Legal
Privacy Policy
Last updated:
This Privacy Policy explains what personal data LearnSys collects, why we collect it, how long we keep it, and the choices you have. It applies to our marketing site, web application, and mobile apps (iOS, Android).
1. Who we are
LearnSys is operated by iGears Technology Limited (科擎科技有限公司), the data controller for personal data we collect directly. Where LearnSys is provided to you by your training centre, school, or employer (the “Tenant”), the Tenant is the data controller and we act as a data processor on their behalf.
Contact: [email protected] · Postal: iGears Technology Limited, #307, 9488 51 Avenue, Edmonton, AB, T6E 5A6, Canada
2. Categories of data we collect
The table below summarises each category, why we collect it, and the legal basis under GDPR Article 6 (where applicable).
| Category | Examples | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Account data | Name, email, hashed password, role (owner/admin/operator/member/student), Tenant ID | Authenticate users, enforce role-based access | Contract (6(1)(b)) |
| Student profile data | Phone, date of birth (optional), parent/guardian contact (if minor), ID number where required by Tenant | Enrolment, attendance, certification | Contract (6(1)(b)) |
| Learning data | Enrolled courses, attendance records, assessment scores, certificates issued | Deliver the service the Tenant offers | Contract (6(1)(b)) |
| Financial data | Invoice line items, payment records (cash, FPS, PayMe, bank transfer, cheque, Stripe, Alipay HK, WeChat Pay) | Billing, reconciliation, statutory record-keeping | Contract (6(1)(b)) & Legal obligation (6(1)(c)) |
| Device data | FCM push token, device platform (iOS/Android/web), app version | Deliver push notifications you've consented to receive | Legitimate interest (6(1)(f)) |
| Diagnostic | Crash logs, request logs, IP, user-agent | Service reliability, abuse prevention | Legitimate interest (6(1)(f)) |
3. How we use your data
- Provide and operate the LearnSys platform.
- Authenticate users and enforce Tenant-level data isolation.
- Process enrolments, attendance, assessments, certificates, invoices, and payments.
- Send transactional notifications (enrolment confirmations, password resets, payment receipts, session reminders).
- Diagnose crashes and prevent abuse.
- Comply with legal, tax, and accounting obligations.
4. We do not use your data for advertising
5. Sub-processors
We rely on the following sub-processors to operate the service. Each is bound by a written data-processing agreement.
| Sub-processor | Purpose | Region | Privacy notice |
|---|---|---|---|
| Google — Firebase Cloud Messaging | Push notification delivery | Global (Google infrastructure) | firebase.google.com/support/privacy |
| Stripe, Inc. (if enabled by Tenant) | Card payment processing | Global (US-headquartered) | stripe.com/privacy |
| Tenant's hosting provider | Application hosting and database storage for the LearnSys backend | Hong Kong (default) or as agreed with Tenant | Per Tenant's chosen provider |
6. Children's privacy
Students using LearnSys may be minors. Tenants are responsible for obtaining parental or guardian consent under their local law — including the Personal Data (Privacy) Ordinance (Hong Kong), GDPR Article 8 (EU), and COPPA (United States) where applicable. LearnSys does not knowingly collect data directly from children outside a Tenant relationship.
A parent or guardian who believes a child's data has been collected without consent should contact [email protected]; we will work with the relevant Tenant to investigate and, where appropriate, delete the data.
7. Security
- In transit: all traffic between our apps and backend uses HTTPS (TLS 1.2+).
- At rest: databases and backups are encrypted; passwords are hashed with bcrypt.
- Access control: role-based access; Tenant-level data isolation; audit logging on sensitive actions.
- On device: auth tokens stored in iOS Keychain / Android Keystore via
flutter_secure_storage. - Vulnerability reports: please disclose responsibly to [email protected].
8. Data retention
- Account and learning data: retained while membership is active.
- After an account-deletion request: removed from production within 30 days; backups purged on a rolling 30-day cycle.
- Invoice and payment records: retained for 7 years as required by Hong Kong tax law (or longer if your jurisdiction requires).
- Crash and request logs: retained for up to 90 days.
9. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Request deletion — see Account & Data Deletion Instructions
- Request data portability (export)
- Object to or restrict processing based on legitimate interest
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with your local data-protection authority (e.g., the PCPD in Hong Kong)
For Tenant-managed accounts, please contact your Tenant administrator first. Where LearnSys acts as processor we will route your request to the Tenant.
10. International transfers
Our default hosting region is Hong Kong. Some sub-processors (e.g., Google FCM, Stripe) operate global infrastructure that may transfer data to the United States or other regions. Where required, transfers from the EEA/UK rely on Standard Contractual Clauses or equivalent safeguards.
11. Changes to this policy
Material changes will be announced in-app and by email at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.
12. Contact
Privacy enquiries: [email protected]
Security disclosure: [email protected]
Postal: iGears Technology Limited, #307, 9488 51 Avenue, Edmonton, AB, T6E 5A6, Canada
Need a printable copy? Use your browser's Print function — this page has a print stylesheet.