Privacy Policy - Ruiya

Last updated: 1 July 2026
Platform name: Ruiya
Operator: Agus Sentosa, an individual operating the Ruiya pilot platform under the product name "Ruiya" ("Ruiya", "we", "our", or "us"). Ruiya is not currently operated by an incorporated company.
Privacy and Data Protection Officer: Agus Sentosa, Founder (support@ruiya.ai)

Ruiya is an artificial intelligence powered educational support platform for Singapore primary school students. This Privacy Policy explains how we collect, use, disclose, protect, retain, and delete personal data when you or your child use Ruiya.

We handle personal data in accordance with the Singapore Personal Data Protection Act 2012 ("PDPA") and take into account guidance from the Personal Data Protection Commission ("PDPC"), including guidance on children's personal data in the digital environment.


1. Parent summary

Parent Summary
Ruiya is an artificial intelligence learning support tool for children. A parent or legal guardian must create and manage the account. Ruiya collects only the information reasonably needed to provide tutoring, run accounts, manage access, process payments or access records, keep the Platform secure, respond to support requests, provide parent learning summaries, and comply with law. Ruiya may analyse saved tutoring conversations, worksheet uploads, topics practised, usage patterns, and feedback to personalise learning and provide parent learning summaries, such as weekly reports, suggested practice areas, and parent guidance. These summaries are not grades, diagnoses, psychological assessments, or formal educational evaluations. Ruiya does not sell children's personal data, does not use children's personal data for advertising, and does not direct marketing to children. To keep children safe and improve Ruiya, the operator may occasionally review tutoring conversations. Human review is not routine monitoring; it is prompted by safety flags, quality checks, support requests, or approval of parent-facing report drafts.
>
Please do not upload unnecessary personal information, including identity documents, home addresses, phone numbers, medical records, unrelated school records, clear photos of children's faces, or private information about other people.
>
This summary is provided for convenience. The full Privacy Policy below explains Ruiya's data practices in more detail.

Table of contents

- 1. Parent summary
- 2. Who this policy applies to
- 3. Personal data we collect
- 4. How we use personal data
- 5. Children's personal data
- 6. Artificial intelligence processing
- 7. When we disclose personal data
- 8. International transfers
- 9. Data retention and deletion
- 10. Data security
- 11. Data breaches
- 12. Cookies and similar technologies
- 13. Your rights under the PDPA
- 14. Third-party links
- 15. Changes to this Privacy Policy
- 16. Contact and Data Protection Officer
- 17. Governing law


2. Who this policy applies to

This Privacy Policy applies to personal data collected through the Ruiya website, web application, accounts, login, access-code system, tutoring features, uploaded worksheet images, feedback tools, support channels, payment/access administration, analytics, and related services (together, the "Platform").

Ruiya is designed for children to use under the supervision of a parent or legal guardian. Only a parent or legal guardian aged 18 or above should create an account or purchase access for a child.

By creating an account, requesting access, or purchasing paid access for a child, you confirm that you are the child's parent or legal guardian, or that you otherwise have lawful authority to provide consent for the child's use of Ruiya and for the handling of the child's personal data as described in this Privacy Policy.

Children must not create their own accounts.


3. Personal data we collect

We collect personal data that is reasonably necessary for the purposes described in this Privacy Policy.

3.1 Account, access, and registration data

DataWhy we collect it
Parent or guardian email addressAccount creation, login, access-code administration, support, service notices, password reset, security, and payment/access communication
Password or other login credentialAuthentication and account security
Child's first name or nicknamePersonalising the tutoring experience
Child's primary levelAdapting explanations to the child's school level
Access code, access status, usage limits, message count, trial status, and paid-access statusControlling trial access, discretionary free access, paid access, usage limits, fraud prevention, and support
Consent records, including policy version, timestamp, IP address, and user agent where availableRecording parental consent and demonstrating compliance

We recommend using a nickname or first name instead of the child's full legal name where possible.

