Privacy Policy

Who This Policy Applies To

This policy applies to:

• Teachers who create and use AralSync accounts to manage classroom records
• School administrators who access AralSync with admin-level privileges
• Any person whose personal information is processed through the AralSync platform, including students whose records are entered by their teachers

Our Role Under Philippine Law

Under Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), and its Implementing Rules and Regulations (IRR), AralSync acts as a Personal Information Processor (PIP) — we process personal data on behalf of teachers and schools, who act as the Personal Information Controllers (PICs).

This distinction is explained in detail in Section 2 below. If you have questions about this policy, please contact us at privacy@aralsync.com.

Republic Act 10173 — Data Privacy Act of 2012

AralSync processes personal information in accordance with RA 10173 Section 12, which permits processing when at least one of the following criteria is met:

• Section 12(a) — The data subject has given consent prior to collection and processing. Teachers consent when they register on AralSync.
• Section 12(b) — Processing is necessary for the fulfillment of a contract with the data subject. AralSync’s Terms of Service constitute such a contract.
• Section 12(e) — Processing is necessary to fulfill functions of public authority, which necessarily includes processing for the fulfillment of a mandate.
• Section 12(f) — Processing is necessary for the legitimate interests pursued by the personal information controller, except where overridden by fundamental rights of the data subject.

DepEd Mandates

Recording student attendance and academic grades is a legal obligation of every classroom teacher under DepEd policy. Specifically:

• DepEd Order No. 8, s. 2015 requires teachers to maintain complete and accurate grade records using the prescribed K–12 grading system.
• DepEd Order No. 3, s. 2018 and related issuances require teachers to maintain School Form 2 (SF2 — Daily Attendance Record) and submit it to the school principal monthly.
• DepEd Order No. 32, s. 2023 and related issuances govern the privacy and data protection obligations of schools and DepEd personnel with respect to learner data.
• SF10 (Learner’s Permanent Academic Record) is a mandatory document every teacher must maintain.

AralSync is a digital tool that assists teachers in fulfilling these existing legal obligations — it does not create new obligations.

Personal Information Controller vs. Processor

Under RA 10173:

• A Personal Information Controller (PIC) decides the purpose and means of processing personal information. In AralSync, the teacher or school is the PIC. They decide what student data to enter, how it is used, and are directly responsible to students and families for proper data handling.
• A Personal Information Processor (PIP) processes personal information on behalf of the PIC. AralSync is the PIP. We provide the software platform and infrastructure that enables teachers to record and manage data, but we do not decide what data is collected or how it is used.

This means:

• Teachers and schools are primarily responsible for obtaining proper consents from students and parents.
• AralSync is responsible for maintaining a secure and compliant technical platform.
• Both parties have obligations under RA 10173 and both must uphold them.

3.1 Teacher Account Data

3.2 Student Data (Entered by Teachers — Not by Students Directly)

3.3 System Data (Collected Automatically)

3.4 What We Do NOT Collect

AralSync does not collect any of the following:

• Student photographs or biometric data
• Payment card numbers or financial information
• Social media accounts or profiles
• GPS location or geographic tracking data
• Advertising cookies or behavioral tracking identifiers
• Data for advertising, profiling, or marketing purposes
• Any data from students under 18 directly — all student data is entered by teachers
• Any data that is sold, traded, or shared with third parties for commercial purposes

AralSync uses collected data exclusively for the following purposes:

4.1 Core Service Delivery

• Enabling teachers to create and manage class rosters, sections, and subject assignments
• Recording and displaying daily student attendance (Present, Absent, Late, Excused) per session (AM/PM) per subject
• Encoding and computing student grades using the DepEd K–12 component-weighted grading system (Written Works, Performance Tasks, Quarterly Assessment)
• Applying the official DepEd transmutation table to convert raw percentages to transmuted quarterly grades

4.2 Official Report Generation

• Generating SF2 (Daily Attendance Record) in PDF and Excel formats
• Generating SF10 (Learner’s Permanent Academic Record) per student
• Generating class grade summaries and honor roll reports

4.3 Offline Functionality and Device Sync

• Storing all records locally on the teacher’s device using IndexedDB so the app works fully without internet
• Synchronizing records between the teacher’s own authorized devices over a local area network (LAN), using authenticated Socket.IO connections
• Managing an offline sync queue that pushes local changes to cloud backup when internet becomes available

4.4 Cloud Backup (Optional, Teacher-Controlled)

• If the teacher enables cloud sync, their records are encrypted and stored in our cloud database (MongoDB) solely as a backup for their own data
• Cloud backup can be disabled or all cloud data deleted at any time from within app settings

