Privacy Policy

Introduction

Pocket Apps Studio Pte. Ltd. (UEN 202549990M), with its registered office at 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914 (hereinafter referred to as the “Controller”), as the operator of the “XueTang” app, is the controller responsible for the processing of personal data in connection with the use of the app.

The Controller takes the protection of your privacy and your private data very seriously. Your personal data will only be collected, stored and used in accordance with the content of this privacy policy and applicable data protection regulations — in particular, the Singapore Personal Data Protection Act 2012 (“PDPA”) and, for users resident in the European Economic Area (EEA) or the United Kingdom, the EU/UK General Data Protection Regulation (“GDPR”).

With this privacy policy, the Controller informs you to what extent and for what purposes personal data is processed in connection with the use of the app.

Data Protection Officer

In accordance with PDPA s.11, the Controller has designated a Data Protection Officer (DPO) responsible for overseeing compliance with the PDPA and serving as the contact point for all questions, requests, or complaints regarding the processing of personal data.

The DPO can be reached at: dpo@pocketapps.studio

Written correspondence may be addressed to:
Data Protection Officer, Pocket Apps Studio Pte. Ltd., 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914.

Personal data

Personal data is data, whether true or not, about an individual who can be identified from that data, or from that data combined with other information to which the Controller has or is likely to have access. This definition aligns with both PDPA s.2 and Art. 4 GDPR. Examples include your e-mail address or a chosen username. Information that cannot be linked to your identity (such as statistical or anonymized usage data) is not considered personal data.

In principle, you can use the app without disclosing your identity. However, to access certain features such as account creation or cloud-based progress tracking, personal data will be collected. Specifically, the Controller only collects and stores the following personal data:

• E-mail address
• Username
• Password (securely hashed)

No additional identity-related information (such as your real name, date of birth, or address) is required or collected. If further information is ever requested, it will be used solely for analytics purposes and only in anonymous form. Any such data collection will be explicitly marked as voluntary.

Automated decision-making based on your personal data does not take place in connection with the use of the app.

Processing of personal information

Your personal data is stored on specially protected servers operated by the Controller’s processors, including Firebase (Google). These servers may be located inside or outside Singapore and are protected by technical and organizational measures against loss, destruction, unauthorized access, modification, or dissemination of your data. Access to personal data is restricted to a limited number of authorized individuals responsible for technical, administrative, or operational maintenance of the service. Despite regular checks, complete protection against all risks is not possible.

User account data (email, username, and password) as well as learning progress and user-generated vocabulary are securely stored using Firebase services. All data transfers to Firebase or other service providers are encrypted.

Your personal data is transmitted in encrypted form over the Internet. We use Transport Layer Security (TLS) to ensure secure data transfer.

Disclosure of personal data to third parties

Your personal data will only be used by the Controller to provide the services you have requested. Where external service providers are involved in delivering these services, their access to your data is strictly limited to what is necessary for fulfilling their specific function. The Controller takes technical and organizational measures to ensure compliance with data protection regulations and requires all service providers to do the same.

The Controller uses the following external services in connection with the XueTang app:

• Firebase (Google): for storing account data, learning progress, and user-generated vocabulary.
• Crashlytics: for crash reporting and diagnostics.
• PostHog: for product analytics.
• RevenueCat: for managing in-app purchases and subscription tracking.

These providers may process certain personal data such as device information, session data, or purchase status. Where such data is transmitted to countries outside Singapore or the European Union (e.g., the United States), the Controller ensures that a comparable standard of protection is maintained. This is achieved through contractual safeguards in compliance with PDPA s.26 (covering the transfer of personal data out of Singapore) and, for EEA/UK data subjects, through the European Commission’s 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) adopted under Art. 46 GDPR.

Your data will never be sold or disclosed to third parties for advertising purposes. Data will only be disclosed to third parties where you have explicitly consented or where the Controller is legally entitled or obliged to do so — for example, in the context of criminal investigations or to enforce legal rights.

Legal basis for data processing

Under Singapore’s PDPA, the Controller processes your personal data on the basis of your consent (express or deemed), or on an applicable exception set out in the First Schedule to the PDPA (including deemed consent by contractual necessity (PDPA s.15), the Legitimate Interests exception, and processing required to comply with a legal obligation). You may withdraw your consent at any time in accordance with PDPA s.16, subject to legal or contractual restrictions and upon reasonable notice.

