Legal
Privacy Policy
Effective date: 8 May 2026 · Last updated: 8 May 2026
1. Introduction
Neuroflix Pte. Ltd. ("Neuroflix", "we", "us", or "our") operates a learning management system that enables organisations to deliver video-based training courses, assessments, and certifications to their learners. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you access or use our platform at neuroflix.io and any related services (collectively, the "Platform").
This policy applies to all users of the Platform, including organisation administrators, staff members, and learners. By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the collection and use of your personal data as described in this Privacy Policy.
This Privacy Policy is drafted in compliance with the Singapore Personal Data Protection Act 2012 (the "PDPA").
2. Data Controller
The data controller responsible for your personal data is:
3. Data We Collect
We collect and process the following categories of personal data, depending on how you interact with the Platform:
3.1 Account and Identity Data
When you sign up or are provisioned into the Platform — whether via email, Google Sign-In, or enterprise single sign-on (SSO) — we collect:
- Email address
- First name and last name
- Profile photo (if available from your Google account or other identity provider)
- Organisation membership and role (e.g., owner, admin, manager, learner)
If you choose to sign in using Google, we receive your name, email address, and profile photo (if available) from Google's OAuth service. This information is used solely to create and maintain your account on the Platform. We do not access your Google contacts, calendar, files, or any other Google account data beyond what is required for authentication.
3.2 Learner Profile Data
Learners are asked to provide the following information before accessing course content. Some fields are mandatory for course enrolment:
- Legal first name and legal last name (required)
- Employee ID (optional)
- Department (optional)
- Company name (optional)
- Job title (optional)
For organisations using enterprise directory integration (SCIM), some of these fields may be automatically provisioned from your organisation's identity provider.
3.3 Learning Activity Data
As you engage with course content, we collect data about your learning progress, including:
- Video viewing behaviour (playback position, segments watched, pause and seek counts, playback speed, session duration)
- Assessment responses (multiple-choice selections, short-answer text submissions)
- Scores, grades, and pass/fail outcomes
- Attempt history and timestamps
- Course enrolment status and completion dates
- Video player interaction events (play, pause, seek, speed changes)
3.4 AI-Graded Assessment Data
When you submit short-answer or essay-type responses, the text of your answer is sent to a third-party AI service (Google Gemini) for automated grading. Only the question text, model answer, marking rubric, and your written response are sent — no personally identifiable information such as your name or email is included in the grading request.
The AI service returns a score, feedback on strengths and areas for improvement, and a confidence rating, which are stored on the Platform and displayed to you.
3.5 Payment Data
If you enrol in a paid course, we use Stripe to process payments. We do not store your credit card number or payment method details on our servers. Stripe processes your payment in a PCI DSS-compliant environment. We store:
- Transaction reference IDs (Stripe session and payment intent identifiers)
- Amount paid and currency
- Payment timestamp
- Your email address (for receipt delivery via Stripe)
3.6 Certificate Data
When you complete a course, a certificate may be issued containing:
- Your legal name
- Course title and completion date
- Final score
- Certificate number and a unique verification identifier
- Organisation name, logo, and certificate signer details
Certificates are designed to be permanent, verifiable records of achievement. A public verification page displays the certificate holder's name, course title, organisation, score, and completion date. Your email address is not displayed on the verification page.
3.7 Organisation Data
Organisation administrators provide branding and configuration data, including:
- Organisation name and logo
- Certificate signer name and title
- Email sender name
- SSO and directory integration configuration (for enterprise accounts)
3.8 Communication Data
We send transactional emails related to your use of the Platform. These emails may contain your name, email address, course details, deadlines, and certificate information. We do not send marketing emails or newsletters without your explicit consent.
4. How We Use Your Data
We use your personal data for the following purposes:
- Authentication and access control — to verify your identity, manage your account, and enforce role-based permissions
- Course delivery — to provide course content, track your learning progress, deliver assessments, and calculate scores
- AI-powered assessment grading — to grade short-answer responses using automated AI and provide feedback
- Certificate issuance — to generate, store, and enable verification of completion certificates
- Analytics and reporting — to provide organisation administrators with aggregated and individual learner performance data, engagement metrics, and completion reports
- Payment processing — to facilitate payments for paid courses via Stripe
- Transactional communications — to send enrolment confirmations, deadline reminders, and certificate notifications
- Platform administration — to maintain, secure, and improve the Platform, and to comply with legal obligations
- SCORM export — to package course content for use in external learning management systems (learner data is not included in SCORM exports)
5. Legal Basis for Processing
Under the PDPA, we process your personal data on the following legal grounds:
- Consent — by creating an account and using the Platform, you consent to the collection and use of your personal data as described in this policy. You may withdraw your consent at any time by contacting us, subject to legal or contractual restrictions
- Contractual necessity — we process data that is necessary to perform our obligations under the terms of service between you (or your organisation) and Neuroflix, including delivering course content, tracking progress, and issuing certificates
- Legitimate interests — we may process data for purposes such as improving our Platform, preventing fraud, and ensuring security, provided these interests do not override your data protection rights
- Legal obligations — we may process or retain data when required by applicable law, regulation, or legal proceedings
6. Third-Party Service Providers
We engage trusted third-party service providers to operate the Platform. These providers process your data on our behalf and are contractually obligated to protect it. We do not sell your personal data to any third party.
