Whylio Privacy Policy V1
Operated under the domain whylio.com
Last Updated: 24 May 2026
1. Introduction
This Privacy Policy (the "Policy") explains how WHALEMATES LAB PTE. LTD. (UEN 202620755G), a Singapore-incorporated company with registered office at 7500A BEACH ROAD, #08-318, THE PLAZA, SINGAPORE 199591, operating under whylio.com ("Whylio", "we", "us", or "our"), collects, uses, discloses, protects, retains, and transfers personal data when you and your child access or use the website at whylio.com, the Whylio mobile or web application, and any related features or services (collectively, the "Service").
This Policy should be read together with our Terms of Use. Capitalised terms not defined here have the meanings given in the Terms of Use.
We are committed to protecting your and your child's privacy in accordance with the PDPA. This Policy is written, where possible, in plain language so that Singapore secondary school students can understand it, in line with the PDPC's guidance on age-appropriate communication.
If you have any question about this Policy, please email our Data Protection Officer at dpo@whylio.com.
NOTICE TO PARENTS: Because Whylio is designed for preschool, primary, and secondary students, the data subjects under this Policy are children. Where the child is under 13, this Policy is addressed primarily to the Parent or legal guardian as the consenting party. Students under 18 may not create their own account. Where the child is 13 to 17, the child may understand and engage with this Policy directly, but we still require a Parent, teacher, school, institution, or other authorised adult to create or approve the account and, where applicable, manage the subscription, given the educational context, AI processing involved, and payment relationship.
2. Scope and Definitions
This Policy applies to all personal data we collect through the Service.
For the purposes of this Policy:
- "Personal data" has the meaning given in the PDPA -- data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which we have or are likely to have access.
- "Child" or "Student" means an individual under 18 years of age who uses the Service.
- "Parent" means the parent or legal guardian of a Student.
- "You" or "your" refers to whoever is reading this Policy: most often the Parent, sometimes the Student.
- "Aggregated or anonymised data" means data that has been processed so that it can no longer be used to identify any specific person. We do not consider such data to be personal data.
This Policy does not cover information collected by us offline (for example, in face-to-face meetings) or information collected by third parties through their own services that may be linked to or integrated with our Service. Their privacy practices are governed by their own policies.
3. Personal Data We Collect
We collect personal data:
(a) directly from you when you provide it (for example, at sign-up or when submitting work); (b) automatically as the Student uses the Service (for example, device and usage data); and (c) from third parties in limited cases, such as our payment processor confirming a successful payment.
The categories of personal data we collect are set out below.
3.1 Account and Identity Data (Parent and Student)
When a Parent registers an account, we collect:
- Parent's name, email address, mobile number;
- Student's first name or display name and month/year of birth (used for age assurance and to suggest age-appropriate content);
- Student's school level and subjects of interest (e.g. Primary 4 Math) -- for content personalisation only;
- An account password (stored as a salted hash, never in plain text).
We deliberately do not collect: NRIC numbers, FIN numbers, passport numbers, full home address, biometric identifiers, or precise GPS location. We may collect school level and learning-related information for content personalisation. If a school, teacher, or institutional account is used, we may process the information needed to manage that educational relationship.
3.2 Submitted Work and AI Interaction Data
When the Student uses the Service, we collect:
- written answers, compositions, fill-in-the-blank answers, homework photos, and voice recordings that the Student submits;
- the AI Assist feedback, marks, and model essays generated for the Student;
- the conversation history between the Student and the AI.
This data is the core of the Service -- we cannot grade work or give feedback without it.
3.3 Payment Data
When the Parent subscribes:
- the last 4 digits of the payment card, card type, expiry date, and billing country are stored by us;
- the full card number, CVV, and full bank account details are NOT stored by Whylio -- they are handled directly by our PCI-DSS compliant payment processor (Stripe).
3.4 Device, Log, and Usage Data (Automatically Collected)
When the Student uses the Service, our servers automatically log:
- IP address (used in truncated form for analytics and fraud prevention);
- browser type and version, operating system, device type, screen size;
- approximate location derived from IP address (city/region level only -- we do not use GPS);
- pages visited, features used, time spent, click events, errors encountered;
- timestamps of access.
