests, reasons for participation, financial information, preferences, geographical location; communication: (messages between users, including discussions, comments to posts and notifications); user profile data including course material ( assessments, assessment results and grades, such as activity score and activity completion rate); user calendar entries and event data; user generated documents, presentations, images, homework and tasks; Platform(s) usage (including browsing behaviour / activities); sensitive data such as physiological data in images or video or sound recordings captured by photography, video and/or sound recordings at our events or Partner events and other Personal Data users provide to us.

We request your permissions to access Personal Data. By ways of example:

We request your permission to collect your username, email, mobile number, birthday and gender. We use your username, Email and mobile number to establish an account for you and authenticate your identity to serve you. If you refuse to provide us with such information, we will not be able to open an account for you. You may elect not to provide your birthday or gender information.
We will access your location information when you upload homework files after you open the location permission. You may elect to turn off the location permission. In any case, the location information is not collected on purpose but automatically along with the updated files. Therefore, we will remove your location information timely after it has been collected.

HOW DO WE USE THIS INFORMATION AND WHAT IS THE LEGAL BASIS FOR ITS USE

We process your Personal Data for the business functions described in this policy and /or any additional service specific privacy information. Please note that one or more purposes may apply simultaneously.

Provision of products and services. We may process and use your Personal Data to provide you the product or service you have requested, fulfill your other requests, such as customer service, process your order or as otherwise may be necessary to perform or enforce the contract between you and us. We may also process and use your Personal Data to ensure the functionality and security of our products and services, to identify you, and to prevent and detect fraud and other misuses.

Development of products and services. We may process and use your Personal Data to personalize our offerings and to provide you with service more relevant to you, for example, to make recommendations and to display customized content and advertising. We may combine Personal Data collected in connection with your use of a particular product and/or service of ours with other Personal Data we may hold about you, except where such Personal Data was collected for a different purpose.

Communicating with you and marketing. We may process and use your Personal Data to communicate with you, for example, to provide information relating to our products and/or services you are using or to contact you for customer satisfaction queries. We may process and use your Personal Data for marketing. Marketing purposes may include using your Personal Data for personalized marketing or research purposes in accordance with applicable laws, for example, to conduct market research and to communicate our products, services or promotions to you via our own or third parties’ electronic or other services. In addition, some of our products and services may be used to promote products and services of other companies. However, we do not disclose your Personal Data to such companies for their marketing purposes without your prior consent.

Access and removal of certain Personal Data. When you transmit your homework files to us, we automatically collect the names of the authors and editors of the uploaded files (along with the author and/or editor’s company information as recorded by the uploaded files, where applicable). The afore-listed Personal Data is not collected on purpose and will be removed timely after being collected.

Use of user profiling. We may process and use your Personal Data (such as your contact information, your identity data, your activity score and activity completion rate) for profiling/personalization for such purposes as targeted direct marketing and improvement of our products or services. We may also create aggregate and statistical information based on your Personal data. Profiling/personalization includes automated processing of your Personal Data for evaluating, analyzing or predicting your personal preferences or interests in order to, for example, send you marketing messages concerning products or services best suitable for you.

Exceptions to obtaining consent

According to relevant laws and regulations of PRC, we do not need users’ authorization to collect and use users’ Personal Data under the following circumstances or in connection with the following matters:

Fulfilment of obligations under laws and regulations by us;
Directly related to national security or national defense;
Directly related to public security, public health or major public interests;
Directly related to criminal investigations, prosecutions, trials or execution of court decisions;
For the purpose of safeguarding the life, property or other significant legitimate rights and interests of the users or other individuals, and it is hard to obtain consent from the users;
The Personal Data involved is disclosed to the public by the user;
(The collecting and using of Personal Data are) essential to the signing and performing of a contract with the user;
The Personal Data is collected from legally and publicly disclosed information, such as legal news reports and government information disclosure;
The collecting and using of Personal Data is essential to maintaining safe and stable operation of the product or service provided, such as the discovery and handling of product or service failures;
The Personal Data Controller is a news agency and the collection and use of Personal Data is essential for it to carry out legitimate news reporting;
Other circumstances stipulated by laws and regulations.

WITHDRAWING CONSENT OR OTHERWISE OBJECTING TO DIRECT MARKETING

Withdrawal of consent does not affect the consent-based Personal Data processing prior to the withdrawal.

WHAT RIGHTS DO USERS HAVE?

In addition to the rights of the user in part WHAT RIGHTS DO USERS HAVE?, the user has the rights in relation to accessing information, de-registration and withdrawal of consent:

Users have the right to access the following information:

-The Personal Data or types of the Personal Data of the user held by us;

- The source of the above mentioned Personal Data, as well as the purpose for which it is used;

-The identity or type of any third party who has obtained the above mentioned Personal Data.

HOW TO GET IN TOUCH WITH US

We hope that we can satisfy queries users of the Platform(s) may have about the way we process data. If users have any concerns about how we process data, or would like to opt out of direct marketing or request to access or correct their Personal Data, they can get in touch by sending their request by post to Kidsloop (Shanghai) Education Technology Co., Ltd., Room 1008, No.355, Hongqiao Road, Xuhui District, Shanghai, China.

HOW DO WE UPDATE THIS POLICY?

PHILIPPINES

Notice for Philippines residents

Last updated: November 2021

In this Privacy Policy:

Sensitive Personal Data refers to Personal Data:

1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;

3. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

4. Specifically established by an executive order or law to be kept classified.

HOW DO WE USE THIS INFORMATION AND WHAT IS THE LEGAL BASIS FOR ITS USE

We process Personal Data for the following purposes and pursuant to the following legal bases (where applicable under relevant laws):

With respect to Personal Data (excluding Sensitive Personal Data), to operate our business and pursue legitimate interests, in particular:

- improve our services;

- respond to user and Partner requests, feedback and preferences;

- provide reports on learning outcomes and performance of users for our own use and for our use by our Partners;

- measure the effectiveness of our content and/or content provided by our Partners and animation of that content;

- measure the effectiveness of live and virtual classes and other educational events;

- conduct marketing demonstrations targeted at potential partners (on an aggregated and anonymized basis only);

- provide our Partners with support, gathering feedback and responding to questions from users of our product and services or our Partners or the general public;

- assess and recruit candidates for open positions with Kidsloop Group companies;

- manage third party developers that we have engaged; and

- crowdsource data analytics and hackathon activities (on an aggregated and anonymized basis only) and any data captured in AB testing for personalisation of our services to users.

When users give us consent (if required) by opt in, with respect to Personal Data (including Sensitive Personal Data):

- To allow users to register for our services and participate in our trials, tests, demonstrations, events, courses and promotions, including verifying their identity at those events and promotions.

For purposes which are required by law:

- In response to requests by government or law enforcement authorities conducting an investigation.

WHO WILL WE SHARE USER DATA WITH, WHERE AND WHEN?

Consent is required in the sharing of Personal Data, even when the Personal Data is to be shared with an affiliate or parent company, or similar relationships.

Furthermore, data sharing for direct marketing purposes shall be covered by a data sharing agreement which is subject to review by the National Privacy Commission (NPC). The data subject shall also be provided with the following information prior to collection or before Personal Data is shared: a) identity of the Personal Data Controller or Data Processor; b) purpose of sharing of Personal Data; c) categories of Personal Data concerned; d) intended recipients; e) existence of the rights of data subject; and f) other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing.

