Section 1 Data controller and DPO contact
The data controller for this website and the associated advisory channels is:
- Legal name: VIVA EDUCATION PTE. LTD.
- Singapore UEN: 202448391R
- Registered address: 3 Little Road · #04-02 · Singapore
- Primary email: [email protected]
- Telephone / WhatsApp: +65 8686 3695
All personal-data requests should be directed to the DPO.
Email: [email protected] (the DPO inbox appointed under PDPA s11(3)).
Telephone: +65 8686 3695
Section 2 Categories of personal data we collect
VIVA only collects data directly relevant to the tutoring relationship. The usual categories are:
- Identity data: Name, preferred form of address, preferred working language (English / Chinese).
- Contact data: Email, telephone, WhatsApp number, postal address (only where invoices or physical materials are needed).
- Academic data: Private education institution (PEI), awarding university, programme, degree level, year of study, module references, submission deadlines, prior transcripts (only if the student volunteers them).
- Coursework and submission content: Draft essays, assignments, presentation slides, reading lists, exam-paper recall, viva-practice audio (only retained with the student's consent).
- Payment data: Billing name, billing address, transaction reference. Full card numbers are never stored by VIVA — they are handled by PCI-DSS compliant third-party processors such as Stripe.
- Communication records: Email threads, WhatsApp chats, contact-form submissions, tutoring meeting notes.
- Technical data: IP address, browser type, access time, page-view trail, cookie identifiers (see the Cookie Policy).
- Additional data for minors: Where the student is below 18, we also collect the parent's or legal guardian's name, contact details and a record of their signed consent (see Section 10).
Section 3 Purposes for use and disclosure
VIVA only uses and discloses your personal data for the following purposes:
- Service delivery: including module match, tutor scheduling, lesson-material preparation, session arrangements, pre-submission review and viva practice.
- Tutor-student matching: pairing a student's discipline and module with a suitable tutor.
- Payments and invoicing: issuing GST-compliant invoices, collecting payment, processing refunds, recovering bad debt.
- Safeguarding minors: verifying parental / guardian identity and consent, logging contact circumstances during the relationship.
- Service improvement: conducting anonymised analysis of internal tutoring records to improve teaching method.
- Legal compliance: responding to lawful queries from regulators (PDPC, IRAS, CPE) and to court-issued process.
- Marketing communications: only after you have expressly opted in, we may send notices of VIVA programmes and events; you may opt out at any time.
Section 4 Consent mechanism
VIVA processes your personal data only on the following bases:
- Express consent: signing the Tutoring Service Agreement, submitting an enquiry form, responding to a WhatsApp enquiry, or sending us an email is taken as consent to the processing reasonably needed to handle that interaction.
- Deemed consent (PDPA s15): where the processing is reasonably necessary to deliver the service the student has asked for (for example, a tutor reading a draft essay to provide feedback).
- Authority of law: the exemptions listed in the First Schedule to the PDPA, such as legal proceedings or the investigation of an offence.
You may withdraw consent at any time by written notice to the DPO ([email protected]). Withdrawal does not affect any processing already lawfully carried out before the withdrawal. Note that withdrawing key consents may make it impossible for VIVA to continue providing the service.
Section 5 Third-party data intermediaries and processors
VIVA shares only the personal data needed with the following service providers. Each provider is bound by a written agreement to process the data only as authorised; VIVA remains the data controller under the PDPA.
- Stripe: Payment processing. Stripe is a PCI-DSS Level 1 compliant U.S.-listed company governed by its own privacy policy.
- WhatsApp / Meta: Client communications via WhatsApp Business API; covers the chat record between you and VIVA.
- Cloudflare: Website hosting, DNS, Email Routing, CDN and DDoS protection; edge servers located worldwide.
- Google Workspace: Email, document collaboration, calendar; stored across Google's global data-centre footprint.
- OpenAI / Anthropic: Only used during tutoring to assist tutors with idea structuring or language checking. We have opted out of model training at the API level so that student inputs are not used to train third-party models.
- Accounting / tax agent [TBC]: Where required, transaction data is disclosed to VIVA's appointed accountant / tax agent (specific firm to be confirmed by user).
Outside the above, VIVA does not sell, rent or disclose your personal data to any third party, unless: (a) required by law; (b) you give express consent; or (c) it is necessary to protect VIVA, students or the public's legitimate interests.
