App Privacy Policy
1. Who We Are
Learning Time ("Learning Time", "we", "our", "us") is operated by:
Learning Time Digital Limited
5/F, 88 Lockhart Road, Wan Chai, Hong Kong
Hong Kong Business Registration No. 79301879-000-12-25-4
Privacy Contact: privacy@learningtime.com.hk
Learning Time is not currently offered in the European Economic Area or United Kingdom. If you access the Service from the EEA/UK despite our market restrictions, you still have the rights described in Section 12.7. We will appoint a representative under Article 27 GDPR before expanding availability to those markets.
2. Scope of This Policy
This Privacy Policy describes how we collect, use, store, share, and protect personal data when you:
- Download, install, or use the Learning Time mobile application on iOS or Android;
- Create or manage a Learning Time account;
- Interact with our customer support or marketing communications;
- Visit the Learning Time website at https://www.learningtime.com.hk.
3. Personal Data We Collect
3.1 Information You Provide Directly
| Category | Specific Data | Why We Need It |
|---|---|---|
| Account | Email address, display name (optional), password (hashed), preferred language, time zone | To create and secure your account; service communications; language/timezone preferences |
| Authentication | Apple ID or Google account identifier, OTP codes (expire within 5 minutes) | To authenticate you securely |
| Child Profile | Child's first name or nickname, date of birth, sex (optional), profile photo (optional) | To personalise developmental tracking; age drives milestone suggestions |
| Developmental Records | Observations (free text), milestone statuses, activity completions, mood check-ins (1–5 scale) | To power progress view, weekly recap, AI narratives, and personalised reminders |
| Subscription & Purchases | Subscription tier, start date, renewal state — received from Apple/Google. No credit-card data stored. | To give paying users access to paid features and honour restore-purchase requests |
3.2 Information Collected Automatically
| Category | Specific Data | Purpose |
|---|---|---|
| Device & App | Device model, OS and version, app version, install date, language, country (from locale) | Compatibility and regional content delivery |
| Usage / Analytics | Pages viewed, buttons tapped, time on screens, feature flags — processed by PostHog | Understand how people use the app; run A/B tests |
| Diagnostic / Crash | Crash reports, error stack traces, performance metrics — processed by Sentry | Detect and fix bugs |
| Server-side Logs | IP address (truncated after 30 days), request timestamps, API endpoint, HTTP status | Security, fraud detection, and service reliability |
3.3 What We Do NOT Collect
- Precise GPS location
- Contacts, photos library beyond the single profile photo, microphone, or camera without explicit permission
- Advertising identifier (IDFA) — NSPrivacyTracking = false
- Biometric or health data from Apple Health or Google Fit
- Data from third-party social media beyond the single identifier from Sign in with Apple/Google
- Personal data directly from children
4. How We Use Your Personal Data
4.1 Purposes
| Purpose | Examples | Data Used |
|---|---|---|
| Provide the service | Show milestone progress; generate weekly recap; send reminders | Account, child profile, developmental records |
| Personalise the service | Pick age-appropriate activities; select AI narrative tone | Child profile, developmental records, language |
| Communicate with you | Password resets; push notifications; customer support | Email, push token, support tickets |
| Improve the service | Measure feature usage; fix bugs; run A/B experiments | Usage analytics, diagnostic data |
| Keep the service safe | Rate-limit abuse; detect fraud | Server logs, authentication records |
| Comply with law | Respond to lawful regulator or court requests | Any of the above, as strictly necessary |
| Billing | Recognise subscription state; honour restore-purchases | Subscription identifiers from Apple / Google |
4.2 Legal Bases
We rely on one or more of the following legal bases depending on purpose and jurisdiction:
- Contract — to deliver the Learning Time service you signed up for
- Consent — for push notifications, personalised communications, and (in Indonesia) analytics and AI narratives. In Indonesia, analytics are only activated after explicit opt-in. You can withdraw consent at any time.
