Privacy Policy

Table of contents (14 sections)

PRIVACY POLICY

Applies to the School Ops AIOS platform

This English version is provided for convenience. If there is any inconsistency, the Vietnamese version will prevail to the extent permitted by applicable law.

1. General commitment

XSCORE LIMITED COMPANY ("we", "Company") respects and is committed to protecting your personal data when you use the School Ops AIOS platform (the "Service"). This policy is prepared in line with the Personal Data Protection Law 2025 (Law No. 91/2025/QH15, effective 01/01/2026), Decree 356/2025/ND-CP, the Law on Children 2016, the Cybersecurity Law 2018, and other relevant Vietnamese regulations.

This policy explains what personal data we collect, why we process it, how it is stored and shared, and the rights available to you as a data subject.

2. Data controller

  • Personal data controller: XSCORE LIMITED COMPANY
  • MST / tax code: 0318073634
  • Data protection contact: [email protected]

3. Personal data we collect

3.1. Data you provide directly

  • Account information: full name, email, phone number, username, encrypted password.
  • Profile information: organization or school, job title, system role.
  • Content you create in the Service: SOPs, documents, tasks, and notes.
  • Content shared when you contact support.

3.2. Data collected automatically

  • Technical data: IP address, browser type, device, operating system.
  • Usage data: pages visited, timestamps, and in-service interactions.
  • Data collected via cookies and analytics tools (see our Cookie Policy).

We do not intentionally collect sensitive personal data unless necessary. Where required, we will provide notice and request explicit consent in accordance with applicable law.

4. Purposes and legal bases for processing

We process personal data to:

  • Create, authenticate, and manage your account;
  • Provide, operate, maintain, and improve Service features;
  • Support customers and handle user requests;
  • Protect system safety and security and prevent fraud;
  • Analyze usage and statistics to improve experience, using aggregated or anonymized data where possible;
  • Send Service notices and marketing information where you consent;
  • Comply with legal obligations.

Processing may be based on your consent, performance of a contract or requested Service, compliance with law, and/or our legitimate interests to the extent permitted by law.

5. Consent

You consent to personal data processing when registering for and using the Service. Consent must be clear, specific, and verifiable. You may withdraw consent at any time; withdrawal does not affect processing lawfully conducted before withdrawal and may affect our ability to provide the Service.

6. Sharing and disclosure

We do not sell personal data. We share data only in limited cases:

  • Data processors: infrastructure, cloud hosting, analytics, and technical support partners, only as necessary and under data protection terms or agreements.
  • Within your organization: Service data may be visible to administrators and authorized members of the same organization or school according to permissions.
  • Legal requests: when required by a lawful request from a competent authority.
  • Corporate restructuring: mergers, acquisitions, or transfers, subject to equivalent data protection commitments.

7. Cross-border data transfer

Some infrastructure providers may host data outside Vietnam. Where cross-border transfer occurs, we will comply with the Personal Data Protection Law 2025 and Decree 356/2025/ND-CP, including preparing and retaining a personal data cross-border transfer impact assessment dossier where required.

8. Storage and retention

Personal data is retained for as long as necessary for the purposes in Section 4 or as required by law. When no longer needed, data will be securely deleted or anonymized.

9. Data security

We apply appropriate technical and organizational measures to protect personal data (see Security), including encryption in transit, access control, backups, and monitoring. However, no transmission or storage method is completely secure.

10. Data subject rights

Under Article 4 of the Personal Data Protection Law 2025, you may have the following rights regarding your personal data:

  • Right to know about data processing activities;
  • Right to consent, refuse consent, and withdraw consent;
  • Right to access and correct data or request correction;
  • Right to request provision, deletion, or restriction of processing;
  • Right to object to processing;
  • Right to complain, denounce, initiate proceedings, and claim damages in accordance with law.

To exercise these rights, contact [email protected]. We will respond within the timeframe required by law, except in special cases.

11. Children's data

The Service is intended for education organizations and may involve children's data. Under the Personal Data Protection Law 2025 and Decree 356/2025/ND-CP, processing data of children under 16 is subject to stricter requirements:

  • Consent from a parent or legal guardian is required;
  • For children aged 7 or older, consent from both the child and the parent/legal guardian is required;
  • The school or organization managing the processing is responsible for ensuring and recording consent, including who consented, when, and for what purposes.

12. Data breach notification

If a personal data protection breach occurs, we will notify the competent authority (Ministry of Public Security) within 72 hours of detection as required by law, and notify affected data subjects where necessary.

13. Policy changes

We may update this Policy from time to time. The latest version will be posted on the website with its effective date, and material changes will be notified where appropriate.

14. Contact

Questions?

Contact us to discuss security, data, or terms that fit your school.

Contact