Privacy Policy

Code Gakko (operated by Code Gakko Holdings Pte. Ltd., UEN 201716134C, with registered office at 65 Mohamed Sultan Road, Singapore 239003) is a Singapore-based education company. This policy explains how we collect, use, store and protect personal data in connection with our maker programme — including our websites at codegakko.com and any subdomain we operate (e.g. makers.codegakko.com).

We are committed to complying with the Singapore Personal Data Protection Act 2012 (PDPA) and aligning with the EU General Data Protection Regulation (GDPR) for our international users. By using our service, you consent to the practices described in this policy.

We collect three categories of data:

(a) From parents

• Name, email address, mobile number, postal code (for kit delivery)
• Account credentials (handled by our authentication provider, Clerk — we never see your password)
• Payment metadata (handled by HitPay — we never store credit card numbers; we keep transaction IDs and amounts for reconciliation)

(b) From students (your child)

• First name and academic level (no email or phone — students log in with a username + code word created by you)
• Lesson responses, reflections, photos of their prototypes, and code (.hex) files they choose to upload
• Activity timestamps (when lessons are completed)

(c) Automatically

• Device + browser type, IP address (used only for security and abuse-prevention; not for advertising)
• Pages visited and feature usage (anonymised analytics — no third-party trackers)

Under PDPA we rely on consent for most processing. Under GDPR we rely on a mix of consent, contract performance, and legitimate interest. Specifically:

• Account + payment info — necessary to deliver the service you've subscribed to (contract)
• Student work — to render your child's lessons, save their progress across devices, and produce their portfolio (contract)
• Marketing emails — only if you opt in (consent — withdrawable at any time)
• Service improvement analytics — anonymised; legitimate interest

We treat any user under 13 as a child whose personal data must be processed with parental consent. Because all student accounts on Code Gakko are created by the parent through their own authenticated account, parental consent is implicit at the moment of child-account creation.

We do not market to children, do not place advertising on student-facing pages, and do not share student data with third parties for marketing or profiling. Student photos and code uploads are kept private to the parent's account by default; they only become public if you explicitly publish your child's portfolio via the “Publish” button (you can unpublish at any time).

• To operate the platform — sign-in, lesson delivery, progress tracking, portfolio rendering
• To process payments and deliver Tool Kits (where you've ordered one)
• To respond to your support requests at info@codegakko.com
• To send transactional notifications (account confirmations, receipts, password resets)
• To send weekly progress recaps and product updates if you've opted in (you can opt out at any time from /parent-account → Communication preferences)
• To investigate fraud, abuse, and security incidents
• To comply with legal obligations (tax records, court orders)

We do not sell personal data, and we do not use third-party advertising or behavioural-tracking cookies.

We use a small number of trusted sub-processors, each contractually bound to handle your data only as instructed. Current list:

• Clerk (USA) — authentication. Privacy policy
• Railway (USA) — hosting + database. Privacy policy
• Amazon Web Services (AWS S3) — file storage in Singapore (ap-southeast-1 region). Privacy policy
• HitPay (Singapore) — payment processing. Privacy policy
• Mailerlite (Lithuania, EU) — marketing email. Privacy policy
• Mailgun (USA) — transactional email. Privacy policy

We will update this list when sub-processors change. We will not transfer your data to any other third party except (i) where you have specifically consented, (ii) where compelled by Singapore law, or (iii) to enforce our terms or protect rights and safety.

Your account data lives in our Postgres database hosted by Railway, with primary servers located in the United States. File uploads (photos, code files) are stored in AWS S3 in the Singapore region (ap-southeast-1). Some sub-processors (e.g. Clerk, Mailerlite) may process data in the EU or US.

For transfers outside Singapore, we ensure data is protected to a standard comparable to PDPA via contractual safeguards and reputable providers' commitments. EU users: your data may be transferred under standard contractual clauses where required.

• Active accounts — for as long as you're a member.
• Cancelled accounts — when you cancel, you keep full access up until the period you paid for. After that, your child's public portfolio is automatically made private, and student work is kept in your account for 12 months so you can download or export it. At the end of that 12-month window we permanently delete all of your child's data — photos, code, reflections, portfolio entries — from our database and from S3. This deletion is irreversible.
• Payment + tax records — 5 years from the transaction date, as required under Singapore tax law.
• Anonymised analytics — kept indefinitely, but with no link back to you.

You can request earlier deletion at any time via privacy@codegakko.com; we will comply within 30 days unless we are required by law to retain specific records.

You have the right to:

• Access — request a copy of the personal data we hold about you and your child
• Correct — fix anything that's inaccurate (mostly self-service via /parent-account)
• Delete — ask us to permanently remove your account and child accounts
• Withdraw consent — for marketing or any non-essential processing, at any time
• Data portability (GDPR) — request your data in a machine-readable format
• Object to processing in specific circumstances
• Lodge a complaint with the Singapore Personal Data Protection Commission (PDPC) or your local data protection authority

To exercise any of these rights, contact our Data Protection Officer at privacy@codegakko.com.

We use industry-standard technical and organisational measures to protect your data: TLS encryption in transit, bcrypt-hashed passwords (handled by Clerk), encrypted-at-rest databases, access controls limiting which staff can see what, and regular security audits. We will notify affected users within 72 hours of becoming aware of a personal data breach where required by PDPA or GDPR.

No system is perfectly secure. Choose a strong code word for your child, share it only with people who need it, and report any concerns to privacy@codegakko.com immediately.

We use only essential cookies for authentication and session management. We do not use behavioural-advertising cookies, fingerprinting, or third-party analytics that track you across sites. Anonymous server-side analytics help us understand which features get used; nothing leaves our servers in identifiable form.

We may update this policy as the service evolves, the law changes, or our sub-processors shift. Material changes will be communicated by email to active members and posted on this page with a revised “Last updated” date. Continued use of the service after changes constitutes acceptance. If you don't agree to the new terms, you can request account deletion at any time.

Questions, requests, or concerns about your data?

• Data Protection Officer: privacy@codegakko.com
• General support: info@codegakko.com
• Address: 65 Mohamed Sultan Road, Singapore 239003

If you're unsatisfied with our response, you may also lodge a complaint with Singapore's Personal Data Protection Commission at pdpc.gov.sg, or your local data protection authority.