Section 6 Cross-border data transfers
Some of the service providers in Section 5 are located outside Singapore (USA, EU, etc.). VIVA relies on PDPA s26 read with PDPR 2021 regs 10, 11 and 12 to ensure those overseas transfers are protected to a standard comparable to or higher than the PDPA:
- Reg 10 — Recipient's obligations: each overseas recipient must be bound by a legally enforceable contract (such as standard contractual clauses) to protect the data at PDPA-equivalent standards;
- Reg 11 — Form of contract: the contract lists the data categories, processing purpose, retention period, security measures and breach-notification duties;
- Reg 12 — Exceptions: the transfer is also lawful where you have expressly consented, where it is necessary to perform a contract with you, or where it is in your interest.
A summary of VIVA's current cross-border transfer arrangements is available from the DPO on request.
Section 7 Retention periods
VIVA only retains your personal data for as long as needed for the purposes set out in Section 3, and applies the following retention rules:
- Enquiry without contract: 12 months from last contact, then deleted.
- Contracted students: Retained throughout the engagement; for 5 years after the engagement ends, in line with IRAS Income Tax Act record-keeping requirements.
- Financial vouchers: Invoices and bank confirmations retained for 5 years as required by IRAS.
- Minors: Retained until the student turns 21, or 5 years after the engagement ends, whichever is longer.
- Communication records (email / WhatsApp): Throughout the engagement; for 24 months afterwards as a basis for complaint handling and legal self-defence.
At the end of the retention period the data will be deleted irreversibly or permanently anonymised, unless another legal obligation requires continued storage.
Section 8 Your rights
Under PDPA ss21, 22 and 24 you have the following rights:
- Access: to find out what data VIVA holds about you and how it has been used and disclosed in the past 12 months.
- Correction: to ask VIVA to correct any inaccurate or incomplete data.
- Withdrawal of consent: to withdraw a previously given consent for a specific processing purpose.
- Deletion: to ask VIVA to delete data that is not within a legal or financial retention obligation.
- Data portability: once the PDPC's data-portability provisions take effect, you may ask for your data to be transmitted in a machine-readable format to another service.
Please send written requests to [email protected]. VIVA will respond within 30 calendar days (the reasonable period contemplated in PDPA s21(2)). For access requests requiring significant manpower, VIVA may charge a reasonable fee in accordance with PDPA s28, and will give you written notice of the fee in advance.
Section 9 Data security and breach notification
VIVA takes reasonable and appropriate physical, administrative and technical security measures, including:
- All stored electronic files sit on encrypted volumes; transfers use TLS 1.2 or higher;
- Staff and tutors access student data on a least-privilege basis;
- Third-party service providers undergo due diligence for SOC 2, ISO 27001 or equivalent security controls;
- Passwords and access keys are rotated regularly.
In the event of a data breach VIVA will follow the Mandatory Data Breach Notification framework under Part VIA (s26A–26E) of the PDPA:
- Assess whether the incident causes "significant harm" or affects 500 or more individuals (significant scale);
- If the threshold is met, notify the PDPC within 3 calendar days of becoming aware of the breach;
- Notify affected individuals by reasonably practical means at the same time.
Section 10 Minors
VIVA serves students who may be minors. We follow the PDPC's 2024 Advisory Guidelines on the PDPA for Children's Personal Data in the Digital Environment and tier consent accordingly:
- Under 13: Consent must be given by a parent or legal guardian. VIVA does not market directly to children under 13.
- 13 to 17: Consent is given by the student, with subsequent ratification by a parent or guardian via a signed acknowledgment.
- 18 and above: Treated as an adult who may consent independently.
Parents or guardians may contact the DPO at any time to exercise the minor's access, correction or withdrawal rights on their behalf.
Section 11 Updates to this policy
VIVA may update this privacy policy from time to time. Material changes (such as new processing purposes, new overseas transfers, longer retention periods) will be announced at least 14 days in advance in a prominent place on this website and notified by email to active students and parents. Continuing to use the website or VIVA's services is taken as acceptance of the updated policy.
The "last updated" date at the top of this page makes it easy to track changes. Historical versions are available from the DPO on request.
Section 12 Complaints and the regulator
If you believe VIVA has not handled your personal data in line with this policy or the PDPA, please address a written complaint to the DPO first: [email protected]. VIVA will acknowledge receipt within 14 calendar days and report the outcome of the investigation within 30 days.
If you are not satisfied with VIVA's response, you may complain to the Personal Data Protection Commission (PDPC):
- Website: https://www.pdpc.gov.sg
- Complaint form: PDPC website "Lodge a Complaint"
- You may also use the PDPC / IMDA Alternative Dispute Resolution channel.