3.5 Cookies and Similar Technologies
We use cookies and similar technologies. See Section 7 for full detail.
3.6 Communications with Us
If you contact us by email, in-app chat, or any support channel, we keep a record of the correspondence and any information you provide so we can help you and improve the Service.
3.7 Optional Information
If the Student or Parent voluntarily participates in a survey, feedback form, or testimonial, we will collect what is provided. Participation is always optional.
3.8 What We Do Not Collect
We have designed the Service with data minimisation in mind. We do not:
- collect NRIC, FIN, passport, or other government-issued identity numbers;
- collect biometric identifiers, fingerprints, or facial-recognition data;
- collect precise GPS location;
- ask Students to upload photos of themselves;
- collect information about the Student's school or specific class for the purpose of identifying it;
- track the Student's activity on websites outside the Service.
4. How We Use Personal Data (Purposes)
Under the PDPA, we may only collect, use, and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances. Below are the specific purposes for which we use personal data, grouped by the legal basis under the PDPA (consent / deemed consent / legitimate interests / legal obligation).
4.1 To Provide the Service (Consent + Performance of Contract)
- Create and manage the Parent's account and the Student profile under it;
- Receive the Student's submitted work and produce AI-generated marks, feedback, and model essays;
- Show the Student their progress and history;
- Process subscription payments and issue receipts;
- Send transactional emails (account confirmation, payment receipts, password resets, renewal reminders).
4.2 To Improve the Service (Legitimate Interests)
- Analyse aggregated usage trends to decide what to build next;
- Debug and fix technical errors;
- Improve our own internal AI prompts, content libraries, grading rubrics, and analytics using aggregated or anonymised data where reasonably possible.
We do not use the Student's identifiable personal data, submitted work, or AI conversation history to train or fine-tune Whylio models. We do not intentionally request or permit third-party providers to use Student content to train their general-purpose models. Where provider settings or contractual options are available, Whylio will use reasonable efforts to disable or restrict third-party model training on customer content.
4.3 To Protect the Service and Our Users (Legitimate Interests + Legal Obligation)
- Detect and prevent fraud, abuse, and unauthorised access;
- Enforce our Terms of Use;
- Investigate misuse of the AI (for example, attempts to generate harmful content);
- Comply with applicable Singapore law and respond to lawful requests from authorities.
4.4 To Communicate With You (Consent)
- Respond to your support requests;
- Send service announcements (for example, planned maintenance);
- Send marketing emails about new features or promotions -- only with your separate opt-in, and you can unsubscribe at any time.
4.5 No Sale of Personal Data, No Behavioural Advertising
We do not sell personal data. We do not show third-party advertising inside the Service. We do not use the Student's data for behavioural ad targeting on other websites.
5. Special Protections for Children's Personal Data
In line with the PDPC's Advisory Guidelines on the PDPA for Children's Personal Data in the Digital Environment (March 2024), we apply the following enhanced safeguards.
5.1 Verifiable Parental Consent
Students under 18 may not create their own account. For children under 13, a Parent must create or approve the account and provide consent on the child's behalf. For Students aged 13 to 17, Whylio still requires a Parent, teacher, school, institution, or other authorised adult to create or approve the account. Where a paid subscription is required, we use the Parent's payment authorisation through Stripe as part of the adult authorisation and consent process. Consent obtained from a Parent or authorised adult remains valid when the Student turns 18, in line with PDPC guidance. A Student who has reached 18 may request to take over their own account and update consents.
5.2 Default Privacy
- Student profiles are not public, not searchable, and not discoverable by other users by default;
- We do not enable child-to-child messaging or social features that expose children to other users;
- If any social, community, or child-to-child messaging feature is added in future, this Policy will be updated and additional consent will be obtained where required.
5.3 Data Minimisation
We only collect personal data that is necessary for the educational purpose. We avoid optional data collection that is not strictly needed.
