PDPA · Compliant

Privacy Policy

How we protect your family's data under Singapore's Personal Data Protection Act. Plain language. No fine print.

Last updated · 16 May 2026 Effective Singapore-wide
At a glance

The short version

  • No ads, ever. We do not sell your personal data or run advertisements.
  • Data stored in Singapore. Encrypted and hosted locally on AWS Singapore.
  • Right to forget. Request full deletion of your account at any time, processed within 30 days.
§ 01 — Who we are

Who we are & scope

Superholic Lab is an online educational platform operated by Superholic Lab Pte. Ltd. (UEN 202621641M), a company incorporated in Singapore on 15 May 2026.

We comply fully with Singapore's Personal Data Protection Act 2012 (PDPA) and act as the Data Controller. This policy applies to all personal data collected through www.superholiclab.com for parents, guardians, and children.

§ 02 — What we collect

Data we collect & how we use it

  • Account data Parent's name and email. Children's profiles require only a first name and school level.
  • Usage data Quiz results, topic progress, and AI tutor chat history — used exclusively to personalise learning and build your dashboard.
  • Payment data Processed securely via Stripe, Inc. We do not store your credit card numbers on our servers.

We never use your data for advertising or sell it to third parties.

§ 03 — Security

Security & storage

Your data is stored in Supabase (PostgreSQL), hosted on secure AWS servers located physically in Singapore (ap-southeast-1).

We enforce strict row-level security (RLS) policies so users can only access their own data. All data is transmitted over HTTPS, and passwords are cryptographically hashed using bcrypt.

§ 04 — Third parties

Sharing with service providers

We share data only with essential service providers who are contractually bound to protect it:

  • Supabase Database and authentication.
  • Stripe Secure payment processing.
  • Anthropic The engine behind our AI Tutor. Anthropic does not use any API inputs (your child's chat logs) to train their foundation models.
  • Plausible Analytics A privacy-first, cookie-free analytics provider.
§ 05 — Your rights

Children's data & your PDPA rights

Under the PDPA, you have complete control over your family's data. You have the right to:

  • Access & correction View or fix the data we hold about you.
  • Withdrawal Withdraw your consent for data usage (which will pause your service).
  • Right to forget Request full deletion of your account and child's data. Processed within 30 days.
Data Protection Officer

To exercise these rights, email our DPO. We respond within 5 working days.

[email protected]
§ 06 — Cookies

Cookies & tracking

We do not use tracking cookies. Our analytics provider (Plausible) is entirely cookie-free and respects your privacy. We only use local browser storage for functional necessities — like keeping you safely logged into your session.

§ 07 — Past-Year Papers downloads

Past-Year Papers downloads

When you download a past-year paper from our archive at superholiclab.com/papers, we record the following for service-quality, abuse-prevention, and analytics purposes:

  • The paper identifier you downloaded;
  • The timestamp of the download;
  • For signed-in users, your account ID;
  • A one-way hashed identifier derived from your IP address combined with a monthly-rotating salt (used solely for rate-limiting and abuse detection — we cannot reverse-engineer this hash to your IP address);
  • The referring page (where you arrived from).

We do not store your raw IP address with past-paper download records. We retain these records for up to 24 months, after which they are deleted or anonymised for long-term analytics. Aggregate, non-identifying download counts (e.g., "Downloaded 234 times this month") may be displayed publicly on the archive page.