Family Privacy Policy

Effective date: 01-Nov-2025
Controller: Beamly Pte. Ltd., Singapore. For some activities we act as a processor for Organizations you authorize. This Policy explains how we handle data under: Singapore PDPA, Malaysia PDPA 2010, Philippines Data Privacy Act of 2012, and GDPR-aligned best practices.

1) What we collect

Parent/Guardian data

• Name, relationship to child, contact details (email, phone), account credentials.

Child data

• Name or identifier, date of birth, gender.

• Screening inputs and responses, educator observations, generated scores, flags, and reports.

• Optional notes you add (e.g., concerns, family context).

Device and usage

• App/device identifiers, OS version, IP address, time zone, in-App events, cookies/SDK telemetry for security and performance.

Organization linkage

• Organization name, class, screening session metadata.

2) How we collect

• Directly from you in the App.

• From authorized organization you select.

• Automatically via the App/SDKs for security, analytics, and service delivery.

3) Why we use data (purposes)

• Provide the App, create profiles, run screenings, generate insights and reports.

• Share results back to you and to your authorized organization.

• Account security, fraud prevention, incident response, and audit logs.

• Customer support and service communications.

• Research and improvement using anonymized/aggregated data.

• Legal compliance and enforcement of Terms.

4) Our legal bases

• Consent (primary): You give parental consent to process child data and to share with selected organizations. You can withdraw any time in the App.

• Contract: We process data to provide the services you request.

• Legitimate interests: Security, debugging, service analytics, product improvement using non-identifiable data, provided these do not override your rights.

• Legal obligations: To comply with applicable laws, regulatory requests, or court orders.

Country alignment

• Singapore PDPA: Consent-based with access/correction and withdrawal rights.

• Malaysia PDPA 2010: General, notice-and-choice, security, retention, data integrity, access principles.

• Philippines DPA 2012: Consent as lawful basis; data subject rights; privacy-by-design; breach notification to NPC where required.

• GDPR-aligned structure: Transparency, purpose limitation, data minimization, storage limitation, integrity/confidentiality, accountability.

5) Sharing your data

We share data only as needed to deliver the service:

• Organizations you authorize. Access limited to screenings and related insights.

• Service providers (processors). Cloud hosting, security monitoring, analytics, support, email/SMS, and logging providers under data-processing agreements and access controls.

• Legal and safety. If required by law, regulation, or to protect users and the service from harm.

• Corporate transactions. If we enter a merger, acquisition, or asset transfer, we will ensure protections travel with the data and notify you where required.

We do not sell personal data.

6) International transfers

Data may be processed in and transferred to Singapore and other countries where we or our providers operate. When transferring across borders, we implement safeguards such as contractual clauses, due-diligence of vendors, encryption, and access controls. For PH residents, we follow NPC cross-border guidelines. For MY and SG residents, we ensure comparable protections as required by law.

7) Security

• Encryption in transit and at rest for personal data.

• Role-based access control, MFA for staff, background-checked limited-access teams.

• Network segregation, vulnerability management, and regular audits.

• Event logging and tamper-resistant audit trails.
  No system is perfect; we will notify you and regulators of a data breach where required by law.

8) Retention and deletion

• Active use: We retain parent and child data while the account is active and for service provision.

• After inactivity or deletion request: We will delete or anonymize personal data within 90 days, unless we must retain limited records for legal, security, fraud prevention, dispute resolution, or compliance (typically up to 7 years for logs/records required by law).

• Backups: Secure backups roll off on a set schedule; deletion propagates to backups within the backup retention window.

• You can request erasure through in-App controls or by contacting the DPO.

9) Your rights

Subject to local law and verification of your identity/authority:

• Access your or your child’s personal data.

• Correction of inaccurate or incomplete data.

• Deletion of data, subject to lawful retention.

• Withdrawal of consent and restriction of certain processing.

• Data portability where technically feasible.

• Complaint to your data protection authority.

How: Use in-App settings or contact the DPO (below). We will respond within statutory timelines (SG: reasonable period; MY: 21–30 days where applicable; PH: within reasonable period aligned with NPC rules).

10) Children

The Family App is intended for use by parents/guardians on behalf of minors. We rely on the parent/guardian’s authority. If we learn we collected a child’s data without proper authority, we will delete it.

11) Cookies and SDKs

We use necessary cookies/SDKs for login, security, and core features, and limited analytics to improve performance. You can manage preferences in-App or at device level; some features may not work without required cookies/SDKs.

12) Automated decision-making

We generate screening insights and flags to support educators and parents. These outputs do not constitute medical diagnosis and are subject to human review by you and educators.

13) Changes to this Policy

We may update this Policy to reflect changes in law or our services. Material changes will be notified in-App or by email, with the effective date shown above.

14) Contact and complaints

Data Protection Officer (primary contact)
Beamly Pte. Ltd.
Email: hello@beamly.sg
Address: 6 Boon Tiong Road, 04-37 Boon Tiong Arcadia, Singapore, 164006

Regulators

• Singapore PDPC: https://www.pdpc.gov.sg

• Malaysia Personal Data Protection Department (JPDP): https://www.pdp.gov.my

• Philippines National Privacy Commission (NPC): https://www.privacy.gov.ph
  You may contact your local authority at any time. We encourage contacting our DPO first.

Country-specific notes (supplement)

Singapore (PDPA)

• Rights: access, correction, data portability (when in force), and withdrawal of consent.

• Cross-border: we ensure comparable protection for overseas recipients.

• Breach: we notify PDPC and affected individuals where thresholds are met.

Malaysia (PDPA 2010)

• Principles: General, Notice & Choice, Disclosure, Security, Retention, Data Integrity, Access.

• Marketing: no direct marketing without consent/opt-out rights.

• Transfers: restricted unless permitted exceptions or adequate safeguards are in place.

Philippines (DPA 2012)

• Rights: to be informed, object, access, rectify, erase/block, data portability, and damages.

• PIC/PIP roles: Beamly may act as Personal Information Controller for Family App accounts and as Personal Information Processor for Schools/Educators.

• Breach: report to NPC and notify data subjects per NPC rules.