Privacy Policy

ACTASA GROUP LIMITED (“ACTASA”, “we”, “us”, or “our”), a company incorporated in the Hong Kong Special Administrative Region, operates the Tutor Wong (補習天王) AI-powered learning platform accessible via the website at tutorwong.com and via mobile applications on iOS and Android (collectively, the “Platform” or “Service”). This Privacy Policy explains how we collect, use, store, disclose, and protect personal data when you access or use our Platform, in accordance with the Personal Data (Privacy) Ordinance (Cap. 592) of the Laws of Hong Kong (“PDPO”) and other applicable data protection laws.

The data user (as defined under the PDPO) responsible for the collection, holding, processing, and use of your personal data is:

ACTASA GROUP LIMITED, Hong Kong SAR.

You may contact us via the Contact page on our Platform for any data protection inquiries.

We collect and process the following categories of personal data:

(a) Account Information — name, email address, hashed password, profile picture (if provided via Google OAuth sign-in), preferred language setting, and account creation date.

(b) Child Profile Data — child’s name or nickname, grade level (K1–S6), school type (e.g. local, international, DSS, private), school name (optional), region, and avatar selection. Child profiles are created and controlled exclusively by the parent or guardian account holder.

(c) Educational Content — photographs of homework submissions uploaded to the Platform, text extracted via optical character recognition (OCR), AI-generated grading results, question-and-answer data, error analysis classifications, step-by-step solutions, AI tutor interaction logs, video tutorial requests, AI-generated worksheet content, and academic performance reports.

(d) Payment and Subscription Information — subscription tier, Stripe customer identifier, subscription identifier, price identifier, and payment history. We do not directly store full credit or debit card numbers; payment processing is handled by Stripe, Inc. in accordance with PCI DSS. For in-app purchases, we store transaction identifiers and platform identifiers received from Apple App Store or Google Play.

(e) Usage and Device Data — IP address, browser type and version, device type and operating system, referring URLs, pages and features accessed, timestamps, session duration, and interaction patterns.

(f) Analytics Data — anonymised and aggregated product usage metrics collected via PostHog for service improvement, including feature engagement rates, error rates, and performance metrics.

(g) Communication Data — email address or WhatsApp number provided for newsletter subscriptions, customer support correspondence, and feedback you submit to us.

(h) Referral Data — referral codes, invite codes, referral relationships between users, and bonus credit records.

(i) Push Notification Tokens — device tokens for delivering push notifications on iOS, Android, or web platforms, associated with your user account.

In accordance with Data Protection Principle 1 (DPP1) of the PDPO, we process your personal data for the following lawful purposes directly related to the functions of the Platform:

(a) Service Delivery — to provide AI-powered homework grading, step-by-step solutions, AI tutoring (text and video), adaptive worksheet generation, question bank features, and academic progress reports.

(b) Account Management — to create and maintain your account, authenticate your identity, manage child profiles, and facilitate sign-in via email/password credentials or Google OAuth.

(c) Subscription and Billing — to process subscription payments, manage tier access and usage quotas, verify in-app purchase receipts, process refund requests, and maintain billing records.

(d) Service Improvement — to analyse usage patterns, identify and resolve technical issues, improve AI model accuracy and grading quality, optimise algorithms, and enhance user experience.

(e) Communication — to send transactional messages (account verification, password resets, payment confirmations), newsletter content (where you have opted in), and service announcements.

(f) Security and Fraud Prevention — to detect and prevent fraud, unauthorised access, and abuse of the Platform, including through rate limiting, session management, and account protection measures.

(g) Legal Compliance — to comply with applicable laws, regulations, and codes of practice in Hong Kong SAR, respond to lawful requests from courts or regulatory authorities, and establish, exercise, or defend legal claims.

(h) AI Model Processing — to process homework images through OCR providers (Google Cloud Vision API), route educational content to appropriate AI models for grading and solution generation, and generate personalised educational feedback. Your data may be transmitted to third-party AI service providers as detailed in Section 6.

Tutor Wong is designed for use by parents, guardians, and tutors on behalf of children. We recognise the sensitivity of children’s educational data and apply the following safeguards:

(a) Parental Control — child profiles are created and managed exclusively by parent or guardian account holders. Children do not independently create accounts on the Platform.

(b) Data Minimisation — we collect only the child data necessary to deliver the grading, tutoring, and analytics services, primarily the child’s name or nickname, grade level, and school information for curriculum alignment.

(c) Purpose Limitation — children’s homework submissions and educational data are used solely for providing grading, tutoring, analytics, and reporting services to the parent or guardian, and for improving AI model accuracy in an anonymised or aggregated manner.

(d) No Marketing to Children — we do not use children’s personal data for marketing purposes, nor do we direct any advertising or promotional content at children.

(e) Parental Rights — parents and guardians may access, correct, or request deletion of their children’s data at any time through the Platform’s account settings or by contacting us.

We may share personal data with the following categories of third parties, in each case only to the extent necessary and subject to appropriate safeguards:

(a) AI and Cloud Service Providers — we use third-party AI services (including but not limited to OpenAI, Google Cloud, and other model providers accessed via OpenRouter) to process homework images and generate grading results and educational content. Homework images and extracted text are transmitted to these providers for processing. These providers operate under their own privacy policies and, where applicable, data processing agreements.