3.2 Tutoring and learning data

DataWhy we collect it
Text messages submitted by the userGenerating tutoring responses, maintaining conversation history, personalising learning, and creating parent learning summaries where relevant
Uploaded worksheet or question imagesReading the question, generating tutoring responses, and contextualising parent learning summaries where relevant
Artificial intelligence responsesShowing and storing the learning conversation and helping summarise what was practised
Conversation titles, identifiers, timestamps, message metadata, and selected learning modeOperating conversation history, support, safety, debugging, learning continuity, and parent learning summaries
Primary level, detected level, and tutoring stateKeeping explanations age-appropriate, continuing a tutoring thread, and contextualising parent learning summaries
Feedback, ratings, reports, early-family beta comments, and support commentsImproving answer quality, investigating issues, responding to concerns, improving Ruiya around real homework usage, and contextualising parent guidance

Worksheet images may contain personal data if the image includes names, school details, handwriting, marks, faces, or other identifying information. Please crop or cover unnecessary personal data before uploading where practicable.

3.3 Technical, security, and analytics data

DataWhy we collect it
IP address, device type, browser type, operating system, access time, page path, and referrerSecurity, fraud prevention, debugging, abuse prevention, and service reliability
User agent and request metadataDetecting abuse, managing access requests, and troubleshooting
Campaign or referral parameters, such as source, medium, campaign, landing page, and referrerUnderstanding which parent outreach channels led to account registration and product use
Session cookies, authentication cookies, and essential local storageKeeping users logged in and operating account features

We do not intentionally use advertising cookies, behavioural advertising pixels, or advertising identifiers on child-facing Platform pages.

We may use privacy-preserving analytics to understand aggregate Platform usage and reliability. Where available, we will avoid collecting analytics on admin pages and will provide reasonable opt-out controls.

3.4 Payment and paid-access data

If Ruiya offers paid access, we may collect or process:

DataWhy we collect it
Payment amount, payment date, payment method type, transaction reference, invoice or receipt record, and plan or access entitlement purchased or redeemedProcessing paid access, granting access entitlements, handling support, refunds, disputes, and accounting records
Parent email linked to payment/accessMatching payment to the correct account and issuing access codes or credits

If we use a third-party payment processor, payment information may be processed by that provider. Ruiya does not need to store full card numbers. The payment processor's own terms and privacy notice may apply to payment processing.

If payment is collected manually during the pilot, we will keep only records reasonably needed to confirm payment, grant access, handle support/refunds, and comply with tax or accounting obligations.


4. How we use personal data

We use personal data for the following purposes:

1. Providing the Platform: creating accounts, authenticating users, managing trial access, access codes, discretionary free access, paid access, message limits, uploaded images, tutoring responses, conversation history, and parent learning summaries.
2. Personalising learning: adapting explanations to the child's primary level, learning mode, and recent conversation context.
3. Parent learning summaries: analysing saved tutoring conversations, worksheet uploads, topics practised, timestamps, usage patterns, and feedback to provide parents or guardians with learning summaries, weekly reports, suggested practice areas, and parent guidance.
4. Safety and moderation: detecting, preventing, reviewing, and responding to unsafe, abusive, inappropriate, unlawful, or privacy-risk content.
5. Support and communication: responding to account, access, technical, billing, feedback, or safety requests.
6. Security and fraud prevention: protecting accounts, detecting unauthorised access, preventing misuse, and investigating incidents.
7. Service improvement: analysing feedback, early-family beta comments, usage, reliability, answer quality, and user experience to improve Ruiya. Where practicable, we use aggregated, anonymised, or de-identified data for this purpose.
8. Payment and administration: processing payments, granting paid access entitlements, maintaining payment/access records, handling refunds, and complying with accounting obligations.
9. Legal compliance: complying with applicable laws, regulatory requirements, court orders, lawful requests, accounting obligations, dispute resolution needs, and data protection obligations.

Parent learning summaries are intended to support parent-supervised learning conversations. They are not grades, diagnoses, psychological assessments, or formal educational evaluations.

Automated or system-generated parent learning summaries may be created from saved conversation data for the purposes described above. Where the operator reviews individual conversations or report drafts for safety, quality, support, or approval purposes, that review is limited to those purposes. We do not routinely monitor all conversations, and we do not use children's conversations for purposes beyond those described in this Policy.

We do not sell children's personal data. We do not direct marketing communications to children. We do not use children's personal data for behavioural advertising.


5. Children's personal data

Children's personal data deserves a higher level of protection. Ruiya is designed so that a parent or legal guardian creates the account, purchases or requests access, and supervises use.

