PRIVACY POLICY — GENERAL SCHOOL PROGRAMME

A. Definitions

For the purpose of this Privacy Policy:

  • “Provider” refers to the organisation delivering, managing, and operating the Programme. 
  • “Partner” refers to the subscribing school, kindergarten, centre, or organisation that signs this Agreement and participates in the Programme. 
  • “Personal Data” refers to any information relating to an identified or identifiable individual, including names, contact details, allergy information, attendance records, and photographs. 
  • “Children’s Data” refers to Personal Data belonging to students participating in the Programme.

“Personal Data refers to any information relating to an identified or identifiable individual…”

B. Purpose of Data Collection

The Provider collects and processes Personal Data and Children’s Data for the following purposes:

  • Programme administration — enrolment, attendance tracking, lesson delivery, and programme coordination.
  • Safety and allergy management — ensuring safe participation and identifying dietary or health restrictions.
  • Communication — sending programme updates, training information, payment reminders, and operational notices.
  • Training and support — managing teacher onboarding, workshops, and support groups.
  • Payment processing — managing subscription fees through approved payment gateways.
  • Programme improvement — analysing participation data to enhance curriculum and delivery.
  • Compliance — meeting legal, regulatory, and audit requirements.

“The Provider collects and processes Personal Data… for programme administration… communication… payment processing…”

C. Types of Data Collected

The Provider may collect the following categories of data:

  1. Partner (School) Data
  • School name
  • Address
  • Contact person name
  • Email and phone number
  • Billing and payment information
  • Programme package selection
  1. Teacher Data
  • Name
  • Contact details
  • Attendance at training sessions
  1. Children’s Data
  • Name
  • Age/class
  • Allergy or health information
  • Attendance
  • Activity participation
  • Photographs or videos (only with consent)
  1. Payment Data
  • Transaction records
  • Payment status
  • Subscription cycle details

“The Provider may collect… school name… teacher data… children’s data… payment data.”

D. Consent Requirements

The Partner is responsible for obtaining written parental consent for:

  • Participation in the Programme
  • Collection of allergy or health information
  • Use of photographs or videos (if applicable)

The Provider may request proof of consent at any time.

“The Partner is responsible for obtaining written parental consent…”

E. Data Storage & Security

The Provider implements reasonable administrative, technical, and physical safeguards, including:

  • Secure digital storage
  • Restricted access to authorised personnel
  • Encrypted payment processing
  • Regular data backups

The Provider will take reasonable steps to prevent:

  • Unauthorised access
  • Data loss
  • Misuse
  • Alteration or disclosure

“The Provider implements reasonable administrative, technical, and physical safeguards…”

F. Data Sharing & Disclosure

Personal Data may be shared only under the following conditions:

  • With authorised staff involved in programme delivery
  • With payment processors for billing purposes
  • With regulatory authorities if required by law
  • With thirdparty service providers strictly for operational needs (e.g., training platforms)

The Provider does not sell, rent, or trade Personal Data to any third party.

“The Provider may share Personal Data only under the following conditions…”

G. Use of Photos & Videos

Photos or videos of children may be used only if parental consent is obtained, and only for:

  • Programme documentation
  • Training purposes
  • Marketing materials (optional, if consented)

Partners must ensure parents understand and approve the usage.

“Photos or videos… may be used only if parental consent is obtained…”

H. Data Retention

The Provider retains Personal Data only for as long as necessary to:

  • Deliver the Programme
  • Fulfil legal or audit requirements
  • Resolve disputes

Children’s Data will be deleted or anonymised within 12 months after programme completion unless required for compliance.

“Children’s Data will be deleted or anonymised within 12 months…”

I. Partner Responsibilities

The Partner agrees to:

  • Obtain all required parental consents
  • Provide accurate allergy and health information
  • Protect any Programme materials containing Personal Data
  • Report any data breach to the Provider immediately
  • Ensure teachers comply with privacy and safety guidelines

“The Partner agrees to… obtain all required parental consents… report any data breach…”

J. Data Access & Correction

Partners may request:

  • Access to their stored data
  • Correction of inaccurate information
  • Removal of data (where legally permissible)

Requests must be submitted in writing to the Provider.

“Partners may request access… correction… removal of data…”

K. Data Breach Notification

In the event of a data breach:

  • The Provider will notify the Partner as soon as reasonably possible
  • The Provider will take corrective actions to minimise impact
  • The Partner must cooperate in communicating with affected parents if necessary

“In the event of a data breach… the Provider will notify the Partner…”

L. Changes to This Policy

The Provider reserves the right to update or amend this Privacy Policy. Any changes will be communicated to the Partner in writing.

M. Governing Law

This Privacy Policy is governed by the laws of Malaysia.