Privacy Policy

The Service is operated by SkorAI Education, based in Kuala Lumpur, Malaysia. For the purposes of the Malaysian Personal Data Protection Act 2010 (“PDPA”) and, where it applies, the EU General Data Protection Regulation (“GDPR”) and the UK GDPR, we are the data controller for the personal data we collect through the Service.

The capitalised terms used in this policy have the meanings below.

“Account”

The user record we create when you sign up, including your email, display name, and authentication credentials.

“App”

The SkorAI mobile application for iOS and Android.

“Personal Data”

Any information that identifies you or, in combination with other information we hold, makes you identifiable. Equivalent to “personal information” under MY PDPA and “personal data” under the GDPR.

“Process / Processing”

Any operation performed on Personal Data — collection, storage, use, disclosure, transfer, or deletion.

“Service”

The App, our website at https://skorai.my, and the back-end systems that power them.

“Submissions”

Photos of handwritten working, typed answers, and any text you send to the AI tutor or AI grader.

“Sub-processor”

A third party we engage to Process Personal Data on our behalf — e.g. our hosting, payments, AI, and analytics vendors. Listed in §8.

“You”

The natural person using the Service, including a student under 18 whose parent or legal guardian has agreed to this policy on their behalf.

This policy describes how we Process Personal Data through the Service. We Process Personal Data only when we have a lawful basis to do so. Depending on which laws apply to you, the bases we rely on are:

• Performance of a contract — to deliver the App, run drills, store progress, fulfil paid subscriptions, and provide support (PDPA s. 6(2)(b); GDPR Art. 6(1)(b)).
• Consent — for optional features like push notifications, advertising identifiers, and personalised ads. You can withdraw consent at any time without affecting the lawfulness of past Processing (PDPA s. 6(1)(a); GDPR Art. 6(1)(a)).
• Legitimate interests — to keep the Service safe, prevent abuse, debug issues, measure engagement in aggregate, and improve the product. We balance our interest against your rights and freedoms and only rely on this basis where the impact on you is limited (GDPR Art. 6(1)(f); not separately listed under PDPA, where we rely on contract / consent).
• Legal obligation — where the law requires us to retain billing records, respond to authorities, or otherwise comply (PDPA s. 6(2)(c); GDPR Art. 6(1)(c)).

• We do not collect your IC number, passport number, or other government identifiers.
• We do not collect precise GPS location or any continuous location stream.
• We do not access your camera roll or microphone outside of the explicit photo upload flow.
• We do not collect contacts, calendar entries, SMS, or browsing history.
• We do not sell your Personal Data. Ever. Not to advertisers, not to data brokers, not to anybody.
• We do not use your Submissions to train third-party AI models that are not part of grading you.

• Run the Service — sign you in, save progress, deliver lessons and drills, run the AI tutor, manage your wallet, send you push notifications you have enabled.
• Grade your work — Submissions are sent to our AI grader so it can return marks and feedback. See §7.
• Personalise your study — recommend the next lesson or drill based on your current progress, accuracy, and time-on-task.
• Process payments — handle subscriptions and diamond top-ups via Apple, Google, or Stripe.
• Customer support — answer your emails and resolve issues you raise.
• Product analytics & improvement — measure feature adoption and find drop-off points so we can make the Service better.
• Safety & abuse prevention — detect fraud, account-sharing, prompt-injection attempts, and abuse of free credits or trials.
• Legal compliance — meet our obligations under tax, accounting, consumer protection, and data-protection law.

A core part of the Service uses large language models and vision models (collectively, “AI”) to mark photos of your handwritten working, answer your tutor questions, and grade typed answers. We are transparent about what this means for your data:

• Where it goes — Submissions are sent over TLS to our AI providers (currently OpenAI and Google). They Process the data on our behalf as Sub-processors and only for the purpose of returning a grading or tutor response.
• No model training on your data — we use API tiers and contracts that prohibit our providers from using your Submissions to train their general models. Each provider’s data-processing terms are referenced in §8.
• AI is not a human SPM examiner — its marks approximate the official skema but may differ from a real examiner. Treat the result as practice signal, not a guarantee.
• Automated decision-making — none of our AI processing produces a decision that has a legal or similarly significant effect on you within the meaning of GDPR Art. 22. AI marks affect XP and in-app standing, not external grades, certifications, or admissions decisions.
• Hallucination caveat — AI may occasionally produce inaccurate or misleading content. Do not rely on its outputs as professional, medical, legal, or definitive academic advice.

We use a small number of trusted Sub-processors to actually run the Service. They only receive the Personal Data they need to deliver their function and are bound by data-processing addenda or equivalent confidentiality terms.

We may also disclose Personal Data (a) when required by valid legal process, (b) to protect the rights, property, or safety of SkorAI, our users, or others, (c) in connection with a corporate transaction (merger, acquisition, asset sale) — in which case we will give you advance notice and ensure the recipient is bound by terms no less protective than this policy.

We are based in Malaysia. To run the Service we transfer Personal Data outside Malaysia and outside the EEA / UK to the regions listed in §8. When transferring data of users in the EEA, UK, or Switzerland we rely on:

• European Commission adequacy decisions, where the receiving country has one;
• Standard Contractual Clauses (SCCs) with our Sub-processors, supplemented where needed by additional technical measures (encryption in transit and at rest, access controls);
• Your explicit consent, where the transfer is necessary at your request and the bases above do not apply.

You may request a copy of the relevant transfer mechanism by emailing support@skorai.my.