| Provider | Purpose | Data Processed |
|---|---|---|
| WorkOS | Authentication, SSO, SCIM directory sync | Email, name, organisation membership, roles |
| Social authentication (Google Sign-In) | Name, email, profile photo | |
| Stripe | Payment processing | Email, payment details, transaction amounts |
| Supabase | Database hosting, file storage | All platform data (hosted in Singapore) |
| Google Gemini | AI-powered assessment grading | Assessment question and answer text (no PII) |
| Resend | Transactional email delivery | Email address, name, course and certificate details |
| Vercel | Application hosting and deployment | Server logs, application traffic |
Each provider maintains its own privacy policy governing how it handles data. We encourage you to review their respective policies.
7. International Data Transfers
Our primary database is hosted in Singapore (Asia-Pacific Southeast) via Supabase. However, some of our third-party service providers operate servers outside of Singapore:
- WorkOS (authentication) — United States
- Stripe (payments) — United States
- Resend (email) — United States
- Google (authentication via Google Sign-In, AI grading via Gemini) — United States / Global
- Vercel (hosting) — Global CDN with edge nodes
Where personal data is transferred outside of Singapore, we ensure that appropriate safeguards are in place in accordance with the PDPA, including contractual obligations on the receiving party to provide a comparable standard of data protection.
8. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes described in this policy, or as required by law. Specific retention practices include:
- Account data — retained for the duration of your account and for a reasonable period thereafter to comply with legal, tax, and audit requirements
- Learning activity data — retained for the duration of your enrolment and a reasonable period thereafter. Withdrawn enrolments are deactivated (not deleted) so that historical records remain intact for organisational reporting
- Certificates — retained indefinitely as permanent, verifiable records of achievement. Certificates are legal documents that persist even if an enrolment is withdrawn
- Payment records — retained for a minimum of seven (7) years in accordance with applicable tax and financial record-keeping regulations. Stripe retains payment data independently under its own policies
- Organisation data — organisations are archived (not deleted) when deactivated. All associated data is retained unless a formal data erasure request is submitted
We use a soft-deletion model — when data is removed from active use, it is deactivated or archived rather than permanently erased, unless a formal data erasure request is made.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:
- Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
- Encryption at rest — our database is encrypted at rest using industry-standard encryption
- Secure session management — authentication sessions are managed server-side with encrypted tokens; no sensitive session data is stored in your browser
- Access controls — all Platform routes enforce role-based authorisation checks at both the layout and action level. Database access is restricted to server-side operations only
- Webhook verification — all incoming webhooks from third-party services are cryptographically verified before processing
- Secret management — all API keys and credentials are stored as environment variables in secure hosting infrastructure, never in source code
- Signed URLs — certificate downloads and sensitive file access use time-limited signed URLs
While we take reasonable precautions, no method of transmission or storage is completely secure. If you believe your account has been compromised, please contact us immediately.
10. Your Rights
Under the PDPA, you have the following rights with respect to your personal data:
- Right of access — you may request information about the personal data we hold about you and obtain a copy of such data
- Right of correction — you may request that we correct any inaccurate or incomplete personal data
- Right to withdraw consent — you may withdraw your consent for the collection, use, or disclosure of your personal data at any time, subject to legal or contractual restrictions. Withdrawal of consent may affect your ability to use the Platform
- Right to data portability — where technically feasible, you may request a copy of your data in a structured, commonly-used format
- Right to erasure — you may request the deletion of your personal data. We will process such requests within 30 days, subject to retention obligations described in this policy
To exercise any of these rights, please contact our Data Protection Officer at general@neuroflix.sg. We will respond to your request within 30 days.
Please note that certain data may be exempt from access, correction, or deletion requests under the PDPA — for example, data that is subject to legal privilege, data that could compromise an ongoing investigation, or data whose disclosure could threaten the safety of another individual.
11. Cookies and Tracking Technologies
We use minimal cookies and do not deploy third-party tracking, analytics scripts, advertising pixels, or session-recording tools on our Platform.
- Authentication cookies — we use encrypted, server-side session cookies strictly for maintaining your authenticated session. These are essential cookies required for the Platform to function
- Preference cookies — we may store non-sensitive display preferences (such as light/dark mode) in your browser's local storage
We do not use Google Analytics, advertising trackers, social media pixels, or any third-party behavioural tracking tools. Your browsing activity on the Platform is not shared with advertisers or data brokers.
12. Children's Privacy
The Platform is designed for use by adults aged 18 and over in professional and enterprise training contexts. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected data from a person under 18, we will take steps to delete that data promptly. If you believe a minor has provided us with personal data, please contact us at general@neuroflix.sg.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify affected users via email or an in-app notice.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact our Data Protection Officer:
Data Protection Officer
Neuroflix Pte. Ltd.
65 Mohamed Sultan Road, Singapore 239003
If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore at www.pdpc.gov.sg.