Legal

Privacy Policy

Last updated:

This Privacy Policy explains what personal data LearnSys collects, why we collect it, how long we keep it, and the choices you have. It applies to our marketing site, web application, and mobile apps (iOS, Android).

1. Who we are

LearnSys is operated by iGears Technology Limited (科擎科技有限公司), the data controller for personal data we collect directly. Where LearnSys is provided to you by your training centre, school, or employer (the “Tenant”), the Tenant is the data controller and we act as a data processor on their behalf.

Contact: [email protected] · Postal: iGears Technology Limited, #307, 9488 51 Avenue, Edmonton, AB, T6E 5A6, Canada

2. Categories of data we collect

The table below summarises each category, why we collect it, and the legal basis under GDPR Article 6 (where applicable).

Category Examples Purpose Legal basis (GDPR Art. 6)
Account data Name, email, hashed password, role (owner/admin/operator/member/student), Tenant ID Authenticate users, enforce role-based access Contract (6(1)(b))
Student profile data Phone, date of birth (optional), parent/guardian contact (if minor), ID number where required by Tenant Enrolment, attendance, certification Contract (6(1)(b))
Learning data Enrolled courses, attendance records, assessment scores, certificates issued Deliver the service the Tenant offers Contract (6(1)(b))
Financial data Invoice line items, payment records (cash, FPS, PayMe, bank transfer, cheque, Stripe, Alipay HK, WeChat Pay) Billing, reconciliation, statutory record-keeping Contract (6(1)(b)) & Legal obligation (6(1)(c))
Device data FCM push token, device platform (iOS/Android/web), app version Deliver push notifications you've consented to receive Legitimate interest (6(1)(f))
Diagnostic Crash logs, request logs, IP, user-agent Service reliability, abuse prevention Legitimate interest (6(1)(f))

3. How we use your data

  • Provide and operate the LearnSys platform.
  • Authenticate users and enforce Tenant-level data isolation.
  • Process enrolments, attendance, assessments, certificates, invoices, and payments.
  • Send transactional notifications (enrolment confirmations, password resets, payment receipts, session reminders).
  • Diagnose crashes and prevent abuse.
  • Comply with legal, tax, and accounting obligations.

4. We do not use your data for advertising

5. Sub-processors

We rely on the following sub-processors to operate the service. Each is bound by a written data-processing agreement.

Sub-processorPurposeRegionPrivacy notice
Google — Firebase Cloud Messaging Push notification delivery Global (Google infrastructure) firebase.google.com/support/privacy
Stripe, Inc. (if enabled by Tenant) Card payment processing Global (US-headquartered) stripe.com/privacy
Tenant's hosting provider Application hosting and database storage for the LearnSys backend Hong Kong (default) or as agreed with Tenant Per Tenant's chosen provider

6. Children's privacy

Students using LearnSys may be minors. Tenants are responsible for obtaining parental or guardian consent under their local law — including the Personal Data (Privacy) Ordinance (Hong Kong), GDPR Article 8 (EU), and COPPA (United States) where applicable. LearnSys does not knowingly collect data directly from children outside a Tenant relationship.

A parent or guardian who believes a child's data has been collected without consent should contact [email protected]; we will work with the relevant Tenant to investigate and, where appropriate, delete the data.

7. Security

  • In transit: all traffic between our apps and backend uses HTTPS (TLS 1.2+).
  • At rest: databases and backups are encrypted; passwords are hashed with bcrypt.
  • Access control: role-based access; Tenant-level data isolation; audit logging on sensitive actions.
  • On device: auth tokens stored in iOS Keychain / Android Keystore via flutter_secure_storage.
  • Vulnerability reports: please disclose responsibly to [email protected].

8. Data retention

  • Account and learning data: retained while membership is active.
  • After an account-deletion request: removed from production within 30 days; backups purged on a rolling 30-day cycle.
  • Invoice and payment records: retained for 7 years as required by Hong Kong tax law (or longer if your jurisdiction requires).
  • Crash and request logs: retained for up to 90 days.

9. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion — see Account & Data Deletion Instructions
  • Request data portability (export)
  • Object to or restrict processing based on legitimate interest
  • Withdraw consent at any time, where processing is based on consent
  • Lodge a complaint with your local data-protection authority (e.g., the PCPD in Hong Kong)

For Tenant-managed accounts, please contact your Tenant administrator first. Where LearnSys acts as processor we will route your request to the Tenant.

10. International transfers

Our default hosting region is Hong Kong. Some sub-processors (e.g., Google FCM, Stripe) operate global infrastructure that may transfer data to the United States or other regions. Where required, transfers from the EEA/UK rely on Standard Contractual Clauses or equivalent safeguards.

11. Changes to this policy

Material changes will be announced in-app and by email at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

12. Contact

Privacy enquiries: [email protected]
Security disclosure: [email protected]
Postal: iGears Technology Limited, #307, 9488 51 Avenue, Edmonton, AB, T6E 5A6, Canada