Privacy policy
v1.0.0
April 12, 2025
1. Introduction
Knobase (“we,” “us,” or “our”) operates an AI-driven educational platform designed to enhance learning experiences and support student well-being. This Privacy Policy outlines how we collect, use, disclose, and protect personal data in compliance with Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) (Cap. 486). By using our services, you consent to the practices described herein.
2. Scope and Applicability
This policy applies to:
• Students, parents, and educators at participating schools.
• Administrators managing school accounts.
• Visitors interacting with Knobase websites or applications.
3. Types of Personal Data Collected
3.1 Directly Provided Data
• Account Information: Names, email addresses, school IDs, and roles (student/teacher/administrator).
• Academic Data: Course enrollment, assignment submissions, and grades.
• Wellness Metrics: Chat history, keyword interactions, and AI-generated wellness insights.
3.2 Automatically Collected Data
• Technical Data: IP addresses, device identifiers, browser types, and usage patterns.
• Behavioral Data: Interaction frequency, session duration, and feature engagement.
3.3 Sensitive Data
• Wellness Indicators: Anonymized aggregates of stress/anxiety signals detected via AI analysis.
• Special Categories: Only collected with explicit consent (e.g., health-related data for crisis intervention).
4. Purposes of Data Collection
We collect data to:
1. Deliver educational services (e.g., assignment tracking, feedback).
2. Monitor student well-being through AI-driven insights.
3. Secure accounts and prevent unauthorized access.
4. Improve platform functionality via usage analytics.
5. Comply with legal obligations (e.g., responding to subpoenas).
Data minimization is strictly enforced: We only collect information necessary for these purposes.
5. Legal Basis for Processing
• Consent: Obtained from schools/parents for minors (<18 years).
• Contractual Necessity: To fulfill service agreements with schools.
• Legitimate Interests: Enhancing platform security and performance.
6. Data Sharing and Third Parties
6.1 With Schools
• Wellness reports and academic analytics are shared with authorized school personnel (e.g., counselors).
6.2 With Service Providers
• Cloud Hosting: Data stored in PDPO-compliant facilities with encryption-at-rest.
• AI Processors: Third-party models trained on anonymized datasets; contracts ensure PDPO adherence.
6.3 Legal Disclosures
• Shared only when required by law or to protect users’ vital interests (e.g., suicide risk alerts).
7. Cross-Border Data Transfers
Data transferred outside Hong Kong is protected via:
• Standard Contractual Clauses with GDPR-aligned partners.
• Due Diligence ensuring recipients meet PDPO’s Data Protection Principles.
8. Data Retention
• Academic Data: Retained for 5 years post-graduation or account termination.
• Wellness Metrics: Anonymized after 2 years; raw data deleted.
• Technical Logs: Retained for 90 days for security monitoring.
9. Security Measures
9.1 Technical Safeguards
• Encryption: AES-256 for data-at-rest and TLS 1.3 for data-in-transit.
• Access Controls: Role-based permissions; multi-factor authentication for administrators.
• Audits: Biannual penetration testing and vulnerability assessments.
9.2 Incident Response
• Breaches reported to the Privacy Commissioner for Personal Data (PCPD) within 72 hours. Affected users notified via email.
10. AI and Automated Processing
• Transparency: Wellness insights generated by AI are explainable upon request.
• Bias Mitigation: Models audited quarterly for fairness across demographics.
• Opt-Out: Schools may disable wellness monitoring features.
11. Children’s Privacy
• Parental Consent: Required for students under 18.
• Access Rights: Parents may review/correct their child’s data via school administrators.
• Deletion: Data erased upon parental request unless legally retained.
12. Your Rights Under PDPO
1. Access: Request a copy of your data.
2. Correction: Update inaccurate/incomplete information.
3. Erasure: Delete data no longer necessary for its purpose.
4. Withdraw Consent: Opt out of non-essential processing.
Submit requests to: info@knobase.ai. Responses provided within 40 days.
13. Policy Updates
• Material changes notified via email and in-app alerts 30 days prior.
14. Contact Us
Data Protection Officer
Email: info@knobase.ai
Address: Metalympics Limited, Rm 16, Entrepreneurship Centre, 5/F, Core F, Cyberport 3