私隱政策 - 派學 PadLearn

1. 收集的個人資料類別及來源 / Categories and Sources of Personal Data Collected

我們可能收集以下類別的個人資料，來源包括你直接提供、自動收集或從第三方（如學校）取得：
We may collect the following categories of personal data from you directly, automatically, or from third parties (e.g., schools):

1.1 學生 / Students

註冊資料 / Registration information：姓名、學校電郵地址（或學生編號）、班級、學號、就讀學校名稱。
name, school email address (or student ID), class, student number, school name.
學習資料 / Learning data：作業答案（文字、圖片）、測驗成績、練習記錄、AI 對話記錄（問題與回覆）、觀看視頻的時間及完成度。
assignment answers (text, images), quiz results, practice records, AI conversation logs (questions and answers), video viewing time and completion.
行為資料 / Behavioural data：教師錄入的行為事件（正面／負面）、出席記錄、參與討論的頻率。
behavioural events recorded by teachers (positive/negative), attendance records, frequency of participation in discussions.
情感資料 / Emotional data：經家長明確同意後，透過 AI 情感分析功能收集的情緒標籤（如「沮喪」、「焦慮」），僅用於校園安全預警。此類資料不會用於其他目的。
emotion labels (e.g., "sad", "anxious") collected via AI sentiment analysis, only after obtaining explicit parental consent, used solely for campus safety alerts. Such data will not be used for other purposes.
技術資料 / Technical data：IP 地址、設備類型、操作系統版本、登入時間、應用程式使用時長。
IP address, device type, operating system version, login time, app usage duration.

1.2 教師 / Teachers

註冊資料 / Registration information：姓名、學校電郵地址、任教班級、任教科目、職位（科主任／班主任／普通教師）。
name, school email address, teaching classes, teaching subjects, position (subject head / class teacher / regular teacher).
教學資料 / Teaching data：布置的作業內容、批改記錄（含手動批改及 AI 輔助批改）、發布的模擬試卷、學生行為事件的錄入記錄。
assignment content, grading records (including manual and AI-assisted), mock exam papers released, student behavioural event records.
平台使用資料 / Platform usage data：登入頻率、使用的功能模組、下載的報告。
login frequency, feature modules used, reports downloaded.

1.3 家長 / Parents

註冊資料 / Registration information：姓名、聯絡電話、電郵地址、與子女的關聯關係（學生帳戶 ID）。
name, contact phone number, email address, relationship to child (student account ID).
溝通資料 / Communication data：與教師的私訊內容、對學校通告的回應。
private messages with teachers, responses to school notices.
使用資料 / Usage data：查看子女學習報告的頻率、接收預警通知的記錄。
frequency of viewing children's learning reports, records of receiving alert notifications.

1.4 學校管理員 / School Administrators

註冊資料 / Registration information：姓名、學校電郵地址、職位（校長／資訊科技主任／教務主任）。
name, school email address, position (principal / IT officer / academic affairs director).
管理資料 / Administrative data：用戶帳戶的建立、權限分配、全校數據的匯出記錄。
creation of user accounts, permission assignments, school-wide data export records.

1.5 自動收集的技術資料 / Automatically Collected Technical Data

當你使用派學平台時，我們會自動收集：
When you use the PadLearn Platform, we automatically collect:

日誌資料 / Log data：IP 地址、瀏覽器類型與版本、操作系統、訪問時間及日期、點擊流數據。
IP address, browser type and version, operating system, access time and date, clickstream data.
設備資料 / Device data：唯一設備識別碼、流動應用程式版本。
unique device identifier, mobile app version.
Cookies 及類似技術 / Cookies and similar technologies：用於記住登入狀態、語言偏好及安全驗證。
used to remember login status, language preferences, and security verification.

2. 收集及使用個人資料的目的 / Purposes of Collection and Use

你的個人資料只會用於以下合法目的：
Your personal data will only be used for the following lawful purposes:

