Last updated: 1 July 2026
Platform name: Ruiya
Operator: Agus Sentosa, an individual operating the Ruiya pilot platform under the product name "Ruiya" ("Ruiya", "we", "our", or "us"). Ruiya is not currently operated by an incorporated company.
Privacy and Data Protection Officer: Agus Sentosa, Founder (support@ruiya.ai)
Ruiya is an artificial intelligence powered educational support platform for Singapore primary school students. This Privacy Policy explains how we collect, use, disclose, protect, retain, and delete personal data when you or your child use Ruiya.
We handle personal data in accordance with the Singapore Personal Data Protection Act 2012 ("PDPA") and take into account guidance from the Personal Data Protection Commission ("PDPC"), including guidance on children's personal data in the digital environment.
Parent Summary>
Ruiya is an artificial intelligence learning support tool for children. A parent or legal guardian must create and manage the account. Ruiya collects only the information reasonably needed to provide tutoring, run accounts, manage access, process payments or access records, keep the Platform secure, respond to support requests, provide parent learning summaries, and comply with law. Ruiya may analyse saved tutoring conversations, worksheet uploads, topics practised, usage patterns, and feedback to personalise learning and provide parent learning summaries, such as weekly reports, suggested practice areas, and parent guidance. These summaries are not grades, diagnoses, psychological assessments, or formal educational evaluations. Ruiya does not sell children's personal data, does not use children's personal data for advertising, and does not direct marketing to children. To keep children safe and improve Ruiya, the operator may occasionally review tutoring conversations. Human review is not routine monitoring; it is prompted by safety flags, quality checks, support requests, or approval of parent-facing report drafts.
Please do not upload unnecessary personal information, including identity documents, home addresses, phone numbers, medical records, unrelated school records, clear photos of children's faces, or private information about other people.>
This summary is provided for convenience. The full Privacy Policy below explains Ruiya's data practices in more detail.
- 1. Parent summary
- 2. Who this policy applies to
- 3. Personal data we collect
- 4. How we use personal data
- 5. Children's personal data
- 6. Artificial intelligence processing
- 7. When we disclose personal data
- 8. International transfers
- 9. Data retention and deletion
- 10. Data security
- 11. Data breaches
- 12. Cookies and similar technologies
- 13. Your rights under the PDPA
- 14. Third-party links
- 15. Changes to this Privacy Policy
- 16. Contact and Data Protection Officer
- 17. Governing law
This Privacy Policy applies to personal data collected through the Ruiya website, web application, accounts, login, access-code system, tutoring features, uploaded worksheet images, feedback tools, support channels, payment/access administration, analytics, and related services (together, the "Platform").
Ruiya is designed for children to use under the supervision of a parent or legal guardian. Only a parent or legal guardian aged 18 or above should create an account or purchase access for a child.
By creating an account, requesting access, or purchasing paid access for a child, you confirm that you are the child's parent or legal guardian, or that you otherwise have lawful authority to provide consent for the child's use of Ruiya and for the handling of the child's personal data as described in this Privacy Policy.
Children must not create their own accounts.
We collect personal data that is reasonably necessary for the purposes described in this Privacy Policy.
| Data | Why we collect it |
|---|---|
| Parent or guardian email address | Account creation, login, access-code administration, support, service notices, password reset, security, and payment/access communication |
| Password or other login credential | Authentication and account security |
| Child's first name or nickname | Personalising the tutoring experience |
| Child's primary level | Adapting explanations to the child's school level |
| Access code, access status, usage limits, message count, trial status, and paid-access status | Controlling trial access, discretionary free access, paid access, usage limits, fraud prevention, and support |
| Consent records, including policy version, timestamp, IP address, and user agent where available | Recording parental consent and demonstrating compliance |
We recommend using a nickname or first name instead of the child's full legal name where possible.