(b) Payment Processors — Stripe, Inc. processes subscription payments on our behalf. Apple Inc. and Google LLC process in-app purchases through their respective app stores. These processors handle payment card information directly and maintain PCI DSS compliance.

(c) Cloud Infrastructure — we use Amazon Web Services (AWS) for image storage (S3) and Neon Inc. for managed PostgreSQL database hosting. Personal data stored with these providers may reside on servers located outside Hong Kong.

(d) Analytics — we use PostHog for product analytics. Data collected by PostHog is anonymised or pseudonymised where practicable.

(e) Email Delivery — we use Resend for transactional email delivery and newsletter distribution.

(f) Legal and Regulatory — we may disclose personal data where required by law, regulation, court order, or request of a governmental or regulatory authority, or where necessary to protect the rights, property, or safety of ACTASA, our users, or the public.

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.

Your personal data may be transferred to and processed in jurisdictions outside Hong Kong SAR, including but not limited to the United States, where our cloud infrastructure and AI service providers maintain servers. In accordance with Data Protection Principle 3 (DPP3) of the PDPO, when transferring data outside Hong Kong we take reasonable steps to ensure that the receiving parties provide a level of data protection substantively similar to the standards of the PDPO, including through contractual data processing agreements, compliance assessments, and industry-standard security certifications maintained by our providers.

In accordance with Data Protection Principle 4 (DPP4) of the PDPO, we implement appropriate technical and organisational measures to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use, including:

(a) encryption of data in transit using TLS/HTTPS and encryption of data at rest where supported by our infrastructure providers;

(b) password storage using industry-standard one-way hashing algorithms;

(c) role-based access controls and the principle of least privilege for internal access to personal data;

(d) JWT-based authentication with secure session management and token expiry;

(e) rate limiting and abuse detection mechanisms;

(f) regular security reviews of our application codebase and infrastructure configuration.

While we take commercially reasonable precautions, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your personal data and shall not be liable for events beyond our reasonable control.

In accordance with Data Protection Principle 2 (DPP2) of the PDPO, we retain personal data for no longer than is necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law:

(a) Account Data — retained for the duration of your active account and for up to 12 months following account closure, to facilitate potential reactivation and to comply with legal and regulatory obligations.

(b) Homework Submissions and Grading Data — retained for as long as your account remains active and for a reasonable period thereafter to support the question bank and progress analytics features.

(c) Payment and Transaction Records — retained for 7 years in accordance with Hong Kong tax legislation and commercial record-keeping requirements under the Inland Revenue Ordinance (Cap. 112).

(d) Usage Logs — retained for up to 24 months for service improvement, security, and audit purposes.

(e) Newsletter Subscriptions — retained until you unsubscribe or request deletion of your subscription.

You may request deletion of your account and associated data by contacting us. We will action such requests within a reasonable timeframe, subject to any legal retention obligations and legitimate business needs (e.g. fraud prevention, dispute resolution, tax compliance).

Under the Personal Data (Privacy) Ordinance, you have the following rights with respect to your personal data held by us:

(a) Right of Access (Section 18, DPP6) — you may request a copy of the personal data we hold about you. We will respond to valid data access requests within 40 days. We may charge a reasonable fee to cover the administrative cost of complying with a data access request, as permitted by the PDPO.

(b) Right of Correction (Section 22, DPP6) — you may request correction of any personal data we hold about you that is inaccurate. We will action valid correction requests within 40 days.

(c) Right to Withdraw Consent — where processing is based on your voluntary consent (e.g. newsletter subscriptions), you may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.

(d) Right to Request Deletion — you may request erasure of your personal data, subject to any overriding legal retention obligations and our legitimate business needs.

(e) Right to Opt Out of Direct Marketing (Section 35C) — you have the right to opt out of receiving direct marketing communications at any time by using the unsubscribe link in our emails or by contacting us. We will action opt-out requests without charge.

To exercise any of these rights, please contact us via the Contact page on our Platform. We may require reasonable verification of your identity before processing your request.

Our Platform uses the following categories of cookies and similar technologies:

(a) Essential Cookies — strictly necessary for the Platform to function, including session management, authentication tokens, language/locale preferences, and security features. These cookies cannot be disabled without impairing core functionality.

(b) Analytics Cookies — used by PostHog to collect anonymised usage data for service improvement and product analytics. You may manage or disable these via your browser settings.

(c) Third-Party Cookies — our payment provider (Stripe) may set cookies necessary for secure payment processing.

We do not use cookies for the purpose of behavioural advertising or cross-site tracking.

Our Platform employs AI-powered automated processing to grade homework, generate solutions, analyse error patterns, and produce educational feedback. These automated processes:

(a) are advisory and supplementary in nature and do not produce legal effects or similarly significant effects on any individual;

(b) may be supplemented by deterministic verification mechanisms (e.g. mathematical calculation verification);

(c) should not be relied upon as the sole basis for any educational, academic, or professional decision.

Parents, guardians, and tutors retain full responsibility for reviewing and verifying AI-generated results.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to registered users via email or through a prominent notice on the Platform. The “Effective date” stated at the top of this Policy indicates when the latest revision took effect. Your continued use of the Platform after the effective date of a revised Policy constitutes your acceptance of the updated terms.

This Privacy Policy is governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of Hong Kong SAR.

For privacy-related inquiries, data access requests, data correction requests, or complaints regarding our handling of your personal data, please contact us via the Contact page on our Platform.

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong (https://www.pcpd.org.hk).