Privacy Policy

ThruEdu ("Platform," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our Platform.

This policy is issued in compliance with the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations (IRR), as administered by the National Privacy Commission (NPC) of the Republic of the Philippines. It also reflects applicable provisions of:

• RA 8792 — Electronic Commerce Act of 2000
• RA 10175 — Cybercrime Prevention Act of 2012
• RA 7394 — Consumer Act of the Philippines
• NPC Circular No. 16-01 — Security of Personal Data in Government Agencies (applied by analogy to private entities)
• NPC Advisory Opinions and Circulars relevant to online platforms and educational data

By using the Platform, you consent to the collection and processing of your personal information as described in this policy.

ThruEdu acts as the Personal Information Controller (PIC) with respect to the personal data you provide through the Platform.

Our DPO is registered with the National Privacy Commission as required under NPC Circular No. 17-01.

We collect only the minimum personal data necessary to deliver the Platform's services (the principle of data minimization under RA 10173). The categories of data we collect include:

We do not knowingly collect sensitive personal information (as defined under Section 3(l) of RA 10173) unless strictly necessary and with your explicit consent.

Under Section 12 of RA 10173, we process your personal data on the following lawful bases:

• Consent — You have given clear, informed, and freely given consent for specific processing activities (e.g., marketing communications, AI training data use).
• Contractual Necessity — Processing is necessary to fulfill our agreement with you (e.g., account creation, course delivery).
• Legitimate Interests — Processing is necessary for our legitimate interests (e.g., platform analytics, security monitoring), provided these do not override your rights.
• Legal Obligation — Processing is required to comply with applicable Philippine laws (e.g., tax, audit, court orders).

We use your personal data only for specific, legitimate purposes:

• Creating and managing your account
• Delivering, personalizing, and improving Platform features and AI-generated content
• Tracking academic progress and generating learning analytics
• Sending transactional notifications (e.g., password resets, account alerts)
• Sending promotional communications, where you have consented
• Ensuring Platform security and preventing fraud or abuse
• Complying with legal obligations and responding to lawful requests from government authorities
• Conducting research and development to improve AI models, using anonymized or aggregated data

We will not use your personal data for purposes incompatible with those stated above without providing notice and, where required, obtaining fresh consent.

We use cookies and similar technologies to operate the Platform and analyze usage. Types of cookies used:

• Strictly Necessary Cookies: Required for core Platform functions (e.g., authentication sessions). Cannot be disabled.
• Functional Cookies: Remember your preferences (e.g., language, theme). Disabled by default.
• Analytics Cookies: Collect aggregated usage data to improve the Platform. Disabled by default; requires consent.

You can manage cookie preferences through your browser settings. Note that disabling strictly necessary cookies may impair Platform functionality.

We do not sell, rent, or trade your personal data. We may share data only in the following circumstances:

• Service Providers (Personal Information Processors): Third-party vendors (e.g., cloud hosting, email services, payment processors) engaged under Data Processing Agreements that require them to protect your data to at least our standard.
• Partner Institutions: Your enrolled institution may receive your academic progress and course data as part of the educational service delivery.
• Legal Compliance: We may disclose data when required by Philippine law, court order, or lawful government request, including the NPC, NBI, PNP, or other authorities.
• Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred to the successor entity, subject to equivalent privacy protections and prior notice to you.

We retain personal data only as long as necessary to fulfill the purposes for which it was collected, or as required by law:

• Active account data: Retained for the duration of your account.
• Academic records: Retained for up to 5 years after account closure, consistent with CHED and DepEd records retention guidelines.
• Transaction records: Retained for 10 years to comply with BIR and accounting regulations.
• Technical/usage logs: Retained for 1 year for security and debugging purposes.
• Deleted accounts: Personal data is anonymized or securely deleted within 30 days of account deletion, unless retention is required by law.

We implement appropriate technical, organizational, and administrative safeguards to protect your personal data against unauthorized access, disclosure, alteration, or destruction, consistent with NPC standards and NPC Circular No. 16-01. Measures include:

• TLS/HTTPS encryption for all data in transit
• Encryption of sensitive data at rest using industry-standard algorithms
• Role-based access controls limiting data access to authorized personnel only
• Regular security audits, vulnerability assessments, and penetration testing
• Incident response procedures including mandatory NPC notification within 72 hours of discovering a personal data breach (per NPC Circular No. 16-03)
• Employee training on data privacy and security obligations

Under Chapter IV of RA 10173, you have the following rights with respect to your personal data:

• Right to be Informed — Know how your data is collected, used, and shared.
• Right to Access — Request a copy of the personal data we hold about you.
• Right to Rectification — Request correction of inaccurate or incomplete data.
• Right to Erasure / Right to be Forgotten — Request deletion of your personal data, subject to legal retention obligations.
• Right to Object — Object to the processing of your data on grounds of legitimate interest or for direct marketing purposes.
• Right to Data Portability — Receive your data in a structured, commonly used, and machine-readable format.
• Right to Lodge a Complaint — File a complaint with the National Privacy Commission if you believe your rights have been violated.
• Right to Damages — Seek compensation for any damages sustained due to inaccurate, incomplete, outdated, or unlawfully obtained personal data.

To exercise any of these rights, submit a written request to our DPO at privacy@thruedu.ph. We will respond within 15 business days of receiving a verifiable request.

Consistent with Section 13 of RA 10173 on sensitive personal information and the special protection of minors:

• We do not knowingly collect personal data from individuals under 18 years of age without verifiable parental or guardian consent.
• If you are a minor, a parent or legal guardian must review and consent to this Privacy Policy on your behalf before you use the Platform.
• If we discover that we have collected personal data from a minor without proper consent, we will promptly delete such data.

Some of our service providers and infrastructure may be located outside the Philippines. Any transfer of personal data outside the Philippines is conducted in accordance with Section 21 of RA 10173 and relevant NPC issuances, ensuring that adequate data protection safeguards are in place in the recipient country or that you have consented to the transfer.

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or Philippine law. Material changes will be communicated via email to registered Users at least 15 days before the change takes effect, along with the updated policy posted on this page. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.

For privacy-related questions, data subject requests, or complaints, please contact our Data Protection Officer:

If you are not satisfied with our response, you may file a complaint with the National Privacy Commission (NPC) or seek redress through the Department of Trade and Industry (DTI).