5.4 Parental Access and Control
A Parent may, at any time, by emailing dpo@whylio.com from the email address registered to the account:
- request a copy of their child's personal data held by us;
- request correction of inaccurate data;
- request deletion of the child's data and account;
- withdraw consent (which will result in account closure where consent is the basis of processing).
Our DPO or authorised company staff will verify and process these requests. For deletion requests sent from the registered parent email address, we aim to delete the Student's active account records and learning records within 14 days, then confirm completion by email to the Parent, except where retention is required by law, dispute handling, fraud prevention, or time-limited backups. We will respond to other verified access/correction requests within 30 days, in line with PDPA practice.
5.5 Age-Appropriate Communications
Where we ask for consent or notify the Student about a privacy matter, we will use plain language. For Students aged 13-17, we will speak to them directly; for under-13s, we communicate primarily with the Parent.
5.6 Data Protection by Design
We consider children's data protection from the design stage of the Service. This includes private-by-default settings, minimising data collection, restricting data sharing, limiting retention, and periodically reviewing data protection risks for children's data and AI processing.
6. AI Processing and Third Parties
This is the most important section about how Student data interacts with AI. Please read it carefully.
6.1 What Happens When the Student Submits Work
When the Student submits a piece of work for grading or feedback:
- The submission is sent to our backend servers hosted on Amazon Web Services in the ap-southeast-1 (Singapore) region;
- The submission is forwarded to our AI service provider(s) for processing;
- The AI returns marks, written feedback, and/or a model answer;
- The result is shown to the Student and stored in their account history.
6.2 AI Service Providers
We use or may use the following AI and media service providers: OpenAI and ByteDance/Volcengine services including Seedance where applicable. Whylio does not currently use Google Gemini or DeepSeek for children's personal data.
| Provider | What we may send | Purpose | Training / storage position |
|---|---|---|---|
| OpenAI | Student compositions, written answers, fill-in-the-blank answers, voice inputs or transcripts, and prompts needed to generate feedback | AI grading, feedback, explanations, and model answers | Whylio will use reasonable efforts to use API settings or contractual options that restrict third-party model training on customer content |
| ByteDance/Volcengine / Seedance | Voice, media, prompts, or related inputs where voice/video/media features are used | Voice, video, or media-related AI features | Whylio will use reasonable efforts to use API settings or contractual options that restrict third-party model training on customer content |
We choose AI providers that:
- offer API settings or contractual commitments that restrict use of customer API data for training general-purpose models, where available;
- maintain appropriate security standards; and
- offer written data processing terms or a Data Processing Agreement (DPA) where available.
6.3 Other Service Providers
We also engage these categories of third-party service providers, all under written contracts that include data protection obligations:
- Cloud hosting: Amazon Web Services (AWS) -- server hosting and storage in ap-southeast-1 (Singapore);
- Payment processing: Stripe -- handles card payments;
- Email delivery: AWS SES or other configured transactional email provider -- sends account, verification, payment, and support emails;
- Analytics: Whylio does not currently use third-party analytics tools;
- Customer support tools: email-based support unless otherwise introduced;
- Error monitoring: no separate third-party error monitoring tool is currently confirmed.
6.4 We Do Not Sell or Rent Personal Data
We do not sell, rent, or otherwise commercially exploit your personal data.
6.5 Legal and Safety Disclosures
We may disclose personal data to law enforcement or regulators when:
- required by Singapore law, court order, or a lawful regulatory request; or
- necessary to protect the safety of a child or another person (for example, if a Student appears to be at imminent risk of self-harm based on what they submit).
Where lawful and not contrary to safety, we will notify the Parent before making such a disclosure.
If a Student submission suggests self-harm, abuse, imminent danger, or another serious safety concern, Whylio may provide supportive non-diagnostic guidance, encourage the Student to contact a Parent, teacher, trusted adult, emergency service, or local helpline, and trigger an email alert to legal@whylio.com for review. Where we reasonably believe there is an immediate or serious risk to a child or another person, we may notify the Parent or guardian and, where legally permitted or required, relevant authorities or emergency services.
