Data Protection Policy and Privacy Notice

Our privacy is important.

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).

This Data Protection Policy sets out the basis on which any personal data you provide to Illumine Labs Private. Ltd. (Company No. 226606) (“we” or “our” or “us”), either itself or through its subsidiaries or licensees, via various electronic platforms such as mobile applications, web (admin.illumine.app) or any other platforms designated by us (the “Portal“) is processed .

General

We will be collecting and processing personal data provided by you or any third parties and/or further information and data that may be required by us from time to time.

By using our Portal and services provided via our Portal (the ” Services”) in any manner, you agree that you have read this Data Protection Policy and accept the terms stated herein. We may need to change this Policy from time to time as well, but we will do our best to alert you to changes by placing a notice on http://www.illumine.app/privacy, by sending you an email, and/or by some other means. Please note that if we aren’t able to send a notification or if you’ve opted not to receive legal notice emails from us (or you haven’t provided us with your email address), you are still responsible for reading and understanding the changes. If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes. Use of information we collect now is subject to the Privacy Policy in effect at the time such information is used.

You agree and acknowledge that your continued use of our Services after this Data Protection Policy has been revised constitutes your acceptance of the Data Protection Policy as amended, provided that if such revision materially impacts your use of our Services, we may notify you through such avenues as we deem appropriate. What constitutes a material change, will be determined by us at our sole and absolute discretion.

When Do We Collect Personal Data?

We collect personal data when you:

1. or the School (as defined below) sets up and/or registers an account with us,
2. use the Services,
3. provide comments or submit a problem to us,
4. request information from us and provide your name or return contact information,
5. join any contests or surveys organised by us, or
6. register an account with us either through manual registration.

We may also process the personal data of your child if they are provided by your child’s school or the school’s headquarters or administrator (individually and/or collectively referred as the “School”, where appropriate) or by you. You agree and consent to us processing your child’s personal data in accordance with the terms and conditions of this Data Protection Policy.

What Personal Data Do We Collect?

In this Data Protection Policy, “Personal Data” refers to any data, whether true or not, about an individual who can be identified:

1. from that data; or
2. from that data and other information to which we have or are likely to have access to (including data in our records as may be updated from time to time).

We may collect and process the following personal data:

1. your name, and contact details;
2. your child’s personal data such as his or her name, photo,NRIC or birth certificate number, emergency contact information for your child and Content as provided by you, the School or any third parties.

Your name, contact details and child’s personal data are obligatory and if we are not allowed to process such information, we may not be able to provide you with the Services. We may also process other personal data such as:

1. your activities through the Portal;
2. transactional history in order to document a transaction you may have had with us or other users; and
3. any information collected through the use of Cookies (as defined below).

Some of the information collected by us may not be explicitly submitted by you as we do from time to time also automatically receive and record information on our server logs from your browser, including your IP address, cookie information, your requested web pages, your browser type and language, access times, and the referring website address.

If you give us information about another person, you undertake that you can:

• give consent on his/her behalf for the collection and/or processing of his or her personal data;
• receive in his/her behalf any data protection notices; and
• warrant that you have obtained his/her consent for us or have the right to allow us to collect, store and/or use his/her personal data.

What about Cookies?

“Cookies” are data files that may be downloaded to your computer when you visit the Portal and permit the Portal to identify your browser whenever you interact with the Portal. We use cookies to recognize repeat visits by users of the Portal and to collect information about our users’ interactions with the Portal. These cookies contain identification information that enables us to streamline your experiences using the Portal. You may set your browser software to reject cookies, but you may not be able to optimize the features of the Portal. In some cases, you may not be able to access the Portal if cookies are disabled.

How do We Use the Personal Data Collected by Us?