| Data | Why we collect it |
|---|---|
| Text messages submitted by the user | Generating tutoring responses, maintaining conversation history, personalising learning, and creating parent learning summaries where relevant |
| Uploaded worksheet or question images | Reading the question, generating tutoring responses, and contextualising parent learning summaries where relevant |
| Artificial intelligence responses | Showing and storing the learning conversation and helping summarise what was practised |
| Conversation titles, identifiers, timestamps, message metadata, and selected learning mode | Operating conversation history, support, safety, debugging, learning continuity, and parent learning summaries |
| Primary level, detected level, and tutoring state | Keeping explanations age-appropriate, continuing a tutoring thread, and contextualising parent learning summaries |
| Feedback, ratings, reports, early-family beta comments, and support comments | Improving answer quality, investigating issues, responding to concerns, improving Ruiya around real homework usage, and contextualising parent guidance |
Worksheet images may contain personal data if the image includes names, school details, handwriting, marks, faces, or other identifying information. Please crop or cover unnecessary personal data before uploading where practicable.
| Data | Why we collect it |
|---|---|
| IP address, device type, browser type, operating system, access time, page path, and referrer | Security, fraud prevention, debugging, abuse prevention, and service reliability |
| User agent and request metadata | Detecting abuse, managing access requests, and troubleshooting |
| Campaign or referral parameters, such as source, medium, campaign, landing page, and referrer | Understanding which parent outreach channels led to account registration and product use |
| Session cookies, authentication cookies, and essential local storage | Keeping users logged in and operating account features |
We do not intentionally use advertising cookies, behavioural advertising pixels, or advertising identifiers on child-facing Platform pages.
We may use privacy-preserving analytics to understand aggregate Platform usage and reliability. Where available, we will avoid collecting analytics on admin pages and will provide reasonable opt-out controls.
If Ruiya offers paid access, we may collect or process:
| Data | Why we collect it |
|---|---|
| Payment amount, payment date, payment method type, transaction reference, invoice or receipt record, and plan or access entitlement purchased or redeemed | Processing paid access, granting access entitlements, handling support, refunds, disputes, and accounting records |
| Parent email linked to payment/access | Matching payment to the correct account and issuing access codes or credits |
If we use a third-party payment processor, payment information may be processed by that provider. Ruiya does not need to store full card numbers. The payment processor's own terms and privacy notice may apply to payment processing.
If payment is collected manually during the pilot, we will keep only records reasonably needed to confirm payment, grant access, handle support/refunds, and comply with tax or accounting obligations.
We use personal data for the following purposes:
1. Providing the Platform: creating accounts, authenticating users, managing trial access, access codes, discretionary free access, paid access, message limits, uploaded images, tutoring responses, conversation history, and parent learning summaries.
2. Personalising learning: adapting explanations to the child's primary level, learning mode, and recent conversation context.
3. Parent learning summaries: analysing saved tutoring conversations, worksheet uploads, topics practised, timestamps, usage patterns, and feedback to provide parents or guardians with learning summaries, weekly reports, suggested practice areas, and parent guidance.
4. Safety and moderation: detecting, preventing, reviewing, and responding to unsafe, abusive, inappropriate, unlawful, or privacy-risk content.
5. Support and communication: responding to account, access, technical, billing, feedback, or safety requests.
6. Security and fraud prevention: protecting accounts, detecting unauthorised access, preventing misuse, and investigating incidents.
7. Service improvement: analysing feedback, early-family beta comments, usage, reliability, answer quality, and user experience to improve Ruiya. Where practicable, we use aggregated, anonymised, or de-identified data for this purpose.
8. Payment and administration: processing payments, granting paid access entitlements, maintaining payment/access records, handling refunds, and complying with accounting obligations.
9. Legal compliance: complying with applicable laws, regulatory requirements, court orders, lawful requests, accounting obligations, dispute resolution needs, and data protection obligations.
Parent learning summaries are intended to support parent-supervised learning conversations. They are not grades, diagnoses, psychological assessments, or formal educational evaluations.
Automated or system-generated parent learning summaries may be created from saved conversation data for the purposes described above. Where the operator reviews individual conversations or report drafts for safety, quality, support, or approval purposes, that review is limited to those purposes. We do not routinely monitor all conversations, and we do not use children's conversations for purposes beyond those described in this Policy.
We do not sell children's personal data. We do not direct marketing communications to children. We do not use children's personal data for behavioural advertising.