Additional legal bases under the GDPR (users in the EEA/UK). For users resident in the EEA or the UK, the Controller also processes personal data under the GDPR, on the following legal bases:

• Art. 6 (1) (a) GDPR — where you have given consent (for example, when you create an account or agree to non-essential analytics). This also applies when you choose to register or log in using third-party services such as Apple or Google, which share selected account information (e.g., your email address) with us based on your authorization.
• Art. 6 (1) (b) GDPR — where processing is necessary for the performance of a contract or in the context of a quasi-contractual relationship (for example, storing your learning progress, managing your account, or handling in-app purchases).
• Art. 6 (1) (c) GDPR — where processing is necessary for compliance with a legal obligation to which the Controller is subject.
• Art. 6 (1) (f) GDPR — where processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party (for example, to ensure the technical stability and improvement of the app through anonymized analytics), provided your interests or fundamental rights do not override those interests.

Where relevant, the Controller will indicate the legal basis applicable to each type of data processing throughout this privacy policy.

Data erasure and storage duration

The Controller deletes or blocks your personal data as soon as the purpose for which it was stored no longer applies — for example, if you delete your account or withdraw your consent.

You may request the deletion of your account and associated personal data (such as your email and username) at any time via the app or by contacting the Controller directly. Once the request is processed, this personal data will be permanently removed from our systems, unless legal retention obligations require otherwise.

User-generated content such as vocabulary entries or exercise data created within the app is not considered personal data and may be retained for the continued operation and improvement of the app. This data is stored separately from personally identifiable information and is processed in anonymized form.

In some cases, data may be retained for longer periods where required by legal obligations — for example, tax-record retention under the Singapore Income Tax Act (typically 5 years from the end of the relevant year of assessment), accounting-record retention under the Companies Act 1967 (typically 5 years from the end of the relevant financial year), or equivalent tax and commercial retention requirements in the EEA/UK where applicable. In such cases, the data will be deleted or anonymized once the statutory period has expired.

Use of the app

Information about your end device

Each time you access the app, the following information about your device is collected, regardless of whether you are logged in: the IP address of the device, the request from the app and the time of the request. In addition, technical details such as device model, operating system version, app version, and the status and volume of data transferred are recorded.

This data may also be collected through integrated services such as Firebase, PostHog, and Crashlytics to help monitor performance, detect errors, and improve app stability and functionality. The IP address is only stored for the duration of your app session and is then either deleted or anonymized. Other device data is retained for a limited period and used solely for operational purposes.

The Controller uses this data to maintain and optimize the app, identify issues, and analyze usage patterns. This processing is based on the Controller’s legitimate interests under the PDPA First Schedule — Legitimate Interests exception and — for users in the EEA/UK — Art. 6 (1) (f) GDPR.

Use of device identifiers and tracking technologies

As a native mobile application, XueTang does not use HTTP cookies. Instead, the app may rely on device identifiers, local device storage, and SDK-level tracking technologies provided by integrated services such as Firebase, PostHog, and Crashlytics. These may include Firebase installation IDs, session tokens, analytics event identifiers stored locally on the device, anonymous device fingerprints, and — where applicable — the Identifier for Advertisers (IDFA).

Where Apple’s App Tracking Transparency (ATT) framework applies, the app will request your permission before accessing the IDFA or using any identifier for cross-app tracking purposes. You may decline or revoke this permission at any time via your device’s Settings.

Strictly necessary device identifiers — for example, identifiers required to deliver core app functionality, synchronize your learning progress, or deliver a feature you have explicitly requested — are processed on the basis of the Controller’s legitimate interests in the proper provision of the app (PDPA First Schedule; for EEA/UK users, Art. 6 (1) (f) GDPR) and, where applicable, for the performance of a contract (PDPA s.15 — deemed consent by contractual necessity; for EEA/UK users, Art. 6 (1) (b) GDPR).

Non-essential analytics or tracking identifiers — for example, those used for product optimization, attribution, or cross-app tracking — are processed only with your consent under the PDPA and, for EEA/UK users, Art. 6 (1) (a) GDPR. You may revoke this consent at any time via your device’s tracking permissions or the in-app settings, with effect for the future.

Children’s privacy

The XueTang app is not directed at, or intended for use by, children under the age of 13. The Controller does not knowingly collect personal data from children under 13. If you are under 13, please do not use the app and do not provide any personal data to the Controller.

For users between the ages of 13 and the applicable age of majority in their country of residence, the app should only be used with the involvement of a parent or legal guardian. Where required by applicable law (including Art. 8 GDPR for users resident in the EEA or the UK), any consent to the processing of personal data must be given or confirmed by the parent or legal guardian.