In general, other than providing you with the Services and other services incidental or related to the Services, we may use the information provided to us for the following purposes:

1. provide, maintain, protect and improve the Portal, to develop new services, and to protect ourselves and our users;
2. develop and display content tailored to your interests on the Portal.
3. enforce any Terms of Use between us;
4. research and reporting purposes including historical and statistical purposes;
5. general operation and maintenance of the Portal including audit and its related portal(s);
6. provide you with regular communications (other than direct marketing materials) from us relating to the Portal;
7. investigate complaints, suspected suspicious transactions and research for service improvement;
8. respond to any enquiries from our users; and
9. conduct market surveys and analytics, and inform our users of any updates or changes regarding our Services.

Who do We Share the Personal Data With?

We may share your personal data with:

1. third party service providers under contract who help with our business operations (such as merchants, partners, fraud investigations, bill collection, monitoring of user behaviour on the Portal and the processing of payments for any products or services);
2. third parties (including those overseas) who provide data processing services; and
3. any person, who is under a duty of confidentiality to which has undertaken to keep such data confidential, which we have engaged to fulfil our obligations to you.

We do not share your child’s personal data with third parties for marketing purposes. However, we may need to share your child’s personal data provided to us through our Portal with the School in order to ensure that we are able to provide the Services to you and also to fulfil our obligations to the School. Your child’s personal data such as his / her name and picture may be inevitably or incidentally disclosed to other users of the Portal (e.g. other parents and guardians). For example, your child may appear in a photograph published on the Portal with other children of our users.

1. We may disclose personal data if required to do so by law or if we have good faith belief that such disclosure is necessary to protect and/or defend our rights and interests. We may, as permitted by applicable law, disclose personal data to third parties in connection with an investigation of fraud, infringement, piracy, tax avoidance and evasion or other unlawful activity and you expressly authorize us to make such disclosures.
2. If we are merged or acquired by another entity, personal data may be transferred to such an entity as a part of the merger or acquisition.

As an individual, what are your rights?

We will, upon your written request to us (see Contact below), allow you to enquire about the ways in which your personal data has been or may have been used or disclosed within a year before the request, unless we are required or authorised to do so by law, to deny your request for access to your personal data.

You have the right, without any cost, to request access to personal data that we may process about you. If you wish to exercise this right, you should:

• put your request in writing
• include proof of your identity and address (e.g. a copy of your driving licence or passport, and a recent utility or credit card bill); and
• specify the personal data you want access to, including any account or reference numbers where applicable

Right of rectification of errors –

You have the right to require us to correct, amend, or delete inaccurate data any inaccuracies in your data free of charge. If you wish to exercise this right, you should:

• put your request in writing;
• provide us with enough information to identify you (e.g. account number, username, registration details); and
• specify the information that is incorrect and what it should be replaced with.

Right of deletion/right to be forgotten –

You also have the right to ask us to stop processing your personal data for direct marketing purposes. If you wish to exercise this right, you should:

• put your request in writing (an e–mail sent to dpo@illumine.app with a header that says ‘Unsubscribe’ is acceptable);
• provide us with enough information to identify you (e.g. account number, username, registration details); and
• if your objection is not to direct marketing in general, but to direct marketing by a particular channel (e.g. email or telephone), please specify the channel you are objecting to.
• If requested to remove data, We will respond and delete the data within a reasonable timeframe.

Please note that if your request concerns information in the portal please contact your school.

Data retention

• We will retain your personal data for as long as it is necessary to fulfil the purpose for which it was collected, the legal or business purposes of Illumine, or as required by relevant laws. We will usually keep the following data: (a) child’s and parents details, (b) school fees, (c) child’s overall health records, (d) child’s attendance including photos taken which is linked to the check-in/out; and (e) child’s portfolio (pictures and learning outcome), till the school uses our services

• When We have no ongoing legitimate business need to process your personal information, We will either delete or anonymize it, or, if this is not possible, then We will securely store your personal information and isolate it from any further processing until deletion is possible.

 

Data storage and backups

We are using Google Cloud & Firebase for storing and processing the data.