目的 / Purpose	法律依據（PDPO）/ Legal Basis (PDPO)
提供、維護及改進派學的核心服務（AI 批改、學習路徑推薦、校園安全預警） Provide, maintain, and improve PadLearn's core services (AI grading, personalised learning paths, campus safety alerts)	直接相關（第1保障資料原則）/ Directly related (DPP1)
管理學校、教師、學生及家長帳戶 Manage school, teacher, student, and parent accounts	直接相關 / Directly related
驗證用戶身份及防止未經授權存取 Verify user identity and prevent unauthorised access	直接相關 / Directly related
處理查詢、投訴及技術支援 Handle enquiries, complaints, and technical support	直接相關 / Directly related
進行匿名化數據分析以優化 AI 模型（所有可識別身份的資料會在分析前移除） Conduct anonymised data analysis to improve AI models (all identifiable data removed before analysis)	合法權益（已匿名化）/ Legitimate interests (anonymised)
遵守法律義務（如回應法庭命令、監管機構要求） Comply with legal obligations (e.g., court orders, regulatory requests)	法律義務 / Legal obligation
預防及偵測詐騙、安全威脅或非法活動 Prevent and detect fraud, security threats, or illegal activities	合法權益 / Legitimate interests
日後推出付費服務時處理款項及結算（將另獲你同意） Process payments and settlements for future paid services (subject to separate consent)	同意 / Consent

校園安全功能的特別說明 / Special Note on Campus Safety Feature：

情感分析僅在獲得家長明確同意後啟動。我們會分析學生在平台上的文字輸入（問題、留言、私訊），使用可解釋 AI 模型（CyberPuppy）識別負面情緒。該模型的判斷依據可追溯，不會自動作出處置。預警通知僅發送給教師及家長，用於及早介入。你可隨時選擇退出該功能，不影響其他學習服務。

Sentiment analysis is activated only after obtaining explicit parental consent. We analyse students' text input (questions, comments, private messages) using an explainable AI model (CyberPuppy) to identify negative emotions. The model's reasoning is traceable, and no automated action is taken. Alert notifications are sent only to teachers and parents for early intervention. You may opt out of this feature at any time without affecting other learning services.

3. 個人資料的儲存、保安及保留 / Storage, Security, and Retention

3.1 儲存地點 / Storage Location

所有個人資料均儲存於 香港境內的伺服器（選用阿里雲香港數據中心）。我們不會將個人資料轉移至香港境外，除非 (a) 獲得你明確同意；(b) 法律要求；或 (c) 為提供服務而與境外第三方合作（如雲端服務商），在此情況下我們會確保該第三方提供與 PDPO 相當的保護水平。
All personal data is stored on servers located within Hong Kong (Alibaba Cloud Hong Kong data centre). We do not transfer personal data outside Hong Kong unless (a) we have obtained your explicit consent; (b) required by law; or (c) necessary for cooperating with overseas third parties (e.g., cloud service providers) to provide services, in which case we ensure that such third parties provide a level of protection equivalent to the PDPO.

3.2 保安措施 / Security Measures

我們採取以下技術及組織措施保護你的資料：
We implement the following technical and organisational measures to protect your data:

傳輸加密 / Transmission encryption：使用 TLS 1.3 加密所有網絡通訊。
TLS 1.3 for all network communications.
靜態加密 / Static encryption：資料庫使用 AES-256 加密。
AES-256 for databases.
存取控制 / Access control：只有經授權的員工可存取個人資料，並採用「最小權限」原則。所有存取均留下審計日誌。
Only authorised employees can access personal data under the principle of least privilege. All access is logged.
定期安全測試 / Regular security testing：每半年進行弱點掃描及滲透測試。
Vulnerability scanning and penetration testing every six months.
事故應變計劃 / Incident response plan：設有資料外洩應急流程，包括通知受影響用戶及私隱公署（如適用）。
A data breach response process, including notifying affected users and the Privacy Commissioner (if applicable).

3.3 保留期限 / Retention Periods

我們會在達成收集目的所需的期限內保留個人資料。具體期限如下：
We retain personal data for as long as necessary to fulfil the purposes for which it was collected. Specific retention periods are as follows:

學生帳戶 / Student accounts：帳戶活躍期間持續保留。學生畢業或離校後，應學校要求，帳戶資料將於 90 天內刪除或匿名化。匿名化後的學習數據可用於改進 AI 模型，但無法識別個人身份。
Retained while account is active. After graduation or leaving school, upon school request, account data will be deleted or anonymised within 90 days. Anonymised learning data may be used to improve AI models but cannot identify individuals.
教師及家長帳戶 / Teacher and parent accounts：帳戶關閉後 90 天內刪除。
Deleted within 90 days after account closure.
學校管理員 / School administrators：學校終止服務合約後 90 天內刪除，但合約記錄（如報價、發票）會保留 7 年以符合稅務及法律要求。
Deleted within 90 days after service contract termination, but contract records (e.g., quotations, invoices) will be retained for 7 years for tax and legal compliance.
技術日誌（IP 地址等）/ Technical logs (IP addresses, etc.)：保留 12 個月，之後自動刪除或匿名化。
Retained for 12 months, then automatically deleted or anonymised.
備份資料 / Backup data：備份系統中的資料保留期限最長不超過 90 天，備份只用於災難恢復，不會用於其他用途。
Retained for no more than 90 days in backup systems, used only for disaster recovery, not for other purposes.