6.6 Business Transfers
If Whylio is involved in a merger, acquisition, financing, or sale of all or part of its business, personal data may be transferred to the acquiring entity. In any such transfer, we will require the acquirer to honour the protections of this Policy or notify you of any material change so that you can withdraw consent.
7. Cookies and Similar Technologies
A cookie is a small text file stored on your device when you visit a website. We currently use cookies primarily for strictly necessary functions such as login sessions, authentication, security, and service operation.
| Category | Purpose | Can you disable? |
|---|---|---|
| Strictly necessary | Login session, authentication, security, load balancing, and service operation | No -- the Service will not work without these |
| Functional | Remember limited preferences where enabled | Yes, where the product provides settings |
| Analytics | Whylio does not currently use third-party analytics tools | N/A |
| Marketing | Whylio does not currently use marketing or behavioural advertising cookies inside the Service | N/A |
Because no third-party analytics or marketing cookies are currently used, a non-essential cookie banner is not currently required for those categories. If non-essential cookies are introduced, we will provide appropriate notice and controls.
We respect "Do Not Track" browser signals where technically feasible.
8. How We Protect Personal Data
We implement administrative, technical, and physical safeguards to protect personal data, in line with the PDPA's Protection Obligation. Measures include:
- Encryption in transit (HTTPS/TLS) for communication between the user's device and our servers;
- encryption at rest where supported by our cloud database and storage providers;
- salted scrypt password hashing -- we never store plaintext passwords;
- access control so only authorised staff or teachers with a legitimate need can access relevant personal data;
- operational logs where available, with more detailed administrative audit logging to be implemented as the Service matures;
- vendor due diligence, including review of data processing terms or DPAs with key processors where available;
- cloud/database backups according to configured provider settings;
- monitoring for suspicious activity and unauthorised access; and
- staff training on data protection responsibilities.
No method of transmission or storage is 100% secure. While we work hard to protect personal data, we cannot guarantee absolute security. Please help us by choosing a strong password and not sharing your account credentials with anyone outside your household.
9. Data Breach Notification
If a data breach occurs that is likely to result in significant harm to affected individuals, or that affects 500 or more individuals, we will notify the Personal Data Protection Commission (PDPC) within 3 calendar days of assessing that the breach is notifiable, in compliance with the Personal Data Protection (Notification of Data Breaches) Regulations 2021.
Where the affected data is a child's personal data, we will, in addition to notifying affected individuals, also notify the Parent of the affected child so that the Parent can take steps to protect the child, even if not strictly required by law. This reflects the heightened standard of care expected for children's data.
We will provide affected individuals with: a clear description of what happened, the categories of data affected, what we are doing in response, and steps you can take to protect yourself.
Our data breach response process is led by the DPO and includes containment, investigation, an incident record, assessment of whether the breach is notifiable, notification where required, remediation, and post-incident review. Under PDPA guidance, Whylio should assess whether a suspected breach is notifiable within 30 calendar days where credible grounds exist to believe a breach occurred, and notify the PDPC as soon as practicable and in any case no later than 3 calendar days after determining that a breach is notifiable.
10. Retention of Personal Data
We retain personal data only as long as it is needed for the purposes for which it was collected, or as required by law.
| Category | Retention period |
|---|---|
| Account profile while account is active | For the duration of the active account or subscription |
| Submitted work, voice recordings, homework photos, fill-in-the-blank answers, and AI conversation / feedback history | Retained while the account remains active so the Student can review learning history, unless deletion is requested earlier |
| Payment and accounting records | At least 5 years where required for Singapore tax, accounting, dispute, and compliance purposes |
| Marketing consent records | Until consent is withdrawn, plus 1 year for audit and compliance records |
| Server access logs | Up to 90 days, depending on hosting and operational log configuration |
| Backups | According to configured cloud/database provider backup settings |
When you close an account, we will delete or anonymise personal data within 180 days of account closure, except where retention is required by law (for example, payment records for tax purposes), for legitimate dispute or fraud prevention, or while data remains in time-limited backups. Anonymised data may be retained indefinitely for analytics.