WHAT RIGHTS DO USERS HAVE?

Under local law, the data subject is entitled to the following rights:

a. Right to be informed whether Personal Data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling. The data subject also has the right to be informed of the description of his or her data, basis of processing, method, recipients, etc.

b. Right to object to the processing of his or her Personal Data, including processing for direct marketing, automated processing or profiling.

c. Right to Access. The data subject has the right to reasonable access to, upon demand, the contents of his or her Personal Data that were processed, sources of such data, manner or processing, etc.

d. Right to dispute the inaccuracy or error in the Personal Data

e. Right to suspend, withdraw or order the blocking, removal or destruction of his or her Personal Data from the Personal Data Controller’s filing system.

f. Right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data, taking into account any violation of his or her rights and freedom as a data subject.

g. Right to data portability

Transmissibility of Rights of the Data Subject - the lawful heirs and assigns of the data subject may invoke the rights of the data subject to which he or she is an heir or an assignee, at any time after the death of the data subject, or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section.

Limitation on Rights - the foregoing rights shall not be applicable if the processed Personal Data is used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: provided, that the Personal Data shall be held under strict confidentiality and shall be used only for the declared purpose. The same are also not applicable to the processing of Personal Data gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

HOW LONG WILL WE KEEP USER DATA?

Retention of Personal Data shall only for as long as necessary:

(a) for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;

(b) for the establishment, exercise or defense of legal claims; or

(c) for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by appropriate government agency.

With respect to Sensitive Personal Data, the same may be retained for as long as the data subject’s consent exists and is effective, or until the data subject objects to the retention.

Retention of Personal Data shall be allowed in cases provided by law, depending on the type of data processed.

Personal Data shall be disposed or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice the interests of the data subjects.

SOUTH KOREA

Notice for South Korea Residents

Last updated: November 2021

WHO WILL WE SHARE USER DATA WITH, WHERE AND WHEN?

Please find below who we will share user data with, which data items will be shared and for what purpose, and how long the recipients will retain the transferred data. The transfer will be made electronically.

Third Party Recipients	Transferred Items	Purpose of Transfer
알리는 사람들 (https://smartsms.aligo.in/)	학부모 휴대전화번호 Mobile phone number of parents	알림 메시지, 광고 For notification messages, advertising
㈜온애드앤	이름, 자녀이름, 자녀출생년도, 연락처, 이메일 Name, name of children, date of birth of children, contact information, email address	광고, 마케팅 업무 대행, 웹사이트 개발 For advertising, marketing agency, developing websites
㈜엔에이치앤	이름, 자녀이름, 연락처, 이메일 Name, name of children, contact information, email address	카카오톡 인증 및 알림톡 메세지 발송 For sending Kakaotalk certification and/or notification messages
㈜KG이니시스	이름, 연락처 Name, contact information	결제 서비스 For payment services
바다나무 가맹센터	이름, 자녀이름, 자녀출생년도, 연락처, 이메일 Name, name of children, date of birth of children, contact information, email address	제품 상담 For product consultation
㈜케이티알파(기프티쇼비즈)	이름, 연락처 Name, contact information	기프티콘 발송 For sending out gifticons
다우기술	휴대폰 번호 Mobile phone number	문자 발송 For sending out messages
CJ 대한통운	이름, 연락처, 주소 Name, contact information, address	제품 발송 For sending out products for delivery
AP Logistic	Customer’s 1. Name 2. Address, 3. Phone Number	For delivery of products
KG Inicis	Customer’s 1. Name 2. Phone Number 3. Credit card company	To pay for the product payment
Payat	Customer’s 1. Name 2. Phone Number 3. Credit card company	To pay for the product payment
Naver smartstore	Customer’s 1. Name 2. Phone Number 3. Credit card company	To pay for the product payment

INTERNATIONAL DATA TRANSFER

Please find below who we will share user data with, where the data will be transferred, which data items will be shared and for what purpose, and how long the recipients will retain the transferred data. The transfer will be made electronically and continuously, for storage in the Kidsloop data lake for service improvement (personalization) purposes.

Third Party Recipients (and Contact Details of the DPO) and Their Location Country	Transferred Items	Purpose of Transfer	Period of Retention
Amazon Web Services Singapore Private Limited (Telephone Number: +65 6722 0300) Location: Singapore	Browsing information, contact information, geolocation, government Identifiers, personal identification, sensory and electronic information, user account information, employment information, education and skills, family information, biometrics, race, religion, sexual orientation, disability, background checks, professional experience and affiliations	For service improvement for personalized lesson plans	Until the purposes stated in the section “HOW DO WE USE THIS INFORMATION AND WHAT IS THE LEGAL BASIS FOR ITS USE” are achieved.

WHAT RIGHTS DO USERS HAVE?

Users have the right to access personal data we hold about them, to rectify any personal data held about them that is inaccurate, to request the deletion of personal data held about them, and the right to request the suspension of the processing of their personal data. Users can exercise such rights by contacting us at [email protected].

HOW LONG WILL WE KEEP USER DATA?

We immediately destroy relevant personal data after the purpose of collection and use is achieved. However, if applicable laws and regulations require us to retain the data, we will store it for a certain period prescribed in the applicable laws and regulations. In this case, we will transfer the relevant data to a separate database or other storage place.

Records on contract or subscription withdrawal: 5 years (Act on the Consumer Protection in Electronic Commerce, Etc.)
Records on price settlement and supply of goods: 5 years (Act on the Consumer Protection in Electronic Commerce, Etc.)
Records on consumer complaint or dispute settlement: 3 years (Act on the Consumer Protection in Electronic Commerce, Etc.)
Records on collection/processing and use of credit information: 3 years (Use and Protection of Credit Information Act)
Records on labelling/advertising: 6 months (Act on the Consumer Protection in Electronic Commerce, Etc.)
User’s internet log records/user’s access point tracking data: 3 months (Protection of Communications Secrets Act)
Other data verifying communication facts: 12 months (Protection of Communications Secrets Act)

We destroy user Personal Data in a manner that renders it unrestorable by the relevant department, after the purpose of collection and use of the personal data is achieved.

PHOTOGRAPHY POLICY

We or our Partners may take photographs and/or video recordings of users in live classes and make recordings of virtual classes or other school events for authorized purposes detailed in HOW DO WE USE THIS INFORMATION, AND WHAT IS THE LEGAL BASIS FOR THIS USE? section above. In such case, we will obtain your consent prior to collecting and/or processing this data. We do not permit unauthorised photography, sound and/or video recording for any other commercial use, private gain, use in press or media, or for promotional purposes in live classes or recording of virtual classes or other school events.

UPDATES TO THIS POLICY

In the event we make any changes to this Policy, we will notify users of such changes at least 7 days before the effective date of the updated policy (30 days if the changes will significantly affect user rights or obligations under this Policy) via our website or service page).

THAILAND

Notice for Thailand residents

Last updated: November 2021

If you are under the age of 20, you may only provide consent to the use of the Platform or Partner Platform(s) and all related services provided through the representation of your parent or legal guardian, and your parent or legal guardian hereby represents that you consent and agree to this Privacy Policy.

In addition to the rights provided to users above, if you are a Thai citizen or accessing the Platform from Thailand, you have: (i) the right to require Kidsloop Group to record your requests for the correction of your Personal Data including the outcome of such requests; and (ii) the right to file a complaint with the legal authorities in case of any violation of the applicable law.

