Last updated: 22 September 2025
Company: 5 Steps Academy, 143 East Coast Rd, Singapore, 428833
Contact: admin@takespace.com

This policy explains what data we collect, why we collect it, how we use it, and your choices. It covers the iOS and Android apps and the web dashboard for students, tutors, and schools.

Who is responsible for your data?

We offer two modes:

1. School-Managed Accounts (School Mode).
   Your school is the data controller and we act as a data processor under the school’s instructions.
   
   

2. Direct Accounts (Personal Mode).
   When you sign up yourself, 5 Steps Academy is the data controller.
   
   

Data we collect

Account & identity

• Name, email, role (student/tutor/admin), school/class
  
  

• Optional profile info (photo, username)
  
  

Learning & usage

• Subjects, topics, goals, exam dates, weekly study time
  
  

• Quiz answers, scores, attempts, time-on-task, mastery levels
  
  

• App activity (feature use, timestamps), device language/OS version
  
  

Support & diagnostics

• Messages to support, error reports, crash logs
  
  

Payments 

• Limited payment metadata from our payment provider (we do not store full card details)
  
  

Device permissions

• Camera/Microphone (e.g., voice notes for feedback)
  
  

• Notifications (study reminders)
  
  

We do not collect precise GPS location.
We do not sell personal data.

Why we use data (and legal bases)

Provide and run the service

• Accounts, login, daily study plan, sync progress
  
  

• Legal basis: contract (GDPR Art. 6(1)(b)); in School Mode, we act on the school’s instructions
  
  

Personalize study plans

• Pick the next topic and schedule reviews based on predicted forgetting
  
  

• Legal basis: contract / legitimate interests (better learning outcomes)
  
  

Reliability and security

• Fix bugs, prevent misuse, keep systems safe
  
  

• Legal basis: legitimate interests / legal duty
  
  

Messages to you

• Service updates, policy changes, support replies
  
  

• Legal basis: contract / legal duty; marketing only with consent where required (opt-out anytime)
  
  

Payments & billing 

• Subscriptions and invoices
  
  

• Legal basis: contract / legal duty
  
  

In School Mode, the school sets the legal basis and we process data under our DPA.

Sharing

We share data only with service providers that help us run the app, under strict terms.

Typical providers (replace with your stack):

• Cloud hosting/databases (AWS/Google Cloud/Azure)
  
  

• Analytics & crash reports (e.g., Firebase Crashlytics/Sentry)
  
  

• Email & push (e.g., SendGrid/OneSignal)
  
  

• Payments (e.g., Stripe)
  
  

No data sales. We disclose data to authorities only if the law requires it.

International transfers

If data moves to another country (e.g., EU/UK/US regions), we use safeguards such as Standard Contractual Clauses (SCCs) or UK IDTA plus technical and organisational measures.

Retention

• Active accounts: kept while the account is open
  
  

• School-Managed: as directed by the school; we delete/return data when the contract ends or on request
  
  

• Direct accounts after closure: delete within 30 days; backups rotate within 90 days
  
  

• Logs/diagnostics: typically 12 months, longer only for security or legal reasons
  
  

Your rights

Depending on your location, you may:

• Access your data
  
  

• Fix incorrect data
  
  

• Delete your data
  
  

• Restrict or object to certain uses
  
  

• Get a copy (data portability)
  
  

• Withdraw consent (where we rely on consent)
  
  

School-Managed: contact your school first.
Direct accounts: use in-app Settings → Account → Delete account.

Children

Students under 18 may use the app under school or parent oversight.

• Under 13 (COPPA, U.S.): School or verified parent consent is required before creating accounts or using features that collect personal data.
  
  

• EU/UK: We follow local “digital age of consent” rules (13–16).
  
  

• No ads targeting or unrelated profiling.
  
  

Parents/guardians can request access or deletion via the school (School Mode) or at privacy@takespace.com (Direct accounts).

Cookies (web)

We use necessary cookies for sign-in and optional analytics cookies. Control analytics from the cookie banner or your browser.

Security

Encryption in transit (TLS) and at rest, role-based access, audit logs, least-privilege access, and regular reviews. No method is 100% secure, but we work to keep data safe and respond quickly to incidents.

Learning analytics

We create progress stats and model outputs (e.g., “next topic,” “review due”). In School Mode, authorised teachers/admins may see these to support learning and reporting. We do not build ads profiles.

Third-party links

If you follow a link to another site, their policy applies.

Region notes

• EU/EEA & UK: You may contact our DPO at admin@takespace.com and your local data authority.
  
  

• Singapore (PDPA): Contact our DPO for access/correction or transfer questions.
  
  

• U.S. (COPPA/FERPA): For under-13 users, we obtain school/parent consent. With U.S. schools, we act as a “school official” under FERPA.
  
  

Changes

We will update this page and change the “Last updated” date. For major changes, we will notify you in-app or by email.

Contact

• Email: admin@takespace.com
  
  

• Postal:  5 Steps Academy, 143 East Coast Rd, Singapore, 428833

Data Processing Addendum (schools)

A DPA is available on request and covers processor duties, sub-processors, security, breach notices, and data return/deletion. Contact: admin@takespace.com.