This Privacy Policy explains how HASHSPARKS PTE. LTD. (UEN: 202325470E) (“KiasuLabs”, “we”, “us”, “our”) collects, uses, discloses, stores, and otherwise processes personal data when you use our websites, mobile applications, and related services (together, the “Services”).
This policy is intended to support our users in Singapore and applies across our web, iOS, and Android experiences unless we provide a separate notice for a specific product, school partnership, or feature.
1. Who this policy covers
Our Services are designed for educational use by students, parents or guardians, and in some cases teachers, tutors, schools, or other education partners. This policy applies to personal data we handle as an organisation under applicable law, including Singapore’s Personal Data Protection Act 2012 (“PDPA”).
2. Children and minors
We take extra care with personal data relating to children and teenagers.
- Users under 13: a parent or legal guardian must consent before we collect, use, or disclose the child’s personal data, unless an exception under applicable law applies.
- Users aged 13 to 17: we may rely on the user’s own consent where appropriate and where our notices are readily understandable, but we may also require parent or guardian consent in educational contexts or where we consider it appropriate for the feature or risk involved.
- Parents and guardians: if you believe a child has used the Services without the consent required for that child, contact us and we will take reasonable steps to review the matter.
Student accounts are not intended to be publicly searchable or visible to other users by default, unless a feature clearly says otherwise and the user intentionally shares content.
3. What we collect
Depending on how you use the Services, we may collect the following categories of personal data:
- Account and profile data — for example, your email address, password hash or authentication credentials, display name, age band, school level, subjects of interest, and account preferences.
- Study activity and product usage data — such as topics viewed, practice attempts, scores, revision history, familiarity indicators, streaks, bookmarks, session activity, and learning analytics.
- Content you submit — including messages you send to the AI tutor, answers you type, prompts, feedback, support requests, and any other text you submit through the Services.
- Technical and device data — such as device type, operating system, browser type, app version, crash reports, error logs, timestamps, IP address or approximate location inferred from IP, time zone, and identifiers reasonably needed to run the Services securely and reliably.
- Transaction and subscription data — such as plan type, subscription status, renewal status, purchase platform, order or transaction identifiers, and limited payment-related records. We do not store full payment card numbers on our own systems when payment is processed by Apple, Google, or another payment provider.
- Communications data — records of messages we send to you, and communications you send to us for support, safety, dispute resolution, or legal matters.
4. Data we generally ask you not to provide
Unless a feature specifically asks for it and we clearly explain why, please do not submit sensitive personal data through the Services, such as government identification numbers, health information, financial account credentials, or information about another person that you are not authorised to provide.
5. How we use personal data
We may use personal data to:
- provide, operate, maintain, and improve the Services;
- create and manage accounts, authenticate users, and secure accounts and systems;
- deliver educational features such as AI tutoring, practice questions, revision workflows, personalisation, and progress tracking;
- respond to support requests, troubleshoot issues, investigate complaints, and communicate with you about the Services;
- monitor service quality, measure performance, analyse usage trends, and improve reliability, accessibility, safety, and content quality;
- detect, prevent, and address abuse, cheating, fraud, security incidents, or other misuse of the Services;
- comply with legal obligations and enforce our Terms of Service and other policies; and
- create aggregated, statistical, or de-identified insights that do not reasonably identify you.
6. AI features and model providers
When you use AI-powered features, your prompts, study context, and related outputs may be processed by third-party AI or cloud providers that help us generate responses, feedback, hints, or other educational content. These providers may include providers such as Google, OpenAI, Anthropic, DeepSeek, and other infrastructure or model providers we may engage from time to time.
We use these providers to operate and improve the Services, support safety and abuse monitoring, and maintain service quality. We aim to configure provider relationships and settings in a manner appropriate to the feature and applicable law, but processing may still involve transmission to third-party systems and overseas servers.
AI-generated content may be inaccurate, incomplete, or inappropriate in some cases. You should verify important information, especially for schoolwork, exams, or submissions that matter.
7. Legal bases where required by applicable law
Singapore’s PDPA does not generally use the same “legal bases” framework found in some other jurisdictions. Where another law requires us to identify a legal basis, we may rely on one or more of the following: performance of a contract, compliance with legal obligations, legitimate interests, consent, or another basis available under applicable law.
