1. Introduction
Anthoria AI Academy (“we”, “us”, “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Platform at https://learn.anthoria.tech.
This Policy is drafted in compliance with:
- The Personal Data Protection Act 2010 (PDPA) of Malaysia
- The Communications and Multimedia Act 1998 of Malaysia
- The EU General Data Protection Regulation (GDPR) 2016/679 (for users in the European Economic Area)
- The California Consumer Privacy Act (CCPA) / CPRA (for California residents)
- General internationally recognised privacy principles
3. Personal Data We Collect
We collect the following categories of personal data:
3.1 Data You Provide Directly
- Account data: Full name, email address, password (hashed), profile picture (if provided via Google SSO).
- Payment data: Transaction reference, amount, currency, and payment status. We do not store full credit or debit card numbers — these are handled by our payment processor (Stripe).
- Communications: Messages, support requests, or feedback you send us.
3.2 Data Collected Automatically
- Usage data: Pages visited, courses accessed, lesson progress, completion status, time spent on the Platform.
- Device and log data: IP address, browser type and version, operating system, referring URLs, and timestamps of access.
- Cookies and similar technologies: Session cookies, authentication tokens, and analytics cookies. See Section 9 for details.
3.3 Data from Third Parties
- Google OAuth: If you sign in via Google, we receive your name, email address, and profile picture from Google, subject to their privacy policy.
- Payment processor: Stripe provides us with payment confirmation, transaction IDs, and billing country.
4. How We Use Your Personal Data
We use your personal data for the following purposes:
| Purpose | Lawful Basis (GDPR / PDPA) |
|---|---|
| Create and manage your account | Contract performance / Consent |
| Provide access to purchased courses | Contract performance |
| Process payments and issue invoices | Contract performance / Legal obligation |
| Track learning progress and issue certificates | Contract performance |
| Respond to customer support enquiries | Legitimate interests / Contract |
| Send transactional emails (password reset, receipt) | Contract performance |
| Send course updates or platform announcements (opt-in) | Consent |
| Detect fraud and ensure platform security | Legitimate interests / Legal obligation |
| Improve the Platform through analytics | Legitimate interests |
| Comply with applicable laws and regulations | Legal obligation |
We will not use your personal data for purposes incompatible with those listed above without your prior consent.
5. Disclosure and Sharing of Personal Data
We do not sell, rent, or trade your personal data to third parties. We may share your data in the following limited circumstances:
- Service providers: We share data with trusted third-party service providers who assist in operating the Platform (e.g., Supabase for database and authentication, Stripe for payment processing, Vercel for hosting, email delivery providers). These providers process data on our behalf under contractual obligations consistent with this Policy.
- Legal requirements: We may disclose your data where required by applicable law, court order, or governmental authority, including the Royal Malaysian Police or the Personal Data Protection Commissioner of Malaysia.
- Business transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity, subject to the same protections described in this Policy.
- Protection of rights: We may disclose data when we believe disclosure is necessary to protect the rights, property, or safety of Anthoria AI Academy, our users, or the public.
6. International Data Transfers
Our Platform is hosted on infrastructure operated by Vercel (United States) and Supabase (United States). Your personal data may be stored and processed in countries outside Malaysia, including the United States and the European Union.
Where we transfer personal data outside Malaysia or the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the processor's EU-U.S. Data Privacy Framework certification, as applicable.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law:
- Account data: Retained for the duration of your account and up to 3 years after account closure, for audit and legal purposes.
- Payment records: Retained for 7 years to comply with Malaysian financial record-keeping requirements under the Companies Act 2016.
- Course progress and certificates: Retained for 5 years, or until you request deletion.
- Log and usage data: Retained for up to 12 months.
After the applicable retention period, data is securely deleted or anonymised.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
8.1 Rights Under Malaysian PDPA
- Right of Access: Request a copy of personal data we hold about you.
- Right of Correction: Request correction of inaccurate or incomplete personal data.