4.5 App Improvement

• Anonymized and aggregated system logs (error rates, feature usage patterns, sync success rates) may be used to improve app performance and stability
• No personal data is included in any analytics or improvement activities
• We do not use behavioral tracking, advertising analytics, or third-party analytics services that process personal data

4.6 What We Do NOT Do With Your Data

• We do not sell your data or student data to anyone, ever
• We do not use student data for advertising or marketing
• We do not profile students or teachers for any commercial purpose
• We do not share personal data with third parties except as described in Section 7

5.1 Local Storage (Primary)

All attendance records, grade entries, and student data are stored primarily on the teacher’s own device using the browser’s IndexedDB — a local database that does not leave the device unless the teacher chooses to sync. Local data is protected by the teacher’s device security (device PIN, biometrics, or password). The teacher retains full control over locally stored data at all times.

5.2 Cloud Storage (Optional)

If the teacher enables cloud backup, data is transmitted over TLS 1.2 or higher (encrypted in transit) and stored in an encrypted MongoDB database (AES-256 encryption at rest). Cloud data is accessible only to the authenticated teacher whose data it is — AralSync staff do not access individual teacher records in the normal course of operations.

5.3 LAN Synchronization

LAN sync between the teacher’s own devices uses an authenticated, encrypted Socket.IO channel — devices must be explicitly paired by the teacher before sync is permitted. LAN sync does not expose data to the general network.

5.4 Authentication Security

• Passwords are hashed using bcrypt — plain-text passwords are never stored anywhere in our system
• JWT access tokens expire after 15 minutes
• Refresh tokens are rotated on each use and immediately invalidated after use
• Device ID binding — tokens are tied to the specific registered device, preventing use on unauthorized devices
• Failed login attempt limits are enforced to prevent brute-force attacks

5.5 Access Controls

• Role-based access control (RBAC) — teachers see only their own students and class records; school administrators see records within their school only
• Advisory teachers can view sensitive notes (health, behavioral) for their advisory section; subject teachers cannot
• AralSync staff have no routine access to personal records — administrative access requires documented justification and is logged

5.6 Audit Logging

• All data creation, modification, and deletion events are logged with user ID and timestamp
• Audit logs are immutable — they cannot be edited or deleted by regular users
• Logs do not contain student data in plain text — they reference internal record IDs only

5.7 Data in URLs and Error Logs

Student names, LRNs, and grade data never appear in URLs or error log messages. Error logs reference internal record IDs only, which are meaningless outside the authenticated application context.

6.1 Active Accounts

Data for active teacher accounts is retained for the duration of the active school year and carries over to subsequent school years unless the teacher deletes it. Teachers can archive or delete specific school year data from within the app at any time.

6.2 Account Deletion

When a teacher deletes their AralSync account:

• The teacher is given a 30-day grace period to export data after requesting deletion
• Cloud-stored data is permanently deleted within 30 days after the grace period ends (up to 60 days total from the deletion request)
• A confirmation of deletion is provided by email upon completion

6.3 Local Device Data

Data stored on the teacher’s device (IndexedDB) is fully under the teacher’s control — AralSync cannot remotely delete or access local data. The teacher can clear local data at any time through the browser’s storage settings or through AralSync’s built-in "Clear Local Data" option.

6.4 Cloud Backup Retention

Cloud backups are retained for a maximum of 2 completed school years unless the teacher requests deletion earlier. At the end of the retention period, data is either anonymized (all identifying fields stripped) or securely deleted using cryptographic erasure.

6.5 System and Audit Logs

• Anonymized system logs (no personal data) are retained for 12 months
• Audit logs (record IDs + timestamps + user IDs) are retained for 3 years, consistent with RA 10173 Section 21 obligations and the applicable statute of limitations for data privacy complaints under Philippine law

7.1 We Do Not Sell Your Data

AralSync does not sell, rent, trade, or transfer personal information to any third party for commercial purposes. This applies to teacher data, student data, and all other information processed through AralSync.

7.2 We Do Not Share Data With Advertisers

AralSync does not use advertising networks, does not allow advertisers to target users based on their AralSync data, and does not share any user or student information with advertising or marketing companies.

7.3 Limited Third-Party Sub-Processors

AralSync uses the following third-party service providers solely for technical infrastructure. They process data only to the extent necessary to provide those infrastructure services and are bound by equivalent data protection obligations:

These providers do not receive data for their own purposes and are contractually prohibited from using AralSync data for any purpose other than providing their infrastructure services.

7.4 LAN Sync

LAN sync only transfers data between devices the teacher has explicitly authorized and paired — it does not broadcast data to the general network. No third party receives data through LAN sync.