Where Personal Data is transferred to a Partner or third party service provider located outside of Thailand in a country that is recognised as offering an adequate level of data protection, the transferred Personal Data will be protected by the standard contractual clauses, and other mechanisms recognised under the applicable law with legally enforceable remedies available in Thailand.

In case of any foreign entity within the Kidsloop Group being deemed a Data Controller or Data Processor, the Local Representative of that foreign entity is locally appointed. The Local Representative can be contacted through our Data Privacy Officer see section Kidsloop Data Privacy Officer above.

VIETNAM

Last updated: November, 2021

HOW DO WE USE THIS INFORMATION AND WHAT IS THE LEGAL BASIS FOR ITS USE

We collect Personal Data from you when you voluntarily provide such information such as when you register for access to the Platform (s) or Partner Platform(s), use certain Services provided by Kidsloop Group and its Partner (s), contact us with inquiries or respond to one of our surveys.

In respect of sensitive personal data which covers information regarding political and religious views, health conditions, biometric data, genetic data, sexual orientation, crime records, financial data and geographic location and social relationships (Sensitive Personal Data), we shall process Sensitive Personal Data after registration with the Personal Data Protection (PDP) Committee, which is a newly established governmental agency under Draft Decree of Personal Data Protection set up by the Vietnam’s Ministry of Public Security and will be empowered to inspect for compliance with personal data protection regulations in Vietnam.

When users give us consent (if required) by opt in:

By voluntarily providing us with Personal Data, you are consenting to our use of it in accordance with this Privacy Policy. If you provide Personal Data, you acknowledge and agree that such Personal Data may be transferred from your current location to the offices and servers of Kidsloop Group and its Partner(s) and the authorized third parties referred to in the Policy located in overseas if permitted by applicable laws.

Kidsloop Group and its Partner(s) have rights to disclose Personal Data in the following cases:

For purposes which are required by law:
In response to requests by government or law enforcement authorities conducting an investigation, and handling an act of violations of laws;
For purposes of national security, social order and safety;
In case of an emergency, a threat to life or seriously affecting the health of that data owner or public health;
The disclosure of Personal Data is required by Press Law that shall not cause the economic, honorable, spiritual or material damage to the users or public health;
As allowed by the regulations in international agreements or treaties to which Vietnam is a member;
Scientific research or statistics in encrypted form that is to be de-identified and replaced with a code.

The Sensitive Personal Data shall not be disclosed in any cases, otherwise than as provided by applicable laws.

There are, however, certain circumstances in which we may share your Personal Data with certain third parties without further notice to you, as set forth below:

Business Transfers:

As we develop our business, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, Personal Data may be part of the transferred assets.

Related Companies:

We may also share your Personal Data with our Kidsloop Group companies for purposes consistent with this Privacy Policy.

Agents, Consultants and Related Third Parties:

We, like many businesses, sometimes hire other companies to perform certain business-related functions. Examples of such functions include mailing information, maintaining databases and processing payments. When we employ another company to perform a function of this nature, we only provide them with the information that they need to perform their specific function.

WITHDRAWING CONSENT OR OTHERWISE OBJECTING TO DIRECT MARKETING

You may correct or modify your Personal Data at any given time by contacting us via email at [email protected]. You may request us for re-examination, correction or removal of your Personal Data; and not to supply or use relevant Personal Data until such Personal Data is corrected.

HOW LONG WILL WE KEEP USER DATA?

The Personal Data collected from you will be stored for the duration of performance of the Platform (s) or Partner Platform(s) and deleted from the Platform (s) or Partner Platform(s) database upon your request or seven (7) years after your discontinued use of our Services.

Exclusions:

This Privacy Policy does not apply to any Personal Data collected by Kidsloop Group companies and Partner(s) other than Personal Data collected through the Platform (s). This Privacy Policy shall not apply to any unsolicited information you provide to the Platform (s) or through any other means. This includes, but is not limited to, information posted to any public areas, such as bulletin boards (collectively, Public Areas), any ideas, news, photography, and other unsolicited submissions (collectively, Unsolicited Information). All Unsolicited Information shall be deemed to be non-confidential and we shall be free to reproduce, use, disclose, distribute and exploit such Unsolicited Information without limitation or attribution.

Changes to Privacy Policy:

The Platform(s) and our business may change from time to time. As a result, at times it may be necessary for us to make changes to this Privacy Policy. We reserve the right to update or modify this Privacy Policy at any time and from time to time without prior notice. Please review this Privacy Policy periodically, and especially before you provide any Personal Data. This Privacy Policy was last updated on the date indicated above. Your continued use of the Platform(s) after any changes or revisions to this Privacy Policy shall indicate your agreement with the terms of such revised Privacy Policy.

Access to Information; Contacting us:

To keep your Personal Data accurate, current, and complete, please contact us as specified above. We will take reasonable steps to update or correct Personal Data in our possession that you have previously submitted via the Platform (s). Please also feel free to contact us if you have any questions about Privacy Policy or the information practices of the Platform(s). You may also contact via email at [email protected] if you have any questions about the collection and processing of your Personal Data at any time.

Non-Identifiable or Aggregated Data:

When you interact with the Platform (s), we receive and store certain personally non-identifiable information. Such information, which is collected passively using various technologies, cannot presently be used to specifically identify you. We may store such information itself or such information may be included in databases owned and maintained by us and our Partner(s). We may use such information and pool it with other information to track, for example, the total number of visitors to the Platform(s), the number of visitors to each page of the Platform (s), the domain names of our visitors' Internet service providers, and how our users use and interact with our services. Also, in an ongoing effort to better understand and serve the users, we often conduct research on its customer demographics, interests and behavior based on the Personal Data and other information provided to us. This research may be compiled and analyzed on an aggregate basis. We may share this non-identifiable and aggregate data with its affiliates, agents and business partners, but this type of non-identifiable and aggregate information does not identify you personally. We may also disclose aggregated user statistics in order to describe our services to current and prospective business partners, and to other third parties for other lawful purposes.

We may also use a technology called "cookies." A cookie is a piece of information that the computer that hosts the Platform (s) gives to your browser when you access the Platform (s). Our cookies help provide additional functionality to the Platform (s) and help us analyze the Platform (s) usage more accurately. For instance, the Platform (s) may set a cookie on your browser that allows you to access the Platform (s) without needing to remember and then enter a password more than once during a visit to the Platform (s). In all cases in which we use cookies, we will not collect Personal Data except with your permission. On most web browsers, you will find a “help” section on the toolbar. Please refer to this section for information on how to receive notification when you are receiving a new cookie and how to turn cookies off. We recommend that you leave cookies turned on because they allow you to take advantage of some of the Platform(s) features. For further information, please refer to our COOKIES POLICY below.

KIDSLOOP PLATFORM LIST

SERVICE PROVIDERS

We rely on public cloud providers to offer services on our Platform(s) which include Tencent, AWS, Google and BizFly. This list will be updated on our website as new service providers are engaged to deliver our services.

SECURITY MEASURES

Kidsloop has implemented the security measures set out below in accordance with industry standards to protect personal information. Kidsloop may update or modify such security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services. The updated version can be found at https://kidsloop.net/global/securitymeasures .

Organizational Measures

The Kidsloop management team has been actively involved in developing an information security culture within the Group and has a management structure in place to manage the implementation of information security in its services with clear roles and responsibilities within the organization.

