Our Privacy Policy

Policy Approval date: 15 April 2026

This Data Protection Notice ("Notice") sets out the basis on which Nas Education Pte Ltd ("we", "us", or "our") may collect, use, disclose or otherwise process personal data of our customers. This Notice is designed to comply with:

  • The Personal Data Protection Act of the Republic of Singapore ("PDPA"); and

  • The EU General Data Protection Regulation ("GDPR") (Regulation (EU) 2016/679), to the extent we offer goods or services to individuals in the European Economic Area ("EEA") or monitor their behaviour.

This Notice applies to personal data in our possession or under our control, including personal data held by organisations we have engaged to process personal data on our behalf. Where there is any conflict between the PDPA and the GDPR in relation to EEA residents, the GDPR shall take precedence.

A. Personal Data

As used in this Notice:

  • "Customer" means an individual who (a) has contacted us through any means to find out more about any goods or services we provide, or (b) may, or has, entered into a contract with us for the supply of any goods or services by us, including as a student or prospective student.

  • "Personal data" means data, whether true or not, about a customer who can be identified: (a) from that data; or (b) from that data and other information to which we have or are likely to have access.

  • "EEA resident" means a natural person located in a European Economic Area member state at the time their data is collected or processed.

Depending on the nature of your interaction with us, personal data we may collect includes: name, identification numbers (such as NRIC, FIN, passport details, work permit, or birth certificate), residential address, email address, telephone number, nationality, gender, date of birth, employment information, educational attainment, payment information, and online identifiers such as IP addresses and cookie data.

B. Legal Basis for Processing (GDPR)

For customers who are EEA residents, we rely on the following legal bases under Article 6 of the GDPR to process personal data:

  • Contractual necessity (contract performance): Processing is necessary to provide the services you have requested, including running your community, managing your account, and processing payments via our payment processor (Stripe).

  • Legal obligation: We are required by applicable law to retain certain records (e.g. financial records, fraud prevention).

  • Legitimate interests: We may process data for security, fraud detection, platform integrity, and improving our services, where this does not override your fundamental rights.

  • Consent: For marketing communications or non-essential cookies, we will ask for your explicit consent. You may withdraw this consent at any time.

Where we rely on legitimate interests, you have the right to object to that processing (see Section F below).

C. Collection, Use and Disclosure of Personal Data

We generally do not collect your personal data unless it is provided to us voluntarily by you directly or via an authorised representative, after you have been notified of the purposes for which the data is collected and have provided consent, or collection is otherwise permitted by applicable law.

We may collect and use your personal data for any or all of the following purposes:

  • Performing obligations in connection with our provision of goods and/or services requested by you;

  • Verifying your identity;

  • Keeping a record of transactions and activities on the platform for customer safety;

  • Responding to, handling, and processing queries, requests, applications, complaints, and feedback from you;

  • Managing your relationship with us;

  • Providing sellers, community creators and community managers with the ability to manage and communicate with their customers and community members;

  • Linking or combining information we collect from our Website, App, or Services to help understand your needs and provide better service;

  • Legitimate interests: Where you have previously subscribed to our services, we may contact you after cancellation with information about re-activating your subscription or related Nas.com offerings. We rely on legitimate interests as our legal basis for this processing. You may opt out of such communications at any time by clicking the unsubscribe link in any such email or by contacting us at help@nas.io.

  • Processing payment or credit transactions via our payment processor, Stripe;

  • Complying with any applicable laws, regulations, codes of practice, guidelines, or rules, or assisting in law enforcement and investigations;

  • Sending you technical notices, updates, security alerts, and support and administrative messages;

  • Any other purposes for which you have provided the information; and

  • Transmitting to third party service providers, agents, and relevant governmental and/or regulatory authorities, whether in Singapore or abroad, for the above purposes.

We may disclose your personal data to third party service providers, agents and other organisations we engage to perform functions in connection with the above purposes. All such third parties are required to handle your personal data in accordance with applicable data protection law.

D. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights in relation to your personal data:


1. Right of Access

You may request a copy of the personal data we hold about you, and information about how we use or disclose it.


2. Right to Rectification

You may request that we correct or update any inaccurate or incomplete personal data we hold about you. Please note that grades and comments from teachers, trainers, tutors, facilitators and other staff/contractors are considered a "Teacher's Opinion" and are not subject to correction under this right. This does not affect your right under our separate appeal mechanisms.


3. Right to Erasure ("Right to be Forgotten")

EEA residents have the right to request that we delete their personal data in certain circumstances, including where: (a) the data is no longer necessary for the purpose it was collected; (b) you withdraw consent and there is no other legal basis for processing; (c) you object to processing and there are no overriding legitimate grounds; or (d) the data has been unlawfully processed.

To request deletion of your personal data, please contact us at help@nas.io. We will process your request within the timeframes set out below.

Note: Even where you exercise the right to erasure, we may retain certain personal data where we are required to do so by law, or where retention is necessary for the establishment, exercise, or defence of legal claims.


4. Right to Data Portability

EEA residents have the right to receive personal data they have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where: (a) the processing is based on consent or a contract; and (b) the processing is carried out by automated means. To submit a data portability request, please contact us at help@nas.io.


5. Right to Object

EEA residents have the right to object to the processing of their personal data where we rely on legitimate interests as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.

You also have an unconditional right to object to processing of your personal data for direct marketing purposes at any time.


6. Right to Restrict Processing

EEA residents may request that we restrict the processing of their personal data in certain circumstances, for example while the accuracy of the data is being verified or while an objection is being considered.


7. Rights Related to Automated Decision-Making

EEA residents have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects. If we engage in such processing, we will inform you and provide mechanisms to request human review.


