Data Protection and Privacy Policy

This Data Protection and Privacy Policy outlines how StudentPay collects, uses, stores, and protects personal, biometric, and location data. The objective is to maintain the highest standards of data security, privacy, and Shariah compliance, in accordance with the Personal Data Protection Act 2010 (PDPA). StudentPay is committed to respecting user privacy, protecting sensitive data, and ensuring ethical and lawful handling, particularly for children.

1. Data Collection

Types of Data Collected:

Personal Information: Student’s name, student ID, guardian’s name,guardian's ID, contact information, and relationship to the student.
Facial Biometric Information: Collected solely for transaction authentication within a registered school. Never used for monitoring, surveillance, or unrelated purposes. Requires guardian consent.
Location Information: Captured only for verifying attendance within the school compound and never used outside school activities.

Data Collection Process:

Data is provided directly by guardians during registration or by students with verified parental consent.
Biometric data is captured only through registered and authorized devices.

Guardian Consent:

Guardians are fully informed of the data collection process, purposes, and limitations.
Explicit consent is required before biometric data is collected or used, ensuring compliance with PDPA and Shariah standards.

2. Data Usage

Purpose of Data Usage:

Authentication: Facial recognition is used solely to authenticate student identity for school transactions.
Transaction Processing: Used only for attendance, payments, and in-school transactions.
Location Verification: Used exclusively to verify the student’s presence inside the school compound during check-in and check-out.

Restrictions on Data Usage:

Face data is never shared or repurposed outside its intended purpose.
Location data is securely stored and used only for attendance verification, not for marketing or tracking outside the school.
No data is ever used for profiling, advertising, or commercial gain.

Data Minimization:

Only the minimum data required for each transaction is collected.
Unnecessary identifiers are excluded to reduce exposure risks.

3. Data Protection and Security

Data Encryption:

All personal, biometric, and location data is encrypted using AES-256 during storage and TLS 1.3 during transmission.
Biometric templates are stored as encrypted hashes — raw biometric images are never retained.

Access Management:

Access is restricted using Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC).
Access reviews are conducted periodically to maintain security.

Data Storage and Backups:

Data is stored on secure PDPA-compliant servers.
Encrypted backups are maintained securely to prevent unauthorized access or loss.
Biometric and location data are stored separately from personal data for additional security.

Data Retention and Deletion:

Biometric data is retained only as long as necessary or required by law.
Location data is retained for 180 days and then securely deleted.
Upon guardian request or account termination, all data is permanently deleted.

4. User Rights (PDPA)

Right to Access: Guardians may request copies of their personal or child’s data after verification.
Right to Rectification: Corrections can be requested for inaccurate or outdated data.
Right to Erasure: Data can be deleted upon guardian request.
Right to Withdraw Consent: Consent withdrawal may affect certain features but will be respected.
Right to Data Portability: StudentPay may provide standard-format data copies upon request.

All requests can be submitted via email to: hello@mysp.ai.

5. Compliance and Monitoring