On the website at https://skorai.my we use only the minimum set of cookies and similar storage technologies required to deliver the page you requested and to remember your accessibility preferences. We do not run third-party advertising trackers on the website.

Inside the App we use the following identifiers and storage:

• Authentication tokens stored in secure device storage so you stay signed in.
• Anonymous installation ID generated locally on first launch, used by PostHog and Sentry to deduplicate events for the same install. It is not linked to your real-world identity.
• Apple IDFA / Android Advertising ID — only if you grant App Tracking Transparency permission on iOS, or do not opt out on Android. Used solely by AdMob to fill rewarded ads (see §11).
• Local cache — recently viewed lessons, queued submissions, and a small offline scoreboard, stored on your device only.

The Service is free to use. To keep it that way for free-tier users, we show optional rewarded video ads inside the “Get more diamonds” sheet. Ads are powered by Google AdMob. Watching an ad is always opt-in — you tap “Watch a short ad” to start one, and you can dismiss any ad mid-play.

• Premium subscribers see no ads. Super SkorAI removes the ad row entirely and the App never makes ad requests for you.
• Personalised vs. non-personalised. On iOS we ask for App Tracking Transparency permission before allowing AdMob to use your advertising identifier for personalisation. If you choose “Don’t Allow”, AdMob still serves ads but they will not be personalised.
• EEA / UK / Switzerland. We show a Google-certified consent message before any ad request is made. You can change your choices later from Settings → Manage ad consent.
• Children. Ad requests are configured for the “non-child-directed” treatment, consistent with the SPM-candidate audience (typically 16–18). We do not knowingly serve targeted ads to children under 13.

For more on how Google handles advertising data see policies.google.com/technologies/ads.

Subject to the law applicable to you, you have the following rights regarding your Personal Data. We respect these rights for every user, regardless of where they are located, except where doing so would require disproportionate effort.

• Right of access — ask us for a copy of the Personal Data we hold about you.
• Right to rectification — ask us to correct inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”) — ask us to delete your Account and the Personal Data associated with it. Some records may need to be retained where law requires.
• Right to restrict Processing — ask us to pause certain uses of your data while a dispute or correction is pending.
• Right to data portability — ask us to export your data in a machine-readable format.
• Right to object — object to Processing based on our legitimate interests; we will stop unless we have compelling grounds that override your rights.
• Right to withdraw consent — where Processing is based on consent (e.g. push, ATT, personalised ads), withdraw it at any time without affecting the lawfulness of past Processing.
• Right to lodge a complaint — see §19.

California, Colorado, Virginia, and similar US-state residents may also have rights to opt out of “sale” or “sharing” of Personal Data. We do not sell or share Personal Data within the meaning of those statutes, so no opt-out is required, but you may still exercise the access and deletion rights described above.

• From the App — open Settings → Delete account for self-service erasure, or Settings → Profile to update your name, email, and form/stream.
• By email — send your request to support@skorai.my stating which right you wish to exercise. We may need to verify your identity before responding.
• Response time — we will acknowledge your request within 7 days and respond substantively within 30 days. If your request is complex we may extend by up to 60 additional days and tell you why.
• Fees — requests are free of charge except where they are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse the request.

The Service is built for SPM candidates, who are typically aged 16–18. The App is not intended for children under the age of 13. If you are under 13, please do not use the Service. If you are between 13 and 18, you may use the Service only with the awareness and consent of a parent or legal guardian, who agrees to this policy on your behalf.

If we discover that we have collected Personal Data from a child under 13 without verifiable parental consent, we will delete it without delay. Parents and guardians may contact support@skorai.my to request deletion of a child’s data.

We take the protection of your Personal Data seriously and implement administrative, technical, and physical safeguards proportional to the risk and to industry good practice for SaaS at our stage:

• TLS 1.2+ for all data in transit.
• Encryption at rest at our database, storage, and backup layers (provided by Supabase).
• Row-level security and least-privilege roles enforce per-user data isolation.
• Secrets and API keys held in a dedicated secret manager; rotation on personnel changes.
• 2FA on all administrative accounts; access logged and reviewed.
• Edge Functions enforce rate limits and authentication on all sensitive endpoints (grading, billing, account deletion).
• Crash and error monitoring via Sentry, configured to scrub email addresses and Submissions before storage.

No system is perfectly secure. If you suspect that your account or data has been compromised, please email support@skorai.my immediately so we can investigate.

If we become aware of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected users without undue delay and where feasible within 72 hours of becoming aware of it (consistent with GDPR Art. 33–34). For users in Malaysia, we will follow the breach-notification guidance issued by the Personal Data Protection Department (JPDP).

We keep Personal Data only for as long as needed for the purpose we collected it, summarised below.

When the retention period for a category expires we delete or irreversibly anonymise the data. Backups are rotated and overwritten on a rolling schedule.

We may update this policy as the Service evolves. The version number and effective date at the top of this page change with every material revision. Material changes will be flagged inside the App and, where required, by email. Continuing to use the Service after the new policy takes effect means you accept it. Past versions are available on request.

For privacy questions, requests, or complaints, email support@skorai.my. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

• Malaysia. Personal Data Protection Department (Jabatan Perlindungan Data Peribadi — JPDP), Ministry of Digital, Putrajaya. See pdp.gov.my.
• European Union / EEA. The data-protection authority of the EU member state where you live, work, or where the alleged infringement took place.
• United Kingdom. The Information Commissioner’s Office (ico.org.uk).