- Right to Withdraw Consent: Withdraw consent for processing where consent is the lawful basis.
- Right to Prevent Processing: Request that we cease or not begin processing your data for direct marketing purposes.
8.2 Additional Rights for EEA / UK Users (GDPR)
- Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data where there is no compelling reason for continued processing.
- Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
- Right to Restriction: Request that we restrict processing of your data in certain circumstances.
- Right to Object: Object to processing based on legitimate interests or direct marketing.
- Rights related to automated decision-making: Not be subject to solely automated decisions that significantly affect you.
- Right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or the relevant national DPA in the EEA).
8.3 Rights for California Residents (CCPA / CPRA)
- Right to know what personal information we collect, use, disclose, or sell.
- Right to delete personal information we have collected.
- Right to opt out of the sale or sharing of personal information (we do not sell personal information).
- Right to non-discrimination for exercising your privacy rights.
- Right to correct inaccurate personal information.
To exercise any of the above rights, contact us at support@anthoria.tech. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
9. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve the Platform. The categories of cookies we use are:
| Type | Purpose | Basis |
|---|---|---|
| Essential / Strictly Necessary | Authentication tokens, session management, CSRF protection. Required for the Platform to function. | Necessary |
| Functional | Remembering your theme preferences and UI settings. | Legitimate interests |
| Analytics | Anonymous usage statistics to understand how the Platform is used and improve it. | Legitimate interests / Consent |
| Payment | Set by Stripe to facilitate secure payment processing. | Contract performance |
You can control cookies through your browser settings. Note that disabling essential cookies may prevent some features of the Platform from functioning. For detailed information about managing cookies, visit allaboutcookies.org.
10. Children's Privacy
The Platform is not directed at children under the age of 13 (or under 16 for users in the EEA). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at support@anthoria.tech and we will take steps to delete such information promptly.
11. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
- Encryption of data in transit using TLS/HTTPS.
- Encryption of data at rest using industry-standard encryption.
- Password hashing using bcrypt or equivalent algorithms.
- Role-based access controls limiting employee access to personal data.
- Regular security assessments and vulnerability management.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant authorities as required by applicable law (within 72 hours for GDPR-covered breaches).
12. Links to Third-Party Websites
Our Platform may contain links to third-party websites and services (including YouTube for video content, LinkedIn for certificate sharing, and payment processors). This Privacy Policy does not apply to those third-party sites. We encourage you to read the privacy policies of any third-party sites you visit.
13. Malaysian PDPA Compliance Statement
In compliance with the Personal Data Protection Act 2010 (PDPA) of Malaysia, we confirm:
- We have obtained your consent to process your personal data, or rely on another lawful basis under the PDPA, before processing.
- We do not process sensitive personal data (as defined under the PDPA) without your explicit consent, except where required by law.
- We have implemented appropriate security standards as required under the PDPA Security Principle.
- We retain personal data only for as long as necessary for the purpose for which it was collected (Retention Principle).
- We ensure personal data is accurate and up to date (Integrity Principle).
- We do not transfer personal data outside of Malaysia unless the destination country provides adequate data protection, or appropriate safeguards are in place, as required by the Transfer of Personal Data Abroad Principle under the PDPA.
You may direct PDPA-related enquiries or complaints to the Personal Data Protection Department of Malaysia (JPDP) at www.pdp.gov.my.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. We will notify you of material changes by posting a notice on the Platform or via email at least 14 days before the changes take effect.
The “Effective Date” at the top of this Policy indicates when it was last revised. We encourage you to review this Policy periodically.
15. Contact and Data Protection Enquiries
For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact our privacy team:
Anthoria AI Academy — Privacy Team
Email: support@anthoria.tech
Platform: https://learn.anthoria.tech
For Malaysian PDPA complaints, you may also contact the Personal Data Protection Department (JPDP) at www.pdp.gov.my.
© 2026 Anthoria AI Academy. All rights reserved.