Privacy Policy
Last updated: 3 May 2026
1. Introduction
Headstart Language Center ("Headstart", "we", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use headstart.asia.
We comply with the Philippines Data Privacy Act of 2012 (Republic Act No. 10173), and to the extent applicable, the European Union General Data Protection Regulation (GDPR) and China's Personal Information Protection Law (PIPL).
2. Data We Collect
Identity data: name, email address, profile photo, government-issued ID (for tutor verification only).
Account data: role (student/tutor), locale preference, timezone, registration date.
Payment data: wallet balance, transaction history. We do not store full card numbers; payment processing is handled by Stripe and PayMongo.
Session data: lesson start/end times, duration, video session metadata, connection quality indicators.
Communication data: messages exchanged on the Platform between students and tutors.
AI-generated data: lesson transcripts (where enabled), vocabulary lists, lesson summaries.
Learning data: lesson history, language goals, progress notes.
Technical data: IP address, browser type, device type, operating system, access logs.
3. How We Use Your Data
Service delivery: to match students with tutors, process bookings, enable video lessons, and manage payments.
Account management: to create and maintain your account, verify tutor credentials.
Safety and fraud prevention: to detect and prevent abuse, unauthorized access, and fraudulent transactions.
Communications: to send booking confirmations, lesson reminders, and service updates via email.
AI improvements: de-identified and aggregated lesson data may be used to improve AI-generated summaries and vocabulary suggestions. We do not sell personal data.
Legal obligations: to comply with applicable laws, regulations, and lawful government requests.
4. Third-Party Service Providers
We share data with the following service providers only as necessary for the purposes described above:
Stripe (United States) — payment processing. PayMongo (Philippines) — payment processing for Philippine pesos. Daily.co / Agora (United States) — video conferencing for lessons. Anthropic / OpenAI (United States) — AI-generated lesson summaries and vocabulary (de-identified transcripts only). Resend (United States) — transactional email delivery. Cloudflare R2 (Global) — file and media storage. Vercel (United States) — hosting and edge delivery.
We require all providers to maintain appropriate security measures and to process data only as instructed.
5. Cross-Border Data Transfers
Some of our service providers are located outside the Philippines. Where personal data is transferred internationally, we rely on appropriate safeguards including standard contractual clauses approved under applicable data protection law.
6. Data Retention
Account data: retained while your account is active and for 90 days after deletion, to allow for reactivation or dispute resolution.
Financial records: retained for 7 years to comply with Philippines Bureau of Internal Revenue (BIR) requirements.
Lesson transcripts: retained for 12 months and then permanently deleted unless you export them.
AI model training data: only de-identified aggregated statistics are retained; raw transcripts are not used for training.
7. Your Rights
You have the right to: access your personal data; correct inaccurate data; request deletion of your account and associated data; object to or restrict certain processing; receive a portable copy of your data (export functionality coming soon).
To exercise any of these rights, contact privacy@headstart.asia. We will respond within 30 days.
8. Children
The Platform is intended for users aged 18 and over. Users aged 13–17 may use the Platform only with verified parental consent. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with data, contact privacy@headstart.asia and we will delete it.
9. Cookies
We use essential session cookies to maintain your login state (powered by Auth.js). We do not currently use third-party tracking or advertising cookies.
You may disable cookies in your browser settings, but this will prevent you from logging in.
10. Security
We implement industry-standard security measures including TLS encryption in transit, bcrypt hashing for passwords, rate limiting on authentication endpoints, and access controls on all data stores. No system is perfectly secure; if you discover a vulnerability, please disclose it responsibly to security@headstart.asia.
11. Data Protection Officer
Our Data Protection Officer is Darrel Terrado (Founder). Philippines NPC registration is pending.
Contact: privacy@headstart.asia
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you by email at least 14 days before material changes take effect. Continued use of the Platform after the effective date constitutes acceptance.
13. Contact
For privacy questions or requests: privacy@headstart.asia
Headstart Language Center Philippines