If the Controller becomes aware that personal data of a child under 13 has been collected without verified parental consent, the Controller will delete that data without undue delay. Parents or guardians who believe that their child has provided personal data to the Controller may contact the DPO at dpo@pocketapps.studio to request deletion.

Integration of the services of third-party providers

Google Firebase

The Controller uses various services from Google Firebase in connection with the app. Google Firebase is a platform that provides tools for app development and analytics and is operated by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) and its affiliates, including Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) (“Google”).

Firebase is used in XueTang for purposes including:

• Managing user authentication (e.g., email/password or social login)
• Storing user account data (email, username)
• Storing individual learning progress and user-generated vocabulary
• Tracking technical performance, crashes (via Crashlytics), and usage behavior (e.g., session duration, device type, operating system)

A detailed overview of the data collected by Google Firebase can be found at:
https://support.google.com/firebase/answer/6318039

Additional information is also available at:
https://firebase.google.com/ and https://firebase.google.com/support/privacy

In connection with the use of Firebase services, personal data may be transmitted to the USA or other jurisdictions outside Singapore and the EEA. To ensure the protection of such data, the Controller relies on the Data Processing Addendum published by Google, which incorporates the contractual safeguards required under PDPA s.26 and, for EEA/UK data subjects, the European Commission’s 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) adopted under Art. 46 GDPR.

Firebase is used for operational functionality and the technical improvement of the app. This represents a legitimate interest under the PDPA and, for EEA/UK users, Art. 6 (1) (f) GDPR. Where Firebase services rely on non-essential identifiers, these are only activated with your consent (PDPA; Art. 6 (1) (a) GDPR for EEA/UK users).

PostHog

The Controller uses the functions of PostHog to improve the app. PostHog is an open source platform and offers various functions for analyzing software products. PostHog is operated by PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA. When PostHog is used, the IP address, session duration, operating system, device model and a range of other data are stored. A detailed overview of the data collected by PostHog can be found at https://posthog.com/dpa. Further information about PostHog is available at https://posthog.com/ and https://posthog.com/privacy. In connection with the use of the service, personal data may be transferred to the USA. To protect the data, the Controller relies on the Data Processing Addendum published by PostHog, which incorporates the contractual safeguards required under PDPA s.26 and, for EEA/UK data subjects, the European Commission’s 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) adopted under Art. 46 GDPR.

PostHog is used to optimize the app. This constitutes a legitimate interest under the PDPA and — for EEA/UK users — Art. 6 (1) (f) GDPR. Insofar as non-essential identifiers are used for PostHog, this is only done with your consent.

In-app purchases/subscriptions

In the app, you have the option of purchasing paid content via the Apple App Store. The Controller uses your personal data for in-app purchases and subscriptions only within the company and with the company commissioned to process orders.

Storage and data transfer for in-app purchases

The Controller uses the technical interface provided by RevenueCat to manage in-app purchases and subscriptions. RevenueCat is operated by RevenueCat, Inc., 1032 E Brandon Blvd #3003, Brandon, FL 33511, USA.

When a purchase is initiated in the app, RevenueCat forwards the transaction to the Apple App Store. Payment is processed using the payment method stored in the user’s App Store account (e.g. credit card, PayPal, or store credit). After successful payment processing, the App Store sends confirmation to RevenueCat, which then updates the subscription status.

In the course of providing this service, RevenueCat may process data including subscription status, payment metadata, device identifiers, and technical details related to the purchase. A detailed overview of the data collected by RevenueCat is available at: https://www.revenuecat.com/dpa/

Further information can be found at: https://www.revenuecat.com/privacy/

As RevenueCat is based in the United States, personal data may be transferred to the USA. To protect this data, the Controller relies on the Data Processing Addendum published by RevenueCat, which incorporates the contractual safeguards required under PDPA s.26 and, for EEA/UK data subjects, the European Commission’s 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) adopted under Art. 46 GDPR.

The legal basis for this data processing is the performance of a contract to which you are a party (PDPA s.15 — deemed consent by contractual necessity and, for EEA/UK users, Art. 6 (1) (b) GDPR), as it is required for processing your purchase or subscription.

The data is stored for as long as necessary to fulfill the contract and for compliance with legal obligations. This includes tax-record retention under the Singapore Income Tax Act (typically 5 years from the end of the relevant year of assessment) and accounting-record retention under the Companies Act 1967 (typically 5 years from the end of the relevant financial year), or longer where equivalent EEA/UK tax or commercial retention rules apply to the transaction.