5.1 Parent or guardian consent

For children below 13 years old, Ruiya requires consent from a parent or legal guardian before collecting, using, or disclosing the child's personal data.

For children aged 13 to 17, Ruiya still requires parent or legal guardian account creation and supervision as a Platform rule, even where the law may recognise that some older children can understand and give consent in appropriate circumstances.

At registration, purchase, or access activation, the parent or legal guardian should confirm that they have read the Terms and this Privacy Policy and consent to the child's use of Ruiya.

5.2 Data minimisation

We try to limit children's personal data to what is reasonably needed for tutoring, parent learning summaries, safety, support, security, payment/access administration, and service operation. Parents and children should avoid submitting unnecessary personal data.

Children's profiles and conversations are not public, searchable, or visible to other users by default.

5.3 Parent and guardian rights

A parent or legal guardian may request to:

1. access personal data linked to their account or child;
2. correct inaccurate personal data;
3. delete the account, child-related data, or specific conversations where technically feasible;
4. withdraw consent for further collection, use, or disclosure of the child's personal data; or
5. ask questions about how Ruiya handles children's personal data.

We may need to verify that the requester is the account holder or otherwise has lawful authority before acting on a request. Withdrawal of consent or deletion may limit or prevent further use of Ruiya.


6. Artificial intelligence processing

Ruiya uses third-party artificial intelligence providers to understand messages and worksheet images, generate tutoring responses, and, where used, help prepare parent learning summaries.

This means text messages, uploaded images, conversation context, and related metadata may be transmitted to artificial intelligence service providers for processing.

We take reasonable steps, through provider settings, contractual terms, technical controls, or equivalent measures where available and appropriate, to limit service provider use of personal data to providing, securing, maintaining, and supporting Ruiya.

Ruiya does not use children's identifiable conversations to train Ruiya-owned foundation models. If we later wish to use children's identifiable tutoring data for a materially different purpose, we will update this Privacy Policy and obtain any consent required by law before doing so.

Artificial intelligence services can make mistakes. Parents and children should not submit information that is unnecessary for the tutoring question.


7. When we disclose personal data

We disclose personal data only where reasonably necessary for the purposes described in this Privacy Policy.

7.1 Service providers

We may disclose personal data to service providers acting for us, including:

Service provider categoryPurposeData that may be shared
Artificial intelligence processing providersProcessing text and image inputs, generating responses, and supporting parent learning summaries where usedMessages, uploaded images, conversation context, selected level/mode, and related metadata
Cloud hosting and database providersHosting, storing, securing, and operating RuiyaPlatform data needed to host and operate the service
Analytics providersPrivacy-preserving usage and reliability analyticsPage path, device/browser data, usage events, and technical metadata
Email and support providersService notices, parent learning reports, access support, and user supportEmail address, parent learning report content, support content, and account/access details needed to respond
Payment or payment-record providersProcessing or recording paid accessPayment/access records, parent email, transaction reference, and relevant account information
Security, legal, accounting, or professional advisersSecurity, compliance, accounting, tax, legal, and dispute supportRelevant records needed for that purpose

We do not publish our vendor list in this Privacy Policy. We maintain internal records of service provider categories and the purposes for which they process data.

7.2 Legal, safety, and protection reasons

We may disclose personal data where required or permitted by law, court order, regulator, government authority, or where we reasonably believe disclosure is necessary to protect rights, safety, security, property, users, children, service providers, or the public.

7.3 Business transition

If Ruiya is later transferred to, assigned to, or operated by a newly incorporated Ruiya company, we may transfer relevant personal data to that successor operator where reasonably necessary to continue the Platform, provided that the successor operator handles personal data in accordance with this Privacy Policy or gives notice of any material change where required.


8. International transfers

Personal data may be transferred to, stored, or processed outside Singapore where our service providers, infrastructure, or artificial intelligence services are located.

When we transfer personal data outside Singapore, we take reasonable steps to ensure that the transferred personal data receives a standard of protection comparable to the protection under the PDPA. These steps may include contractual terms, provider data protection terms, transfer safeguards, technical controls, provider due diligence, or other appropriate measures.


9. Data retention and deletion

We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, or as required or permitted by law.