- Legitimate interest — for service security, fraud prevention, and product improvement
- Legal obligation — to respond to valid regulatory, tax, or law-enforcement requests
5. Third Parties That Process Data on Our Behalf
| Vendor | Role | Data Shared | Region |
|---|---|---|---|
| Supabase | Cloud database, authentication, serverless functions | Account, child profile, developmental records, server logs | Singapore (ap-southeast-1) |
| Apple Inc. | Sign in with Apple; App Store purchases; TestFlight | Apple identifier, subscription state | Worldwide |
| Google LLC | Sign in with Google; Google Play purchases | Google account identifier, subscription state | Worldwide |
| Alibaba Cloud International (Qwen) | AI-generated narrative text | Child age in months, pillar category, up to 3 observation summaries — never name or date of birth | Singapore (ap-southeast-1) |
| PostHog, Inc. | Product analytics, feature flags, A/B testing | Pseudonymised user ID, device type, event names — no child names or observation text | European Union |
| Sentry | Crash and error reporting | Device model, OS version, stack trace, pseudonymised user ID | United States |
| Resend | Transactional email (OTP, password reset) | Email address, email content | Ireland (EU region) |
6. International Data Transfers
Your personal data is stored primarily in Singapore (Supabase region ap-southeast-1). We apply the following safeguards:
- Contractual safeguards — Standard Contractual Clauses (SCCs) with each processor that stores data outside your jurisdiction
- Technical safeguards — encryption in transit (TLS 1.2+) and at rest (AES-256)
- Organisational safeguards — Row-Level Security ensures each user can only read their own data
- Data minimisation — AI requests strip identifying fields (name, date of birth) before leaving our infrastructure
7. How Long We Keep Your Data
| Category | Retention |
|---|---|
| Active account data | For as long as your account is active |
| Server-side request logs | 30 days, then deleted |
| Crash and error reports | 90 days, then deleted or anonymised |
| Analytics events | 24 months, then aggregated and anonymised |
| Data after account deletion | Deleted from production within 30 days; from backups within 90 days |
| Billing records | 7 years (or minimum required by local tax law) after last transaction |
| Records of consent | Duration of consent plus 2 years |
8. Children's Data
Important: Learning Time is a tool for parents, not a service directed to children. Children do not create accounts and do not directly use the app.
Because the app stores information about a child, we treat that information with extra care:
- Parental consent — by creating an account and adding a child profile, you confirm you are the child's parent or legal guardian
- No direct marketing to children — we never send marketing to children or show advertising inside the app
- No tracking across apps or websites — we do not use the Apple advertising identifier (IDFA) or equivalent
- Limited AI processing — AI narrative requests contain only de-identified developmental signals; we never send the child's name, date of birth, or photo to the AI provider
- Parental rights — access, correct, export, or delete your child's data from Settings or by writing to privacy@learningtime.com.hk
Users must be 18 years of age or older and the child's parent or legal guardian to create an account.
9. Your Rights
| Right | What It Means | How to Use It |
|---|---|---|
| Access | Get a copy of the personal data we hold about you | Email privacy@learningtime.com.hk — JSON format within 30 days |
| Rectification / Correction | Fix inaccurate data | In-app: edit profile fields, or email us |
| Erasure / Deletion | Delete your account and associated data | In-app: Settings → Account → Delete account |
| Portability | Receive your data in machine-readable JSON format | Email privacy@learningtime.com.hk — JSON within 30 days |
| Restriction | Ask us to pause processing while a dispute is resolved | Email privacy@learningtime.com.hk |
| Objection | Object to processing based on legitimate interest | Email privacy@learningtime.com.hk |
| Withdraw Consent | Withdraw any consent you gave (e.g., notifications) | In-app: Settings → Notifications; or email us |
| Complain to a Regulator | Lodge a complaint with your data-protection authority | See Section 12 for local authorities |
10. Security
We protect your data with:
- Encryption in transit — all network traffic uses TLS 1.2 or higher
- Encryption at rest — databases use AES-256; passwords stored as salted hashes (bcrypt/argon2)
- Row-Level Security — database enforces that you can only read and write your own data and your child's data
- Least-privilege access — administrative access limited to named engineers with multi-factor authentication
- Continuous monitoring — anomalous activity monitoring and automated secret-scanning on every code change
- Incident response — we will notify the relevant regulator within 72 hours of a data breach and notify affected users without undue delay
11. Cookies and Similar Technologies
The Learning Time mobile app does not use cookies.