Children's personal data deserves a higher level of protection. Ruiya is designed so that a parent or legal guardian creates the account, purchases or requests access, and supervises use.
For children below 13 years old, Ruiya requires consent from a parent or legal guardian before collecting, using, or disclosing the child's personal data.
For children aged 13 to 17, Ruiya still requires parent or legal guardian account creation and supervision as a Platform rule, even where the law may recognise that some older children can understand and give consent in appropriate circumstances.
At registration, purchase, or access activation, the parent or legal guardian should confirm that they have read the Terms and this Privacy Policy and consent to the child's use of Ruiya.
We try to limit children's personal data to what is reasonably needed for tutoring, parent learning summaries, safety, support, security, payment/access administration, and service operation. Parents and children should avoid submitting unnecessary personal data.
Children's profiles and conversations are not public, searchable, or visible to other users by default.
A parent or legal guardian may request to:
1. access personal data linked to their account or child;
2. correct inaccurate personal data;
3. delete the account, child-related data, or specific conversations where technically feasible;
4. withdraw consent for further collection, use, or disclosure of the child's personal data; or
5. ask questions about how Ruiya handles children's personal data.
We may need to verify that the requester is the account holder or otherwise has lawful authority before acting on a request. Withdrawal of consent or deletion may limit or prevent further use of Ruiya.
Ruiya uses third-party artificial intelligence providers to understand messages and worksheet images, generate tutoring responses, and, where used, help prepare parent learning summaries.
This means text messages, uploaded images, conversation context, and related metadata may be transmitted to artificial intelligence service providers for processing.
We take reasonable steps, through provider settings, contractual terms, technical controls, or equivalent measures where available and appropriate, to limit service provider use of personal data to providing, securing, maintaining, and supporting Ruiya.
Ruiya does not use children's identifiable conversations to train Ruiya-owned foundation models. If we later wish to use children's identifiable tutoring data for a materially different purpose, we will update this Privacy Policy and obtain any consent required by law before doing so.
Artificial intelligence services can make mistakes. Parents and children should not submit information that is unnecessary for the tutoring question.
We disclose personal data only where reasonably necessary for the purposes described in this Privacy Policy.
We may disclose personal data to service providers acting for us, including:
| Service provider category | Purpose | Data that may be shared |
|---|---|---|
| Artificial intelligence processing providers | Processing text and image inputs, generating responses, and supporting parent learning summaries where used | Messages, uploaded images, conversation context, selected level/mode, and related metadata |
| Cloud hosting and database providers | Hosting, storing, securing, and operating Ruiya | Platform data needed to host and operate the service |
| Analytics providers | Privacy-preserving usage and reliability analytics | Page path, device/browser data, usage events, and technical metadata |
| Email and support providers | Service notices, parent learning reports, access support, and user support | Email address, parent learning report content, support content, and account/access details needed to respond |
| Payment or payment-record providers | Processing or recording paid access | Payment/access records, parent email, transaction reference, and relevant account information |
| Security, legal, accounting, or professional advisers | Security, compliance, accounting, tax, legal, and dispute support | Relevant records needed for that purpose |
We do not publish our vendor list in this Privacy Policy. We maintain internal records of service provider categories and the purposes for which they process data.
We may disclose personal data where required or permitted by law, court order, regulator, government authority, or where we reasonably believe disclosure is necessary to protect rights, safety, security, property, users, children, service providers, or the public.
If Ruiya is later transferred to, assigned to, or operated by a newly incorporated Ruiya company, we may transfer relevant personal data to that successor operator where reasonably necessary to continue the Platform, provided that the successor operator handles personal data in accordance with this Privacy Policy or gives notice of any material change where required.
Personal data may be transferred to, stored, or processed outside Singapore where our service providers, infrastructure, or artificial intelligence services are located.
When we transfer personal data outside Singapore, we take reasonable steps to ensure that the transferred personal data receives a standard of protection comparable to the protection under the PDPA. These steps may include contractual terms, provider data protection terms, transfer safeguards, technical controls, provider due diligence, or other appropriate measures.
We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, or as required or permitted by law.