11. International Transfer of Personal Data
Personal data collected through the Service is hosted on AWS in Singapore, but may be transferred to and processed in countries other than Singapore where our AI, payment, email, media, or support providers process data. These jurisdictions may include the United States, China, or other locations depending on the provider and feature used. We review and update our processor footprint as our providers and features change.
In line with section 26 of the PDPA, before transferring personal data overseas we ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection that is comparable to that under the PDPA. We typically achieve this through:
- contractual clauses in our Data Processing Agreements that import PDPA-equivalent obligations;
- relying on the recipient being subject to a comparable framework (e.g. APEC Cross-Border Privacy Rules);
- selecting providers that have published commitments to international privacy standards (e.g. SOC 2 Type II, ISO 27701).
You may request a copy of the safeguards used for a specific transfer by emailing our DPO.
12. Your Rights Under the PDPA
You have the following rights regarding your (or, as a Parent, your child's) personal data. To exercise any of these rights, email dpo@whylio.com with your full name, account email, and a description of the request.
12.1 Right of Access
You may request a copy of the personal data we hold about you or your child. We will respond within 30 days unless an exemption applies. We may charge a reasonable fee for retrieval where permitted by the PDPA.
12.2 Right of Correction
If any personal data is inaccurate or incomplete, you may request correction. We will correct the data and, where appropriate, send the corrected data to third parties to whom we previously disclosed it.
12.3 Right to Withdraw Consent
You may withdraw consent for any processing that is based on consent. We will give effect to the withdrawal within a reasonable time. Note: withdrawing consent for processing essential to the Service will result in your account being closed, because we cannot operate the Service without that data.
12.4 Right to Data Portability
The Data Portability Obligation has been introduced in the PDPA but has not yet come into force. Once it takes effect, we will support applicable requests to transmit personal data in a commonly used machine-readable format, subject to the PDPA and any regulations then in force.
12.5 Right to Lodge a Complaint
If you believe we have not handled your personal data properly, please contact us first at dpo@whylio.com so we can resolve the matter. You also have the right to lodge a complaint with the PDPC at https://www.pdpc.gov.sg.
13. Marketing Communications
We will only send you marketing emails or messages if you have opted in. Every marketing email contains an unsubscribe link, and you can also opt out at any time by emailing support@whylio.com. Transactional and account-related emails (such as receipts and security notices) are not marketing and cannot be opted out of while your account is active.
We do not send marketing communications to Students. All marketing is directed to the Parent.
14. Third-Party Links
The Service may include links to third-party sites or content (for example, links to MOE-published syllabus pages or open educational resources). We do not control those third parties and are not responsible for their privacy practices. Please read their privacy policies before providing them with personal data.
15. Changes to This Policy
We may update this Policy from time to time. The "Last Updated" date at the top reflects the latest version. For material changes, we will notify Parents by email and give at least 14 days' notice before the change takes effect.
For changes that materially expand the categories of personal data collected, the purposes of processing, or the third parties with whom data is shared, we will obtain fresh consent from the Parent or authorised adult account holder before applying the change to a Student account.
16. Governing Law
This Policy is governed by the laws of the Republic of Singapore. Disputes arising out of or in connection with this Policy follow the dispute resolution mechanism set out in our Terms of Use.
17. Contact Us
| Purpose | Email |
|---|---|
| Data Protection Officer (privacy questions, access/correction/deletion requests) | dpo@whylio.com |
| General support | support@whylio.com |
| Legal | legal@whylio.com |
WHALEMATES LAB PTE. LTD.
UEN: 202620755G
Registered office: 7500A BEACH ROAD, #08-318, THE PLAZA, SINGAPORE 199591
Operating under whylio.com
DPO: LIANG TAO
You also have the right to contact the Personal Data Protection Commission (PDPC) of Singapore directly at https://www.pdpc.gov.sg if you believe we have not adequately addressed your privacy concern.