7.5 Legal Requests

AralSync may be required to disclose information in response to valid legal orders, court orders, or government requests under Philippine law. In such cases, AralSync will:

• Verify the legal validity of the request before complying
• Disclose only the minimum information required to satisfy the legal order
• Notify affected users of the request as soon as legally permitted
• Maintain a record of all legal disclosures

7.6 Business Transfers

In the event of a merger, acquisition, or sale of AralSync, users will be notified 30 days in advance via email and in-app notification. Successor entities will be required to honor this Privacy Policy or provide users the option to delete their data before the transfer is completed.

Under RA 10173, Section 16, every person whose personal information is processed has the following rights. To exercise any of these rights, contact us at privacy@aralsync.com or use the in-app data request feature (Settings → Privacy → Data Rights). AralSync will respond within 15 business days of receiving a verified request, extendable by an additional 15 business days where reasonably necessary, in accordance with the DPA IRR.

a. Right to Be Informed

What it means: You have the right to know what personal information about you is being collected, why it is being collected, how it will be used, and who it will be shared with before or at the time of collection.

How AralSync honors this right: This Privacy Policy is made available before account creation. A summary of data collected is presented on the registration screen. Material changes to data practices are announced 30 days in advance.

b. Right to Access

What it means: You have the right to request a copy of the personal information AralSync holds about you, and to know how it has been processed.

How to exercise it: Log in to AralSync → Settings → Privacy → Request My Data, or email privacy@aralsync.com with the subject line "Data Access Request." We will provide a complete, machine-readable export within 15 business days.

c. Right to Object

What it means: You have the right to object to the processing of your personal information, including processing based on legitimate interests.

How to exercise it: Email privacy@aralsync.com with the subject line "Objection to Data Processing." We will assess your objection and respond within 15 business days. Note: objecting to core processing may require account deletion.

d. Right to Erasure or Blocking

What it means: You have the right to request deletion or suspension of processing of your personal information — for example, if the data is no longer necessary for the purpose it was collected.

How to exercise it: For account deletion: Log in → Settings → Account → Delete My Account. For specific record deletion: email privacy@aralsync.com. Cloud data is deleted within 30 days after the applicable grace period.

e. Right to Rectification

What it means: You have the right to have inaccurate or incomplete personal information corrected.

How to exercise it: Teacher account information can be corrected directly in the app (Settings → Profile → Edit). Student data can be corrected by teachers directly in the class roster. For corrections that cannot be made in-app, email privacy@aralsync.com.

f. Right to Data Portability

What it means: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another service.

How to exercise it: Log in → Settings → Privacy → Export My Data. AralSync provides exports in JSON format (full data) and Excel/CSV format (student records and grades). PDF exports of SF2 and SF10 are available from the Reports module. Exports are free of charge at any time.

g. Right to Damages

What it means: You have the right to claim compensation if you suffer damages as a result of inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal information.

How to exercise it: Contact us at privacy@aralsync.com to attempt resolution first. If unresolved, you may file a complaint with the National Privacy Commission or pursue claims through the appropriate courts of the Philippines.

h. Right to File a Complaint with the NPC

What it means: Regardless of any resolution attempted with AralSync, you have the absolute right to lodge a complaint with the National Privacy Commission (NPC) at any time.

NPC Contact Information:

• Website: privacy.gov.ph
• Email: info@privacy.gov.ph
• Complaints: complaints@privacy.gov.ph
• Address: 3/F, Core G, GSIS Headquarter Building, Roxas Boulevard, Pasay City, Metro Manila, Philippines

9.1 Students Are Not AralSync Account Holders

AralSync accounts are created by and for teachers only. Students do not create accounts, do not log in to AralSync, and do not interact with the platform directly. All student data in AralSync is entered by the responsible teacher.

9.2 Students Are Minors — Extra Care Applies

The overwhelming majority of students in the Philippine K–12 system are minors. Under RA 10173 Section 13 and the IRR, the processing of personal information of minors requires heightened protection. AralSync applies additional safeguards:

• Student records are accessible only to the teacher assigned to that class load and to authorized school administrators — not to other teachers
• Sensitive student data (health notes, behavioral notes) is accessible only to the advisory teacher and school administrator for that section
• Student data is never used for any commercial, advertising, or analytical purpose
• Student data is never shared with any third party except as required by law

9.3 Parental Consent Is the School’s Responsibility

Under the PIC/PIP framework, the school and teacher (as PIC) are responsible for ensuring that appropriate parental or guardian consent has been obtained for the collection and use of student data, as required by DepEd policy, DepEd Order No. 32, s. 2023, and RA 10173. Schools using AralSync are encouraged to include reference to AralSync in their own school privacy notices distributed to parents.