4. 資料的披露及轉移 / Disclosure and Transfer of Data

我們不會出售、出租或交易你的個人資料。在以下有限情況下，我們可能分享資料：
We will not sell, rent, or trade your personal data. We may share your data only in the following limited circumstances:

4.1 向第三方服務供應商披露 / Disclosure to Third-Party Service Providers

我們可能將個人資料分享給協助營運派學的服務供應商，例如：
We may share personal data with service providers that assist in operating PadLearn, for example:

雲端基礎設施 / Cloud infrastructure：阿里雲（香港伺服器託管）/ Alibaba Cloud (Hong Kong server hosting)
客戶服務工具 / Customer service tools：SleekFlow（客服對話記錄 / customer service chat logs）
數據分析工具 / Analytics tools：Google Analytics（匿名化流量數據，不含個人識別資訊 / anonymised traffic data, no personally identifiable information）
社交媒體平台 / Social media platforms：如你選擇使用 Facebook 或 Google 登入，僅用於身份驗證，不會分享額外資料。/ If you choose to log in via Facebook or Google: used only for authentication, no additional data shared.

以上供應商均須簽署資料處理協議，嚴格遵守 PDPO 規定，且不得將資料用於非合約目的。
All such providers are required to sign data processing agreements, strictly comply with the PDPO, and may not use the data for non-contractual purposes.

4.2 向學校披露 / Disclosure to Schools

倘你是學生或家長，學校作為你的教育服務提供者，有權查閱與其學生相關的學習資料（如作業成績、行為事件），以便履行教學及關顧責任。學校資料使用者會遵守其自身的私隱政策。
If you are a student or parent, your school, as your education service provider, has the right to access learning data related to its students (e.g., assignment scores, behavioural events) to fulfil teaching and caring responsibilities. The school as a data user will comply with its own privacy policy.

4.3 法律要求 / Legal Requirements

倘法律、法庭命令或政府機關（如私隱專員公署）要求我們披露個人資料，我們將在法律許可的範圍內盡力通知你（除非被禁止）。
If required by law, court order, or government authority (e.g., the Privacy Commissioner), we will endeavour to notify you to the extent permitted by law (unless prohibited).

5. Cookies 及追蹤技術 / Cookies and Tracking Technologies

我們使用 Cookies 及類似技術來：
We use cookies and similar technologies to:

絕對必要的 Cookies / Strictly necessary cookies：維持登入狀態、安全性、負載平衡（無法關閉）。
Maintain login status, security, load balancing (cannot be disabled).
功能性 Cookies / Functional cookies：記住你的語言偏好及界面設定。
Remember your language preferences and interface settings.
分析性 Cookies / Analytics cookies：收集匿名使用數據以改進平台（可選擇禁用）。
Collect anonymised usage data to improve the platform (can be disabled).

你可透過瀏覽器設定刪除或封鎖 Cookies，惟可能影響部分功能（如自動登入）。有關 Cookies 的管理方法，請參閱瀏覽器的說明文件。
You may delete or block cookies via your browser settings, but this may affect some features (e.g., automatic login). For cookie management instructions, please refer to your browser's documentation.

6. 未滿 18 歲用戶的安排 / Arrangements for Users Under 18

派學的目標用戶包括中學生（可能未滿 18 歲）。我們對此作出以下安排：
PadLearn's target users include secondary school students who may be under 18. We have made the following arrangements:

註冊時的同意 / Consent at registration：學生註冊時，須由家長或學校代表確認已獲得家長同意。家長註冊時須同意本私隱政策，並特別確認同意收集子女的情感分析數據（用於校園安全功能）。
When a student registers, a parent or school representative must confirm that parental consent has been obtained. When parents register, they must consent to this Privacy Policy and specifically confirm consent to the collection of their child's emotional data for the campus safety feature.
家長的權利 / Parental rights：家長可隨時查閱其子女的個人資料，並要求改正或刪除（須透過學校或直接電郵至 data@padlearn.hk）。
Parents may access their child's personal data at any time and request correction or deletion (via the school or by email to data@padlearn.hk).
直接行銷 / Direct marketing：我們不會在未經家長同意下，向學生發送直接行銷資訊。
We will not send direct marketing messages to students without parental consent.
年齡核實 / Age verification：我們不會刻意收集年齡資料，但如發現用戶未滿 13 歲且未有家長同意，我們將刪除其帳戶。
We do not intentionally collect age data, but if we discover a user is under 13 and lacks parental consent, we will delete the account.

