1Who We Are

Sri Bintang Academy Sdn Bhd Sdn. Bhd. ("SBE", "we", "us", or "our") is the data controller responsible for the personal information collected through the SBE Tuition 3.0 platform. We are a private education company operating in Malaysia.

For the purposes of this Privacy Policy, "platform" refers to the SBE Tuition 3.0 website, student booking portal, student wallet system, and all related automated communications.

2What Information We Collect

We collect different categories of information depending on how you use the platform.

3How We Use Your Information

We use your information only for the following purposes:

Purpose	Information Used
Create and manage your account	Name, email, password hash
Process and confirm session bookings	Student profile, booking data, payment status
Send session confirmations, reminders, and Zoom links	Email, phone number, booking data
Process payments and manage your Wallet	Stripe reference, Wallet balance, transaction history
Assign teachers and manage rosters	Student level, subject, session time
Send automated session reports to parents	Phone number, session summary
Provide AI-powered study tools (flashcards, quiz generation)	Subject, curriculum level; prompts are not stored beyond the session
Improve the platform and troubleshoot issues	Usage data, error logs
Comply with legal obligations	As required by applicable law

We do not use your information for advertising, profiling for commercial sale, or any purpose unrelated to the operation of this educational platform.

4Legal Basis for Processing

Under Malaysia's Personal Data Protection Act 2010 (PDPA) and general data protection principles, we process your personal data on the following grounds:

• Contractual necessity: Processing is required to provide the services you have booked and paid for (e.g. booking confirmations, Zoom links, payment processing).
• Consent: Where you have given explicit consent — for example, to receive WhatsApp session reports or marketing updates. You may withdraw consent at any time.
• Legitimate interests: To improve our service, prevent fraud, and ensure platform security, provided these interests are not overridden by your rights.
• Legal obligation: To comply with applicable Malaysian law or lawful requests from competent authorities.

5How We Share Your Information

We do not sell your personal information. We only share it with the following categories of parties, and only to the extent necessary:

• SBE Teachers: Your first name, subject, level, and the Zoom meeting details for your booked session are shared with the assigned teacher. Teachers do not receive your payment details.
• Stripe: Payment processing. See Section 6 for details.
• Zoom: Meeting creation and access. We share session scheduling data with Zoom to generate meeting links. See Section 8.
• Green API (WhatsApp Gateway): Used to send automated session reminders and reports to the phone number on your account. See Section 7.
• OpenAI: Used to power AI study tools. See Section 9.
• Legal authorities: If required by law, court order, or to protect the rights and safety of SBE, its staff, or its users.

All third-party service providers are required to handle your data in accordance with applicable data protection laws and are not permitted to use your data for their own purposes.

6Payments & Stripe

All card payments are processed by Stripe, a PCI-DSS Level 1 certified payment processor. When you enter your card details on the platform, that information is transmitted directly and securely to Stripe — it never passes through or is stored on SBE's servers.

We retain only the payment reference number, amount, and status returned by Stripe to record your transaction history. Stripe's own privacy policy governs how they handle your card data: stripe.com/privacy.

7Communications (Email & WhatsApp)

• Transactional email (booking confirmations, Zoom links, session reminders) is sent via our email service provider. These are essential to the service and cannot be opted out of while you have an active account.
• WhatsApp messages are sent via the Green API gateway to the mobile number registered on your account. These include booking confirmations, pre-session reminders, and post-session reports to parents. By registering your phone number, you consent to receiving these automated messages.
• If you wish to stop WhatsApp notifications, please contact us and we will update your preferences. Note that this may affect your ability to receive timely session information.
• We do not send unsolicited promotional messages without your explicit consent.

8Zoom & Session Data

• We use the Zoom API to automatically create meeting rooms and generate links for your sessions. To do this, we share the session date, time, and subject with Zoom.
• SBE does not record Zoom sessions. Recording by any participant is prohibited without the consent of all parties (see Terms of Use).
• Zoom's handling of data within their platform is governed by Zoom's own privacy policy. We encourage you to review it at zoom.us/privacy.
• Zoom meeting IDs are stored against your booking record to allow us to resolve any technical issues. They are not used for any other purpose.

9AI Features

The SBE platform includes AI-powered study tools for students, including flashcard generation, MCQ creation, and an AI study assistant. These features are powered by OpenAI (GPT-4o).

• When you use an AI study tool, the text of your query and the relevant subject/curriculum context is sent to OpenAI's API for processing.
• We do not send your name, email, or other directly identifying personal information to OpenAI.
• Prompts and AI responses are not permanently stored by SBE beyond your current session; they are used solely to generate the response shown to you.
• OpenAI's API usage is subject to OpenAI's own privacy and data usage policies. Uploaded documents used for text extraction are processed transiently and are not retained by OpenAI for model training (under the API terms). See openai.com/privacy.

10Cookies & Local Storage

The platform uses the following technologies to operate correctly:

• Session cookies: A secure, HTTP-only cookie is used to maintain your login session. This cookie expires when you close your browser or explicitly log out.
• Functional local storage: Your browser may store minimal preference data (e.g. last viewed subject) to improve your experience. This data does not leave your device.
• We do not use third-party advertising cookies, tracking pixels, or analytics platforms that share your data with advertisers.

11Data Retention

We retain your data for as long as your account is active or as needed to provide our services. Specific retention periods are as follows:

Data Type	Retention Period
Account & profile information	For the life of the account, plus 1 year after closure
Booking and session records	3 years (for educational and financial record purposes)
Payment transaction records	7 years (as required by Malaysian financial regulations)
Support communications	2 years after resolution
Server and access logs	90 days

When data is no longer required, it is securely deleted or anonymised.

12Data Security

We take the security of your personal information seriously. Our measures include:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
• Password security: Passwords are stored as salted cryptographic hashes. We never store or have access to your plain-text password.
• Payment security: Card data is handled entirely by Stripe and never stored on our infrastructure.
• Access controls: Access to personal data within SBE is restricted to staff who need it to perform their role. Staff access is logged and audited.
• Database security: Our database is hosted in a secure environment with access restricted by IP and authentication credentials.

Despite these measures, no system can be guaranteed 100% secure. In the event of a data breach that is likely to result in a risk to your rights, we will notify you as required by applicable law.

13Your Rights

Under the Personal Data Protection Act 2010 (PDPA) of Malaysia, you have the following rights regarding your personal data:

To exercise any of these rights, please contact us using the details in Section 16. We will respond within 30 days. We may need to verify your identity before processing the request.

14Children's Privacy

SBE Tuition 3.0 is an educational service intended to be used by students of all ages, including minors. We are committed to protecting the privacy of children.

• Accounts for students under the age of 18 must be registered and managed by a parent or legal guardian.
• We collect only the minimum information necessary to provide the service to a student. We do not collect unnecessary personal information from children.
• We do not display advertising to any users, including children.
• Student session data and academic notes are accessible only to the student's account holder and authorised SBE staff.
• If you believe we have inadvertently collected personal information from a child without appropriate parental consent, please contact us immediately and we will take steps to delete that information.

15Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will notify you by email or by posting a notice on the platform before the change takes effect.

The "Last updated" date at the top of this page will be revised whenever the policy is updated. We encourage you to review this page periodically.

16Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our data team:

• Platform support: Use the Help section within the student portal
• Email: Available on the SBE website
• Operating hours: Monday – Saturday, 9:00 AM – 6:00 PM

We will acknowledge your request within 3 business days and aim to resolve it within 30 days.