Operations Management

Multiple industry best-practice processes and policies exist to ensure the best possible confidentiality, availability and integrity of the platform. These policies are built around strict requirements in a number of areas, such as;

Information security
Hosting environment security
Third party access
Capacity control
Change management
Backup and recovery
Access control
Documentation
Logging and monitoring
Incident response
Release management

Information Security team

Kidsloop has a team of Information security experts who are responsible for the overall information security of the organization. Their role include responsibility for;

Coordinating security related tasks
Securing corporate environment, network and devices
Security of the application (in-house penetration testing and application audits)
Monitoring and logging
Process and policy management (disaster recovery, path management etc.)
Training and education of employees, in the field of information security
Coordinating third-party security audits, and follow up on any findings
Reviewing code for potential security vulnerabilities.

Roles and responsibilities

All employees have clear roles within the Group and are only given access to data required for their specific role. A limited number of employees have administrative access to our production environment and their rights are strongly regulated and reviewed at set intervals. Any major change to the application, environment or hardware of the production environment is always verified by a minimum of two individuals.

Personnel security

All Kidsloop employees are required to enter into a strict confidentiality agreement. All staff are required to follow corporate policies regarding confidentiality, business ethics and professional standards. Staff involved in securing, handling and processing customer data are required to complete training appropriate for their role.

Access Control

Strict requirements are in place for any employee, hired consultants or third party requesting access to Kidsloop information systems. Access control is controlled by an authentication system. The user is required to:

Have management approval for the requested access
Have strong passwords that are in accordance with the corporate password policy
Change their password at regular intervals
Document that the access requested is required for their specific role/task
Ensure that the device (PC, tablet, cellphone) used is adequately secured, and locked when the user is absent.

Kidsloop employs automatic temporary lock-out of the user terminal if left idle.

Internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process Personal Data. Any changes to data are logged to create an audit trail for accountability.

Physical security

Data Centres

Kidsloop operates all its customer services from data centres separated from the corporate office work space. Access to data centres is strictly controlled and protected to reduce the likelihood of unauthorized access, fire, flooding or other damage to the physical environment. Physical access to data centres is limited to a small number of employees within Kidsloop and/or its hosting centre providers. Strict security clearances are required and must be approved by security management prior to entering a data centre.

Technical measures – System availability

Kidsloop has implemented industry standard measures to ensure that Personal Data are protected from accidental destruction or loss, including:

infrastructure redundancy (including full network, power, cooling, database, server and storage redundancy)
backup is stored at an alternative site and available for restore in case of failure of the primary system.
appropriate denial-of-service protection
365/24/7 personnel on duty to monitor and troubleshoot

Data protection

Kidsloop has implemented a series of industry standard measures to prevent the Personal Data from being read, copied, altered or deleted by unauthorized parties during transport or at rest. This is accomplished by various industry standard measures including:

Use of layered firewalls, VPNs and encryption technologies to protect gateways and pipelines
HTTPS encryption (also referred to as SSL or TLS connection) with secure cryptographic keys
Remote access to data centres is protected with a number of layers of network security
Particular sensitive customer data at rest is protected by encryption and/or hashing (pseudonymisation)
Every decommissioned disk is subject to a disk erasure process according to our “Disk erase policy”, and decommissioning is logged by disk serial number
Regular third-party security audits (minimum annually), including penetration testing, that are made available to partners

Data centres

Kidsloop uses only state-of-the-art data centres, with 365/24/7 on-site security and monitoring operations. The data centres are housed in modern fire-resistant facilities that require electronic keycard access, with alarms that are linked to the on-site security operation. Only authorized employees and contractors are permitted to request electronic keycard access to these facilities.

System development

Kidsloop’s Platform(s) is based on industry standard technologies from well-known vendors, including Microsoft, Linux, Dell, Fujitsu, Amazon, Cloudflare, F5 and Cisco. Systems are periodically patched to the latest version to ensure that the latest security enhancements are applied. The platform is in general updated several times per quarter, and bug fixes are released swiftly based on priority, following rigorous quality checks.

Kidsloop has measures in place to minimize the risk of introducing code in its platform that can degrade the security or integrity of the customer services and Personal Data processed. Measures include:

Regular training of staff
Code review by security architects
QA process for rigorous testing of changes prior to deployment

Sub-processor security

When onboarding sub-processors, Kidsloop performs an audit of the security and privacy practices of sub-processors to ensure sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Kidsloop performs regular security audits of the practices and delivery for existing sub-processors.

SUB-PROCESSOR LIST

None to date – to be updated as required on https://kidsloop.net/global/subprocessors.

KIDSLOOP DATA PRIVACY OFFICER

The details of the Kidsloop Data Privacy Officers in each applicable jurisdiction are available below:

United Kingdom

Name: Alistair Howard Lloyd

E-mail Address: [email protected]

India

Name: Alistair Howard Lloyd

E-mail Address: [email protected]

South Korea

Name: Jiyeon Kwon

E-mail Address: [email protected]

USER POLICY

USER PRIVACY INFORMATION

Kidsloop Group companies (Kidsloop) are committed to keeping its users’ Personal Data safe.

The information on this page is aimed at users of the Kidsloop services on Partner Platform(s). Under these circumstances we operate as a data processor. If you are looking for information on how Kidsloop manages data privacy for its own purposes (as a data controller and processor) please refer to the Privacy Policy page.

Kidsloop operates its services on Partner Platform(s) and subject to and in accordance with the Partner’s privacy policy as follows:

We do not own, control or process our users’ data independently. All Personal Data is controlled by the Partner. We do not determine the purpose or lawfulness of how user data is processed by our Partner and we are not responsible for the privacy practices of any Partner Platform(s)
We and our Partners will only collect Personal Data of users under the age of 20 with the consent of their parent/guardian.
We never transfer Personal Data to anyone including third parties without written instruction from our Partners. Users are advised to contact the Partner if they have questions about their Personal Data.
We do not sell or try to make money out of our Partner’s users’ Personal Data. We do not build profiles using our users’ data for our own purposes other than Derivative Data.
We delete Personal Data promptly when instructed by our Partners.
We and our Partners are both responsible for keeping users’ Personal Data safe. We employ physical, technical, and organizational measures as part of our security procedures. You can read about the security measures we take to keep our users’ data safe on the Kidsloop SECURITY MEASURES page.
We never let our third party service providers or sub-processors process Personal Data unless it is approved by the Partner. You can see a list of our sub-processors here. These sub-processors are legally bound to protect our users’ privacy in the same manner as we are.
For all our users, we take strict measures to ensure that we are compliant with applicable laws. For more information, visit our Partner Applicable Data Protection Regulations page.
In case of a data breach that could affect our Partners, we will always inform our Partners about this as soon as we become aware of it.
Our users might have a right to be informed in detail about what their Personal Data is used for and what their legal rights are. Users are advised to contact the Partner Platform(s) that they are registered to find out more about this.

The relationship between Kidsloop and our Partners is always based on a legal contract. To see an example of how we make legal arrangements for users’ Personal Data, you can review our Data Processor Agreement.

DATA PROCESSOR AGREEMENT

THIS AGREEMENT IS MADE BETWEEN:

Partner(s) or Licensee(s) or Sub-Licensee(s) acting as a data controller (the Data Controller)
Kidsloop entity or Licensor, acting as a data processor (the Data Processor)

DEFINITIONS

In this Agreement the Data Controller and the Data Processor are individually referred to as Party and collectively as the Parties.