During the payment process, data may also be processed by Apple, as the operator of the App Store, and by the respective payment service provider. The Controller has no influence over how Apple or payment providers process your data, and they do not act as processors on behalf of the Controller. For more information on Apple’s data practices, see: https://www.apple.com/legal/privacy/data/en/app-store/

Please note that data collected by Apple in this context may also be transferred outside Singapore and the European Union.

Communication with us

You can contact the Controller in various ways, including via the in-app feedback feature or by email at support@pocketapps.studio. For privacy-related queries, please contact the DPO at dpo@pocketapps.studio.

Contact via email or in-app feedback

If you contact the Controller via email or through the in-app feedback feature, the Controller will collect the personal data that you provide — in particular your name and email address. In addition, the Controller may store the IP address, device-related information such as the device model, and the date and time of the request. The Controller processes the data transmitted solely for the purpose of responding to your inquiry or request.

You can decide for yourself what information you send to the Controller. The legal basis for the processing of your data is your consent under the PDPA and — for EEA/UK users — Art. 6 (1) (a) GDPR.

After the matter has been processed by the Controller, the data will initially be stored in case of any queries. Deletion of the data can be requested at any time; otherwise we will delete the data after the matter has been fully dealt with. Statutory retention obligations remain unaffected in each case.

Your rights and contact

The Controller attaches great importance to explaining the processing of your personal data as transparently as possible and to informing you of the rights to which you are entitled. If you would like more information or wish to exercise your rights, you can contact the DPO at any time at dpo@pocketapps.studio.

Rights of data subjects

Under Singapore’s PDPA, you have the right to:

• Request access to the personal data the Controller holds about you and information about how that data has been used or disclosed within the year preceding your request (PDPA Part V — Access);
• Request correction of any error or omission in your personal data (PDPA Part V — Correction);
• Withdraw any consent you have previously given to the processing of your personal data (PDPA s.16), subject to legal or contractual restrictions and upon reasonable notice.

In the context of the XueTang app, this includes the ability to request the deletion of your account and all associated personal data (e.g. email and username). Please note that learning progress and vocabulary data created within the app is not classified as personal data and will not be included in such deletion requests.

If you wish to assert one of your rights or receive further information, you can contact the DPO at any time.

Additional rights for EEA/UK users

If you are resident in the EEA or the UK, you additionally have the following rights under the GDPR:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure — “right to be forgotten” (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object to processing (Art. 21 GDPR)
• Right not to be subject to a decision based solely on automated processing (Art. 22 GDPR)

To exercise any of these rights, please contact the DPO at dpo@pocketapps.studio.

Withdrawal of consent and objection

Once you have given your consent — for example, to create an account or to allow analytics — you may withdraw it at any time with effect for the future (PDPA s.16; for EEA/UK users, Art. 7 (3) GDPR). Withdrawal of consent does not affect the lawfulness of data processing carried out prior to the withdrawal.

If the processing of your personal data is based on a legal ground other than consent, you also have the right to object to that processing. Your objection will trigger a review and, if applicable, lead to the termination of the processing. You will be informed of the outcome and, if the processing continues, the Controller will explain why it is considered permissible.

Complaints

If you are of the opinion that the processing of your personal data by the Controller does not comply with this privacy policy or applicable data protection law, you may lodge a complaint with the DPO at dpo@pocketapps.studio. The Controller will then investigate the matter and inform you of the outcome of the investigation.

You also have the right to lodge a complaint with the Personal Data Protection Commission of Singapore (PDPC) via https://www.pdpc.gov.sg. If you are resident in the EEA or the UK, you may additionally lodge a complaint with the data protection supervisory authority of your country of residence (for example, the UK Information Commissioner’s Office, or the data protection authority in your EEA member state).

Further information and changes

Links to other websites

Our app may contain links to other websites. These links are usually marked as such. We have no influence on the extent to which the applicable data protection regulations are complied with on the linked websites. We therefore recommend that you also inform yourself about the data protection declarations of other websites.

Changes to this privacy policy

The status of this privacy policy is indicated by the date (below). The Controller reserves the right to amend this privacy policy at any time with effect for the future. Changes will be made in particular in the event of technical adjustments to the app or changes to data protection regulations. The current version of the privacy policy can always be accessed directly via the app. We recommend that you inform yourself regularly about changes to this privacy policy.

Status of this privacy policy: April 2026