Privacy Policy
1. Who we are
settlesoal.ai ("SettleSoal", "we", "us") provides an AI-assisted study app for Malaysian secondary school students preparing for SPM examinations. The service is operated by SETTLESOALAI ENTERPRISE, with primary contact at support@settlesoalai.com.
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights under the Malaysian Personal Data Protection Act 2010 (PDPA).
2. Who may use the service
SettleSoal is intended for users aged 16 and above. If you are under 18, you confirm that you have permission from a parent or legal guardian to use the service. We do not knowingly collect personal data from anyone under 16. If you believe a user under 16 has provided us with personal data, please contact us so we can delete it.
3. What we collect
We collect the following categories of personal data, only as needed to run the service:
3.1 Account & profile data
- Email address, display name, and (for Google Sign-In users) profile photo URL
- Password (stored hashed by Firebase Authentication; we never see the plaintext)
- Date of birth or age confirmation, school name, form level (Form 4 / Form 5), Malaysia state, and preferred study language (English / Bahasa Melayu)
- Subject preferences and self-reported study goals
3.2 Study content you submit
- Photographs of homework or past-year exam questions that you upload
- OCR-extracted text from those photographs
- Subject hints, free-text follow-up questions, and the conversation history of any AI tutor or live tutor session you start
Please avoid uploading images that contain your own or another person's private information, faces, identity documents, health information, religious information, contact details, or other sensitive personal data unless it is necessary for the question and you have the right to provide it.
3.3 Usage & operational data
- Daily AI escalation count, follow-up message count, tutor session count (used to enforce plan quotas)
- App version, device platform (Android, Web), language setting, and basic event telemetry
- Crash and error reports (via Sentry, when enabled in release builds)
- App Check tokens issued by Google Play Integrity (Android) or reCAPTCHA Enterprise (Web), when enabled
3.4 Payment data
- For mobile (Android) purchases: a RevenueCat user ID, subscription tier, renewal status, and entitlement timestamps. We do not receive or store your card or Google Play payment credentials.
- If we offer web or FPX payments in the future, we will update this Privacy Policy before collecting the related payment data.
- The currency of all transactions is Malaysian Ringgit (MYR).
3.5 Tutor session data (Pro users only)
- Tutor identity (for the matched tutor only), session timestamps, message contents, and a post-session rating you may submit
4. How we use your data
| Purpose | Why it is necessary |
|---|---|
| Provide the core service (retrieve similar SPM past questions, generate AI explanations, route to a live tutor) | To perform the service you requested and agreed to use |
| Enforce daily / monthly plan quotas and prevent abuse | To operate the service fairly and protect our systems |
| Process subscription payments and detect refunds / chargebacks | To administer your subscription and payment status |
| Diagnose crashes, monitor error rates, and improve reliability | To maintain security, availability, and service quality |
| Send service-related communications (e.g. account verification, payment receipts) | To manage your account and subscription |
| Comply with Malaysian law, respond to lawful requests, and protect against fraud | To meet legal and operational obligations |
We process personal data in accordance with the PDPA principles, including notice and choice, disclosure, security, retention, data integrity, and access. Where consent is required, we collect and rely on that consent for the stated purposes.
We do not sell your personal data. We do not run advertising and do not share your study content with advertising networks.
5. Who we share your data with (sub-processors)
We use a small set of carefully selected service providers to operate SettleSoal. Each receives only the data they need to perform their function.
| Provider | Purpose | Data shared |
|---|---|---|
| Google Cloud / Firebase | Authentication, database, file storage, hosting, App Check, analytics | Account data, study content, usage data |
| Google Vertex AI (Gemini) | OCR, subject detection, embeddings, and AI explanations | Question text + image, conversation history (no account email) |
| Google Cloud Vision | Image safety checks, if enabled | Question image only |
| RevenueCat | Mobile in-app subscription management | Anonymous user ID, purchase events |
| Sentry | Crash and error reporting | Stack traces, device metadata (no study content) |
6. Where your data is stored
Your app data is primarily stored in Google Cloud's asia-southeast1 (Singapore) region. Vertex AI / Gemini processing for OCR, embeddings, and AI explanations is configured to use asia-southeast1. Some service providers, such as RevenueCat or Sentry, may process limited account, subscription, device, or error data outside Malaysia or Singapore. We use these providers only for the purposes described in §4 and take reasonable steps to ensure appropriate protection for cross-border processing.
7. How long we keep your data
| Data | Retention |
|---|---|
| Account profile | Until you delete your account, then 30-day grace period before permanent purge |
| Question images and conversation history | For the life of your account, then purged with the account |
| Payment records | 7 years (Malaysian tax and audit requirements) |
| Crash and error logs | 90 days |
| App Check tokens | Hours (per Google's defaults) |
8. Your rights under PDPA
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data (mostly via the in-app profile screen; otherwise email us)
- Withdraw consent for processing, where processing is based on consent — note that this may mean we can no longer provide the service to you
- Request deletion of your account and associated data (subject to retention obligations in §7)
- Request data portability, where applicable under Malaysian law
- Lodge a complaint with the Personal Data Protection Department of Malaysia (JPDP) at www.pdp.gov.my
To exercise any of these rights, email support@settlesoalai.com from the email address on your account. We will respond within 21 days.
9. How we secure your data
- All traffic between the app and our servers is encrypted with TLS
- Passwords are hashed by Firebase Authentication (we never see plaintext)
- Firestore access is governed by per-user security rules — your data is only readable by you (and moderators in narrowly scoped admin contexts)
- Image uploads are written to a dedicated Google Cloud Storage bucket with per-user write paths
- App Check (Play Integrity / reCAPTCHA Enterprise) reduces automated abuse of our APIs
- Internal access to production data is limited to named administrators
10. Minors and guardian requests
Because our users may include students aged 16 or 17, parents or guardians may contact us at support@settlesoalai.com to:
- Request access to or deletion of a minor's account, subject to reasonable identity and authority checks
- Review the data we hold about a minor
- Withdraw consent for further data processing
11. Data incidents
If we become aware of a personal data breach affecting your personal data, we will investigate and take reasonable containment and remediation steps. Where required by Malaysian law, we will notify the Personal Data Protection Commissioner and affected users.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified in-app and by email at least 14 days before they take effect. Continued use of SettleSoal after the effective date constitutes acceptance.
13. Contact
For any privacy-related question or request, contact:
SettleSoal.ai Data Protection
Email: support@settlesoalai.com
Business details: SETTLESOALAI ENTERPRISE