Privacy Policy

Effective Date: March 30, 2026 · Last Updated: March 30, 2026

PlayTrain ("we," "us," "our") is committed to protecting the privacy of parents and children who use our platform. This Privacy Policy explains how we collect, use, store, share, and protect your personal information in compliance with the Data Privacy Act of 2012 (Republic Act No. 10173) and the rules and regulations issued by the National Privacy Commission (NPC) of the Philippines.

1. Data We Collect

1.1 Parent Account Data

Data	Purpose	Required?
Name	Account identification and personalization	Yes
Email address	Account login, transactional emails, password reset	Yes
Password	Authentication (hashed; never stored in plaintext)	Yes
Preferred language (English/Filipino)	Interface localization	Yes (default: English)
FCM device tokens	Push notification delivery	Optional (if notifications enabled)
Payment information	Payment processing via PayMongo	Only when purchasing paid content

Note: Payment card details are processed directly by PayMongo and are never stored on PlayTrain servers.

1.2 Child Data

Data	Purpose	Required?
First name only	Profile identification (minimum data principle)	Yes
Birthdate	Age bracket calculation for milestone recommendations	Yes
Avatar photo	Visual profile identification	Optional
Milestone records	Developmental tracking	Parent-created
Activity completions	Learning progress tracking	Parent-created
Photos attached to milestones/activities	Visual milestone documentation	Optional

We adhere to the minimum data principle: we only collect child data that is necessary to provide the Service. We do not collect a child's last name, home address, school name, or any data beyond what is listed above.

2. How We Use Your Data

Account management — creating and maintaining your account, authenticating your identity;
Milestone tracking — providing age-appropriate milestone suggestions, recording and displaying developmental progress;
Content recommendations — suggesting learning activities tailored to your child's age and enrolled tracks;
Badge engine — evaluating achievement badge triggers and awarding badges;
Explore feed & community — displaying public milestones in the community feed (only data you have chosen to make public);
Notifications — sending push notifications for badges, milestone prompts, reactions, and age bracket changes (subject to your notification preferences);
Payment processing — processing transactions when you purchase paid content (via PayMongo);
Platform improvement — aggregated, anonymized analytics to improve the Service (never using identifiable child data).

3. Legal Basis for Processing

Under RA 10173 (Data Privacy Act), we process your data on the following legal bases:

Consent — you provide explicit consent when you register and agree to the Terms & Conditions. You may withdraw consent at any time by deleting your account.
Contract performance — processing is necessary to provide you with the Service you signed up for.
Legitimate interest — for security purposes (fraud prevention, abuse detection) and platform improvement using anonymized data.

4. Children's Data Protections

PlayTrain takes the protection of children's data very seriously. In accordance with NPC Advisory Opinions on children's data:

All child data is collected and managed exclusively by the parent or legal guardian, never directly from the child;
No child can create an account or interact with the platform independently;
Child data is never sold, shared with advertisers, or used for behavioral targeting;
Child photos are stored in Firebase Storage with access controls and are not indexed by search engines;
No facial recognition or biometric analysis is ever performed on uploaded photos;
No analytics trackers (Google Analytics, Facebook Pixel, etc.) are placed on any page or screen that displays child data.

5. Public Data Disclosure

When you choose to make a milestone public (the default setting), the following data becomes visible to other PlayTrain users:

Your child's first name;
Your child's age bracket (e.g., "2-3 years") — not their exact birthdate;
The milestone title and developmental domain;
Any photo attached to the milestone.

What is NEVER shown publicly:

Child's last name;
Exact birthdate;
Parent's name, email, or identity;
Location data (EXIF/GPS data is stripped from all photos);
Private milestones, notes, or activity details.

You can change the visibility of any milestone at any time. Setting a milestone to private immediately removes it from the Explore feed and public timeline.

6. Photo Safeguards

EXIF stripping — all uploaded photos have EXIF metadata (GPS location, camera information, timestamps) automatically stripped server-side before storage. This prevents location leakage from public photos.
No facial recognition — PlayTrain will never use facial recognition or biometric analysis on uploaded photos.
Right to be forgotten — when you delete a photo, it is permanently deleted from our storage within 24 hours. CDN caches are purged. No backups of deleted photos are retained.
Download restrictions — public timeline photos cannot be directly downloaded by other users (implemented as a friction layer).