Applicable Data Protection Regulations means legislation in respect of Personal Data protection applicable in the jurisdiction of operation of the Data Controller in connection with the performance of the Partnership Agreement detailed in section below;

Derivative Data – falls into two types: (A) aggregated, anonymised data which is delinked from User Personal Data and is not used to personalise the User learning experience; or (B) information extracted from raw or aggregated data (which may be analysed with data from external sources) which is used to personalise the User learning experience and cannot be anonymised.

Derivative Data collected on the Licensor, Licensee or any Sub Licensee Platform(s) (together the Platform(s)) to create intelligence to improve the services delivered by the Licensor to its clients has three use cases:

Data services: aggregated data derived from user interaction in live classes, customer management systems, learning management data system on the Platform(s) used to provide reports to Licensee(s) and/or Sub Licensee (s);
User services: raw data derived from individual interaction on the Platform(s) used to provide personalised reports to an end User;
Aggregation Data services: aggregated data derived from Use case 1 or 2 (which is not aimed at personalising the User learning experience) to provide reports to third parties such as publishers seeking information to improve content portfolios.

The table below summarises the type of Derivative Data that is being collected in each use case.

	A	B
1- Data Services	Yes	Yes
2- User Services	Yes	Yes
3- Aggregation Data Services	Yes	No

The Licensor holds full right, title and interest in and to any Type A Derivative Data including without limitation any predictive data derived from modelling. The Licensor may only use Type B Derivative Data whilst the User holds a distribution account on the Platform(s) and/or the licence agreement between the Licensor and the Licensee and/or Sub-Licensee is in force.

Partnership Agreement means the partnership agreement made between the Parties to this Agreement in connection with the licence and delivery of content and/or platform services. Terms defined in the Partnership Agreement shall have the same meaning in this Agreement unless the context requires otherwise;

Personal Data means any information relating to an identifiable natural person including without limitation: contact information (name, image, voice, email address, contact number, technical data; contact details of children, parents, guardians, teachers; Payment information (credit/debit card and other payment information), identity data (gender, date of birth, age, interests, reasons for participation, financial information, preferences, geographical location; communication: (messages between users, discussions, comments to posts, notifications, etc.); user profile data including course material (assessments, assessment results and grades); user calendar entries and event data; user generated documents, presentations, images, homework and tasks; Platform(s) usage (including browsing behaviour / activities); sensitive data such as physiological data in images or video or sound recordings captured by photography, video and/or sound recordings at our events or Partner events and other Personal Data users provide to the Data Controller and/or Processor. For the avoidance of doubt, Personal Data does not include Derivative Data.

IT IS AGREED THAT:

Purpose

Pursuant to this Agreement, the Parties agree to ensure that Personal Data processed pursuant to the terms of the Partnership Agreement shall be undertaken lawfully in accordance with Applicable Data Protection Regulations and shall not come into the possession of any unauthorized third party.

Processing and Primary Responsibility

This Agreement regulates the Data Processor's processing of Personal Data on behalf of the Data Controller, including the collection, recording, alignment, storage and disclosure or a combination of such data. Subject matter and details of Personal Data being processed are detailed in Appendix 1.

The Data Processor itself has no right of disposal over the Personal Data and cannot process Personal Data for its own purposes. The Personal Data shall be solely used to fulfil the purposes of the Partnership Agreement within the limits that the Data Controller has laid down.

If the Data Processor is obliged by law to process Personal Data in any other manner than as instructed by the Data Controller, the Data Processor must notify the Data Controller before such processing commences, unless applicable legislation or legal process prevents it from providing such notice.

The Data Controller’s role and responsibilities

The Data Controller is responsible for ensuring that there is a lawful basis for the processing of the Personal Data, and that the actual processing is in accordance with Applicable Data Protection Legislation.

As part of this responsibility, the Data Controller is responsible for ensuring that system administrator(s) holds the necessary authorisation, prior to processing of Personal Data on behalf of the Data Controller.

The Data Controller shall also carry out any necessary privacy and data protection impact assessments, i.e., an assessment of the impact of the envisaged processing operations on the protection of Personal Data, prior to the processing.

The Data Controller is responsible for requests from end users for access to Personal Data held by the Data Controller or the Data Processor pursuant to the agreement. If such requests are received by the Data Processor, the Data Processor will advise the end user to submit its request to the Data Controller, who is responsible for responding to any such request.

If the Partnership Agreement allows for the Data Controller to install and enable additional products from external third parties (including extensions). The Data Controller acknowledges that if it installs, uses, or enables such third party products, which gain access to Personal Data, this data processor agreement does not apply to the processing of data transmitted to or from such external third party products. The Data Controller can enable or disable use of external third party products, and it is not required to use such products pursuant to the Partnership Agreement.

The Data Processor’s role and obligations

The Data Processor shall process Personal Data solely on behalf of the Data Controller and only as instructed by the Data Controller. Incidental processing of Personal Data by the Data Processor to ensure the security, operational maintenance, analysis or evaluation of the services provided under the Partnership Agreement and not having any adverse impact on the level of data protection of the data subjects, shall not be presumed to constitute processing for the Data Processor’s own purposes. For the avoidance of doubt the Data Processor is authorized to process data to create Derivative Data for the purpose of delivering the services and its own purposes.

The Data Processor undertakes to give the Data Controller access to all information which is necessary to document compliance with Applicable Data Protection Legislation, and to provide assistance so that the Data Controller can fulfil its responsibilities pursuant to the Applicable Data Protection Legislation.

Unless otherwise agreed or pursuant to statutory requirements, the Data Controller has a right of access to Personal Data that is processed by the Data Processor on behalf of the Data Controller and to all systems that are used for this purpose. The Data Processor undertakes to give assistance in this respect. However, the Data Processor shall not be obliged to disclose any business confidential or commercially sensitive information to the Data Controller. Furthermore, the Data Controller has no right of access where this implies a risk to the security or integrity of the relevant Personal Data.

The Data Processor, including employees, has a duty of confidentiality regarding documentation and Personal Data that the Data Processor has access to pursuant to this Agreement. This provision also applies after the termination of this Agreement. All necessary confidentiality agreements shall be entered into if the employees are not already bound by a statutory duty of confidentiality or secrecy. The duty of confidentiality also includes employees of Sub-Processors who carry out maintenance (or similar tasks) of systems that the Data Processor uses to provide or administer the service.

The Data Processors internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process Personal Data. The Data Processor designs its systems to only allow authorized persons to access data they are authorized to access; and ensure that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after recording. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. The logs shall be kept by the Data Processor for a minimum of 3 months. The Data Controller shall, upon so requesting, be given access to such logs.

Data Protection Officer

The Data Processor will appoint a data protection officer, if required, in accordance with the requirements of the Applicable Data Protection Legislation.

Use of sub-processors and export of data

The Data Processor's use of sub-processors to process Personal Data shall be agreed in writing with the Data Controller before the processing by the sub-processor commences unless the use of sub-processor already results from the Partnership Agreement. The Data Processor will ensure that any sub-processors only access and use Personal Data in accordance with the terms of this data processor agreement and that such sub-processors are bound by written agreements that require them to provide at least the level of data protection required by Applicable Data Protection Legislation. The Data Controller may, on reasonable and justifiable grounds, refuse to approve new sub-processors.

