Phos

Last Updated: January 1, 2025

At Phos, we are committed to protecting your privacy and the privacy of children whose photos are shared through our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and services.

1. Information We Collect

1.1 Personal Information

We collect information that you provide directly to us, including:

•Name and contact information (email address, phone number)
•Account credentials (email, password)
•Profile information (role: parent, teacher, or administrator)
•Organization information (school name, address)
•Student information (name, age, class assignment) - only for authorized educational purposes
•Photos and media content uploaded to the platform

1.2 Automatically Collected Information

When you use our services, we automatically collect certain information:

•Device information (device type, operating system, unique device identifiers)
•Usage data (features used, time spent, interactions)
•Log data (IP address, access times, pages viewed)
•Location data (only if you grant permission, used for geotagging photos)

1.3 Face Recognition Data

We use AI-powered face recognition technology to automatically tag students in photos. This process involves:

•Facial feature analysis (mathematical representations, not actual images)
•Face detection and recognition algorithms
•Tagging metadata associated with photos

All face recognition data is processed locally when possible and stored securely. Parents can opt out of AI face recognition while still receiving manually tagged photos.

2. How We Use Your Information

We use the information we collect to:

•Provide and maintain our photo sharing services
•Enable AI-powered face recognition and automatic tagging
•Send notifications about new photos and announcements
•Facilitate communication between teachers and parents
•Ensure privacy and security through Row-Level Security (RLS)
•Comply with legal obligations, including PDPA and GDPR requirements
•Improve our services and develop new features
•Respond to your inquiries and provide customer support

3. Privacy-First Architecture

Phos is built with privacy at its core:

3.1 Row-Level Security (RLS)

Our database uses Row-Level Security to ensure that parents can only access photos of their own children. Even if a parent attempts to access another child's photos through technical means, the database will deny access. This is enforced at the database level, not just the application level.

3.2 Data Isolation

Each parent's data is completely isolated. Photos are tagged with student IDs, and access is restricted based on parent-student relationships. Teachers can see all photos for their classes, but parents can only see photos of their own children.

3.3 Consent Management

We require explicit consent before processing any personal data, especially for children. Parents must consent to photo sharing and can opt out of AI face recognition at any time. Consent can be withdrawn at any time through the app settings.

4. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share information only in the following circumstances:

•With your explicit consent
•With authorized school administrators and teachers for educational purposes
•With service providers who assist us in operating our platform (e.g., cloud storage, analytics) under strict confidentiality agreements
•To comply with legal obligations or respond to lawful requests from authorities
•To protect our rights, privacy, safety, or property, or that of our users
•In connection with a business transfer (merger, acquisition, etc.) with notice to users

5. Data Security

We implement industry-standard security measures to protect your data:

•End-to-end encryption for data in transit
•Encrypted storage for data at rest
•Secure authentication and access controls
•Regular security audits and vulnerability assessments
•Database-level security (Row-Level Security)
•Secure API endpoints with authentication tokens
•Regular backups and disaster recovery procedures

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

6. Children's Privacy

Phos is designed specifically for sharing photos of children in educational settings. We take children's privacy extremely seriously:

•We only collect information about children with explicit parental consent
•Parents have full control over their child's data and can delete it at any time
•Photos are only visible to authorized parents and teachers
•We do not use children's data for advertising or marketing purposes
•Parents can opt out of AI face recognition for their children
•We comply with COPPA (Children's Online Privacy Protection Act) and similar regulations

7. Your Rights (PDPA & GDPR Compliance)

Under PDPA (Malaysia) and GDPR (EU), you have the following rights:

7.1 Right to Access

You can request a copy of all personal data we hold about you and your children. This includes photos, account information, and usage data.

7.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data through the app settings or by contacting us.

7.3 Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data and your children's data at any time. We will delete all data within 30 days, except where we are required to retain it for legal purposes.

7.4 Right to Data Portability

You can request your data in a machine-readable format to transfer to another service.

7.5 Right to Object

You can object to processing of your personal data, including AI face recognition. You can opt out at any time through app settings.

7.6 Right to Withdraw Consent

You can withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

8. Data Retention

We retain your personal data only for as long as necessary to provide our services and comply with legal obligations:

•Active accounts: Data is retained while your account is active
•Deleted accounts: Data is deleted within 30 days of account deletion
•Photos: Retained until deleted by the user or organization, or upon account deletion
•Legal requirements: Some data may be retained longer if required by law
•Backups: Deleted data may remain in backups for up to 90 days before permanent deletion

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We use cloud infrastructure providers (Supabase) that may store data in various locations. We ensure that:

•Data transfers comply with applicable data protection laws
•Appropriate safeguards are in place (e.g., Standard Contractual Clauses)
•Data is encrypted during transfer and at rest

10. Cookies and Tracking Technologies

We use cookies and similar technologies to:

•Maintain your session and authentication state
•Remember your preferences and settings
•Analyze usage patterns to improve our services

You can control cookies through your browser or device settings. However, disabling cookies may affect the functionality of our services.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

•Posting the new Privacy Policy on this page
•Updating the 'Last Updated' date
•Sending you an email notification (for significant changes)
•Displaying a notice in the app

Your continued use of our services after changes become effective constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions, concerns, or wish to exercise your rights regarding your personal data, please contact us:

Email: privacy@getphos.app

Support: support@getphos.app

Address: Phos by SAFR+, Malaysia

We will respond to your request within 30 days as required by PDPA and GDPR.

Your privacy is our priority. We are committed to protecting your data and the data of children using our platform.