7. Data Sharing

We share your data only with the following third-party service providers, and only the minimum data necessary for each service:

Service Provider	Data Shared	Purpose
Firebase (Google Cloud)	Email, authentication tokens, photos, device tokens	Authentication, file storage, push notifications
PayMongo	Payment details (processed by PayMongo, not stored by us)	Payment processing for paid content
Semaphore	Phone number	SMS delivery (OTP, notifications)
Resend	Email address	Transactional email delivery

We do not sell your data to any third party. We have no advertising partners. We do not share child data with any entity other than those listed above, and only for the stated purposes.

8. Cookies & Tracking

PlayTrain uses minimal cookies:

Session authentication cookie — required for the Service to function. This identifies your logged-in session.

We do not use:

Third-party tracking cookies;
Facebook Pixel, Google Analytics, or any analytics tracker on pages displaying child data;
Advertising cookies or cross-site tracking of any kind.

Any future use of analytics will be limited to aggregated, anonymized platform metrics that cannot identify individual users or children.

9. Data Retention

Scenario	Retention Period
Active account	Data retained while account is active
Account deletion requested	30-day grace period, then permanently deleted
Individual milestone/photo deleted	Permanently deleted within 24 hours
Financial records (purchases, payouts)	Retained as required by Philippine tax law

10. Your Rights Under RA 10173

As a data subject under the Data Privacy Act of 2012, you have the following rights:

10.1 Right to Access

You may view all data associated with your account and your children's profiles at any time through the app.

10.2 Right to Rectification

You may edit your account information, child profiles, milestones, and all other data at any time.

10.3 Right to Erasure

You may delete individual milestones, photos, child profiles, or your entire account. Deleted data is permanently removed within 30 days (account) or 24 hours (individual items).

10.4 Right to Data Portability

You may request a complete export of your data in a standard, machine-readable format (JSON/CSV plus photos as a ZIP archive). Export requests are fulfilled within 72 hours via email.

10.5 Right to Object

You may opt out of:

Public visibility of milestones (set to private);
Push notifications (toggle individual categories or disable all);
Email notifications (toggle in preferences);
Content recommendations (by unenrolling from tracks).

10.6 Right to File a Complaint

If you believe your data privacy rights have been violated, you may file a complaint with the National Privacy Commission (NPC) at www.privacy.gov.ph.

11. Data Security

We implement the following security measures to protect your data:

All data is transmitted over HTTPS (TLS 1.2+);
Passwords are hashed using industry-standard algorithms (handled by Firebase Auth);
Database access is restricted to authenticated, authorized services only;
Firebase Storage access rules enforce per-user access controls;
Admin access requires multi-factor authentication;
API endpoints enforce role-based access control;
Rate limiting is applied to prevent abuse.

12. Data Breach Notification

In the event of a personal data breach:

Affected users will be notified within 72 hours of the breach being confirmed;
The National Privacy Commission will be notified as required by RA 10173 and NPC Circular 16-03;
Notifications will include: the nature of the breach, data affected, measures taken, and recommended protective actions.

13. Data Protection Officer

A Data Protection Officer (DPO) will be formally appointed once PlayTrain exceeds 1,000 users processing personal data, consistent with NPC thresholds. DPO contact details will be published here upon appointment.

In the interim, all data privacy inquiries may be directed to: privacy@playtrain.ph

14. International Data Transfers

Your data is processed and stored on servers located in the Asia-Southeast 1 (Singapore) region of Google Cloud Platform. This region is chosen for proximity to the Philippines. Data is processed within Google Cloud's infrastructure and is subject to Google's data processing terms and security standards.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or in-app notification at least fifteen (15) days before they take effect. The "Last Updated" date at the top of this page indicates when the latest revision was published.

16. Contact Us

If you have questions or concerns about this Privacy Policy or your data, please contact us:

Email: privacy@playtrain.ph
General inquiries: hello@playtrain.ph
Website: https://playtrain.ph

You may also contact the National Privacy Commission at www.privacy.gov.ph for data privacy concerns.