8. How to Exercise Your Rights

To exercise any of the rights set out above, please submit your request in writing to our Data Protection Officer at help@nas.io. We will aim to respond within 30 days of receiving your request. Where a request is particularly complex or we receive a number of requests, we may extend this period by a further two months and will notify you accordingly.

A reasonable fee may be charged for manifestly unfounded or excessive access requests. We will inform you of any applicable fee before processing your request.

Access requests made under this Policy for grades where the release date for such grades has not yet passed will be declined.

E. Withdrawing Your Consent

Where we process your personal data on the basis of consent, you may withdraw that consent at any time by submitting your request in writing or via email to our Data Protection Officer at help@nas.io. Withdrawal of consent will not affect the lawfulness of any processing carried out prior to withdrawal.

We will process your withdrawal request within 14 business days of receiving it. Please note that withdrawal of consent may affect our ability to continue providing goods or services to you, and we will inform you of this before completing the processing of your request.

F. International Data Transfers

We are headquartered in Singapore and host our data infrastructure on Amazon Web Services ("AWS") in Singapore. We use Stripe for payment processing. Some processing activities may involve the transfer of personal data outside Singapore or, for EEA residents, outside the European Economic Area.

For EEA residents, we ensure that any such transfers are subject to appropriate safeguards as required by the GDPR:

  • AWS: We rely on the Standard Contractual Clauses (SCCs) incorporated in the AWS GDPR Data Processing Addendum, which applies automatically to transfers of personal data subject to GDPR. You can review AWS's GDPR compliance at https://aws.amazon.com/compliance/gdpr-center/

  • Stripe: We rely on Standard Contractual Clauses and/or other appropriate safeguards in Stripe's Data Processing Agreement for transfers of payment data. You can review Stripe's privacy practices at https://stripe.com/en-sg/privacy

  • Other third parties: Where we engage other third-party processors that involve international data transfers, we ensure appropriate safeguards are in place, such as SCCs or adequacy decisions recognised by the European Commission.

For transfers outside Singapore under the PDPA, we take steps to ensure that personal data transferred to overseas organisations receives a standard of protection comparable to the PDPA, including through contractual arrangements with recipients.

Nas.io does not share any user data obtained from Google with third party tools, including AI models.

G. Data Breach Notification

We maintain procedures to detect, investigate, and respond to personal data breaches. In the event of a breach that is likely to result in a risk to individuals' rights and freedoms:

  • For EEA residents: We will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

  • For Singapore residents: We will notify the Personal Data Protection Commission (PDPC) and affected individuals in accordance with the mandatory breach notification obligations under the PDPA.

We will maintain records of all personal data breaches, including their effects and the remedial actions taken.

H. Protection of Personal Data

To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks, we have implemented appropriate administrative, physical, and technical measures including:

  • Encryption of personal data in transit and at rest;

  • Access controls and disclosure of personal data on a need-to-know basis only;

  • Use of secure hosting infrastructure via AWS;

  • Regular review and enhancement of our information security measures;

  • Staff training on data protection obligations.

While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.

I. Accuracy of Personal Data

We generally rely on personal data provided by you or your authorised representative. To ensure your personal data is current, complete, and accurate, please notify our Data Protection Officer promptly of any changes to your personal data.

J. Retention of Personal Data

We retain your personal data for as long as is necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable law.

We will cease to retain your personal data, or remove the means by which the data can be associated with you, within six (6) months after it has been identified that retention no longer serves the purpose for which it was collected, and is no longer necessary for legal or business purposes.

For EEA residents, we apply the principle of storage limitation and do not retain personal data for longer than necessary for the specified, explicit, and legitimate purposes for which it was collected.

K. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our Website and App. These may include essential cookies (necessary for the operation of our services) and non-essential cookies (such as analytics or advertising cookies).

For EEA residents, we will obtain your explicit consent before placing any non-essential cookies on your device, in accordance with the ePrivacy Directive and applicable national implementing legislation. You can manage your cookie preferences at any time through our Cookie Consent Manager on our Website.

For more information about the cookies we use and how to manage them, please refer to our separate Cookie Policy available on our Website.

L. EU Representative

As we offer goods and services to EEA residents, we are in the process of designating an EU representative as required by Article 27 of the GDPR. Details of our EU representative will be published on our Website and updated in this Notice when appointed. In the meantime, EEA residents may direct all queries to our Data Protection Officer at help@nas.io.

M. Complaints

If you are an EEA resident and believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

For Singapore residents, complaints may be directed to the Personal Data Protection Commission (PDPC) at https://www.pdpc.gov.sg/

We encourage you to contact us first at help@nas.io so we can address your concerns directly.


N. Data Protection Officer

You may contact our Data Protection Officer if you have any enquiries or feedback on our personal data protection policies and procedures, or if you wish to make any request, in the following manner:

  • Name: Kelvin Pui

  • Email: help@nas.io

  • Role: Data Protection Officer, Nas Education Pte Ltd

Users may also request deletion of their personal data by contacting us at help@nas.io.

O. Effect of Notice and Changes to Notice

This Notice applies in conjunction with any other notices, contractual clauses, and consent clauses that apply in relation to the collection, use, and disclosure of your personal data by us.

We may revise this Notice from time to time. Where we make material changes, we will provide reasonable notice to affected users (for example, by email or by posting a prominent notice on our Website) prior to the changes taking effect. Your continued use of our services following any changes to this Notice constitutes your acknowledgement and acceptance of those changes.

You may determine if any revision has taken place by referring to the date on which this Notice was last updated, as shown at the top of this document.