7. 用戶的權利（資料當事人）/ Your Rights (Data Subject)

根據 PDPO，你有權：
Under the PDPO, you have the right to:

查閱 / Access：要求我們確認是否持有你的個人資料，並提供副本。
Request confirmation of whether we hold your personal data and to obtain a copy.
改正 / Correction：要求更正不準確的個人資料。
Request correction of inaccurate personal data.
刪除 / Deletion：在特定情況下要求刪除你的個人資料。
Request deletion of your personal data in certain circumstances.
反對 / Objection：反對我們基於合法權益使用你的資料（如直接行銷，但派學目前不進行直接行銷）。
Object to our use of your data based on legitimate interests (e.g., direct marketing, but PadLearn does not currently engage in direct marketing).

如何行使權利 / How to Exercise Your Rights

請以書面形式（電郵）向 privacy@padlearn.hk 提交請求。
Please submit your request in writing (email) to privacy@padlearn.hk.

為核實身份，我們可能需要你提供姓名、註冊電郵及學校名稱（如適用）。/ To verify your identity, we may ask for your name, registered email, and school name (if applicable).

我們會於收到請求後 30 天內回覆。如請求複雜，可能延長至 90 天，屆時會通知你。/ We will respond within 30 days. For complex requests, we may extend to 90 days and will notify you.

查閱資料可能收取合理費用（每份請求上限為港幣 150 元），但改正及刪除請求免費。/ A reasonable fee (max HKD 150 per request) may be charged for access requests, but correction and deletion requests are free.

8. 資料外洩通報 / Data Breach Notification

若發生個人資料外洩事故，可能對你的權益造成重大風險，我們會：
If a personal data breach occurs that poses a significant risk to your rights and interests, we will:

盡快（通常 72 小時內）通知受影響的用戶及學校。
Notify affected users and schools as soon as possible (usually within 72 hours).
通知香港個人資料私隱專員公署（除非外洩不太可能對受影響人士造成損害）。
Notify the Office of the Privacy Commissioner for Personal Data (unless the breach is unlikely to cause harm).
提供事故詳情、影響評估及建議的緩解措施。
Provide details of the incident, impact assessment, and recommended mitigation measures.

9. 直接行銷 / Direct Marketing

目前派學不進行直接行銷活動。如日後推出付費服務或進行推廣，我們將事先取得你的明確同意（Opt-in），並為你提供拒絕接收的選擇（Opt-out）。
PadLearn does not currently engage in direct marketing. If we introduce paid services or promotions in the future, we will first obtain your explicit opt-in consent and provide you with an opt-out option.

10. 本政策的修改 / Changes to This Policy

我們可能不時更新本私隱政策。重大變更（例如新增資料收集類別、改變資料使用方式）會提前 30 天透過平台公告或電郵通知你。較小變更（如修正錯字、更新聯絡方式）會即時更新並於網站顯示「最後更新」日期。
We may update this Privacy Policy from time to time. Material changes (e.g., new data collection categories, changes in data usage) will be notified to you at least 30 days in advance via platform announcement or email. Minor changes (e.g., typographical corrections, contact details updates) will be posted immediately with an updated "Last Updated" date.

11. 聯絡我們 / Contact Us

如對本私隱政策有任何疑問，或欲行使你的權利，請聯絡：
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact:

資料保護主任 / Data Protection Officer：cs@padlearn.ai

一般查詢 / General enquiries：cs@padlearn.ai

郵遞地址 / Postal address：
LittleP AI Limited, Units 01-03, 25/F, CDW Building, 388 Castle Peak Road, Tsuen Wan, Hong Kong

投訴 / Complaints：

如你認為我們未能妥善處理你的個人資料，你有權向香港個人資料私隱專員公署投訴（地址：香港灣仔皇后大道東248號大新金融中心13樓，電話：2827 2827）。
If you believe we have not properly handled your personal data, you have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data (Address: 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wan Chai, Hong Kong; Tel: 2827 2827).