Unless a different period is required for legal, security, accounting, dispute, backup, or operational reasons, our intended retention approach is:

Data categoryIntended retention approach
Account dataUntil account deletion or 24 months of inactivity, unless retention is required or permitted
Child profile dataUntil child profile deletion, account deletion, or no longer needed
Tutoring messages and uploaded imagesUp to 12 months from interaction, after which they should be deleted or anonymised where technically feasible
Parent learning summaries and service email recordsAs long as needed for delivery, audit, support, unsubscribe or preference handling, and dispute handling, unless deletion or anonymisation is appropriate earlier
Feedback and support recordsAs long as needed for support, quality improvement, safety, and dispute handling
Usage and technical logsUp to 24 months, unless needed longer for security, legal, or abuse-prevention reasons
Payment, tax, and accounting recordsAt least 5 years or as required by applicable tax/accounting obligations

Upon verified account deletion, we will take reasonable steps to delete or irreversibly anonymise personal data from active systems within 60 calendar days, except where retention is required or permitted for legal, security, safety, accounting, audit, backup, dispute, fraud-prevention, or legitimate operational reasons.

Backup copies may take longer to expire according to backup cycles, but we will not actively use deleted personal data from backups except where needed for restoration, security, legal, or compliance reasons.


10. Data security

We implement reasonable and appropriate technical, administrative, and organisational safeguards to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.

These safeguards should include:

1. encryption of data in transit using HTTPS/TLS;
2. passwords stored using one-way salted hashing or an equivalent secure authentication method;
3. access controls limiting personal data access to authorised administrators only;
4. secure authentication controls for administrators;
5. reasonable limits on unnecessary data collection and unnecessary admin access; and
6. deletion, anonymisation, or retention controls appropriate to the data type.

No electronic storage or transmission method is completely secure. We cannot guarantee absolute security.


11. Data breaches

If we have credible grounds to believe that a data breach has occurred, we will take reasonable and expeditious steps to assess the breach, contain it, determine whether it is notifiable, and mitigate potential harm.

Where required by law, we will notify the PDPC and affected individuals. Where a breach is determined to be notifiable under the PDPA, notification to the PDPC will be made no later than 3 calendar days after that determination, unless the law provides otherwise.

Even where formal notification is not legally required, we may notify affected parents or account holders where we consider it appropriate, especially where child data may be affected.


12. Cookies and similar technologies

We use essential cookies and similar technologies needed to operate Ruiya, including login sessions, authentication, security, and account features.

We may use privacy-preserving analytics to understand aggregate usage and reliability. We do not intentionally use third-party advertising cookies, behavioural advertising pixels, or social media tracking pixels on child-facing Platform pages.

You may disable cookies in your browser settings, but this may affect Platform functionality.


13. Your rights under the PDPA

Subject to the PDPA and applicable exceptions, you may request to:

1. access personal data about you or your child that is in our possession or control;
2. correct inaccurate or incomplete personal data;
3. withdraw consent for the collection, use, or disclosure of personal data;
4. request deletion of your account and associated data; and
5. ask questions or make complaints about how Ruiya handles personal data.

To exercise these rights, contact support@ruiya.ai. We may require verification of your identity and authority before processing a request. We will respond within 30 calendar days where reasonably practicable.

Withdrawal of consent or deletion may limit or prevent further use of Ruiya.


14. Third-party links

Ruiya may contain links to third-party websites or services not operated by us. We are not responsible for the privacy practices of those third parties. Please review their privacy notices before providing personal data to them.


15. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, product features, legal requirements, or business structure.

For material changes, we will take reasonable steps to notify account holders, such as by email or in-product notice. Where a change materially affects how children's personal data is handled, we will obtain fresh parental consent where required by law.

Your continued use of Ruiya after the effective date of an updated Privacy Policy means you acknowledge the updated Privacy Policy. If you do not agree, you should stop using Ruiya and may request account deletion.


16. Contact and Data Protection Officer

Data Protection Officer: Agus Sentosa, Founder
Email: support@ruiya.ai

We will acknowledge privacy-related enquiries within 5 business days where reasonably practicable and aim to resolve them within 30 calendar days, subject to verification and the nature of the request.

If you are dissatisfied with our response, you may contact the Personal Data Protection Commission of Singapore.


17. Governing law

This Privacy Policy is governed by the laws of the Republic of Singapore.