Unless a different period is required for legal, security, accounting, dispute, backup, or operational reasons, our intended retention approach is:
| Data category | Intended retention approach |
|---|---|
| Account data | Until account deletion or 24 months of inactivity, unless retention is required or permitted |
| Child profile data | Until child profile deletion, account deletion, or no longer needed |
| Tutoring messages and uploaded images | Up to 12 months from interaction, after which they should be deleted or anonymised where technically feasible |
| Parent learning summaries and service email records | As long as needed for delivery, audit, support, unsubscribe or preference handling, and dispute handling, unless deletion or anonymisation is appropriate earlier |
| Feedback and support records | As long as needed for support, quality improvement, safety, and dispute handling |
| Usage and technical logs | Up to 24 months, unless needed longer for security, legal, or abuse-prevention reasons |
| Payment, tax, and accounting records | At least 5 years or as required by applicable tax/accounting obligations |
Upon verified account deletion, we will take reasonable steps to delete or irreversibly anonymise personal data from active systems within 60 calendar days, except where retention is required or permitted for legal, security, safety, accounting, audit, backup, dispute, fraud-prevention, or legitimate operational reasons.
Backup copies may take longer to expire according to backup cycles, but we will not actively use deleted personal data from backups except where needed for restoration, security, legal, or compliance reasons.
We implement reasonable and appropriate technical, administrative, and organisational safeguards to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.
These safeguards should include:
1. encryption of data in transit using HTTPS/TLS;
2. passwords stored using one-way salted hashing or an equivalent secure authentication method;
3. access controls limiting personal data access to authorised administrators only;
4. secure authentication controls for administrators;
5. reasonable limits on unnecessary data collection and unnecessary admin access; and
6. deletion, anonymisation, or retention controls appropriate to the data type.
No electronic storage or transmission method is completely secure. We cannot guarantee absolute security.
If we have credible grounds to believe that a data breach has occurred, we will take reasonable and expeditious steps to assess the breach, contain it, determine whether it is notifiable, and mitigate potential harm.
Where required by law, we will notify the PDPC and affected individuals. Where a breach is determined to be notifiable under the PDPA, notification to the PDPC will be made no later than 3 calendar days after that determination, unless the law provides otherwise.
Even where formal notification is not legally required, we may notify affected parents or account holders where we consider it appropriate, especially where child data may be affected.
We use essential cookies and similar technologies needed to operate Ruiya, including login sessions, authentication, security, and account features.
We may use privacy-preserving analytics to understand aggregate usage and reliability. We do not intentionally use third-party advertising cookies, behavioural advertising pixels, or social media tracking pixels on child-facing Platform pages.
You may disable cookies in your browser settings, but this may affect Platform functionality.
Subject to the PDPA and applicable exceptions, you may request to:
1. access personal data about you or your child that is in our possession or control;
2. correct inaccurate or incomplete personal data;
3. withdraw consent for the collection, use, or disclosure of personal data;
4. request deletion of your account and associated data; and
5. ask questions or make complaints about how Ruiya handles personal data.
To exercise these rights, contact support@ruiya.ai. We may require verification of your identity and authority before processing a request. We will respond within 30 calendar days where reasonably practicable.
Withdrawal of consent or deletion may limit or prevent further use of Ruiya.
Ruiya may contain links to third-party websites or services not operated by us. We are not responsible for the privacy practices of those third parties. Please review their privacy notices before providing personal data to them.
We may update this Privacy Policy to reflect changes in our practices, technology, product features, legal requirements, or business structure.
For material changes, we will take reasonable steps to notify account holders, such as by email or in-product notice. Where a change materially affects how children's personal data is handled, we will obtain fresh parental consent where required by law.
Your continued use of Ruiya after the effective date of an updated Privacy Policy means you acknowledge the updated Privacy Policy. If you do not agree, you should stop using Ruiya and may request account deletion.
Data Protection Officer: Agus Sentosa, Founder
Email: support@ruiya.ai
We will acknowledge privacy-related enquiries within 5 business days where reasonably practicable and aim to resolve them within 30 calendar days, subject to verification and the nature of the request.
If you are dissatisfied with our response, you may contact the Personal Data Protection Commission of Singapore.
This Privacy Policy is governed by the laws of the Republic of Singapore.