The sub-processor's listed on the following website, are hereby approved by the Data Controller: https://kidsloop.net/global/subprocessors. Should the Data Controller require more detailed information related to processing locations in order to comply with legal requirements or requests from data protection authorities, the Data Processor shall assist the Data Controller to address such compliance needs, provided that, prior to any such provision of information, the Data Controller has entered into appropriate confidentiality obligations where this is deemed necessary by the Data Processor.

Changes concerning an addition or a replacement of an entity listed in the sub-processor list shall be made available to the Data Controller, including by announcing them to the Data Controller through automated notices or other means where appropriate. Within 4 weeks of receiving such notice, the Data Controller may object to any such change or addition solely on reasonable grounds.

The Data Processor is responsible towards the Data Controller for the sub-processor's actions and omissions in the same manner as if these were the Data Processor's own acts or omissions. The Data Processor is responsible for ensuring that the sub-processor is familiar with the Data Processor's contractual and statutory duties, and that the sub-processor performs them in a similar manner vis-à-vis the Data Processor.

The Data Processor, and any potential sub-processor, cannot transfer Personal Data outside the territory of operation of the Partnership or pre-approved third countries without the prior written consent of the Data Controller. Data Controller's access to or use of Personal Data from or in a third country shall not, on the account of the Data Processor or any sub-processor, be considered a transfer of Personal Data to such third country.

To the extent such transfer of Personal Data is taking place, either to Data Processor entities or other third party sub-processors located in countries outside the territory of operation, such transfers shall be subject to binding and appropriate transfer mechanisms which provide an adequate level of protection in compliance with Applicable Data Protection Legislation.

Security

7.1 Security measures and documentation

The Data Processor shall fulfil the requirements for security measures stipulated in Applicable Data Protection Legislation. The Data Processor has a duty to document its security measures where required under Applicable Data Protection Legislation. Appendix 3 contains an overview of the Data Processors security measures. More detailed documentation can be made available to the Data Controller upon its request.

The Data Processor shall implement and maintain appropriate technical and organisational security measures to ensure a level of security appropriate to the risk involved, including by considering the nature of any cloud service provided to the Data Controller. The measures must protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. The Data Processor shall, in establishing such measures, take into account the confidentiality, integrity, availability and resilience of the information and the processing systems and services.

When processing Personal Data, appropriate security measures shall include inter alia as appropriate:

• the pseudonymisation and encryption of Personal Data;

• the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;

• the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The Data Controller and Data Processor shall take steps to ensure that any person acting under the authority of the Data Controller and Data Processor who has access to Personal Data does not process them except on instructions from the Data Controller, unless he or she is required to do so by Applicable Data Protection Legislation or other legislation.

7.2 Overview of processing activities

The Data Processor, and, where applicable, the Data Processor’s representative shall set up and maintain a list of all categories of processing activities carried out on behalf of the Data Controller, containing:

a) the name and contact details of the Data Processor and the data protection officer;

b) the categories of processing carried out on behalf of the Data Controller;

c) where applicable, transfers of Personal Data to a country outside the territory of operation, including the identification of that third country and the documentation of suitable safeguards as when required;

d) where possible, a general description of the technical and organisational security measures applied

The list shall be updated in accordance with clause 8 below. The Data Processor shall make the list available to the relevant data protection authority on request.

7.3 Notifications regarding data breach

In case of a data breach that has compromised the security or privacy of the Personal Data, this shall be reported to the contact point specified in clause 12 (Notices). Such notification should be issued without undue delay, but in no event later than 72 hours after the Data Processor becoming aware of the data breach.

The notification shall contain:

• A description of the Personal Data and, when possible, which types and the number of data subjects that are affected as well as which types and quantity of Personal Data are affected

• The name and contact details of any data protection officer or other contact person

• A description of the likely consequences of the incident

• A description of the measures which are taken or proposed to be taken to address the incident and, where appropriate, the measures to mitigate its possible adverse effects. The Data Controller is responsible for formally notifying a relevant Personal Data breach to data protection authorities and, where applicable, to those effected by the data breach.

7.4 Access management and equipment

The Data Processor must ensure that it has proper security of the service, including servers, databases and other relevant equipment or software, such that no unauthorised person can get access to Personal Data. The same applies with regard to any print-outs and other physical documents.

The Data Processor shall furthermore have a system for security control in accordance with Applicable Data Protection Legislation. The system shall include – but is not limited to routines for:

• Treatment of non-conformities which includes the provision of notification upon wrong use of the information system, including breach of security

• Security audits The Data Processor shall establish and maintain those security measures that security and technology risk assessments have revealed a need for.

8. Updates of processing activities and security audits

The list of processing activities, cf. clause 7.2 (b) above, shall be subject to verification and updated at least once a year or after substantial changes to the processing activities.

The Data Processor shall regularly, at least once a year or after substantial changes or discrepancies, carry out security audits of systems and anything else which is relevant for the processing of Personal Data pursuant to this Agreement. The security audit shall verify that the technical, physical and organisational security measures which have been established, are complied with and function as planned, as well as identify potential improvements.

The result of the security audit shall be documented and be made available to the Data Controller, inter alia for use in the Data Controller's security audit.

The Data Processor's systems and processes will be regularly audited and certified, and any applicable certifications will be made available to the Data Controller upon request.

Expenses that accrue as a consequence of special audits requested or performed by the Data Controller shall be covered by the Data Controller.

9. Term of the Agreement

This Agreement is valid from the date of the Partnership Agreement and will be in effect as long as the Partnership Agreement is in force and supersedes any previous Data Processor Agreements of the Parties. Upon breach of this Agreement or Applicable Data Protection Legislation, the Data Controller can instruct the Data Processor to stop further processing of Personal Data.

Return and deletion upon termination of the Agreement

Upon termination of this agreement, the Data Processor shall return, overwrite, delete, cf. routines on deletion included in Appendix 2, and/or properly destroy all documents, storage media and anything else which contains Personal Data falling within the scope of this agreement. This applies also in respect of any back-up copies. The Data Processor shall document in writing that such action has taken place in accordance with this agreement within a reasonable time after the termination of this agreement. The Data Controller shall bear all costs in connection with the fulfilment of this clause, unless otherwise specified in the Partnership Agreement.

Governing Law

Governing Law is regulated in the Partnership Agreement, or as otherwise agreed between the Parties to this Agreement.

Notices

Notices given pursuant to this Agreement shall be sent to the contacts referenced in the Partnership Agreement.

Technical enquires from the Data Controller regarding the services provided under this Agreement shall be sent to the Data Processor’s Data Privacy Officer set out in KIDSLOOP DATA PRIVACY OFFICER.

By accepting this Privacy Policy, Kidsloop and its Partner(s) are deemed to accept the terms of this Data Processor Agreement.

APPENDIX 1

Subject matter and details of Personal Data being processed

Native and purpose of processing

Kidsloop as Data Processor is processing Personal Data received via the applicable service (Service), on the Platform(s) or Partner Platform(s) upon the terms set out in the Partnership Agreement, on behalf of the Data Controller for the following purposes:

• Providing the Service in accordance with the Data Processor Agreement and the Partnership Agreement

• Providing basic and technical support related to the Service in accordance with the Data Processor Agreement and the Partnership Agreement

• Secure backup of the Data Controller's data

• Collecting information on the Data Controller's use of the Service for internal statistical and invoicing purposes and Derivative Data.