Updated firewalls and other technical methods are used to protect the Operations Center network against unauthorized access. Customer’s data is stored logically separated from other customers’ data. We have data backups for 30 days stored in Google cloud and encrypted by Google. Older data is automatically churned by the cloud. Incase of an incident the affected parties are informed and data is restored using the latest backup. Our data servers and storage servers are located in the USA and Europe.

Data Security

All Firebase(database and storage) services have successfully completed the ISO 27001 and SOC 1, SOC 2, and SOC 3 evaluation process, and some have also completed the ISO 27017 and ISO 27018 certification process. Firebase services encrypt data in transit using HTTPS and logically isolate customer data. All our website and network calls are encrypted and use HTTPS protocol.

Illumine utilizes end-to-end SSL encryption from the end user’s device all the way to the database as well as between internal services on the servers.

 Data Privacy

Illumine has a permission system as part of Portal, lets you choose who can see and access what information. No parent can access any other parents’ data in the system.

Illumine’s database service restricts access to select employees who have a business purpose to access data stored. Database service logs employee access to systems whenever access is made. Illumine database service only permits access to data by employees who sign in with Google Sign-In and 2-factor authentication.

What is a security breach procedure?

Provided that Illumine detects a security breach or threat thereof in relation to the portal, Illumine will seek to locate and identify such breach or threat as well as the scope of the issue as soon as possible, seek to limit the potential or occurred damage to the extent possible, seek to hinder such a security breach in the future and to the extent possible, restore any lost data.

In the case of a security breach where unauthorized people gain access to the Customer’s data or where the loss of data has occurred, Illumine will, when possible, cf. e.g. the section “Procedure”, notify the Customer in a written notice about the security breach. Such notifications will contain information about which data Illumine deems to have been accessed unauthorized, whether Illumine has initiated special precautions, and the notification will inform whether the Customer, according to Illumine’s evaluation, must take special precautions.

 

Contact

If you wish to make a request access or request correction of the personal data or have any inquiries or complaints in respect of your personal data, please contact us at:

Data Protection Officer

info@illumine.app

Illumine Labs Pvt. Ltd.

 

Personal Data collected for the following purposes and using the following services:

– Analytics

• Google Analytics and WordPress Stats
  Personal Data: Cookies; Usage Data
• Contacting the User for new signups
• Signup and demo request form
  Personal Data: company name; country; email address; first name; last name; phone number

– Handling payments

• Stripe
  Personal Data: various types of Data as specified in the privacy policy of the service
• Hosting and backend infrastructure
• Google Cloud Services

Personal Data: various types of Data as specified in the privacy policy of the service

Infrastructure monitoring

• Bugsnag
  Personal Data: Crash information; device information; Universally unique identifier (UUID)
• Mixpanel
  Personal Data: various types of Data as specified in the privacy policy of the service.

Personal Data: Crash information; device information; Universally unique identifier (UUID)

• Location-based interactions
• Geolocation (applicable only if bus tracking feature is used)
  Personal Data: geographic position – Only bus driver location is stored. We never store individual user’s Geolocation.

Support and troubleshooting tickets

• Apple App Store and Google Play Store
  Personal Data: Usage Data

WordPress.com

• Hubspot
  Personal Data: Cookies; email address;; language; unique device identifiers; Usage Data; various types of Data as specified in the privacy policy of the service
• Platform services and hosting

Further information about Personal Data

• • Push notifications
    This Application may send push notifications to the User to achieve the purposes outlined in this privacy policy.
    Users may in most cases opt-out of receiving push notifications by visiting their device settings, such as the notification settings for mobile phones, and then change those settings for this Application, some or all of the apps on the particular device.
    Users must be aware that disabling push notifications may negatively affect the utility of this Application.
  • User identification via a universally unique identifier (UUID)
    This Application may track Users by storing a so-called universally unique identifier (or short UUID) for analytics purposes or for storing Users’ preferences. This identifier is generated upon installation of this Application, it persists between Application launches and updates, but it is lost when the User deletes the Application. A reinstall generates a new UUID