9.4 Sensitive Personal Information

Under RA 10173 Section 3(l), certain categories of information are classified as sensitive personal information and receive heightened protection. The following student data entered in AralSync may constitute sensitive personal information:

• Health and medical notes entered by teachers (e.g., health conditions affecting attendance or performance)
• Behavioral notes that may reflect psychological or mental health observations

For these data categories, AralSync applies additional restrictions:

• Access is limited to the advisory teacher and school admin — subject teachers without advisory roles cannot view these notes
• These fields are stored separately and are not exported in general-purpose data exports unless explicitly requested
• Teachers are advised to enter only the minimum information necessary and to follow their school’s guidelines on documenting sensitive student information

10.1 What Is a Personal Data Breach

A personal data breach is any incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal information processed by AralSync. This includes unauthorized access to teacher or student records, accidental deletion of records with no backup, unauthorized disclosure to a third party, or a security vulnerability that exposes personal data.

10.2 Our Internal Response

Upon discovery or credible report of a potential breach, AralSync will:

• Immediately contain the breach and limit further exposure
• Within 24 hours — notify affected controllers (teachers/schools) of the suspected breach and the data that may be affected
• Within 48 hours — complete initial assessment of the breach scope, affected data subjects, and likely consequences
• Within 72 hours — if the breach is likely to harm 500 or more individuals, file a mandatory breach notification with the NPC as required by RA 10173 Section 20(f) and NPC Circular No. 16-03

10.3 Notification to Affected Users

AralSync will notify affected teachers and schools within 72 hours of discovery of a breach that creates significant risk of harm. The notification will include: date and time of discovery, nature of breach, categories and number of records affected, likely consequences, and measures taken or proposed.

10.4 Reporting a Breach to AralSync

If you suspect or discover a security vulnerability affecting AralSync, please report it immediately to security@aralsync.com with the subject line "Security Incident Report." We treat all security reports as high priority.

AralSync teacher accounts are for adults 18 years of age and older only. We do not knowingly allow minors to register as teachers.

Age verification is performed at registration: users must confirm they are 18 years of age or older before an account is created. If we discover that a person under 18 years of age has created a teacher account, we will suspend the account immediately upon discovery, notify the email address on the account, and permanently delete all data associated with the account within 30 days.

Student data is entered by teachers — students do not use AralSync directly. AralSync does not knowingly collect personal information directly from any person under 18 years of age. If you believe a minor has registered an account, please contact us immediately at privacy@aralsync.com.

12.1 What AralSync Uses Instead of Cookies

AralSync does not use tracking cookies. Instead, AralSync uses:

12.2 No Advertising or Tracking

• AralSync uses no third-party advertising cookies
• AralSync uses no tracking pixels or analytics beacons
• AralSync does not embed any third-party scripts that could track you across other websites (no Google Analytics, no Facebook Pixel, no similar services)

12.3 What You Can Do

You can clear all locally stored AralSync data at any time through your browser’s storage settings. You can also use the in-app option: Settings → Privacy → Clear Local Data. Clearing local data will remove all attendance, grade, and student records from your device — make sure you have a cloud backup or export before doing this.

13.1 How We Will Notify You

AralSync will notify teachers of changes through:

• In-app notification — a banner on the dashboard informing you of the update
• Email notification to the email address on your account

13.2 Notice Period

For material changes (changes that significantly affect how we collect or use personal information, or changes that affect your rights), we will provide at least 30 days advance notice before the changes take effect. For minor or technical changes (corrections, clarifications), we may update the policy immediately but will still provide in-app notification.

13.3 Acceptance

Your continued use of AralSync after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree, you may delete your account before the effective date.

13.4 Version History

A version history of this Privacy Policy is maintained and available upon request at privacy@aralsync.com.

Data Protection Officer

AralSync has designated a Data Protection Officer (DPO) responsible for overseeing compliance with RA 10173 and this Privacy Policy. The DPO is registered with the National Privacy Commission in accordance with NPC Circular 17-01.

• ARALSYNC SOFTWARE DEVELOPMENT SERVICES
• DTI Registration No.: 8212747
• Tagbilaran City, Bohol, Philippines
• Email: privacy@aralsync.com
• Website: aralsync.com
• Response time: within 15 business days

NPC Registration

AralSync’s data processing systems involving sensitive personal information are registered with the National Privacy Commission as required under NPC Circular 17-01 and applicable registration rules.

National Privacy Commission

If you are not satisfied with our response, or if you believe your rights under RA 10173 have been violated, you have the right to lodge a complaint directly with the National Privacy Commission (NPC):

• Website: privacy.gov.ph
• Complaint email: complaints@privacy.gov.ph
• General inquiries: info@privacy.gov.ph
• Address: 3/F, Core G, GSIS Headquarter Building, Roxas Boulevard, Pasay City, Metro Manila 1307, Philippines

Filing a complaint with the NPC does not waive your right to also pursue legal remedies through the courts of the Philippines.