Duration of the Processing

The term in the Partnership Agreement plus the period from the expiry of the term until deletion of all Personal Data by Data Processor in accordance with the terms of its Privacy Policy.

Categories of Personal Data

Data Processor processes Personal Data that is submitted, stored, imported, sent or received via the Service, by (or at the direction of) the Data Controller and by authorised Partner users. The extent of the data is determined and controlled by these subjects’ sole discretion.

Personal Data means any information relating to an identifiable natural person including without limitation: contact information (name, image, voice, email address, contact number, technical data; contact details of children, parents, guardians, teachers; Payment information (credit/debit card and other payment information), identity data (gender, date of birth, age, interests, reasons for participation, financial information, preferences, geographical location; communication: (messages between users, discussions, comments to posts, notifications, etc.); user profile data including course material ( assessments, assessment results and grades); user calendar entries and event data; user generated documents, presentations, images, homework and tasks; Platform(s) usage (including browsing behaviour / activities); sensitive data such as physiological data in images or video or sound recordings captured by photography, video and/or sound recordings at our events or Partner events and other Personal Data users provide to the Data Controller and/or Processor.

Data subjects

The Data Processor's processing of Personal Data via the service on behalf of Data Controller, may include, but is not limited to Personal Data relating to the Data Subjects as defined below.

Data subjects or authorized Partner user include the Partner’s employees including teachers, administrators, lecturers, mentors and others, the Partner's other employees and contractors, and any other user authorised by the Partner who transmits Personal Data via the service, including children, teacher and parents or guardians.

APPENDIX 2 | ROUTINES OF DELETION

Deletion of data upon termination of the Agreement

Personal Data shall be deleted by the Data Processor once it is no longer necessary to fulfil the processing activities under the Agreement. Either way, within 12 months from the termination of the Agreement between the Data Controller and Data Processor, all data processed on behalf of the Data Controller will be permanently deleted, including backups other than Derivative Data.

Decommissioned storage media and erase policy

Storage media/Disks (including HDDs, SSDs, memory sticks and tapes) containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned. Every decommissioned storage media is subject to a series of data destruction processes before leaving Data Processor’s premises either for reuse or destruction, to ensure that all data is completely and securely wiped off and destructed. The erase results are logged by the decommissioned storage media’s serial number for tracking. We are also relying on public cloud storage. When data is deleted from the cloud, removal of the mapping from the public name to the stored information starts immediately and is generally processed across the distributed system within several seconds. Once the mapping is removed, there is no external access to the deleted object. That storage area is then made available only for write operations and the data is overwritten by newly stored data.

APPENDIX 3 | SECURITY MEASURES

PARTNER Applicable Data Protection Regulations

EUROPEAN UNION AND UNITED KINGDOM

GDPR Partner requirements (applicable to Partners established in the EU/EEA or the UK, or providing products and services to Data Subjects in the EU/EEA and the UK)

In general, GDPR requires you to:

Document and assess all processing of Personal Data and the systems being used. The purpose and lawfulness of the processing should be defined and you should make sure you do not process Personal Data that is not needed for the defined purpose.
Ensure the organisational and technical security of the processing and be able to demonstrate it. Assess your internal processes for data retention and security, and document it. Ensure that your own technology can provide sufficient technical security, and document it.
When you are using third-party services, like ours, to process Personal Data, you need to make sure that the data processing requirements are compliant with GDPR.
When acquiring new technology that is likely to result in a high risk to Personal Data, you need to perform a risk analysis – a Data Protection Impact Assessment (DPIA). As an existing Partner, our services are not new technology to you. But doing a DPIA might still be a good idea and will help you in documenting compliance.
Users (data subjects) have stronger rights under GDPR. Our Partners need to have a process in place for taking data subject requests, and for assessing the validity of the requests.
A particularly important data subject right is transparency and information. Make sure the information to your users on everything required under GDPR is easily accessible, including how they can exercise their rights. If your users are young, you should make sure this information is available to parents too.
Review the Kidsloop Data Processor Agreement, which purpose is to regulate the rights and duties pursuant to the European Data Protection Legislation, including the GDPR regulations, applicable to the Data Controller in connection with the Partnership Agreement.

BRAZIL

In general, the LGPD requires you to:

Document and assess all processing of Personal Data and the systems being used. The purpose and lawfulness of the processing should be defined and you should make sure you do not process Personal Data that is not needed for the defined purpose.
Ensure the organisational and technical security of the processing and be able to demonstrate it. Assess your internal processes for data retention and security, and document it. Ensure that your own technology can provide sufficient technical security, and document it.
When you are using third-party services, like ours, to process Personal Data, you need to make sure that the data processing requirements are compliant with GDPR.
When acquiring new technology that is likely to result in a high risk to Personal Data, you need to perform a risk analysis – a Data Protection Impact Assessment (DPIA). As an existing Partner, our services are not new technology to you. But doing a DPIA might still be a good idea and will help you in documenting compliance.
Users (data subjects) have stronger rights under LGPD. Our Partners need to have a process in place for taking data subject requests, and for assessing the validity of the requests.
A particularly important data subject right is transparency and information. Make sure the information to your users on everything required under LGPD is easily accessible, including how they can exercise their rights. If your users are young, you should make sure this information is available to parents too.
Review the Kidsloop Data Processor Agreement, which purpose is to regulate the rights and duties pursuant to the LGPD, applicable to the Data Controller in connection with the Partnership Agreement.
Ensure you have obtained consent from parents or guardians to process children (under 18 years of age) Personal Data, as required by LGPD, and that such consent includes our services and the transfer of the Personal Data to us so we can carry out the processing activities instructed by you according to the Kidsloop Data Processor Agreement.

HONG KONG

The Data Processor agrees to take all reasonable measures necessary to:

prevent any Personal Data transferred to the Data Processor from being kept longer than is necessary for processing of the Personal Data; and

prevent any unauthorised or accidental access, processing, erasure, loss or use of the Personal Data transferred to the Data Processor for processing.

PEOPLE’S REPUBLIC OF CHINA

When a Personal Data Controller entrusts a third party to process Personal Data, the following requirements shall be met:

The entrustment made by the Personal Data Controller shall not go beyond the scope of the consents of Personal Data Subjects or the requirement of the PRC’s legislation;
The Personal Controller shall conduct a Personal Data security impact assessment for the entrustment, and ensure that the trustee meets the data security capacity requirements;
The Personal Data Controller shall supervise the trustee through methods including but not limited to:
Specify the responsibilities and obligations of the trustee through contracts or otherwise;
Audit the trustee.

The Personal Data Controller shall accurately record and store the entrusted Personal Data processing; and
If the Personal Data Controller learns or discovers that the trustee has failed to process the Personal Data in accordance with the entrustment requirements, or failed to effectively fulfill the responsibility for Personal Data protection, the Personal Data Controller shall immediately require the trustee to stop relevant activities and shall take or require the trustee to take effective remedial measures (such as changing the password, revoking access, and disconnecting the network) to control or eliminate the security risks to the Personal Data. If necessary, the Personal Data Controller shall terminate its business relationship with the trustee and require the trustee to delete the Personal Data obtained from the Personal Data Controller in time.