8. When we disclose personal data
We may disclose personal data to:
- service providers and processors that help us host infrastructure, store data, authenticate users, send emails, process payments, monitor performance, provide customer support, detect abuse, or deliver AI functionality;
- app stores and payment partners such as Apple and Google where needed to manage subscriptions, purchases, refunds, or compliance;
- professional advisers and counterparties where reasonably necessary for audits, corporate transactions, financing, insurance, or legal advice;
- schools, parents, or guardians where this is part of the relevant product flow, where the user or account setup expects it, or where we are otherwise authorised or required by law to do so; and
- regulators, authorities, law enforcement, or other third parties where required by law, court order, regulation, or where reasonably necessary to protect rights, safety, security, or the integrity of the Services.
9. International transfers
We may process or store personal data in Singapore and other countries where we or our service providers operate. Where personal data is transferred outside Singapore, we take steps designed to ensure a standard of protection comparable to that required under the PDPA, including by using contractual safeguards or relying on other legally recognised mechanisms where appropriate.
10. Retention
We keep personal data only for as long as it is reasonably needed for business or legal purposes. The exact period depends on the type of data, why it was collected, whether the account remains active, and our legal or operational needs.
As a general guide, we aim to follow these retention practices unless a longer period is reasonably necessary:
- account data and study records — retained while the account is active and for a limited period afterwards to support reactivation, support, fraud prevention, dispute handling, and legal compliance;
- support communications — typically retained for up to 24 months after the matter is closed;
- security, audit, and technical logs — typically retained for up to 12 months unless needed longer for incident investigation or legal reasons;
- billing, tax, and accounting records — retained for as long as required by applicable legal, accounting, or tax obligations;
- backups — may persist for a limited additional period before being overwritten in the ordinary course.
When personal data is no longer needed, we will delete it, anonymise it, or securely dispose of it in accordance with our retention practices and applicable law.
11. Account deletion and data deletion requests
If you create an account, you may request deletion of your account and associated personal data through the in-app settings where available or by contacting us at contact@kiasulabs.com. Until a dedicated deletion request page is published, email requests sent to this address may be used for deletion requests.
Deletion requests are subject to verification and may not result in immediate removal from all systems. We may retain certain data where reasonably necessary for security, fraud prevention, legal compliance, tax or accounting requirements, dispute resolution, enforcing our agreements, or backup recovery.
12. Your rights and choices
Subject to applicable law, you may have rights to request access to personal data we hold about you, request correction of inaccurate data, withdraw consent where processing is based on consent, request deletion in appropriate cases, object to certain processing, or request a copy of certain data. Some of these options may also be available directly in your account settings.
To exercise a privacy request, contact our Data Protection Officer using the details below. We may need to verify your identity before acting on a request.
13. Cookies and similar technologies
Our websites may use cookies, pixels, local storage, or similar technologies for essential site functionality, login sessions, security, analytics, remembering preferences, and measuring service performance. Where applicable law requires consent for non-essential cookies or similar technologies, we will ask for that consent through the mechanisms we provide on the website.
14. Security
We use administrative, technical, and organisational measures designed to protect personal data. These measures may include access controls, authentication safeguards, encryption in transit where appropriate, monitoring, logging, and restricted personnel access. No security measure is perfect, and no method of transmission or storage is completely secure.
15. Data breach response
If we become aware of a data breach affecting personal data, we will investigate and take steps required by applicable law. Where required, we may notify affected users, parents or guardians, schools, regulators, or other relevant parties.
16. Third-party services and links
The Services may contain links to third-party sites or rely on third-party services and SDKs. Their processing practices are governed by their own terms and privacy notices, and we encourage you to review those materials where relevant.
17. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version here and update the “Last updated” date. If changes are material, we may provide additional notice through the Services, by email, or by another appropriate method.
18. Contact us
KiasuLabs is operated by HASHSPARKS PTE. LTD. (UEN: 202325470E).
For privacy questions, complaints, access or correction requests, consent withdrawal, or deletion requests, contact our Data Protection Officer at:
- Email: contact@kiasulabs.com
- Privacy and support requests: contact@kiasulabs.com