Our website at https://www.learningtime.com.hk uses only strictly necessary cookies and a single analytics cookie set by PostHog. You can reject non-essential cookies from the banner shown on your first visit. Full details are available in our Cookie Policy at https://www.learningtime.com.hk/pages/cookie-policy.
12. Country- and Region-Specific Disclosures
12.1 Indonesia
For users in Indonesia, we comply with Law No. 27 of 2022 concerning Personal Data Protection ("UU PDP") and its implementing regulations.
- Data controller (pengendali data pribadi): Learning Time Digital Limited
- Legal basis: explicit consent (Article 20(a)), the contract between you and us (Article 20(b)), and legitimate interest (Article 20(f))
- An official Bahasa Indonesia translation is available at https://www.learningtime.com.hk/id/pages/privacy-policy-1. For Indonesian users, the Indonesian version prevails in case of conflict.
- Regulator: Ministry of Communication and Informatics (Direktorat Jenderal Aplikasi Informatika), to be replaced by the independent Lembaga Pelindungan Data Pribadi once established
12.2 Hong Kong SAR
For users in Hong Kong, we comply with the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO") and the six Data Protection Principles (DPPs).
- Data User: Learning Time Digital Limited, 5/F, 88 Lockhart Road, Wan Chai, Hong Kong
- You may make a Data Access Request or Data Correction Request under sections 18 and 22 of the PDPO by writing to privacy@learningtime.com.hk
- Regulator: Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) — pcpd.org.hk
12.3 Singapore
For users in Singapore, we comply with the Personal Data Protection Act 2012 ("PDPA"). Regulator: Personal Data Protection Commission (PDPC) — pdpc.gov.sg.
12.4 Malaysia
For users in Malaysia, we comply with the Personal Data Protection Act 2010 (PDPA) and its 2024 amendments. Regulator: Jabatan Perlindungan Data Peribadi (JPDP) — pdp.gov.my.
12.5 Thailand
For users in Thailand, we comply with the Personal Data Protection Act B.E. 2562 (2019). Regulator: Personal Data Protection Committee (PDPC) — pdpc.or.th.
12.6 Philippines
For users in the Philippines, we comply with the Data Privacy Act of 2012 (Republic Act No. 10173). Regulator: National Privacy Commission (NPC) — privacy.gov.ph.
12.7 European Economic Area and United Kingdom
Learning Time is not currently offered in the EEA or UK. If you access the Service from the EEA or UK, we comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR / Data Protection Act 2018. You may lodge a complaint with your local data-protection authority. We will appoint an Article 27 representative before expanding availability to these markets.
12.8 California, United States
If you are a California resident, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) gives you additional rights:
- Right to know what personal information we collect, use, disclose, and sell or share
- Right to delete personal information we have collected from you
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information — we do not sell or share personal information as defined under California law
- Right to limit use and disclosure of sensitive personal information
- Right to non-discrimination for exercising any of these rights
You may exercise these rights by emailing privacy@learningtime.com.hk.
13. Changes to This Policy
When we make a material change, we will:
- Update the "Last updated" date at the top of this Policy
- Post the revised Policy in the app (Settings → Privacy) and on our website
- Where the change materially reduces your rights or expands how we use your data, notify you directly (in-app banner and/or email) and, where required by law, obtain your fresh consent before the change takes effect
We keep an archive of past versions. To request a previous version, email privacy@learningtime.com.hk.
14. Contact Us
Learning Time Digital Limited
5/F, 88 Lockhart Road, Wan Chai, Hong Kong
Email: privacy@learningtime.com.hk
Web: https://www.learningtime.com.hk/pages/contact-us
In-app: Settings → Help → Contact support
We aim to acknowledge your message within 3 business days and provide a substantive response within 30 calendar days.