When sharing and transferring Personal Data for reasons other than entrusted processing, Personal Data Controllers shall pay full attention to risks. If Personal Data is shared and transferred not due to acquisition, merger, reorganization or bankruptcy, the following requirements shall be met:

A security impact assessment of Personal Data shall be conducted in advance, and effective measures to protect Personal Data Subjects shall be taken based on the assessment results.
The Personal Data Subjects shall be informed of the purpose of the sharing and transfer, the type of the data recipient and possible consequences, and consents of the Personal Data Subject s shall be obtained in advance. Cases are except ed where the Personal Data to be shared is de-identified and it is ensured that the data recipient cannot re-identify or associate the Personal Data Subjects;
Before sharing or transferring sensitive Personal Data, the Personal Data Controllers shall also inform the Personal Data Subject s of the types of sensitive Personal Data involved, the identity of the recipient and their data security capabilities, and obtain explicit consents of the Personal Data Subjects in advance;
The Personal Data Controllers shall specify the responsibilities and obligations of the data recipient through contracts or otherwise;
The Personal Data Controllers shall accurately record and store information about Personal Data sharing and transfer, including the date, scale, purpose of the sharing and transfer, and basic information of the data recipient;
If a Controller discovers that the data recipient has processed the Personal Data in violation of the requirements of laws or regulations or the agreement between the two parties, the Personal Data Controller shall immediately require the data recipient to stop relevant activities and shall take or require the data recipient to take effective remedial measures (such as changing the password, revoking access, and disconnecting the network) to control or eliminate the security risk s to the Personal Data; if necessary, the Personal Data Controller shall terminate its business relationship with the data recipient, and require the data recipient to delete the Personal Data obtained from the Personal Data Controller in time;
The Personal Data Controllers shall bear the corresponding responsibility for any damage on the legitimate rights and interests of the Personal Data Subjects incurred by security incidents due to the sharing and transfer of Personal Data;
The Personal Data Controllers shall help the Personal Data Subjects to understand the storage and use of Personal Data by data recipients, as well as the rights of the Personal Data Subjects, such as the right to access, rectify, delete information and to de-register; and
Personal biometric information shall not, in principle, be shared or transferred. If it is necessary to share or transfer due to business needs, the Personal Data Controller shall inform Personal Data Subject to obtain separate consents.

THAILAND

In addition to the foregoing, the Data Processor agrees to:

comply with all requirements of the Thai Personal Data Protection Act and regulations;
review security measures when necessary or when the security technology is changed;
notify the Personal Data Controller of any data breach that occurs within a time which would afford the Personal Data Controller sufficient time to itself notify the proper authorities within 72 hours; and
for foreign (non-Thai based) Data Processors, they must identify a DPO and Local Representative in Thailand, if required, and provide their address, contact information and method.

PHILIPPINES

Processing by a Data Processor shall be governed by a contract or other legal act that binds the Data Processor to the Personal Data Controller.

The contract or legal act shall set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects, the obligations and rights of the Personal Data Controller, and the geographic location of the processing under the subcontracting agreement.

The contract or other legal act shall stipulate, in particular, that the Data Processor shall:

process the Personal Data only upon the documented instructions of the Personal Data Controller, including transfers of Personal Data to another country or an international organization, unless such transfer is authorized by law;
ensure that an obligation of confidentiality is imposed on persons authorized to process the Personal Data;
implement appropriate security measures and comply with the Data Privacy Act and applicable rules, and other issuances of the National Privacy Commission;
not engage another processor without prior instruction from the Personal Data Controller: Provided, that any such arrangement shall ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing;
assist the Personal Data Controller by adopting appropriate technical and organizational measures and to the extent possible, fulfill the obligation to respond to requests by data subjects relative to the exercise of their rights;
assist the Personal Data Controller in ensuring compliance with the Data Privacy Act and the applicable rules, other relevant laws, and other issuances of the National Privacy Commission, taking into account the nature of processing and the information available to the Data Processor;
at the choice of the Personal Data Controller, delete or return all Personal Data to the Personal Data Controller after the end of the provision of services relating to the processing: Provided, that this includes deleting existing copies unless storage is authorized by the Data Privacy Act or another law;
make available to the Personal Data Controller all information necessary to demonstrate compliance with the obligations laid down in the Data Privacy Act, and allow for and contribute to audits, including inspections, conducted by the Personal Data Controller or another auditor mandated by the latter;
and immediately inform the Personal Data Controller if, in its opinion, an instruction infringes the law or any other issuance of the National Privacy Commission.

COOKIES POLICY

WHAT ARE COOKIES

Cookies (or similar technologies) are pieces of information which include a unique reference code that a website transfers to your device to store and sometimes track information about you. A number of cookies we use last only for the duration of your web session (session cookies) and expire when you close your browser. Other cookies are used, for example, to remember you when you return to platform(s) owned and operated by us (Platform(s) listed on KIDSLOOP PLATFORM LIST page) and will last for longer (persistent cookies). Cookies cannot be used to run programs or deliver viruses to your computer. They are uniquely assigned to your device and are sent back to the originating website on each subsequent visit (if they last longer than a web session) or to another website that recognises that cookie.

Some of the cookies used on our Platform(s) are set by us, and we may use some set by third parties who are delivering services (such as interest based advertising and web analytics) on our behalf.

WHAT DO WE USE COOKIES FOR?

We use the following categories of cookies on our Platform(s):

Category 1: Strictly Necessary Cookies

These cookies are essential to enable you to move around the Platform(s) and use its features, such as accessing secure areas of the Platform(s) or areas with paid-for content. Without these cookies, certain services cannot be provided. As cookies are essential for using the Platform(s), these cookies cannot be turned off without severely affecting your use of the Platform(s).

Category 2: Performance Cookies

These cookies collect anonymous information on how people use our Platform(s). For example, we use Google Analytics cookies to help us understand how customers arrive at our Platform(s), browse or use our Platform(s) and highlight areas where we can improve our Platform(s) such as navigation, use of course materials. The data stored by these cookies never shows personal details from which your individual identity can be established.

Category 3: Functional Cookies

These cookies remember choices you make such as the country you visit Platform(s) from, language and search parameters. These can then be used to provide you with an experience more appropriate to your selections and to make the visits more tailored and pleasant. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.

Category 4: Targeting cookies or advertising cookies

These cookies collect information about your browsing habits in order to make advertising more relevant to you and your interests. They are also used to limit the number of times you see an advert as well as help measure the effectiveness of an advertising campaign. The cookies are usually placed by third party advertising networks. They remember the websites you visit and that information is shared with other parties such as advertisers.

Category 5: Social Media Cookies

These cookies allow you to share what you have been doing on the platform(s) on social media such as Facebook and Twitter. These cookies are not within our control. Please refer to the respective privacy policies for how their cookies work.

HOW TO VIEW YOUR COOKIE SETTINGS AND CHANGE THEM?

If you want to delete any cookies that are already on your device, please refer to the help and support area on your internet browser for instructions on how to locate the file or directory that stores cookies.

Please refer to the useful links below for your browser:

Chrome: https://support.google.com/chrome/answer/95647

Internet Explorer: https://support.microsoft.com/en-gb/help/17442/

Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

Safari: https://support.apple.com/en-us/HT201265

Opera: https://help.opera.com/en/latest/web-preferences/#cookies

Please note that by deleting our cookies or disabling future cookies you may not be able to access certain areas or features of our Platform(s).