Privacy Policy
Effective Date: March 16, 2026
This Privacy Policy describes how TeachCRM ("we," "us") collects, uses, shares, and protects personal data. It applies to all users of the Service.
The Short Version
- You (the teacher) decide what student data goes in. We process it on your behalf.
- We never sell data, and we never send student names, LRNs, or grades to AI providers.
- We use Google Gemini for AI features, Render for hosting, PayMongo for payments, and Google Analytics for usage metrics. That's it.
- You can request deletion of your account and data at any time.
- If something goes wrong (data breach), we notify you within 72 hours.
1. Who We Are & Our Role
TeachCRM is operated from the Republic of the Philippines and is primarily intended for teachers and school administrators in the Philippines. We comply with the Philippine Data Privacy Act of 2012 (RA 10173).
For student personal data you enter into the Service, you (the teacher) act as the Personal Information Controller (PIC), and we act as a Personal Information Processor (PIP). For operational data we process for our own purposes (account security, fraud prevention, analytics, AI sub-processor selection), we act as the controller.
2. Information We Collect
Teacher Account Information:
- Name, email address, school name, department, optional phone number.
- Authentication data via Google OAuth (Google profile, email).
- Encrypted password (if registered via email/password).
Student Data You Enter:
- Personal information: names, LRN, contact details.
- Sensitive personal information: birthdates, gender, academic grades, attendance records.
- Any other content you input through the Service.
Subscription & Payment Information:
- Plan type, subscription dates, transaction references.
- We do NOT store credit card numbers, GCash credentials, or Maya credentials. All payment details are handled directly by PayMongo (PCI-DSS compliant).
Usage & Operational Data:
- AI feature usage counters and token consumption (for fair-use enforcement).
- Support chat history with our AI assistant ("Teachy").
- Tour completion status, feature usage timestamps.
- Server logs containing IP address, browser type, request timestamps, and pages visited.
Cookies & Tracking: See Section 8 for details.
3. How We Use Information
We process personal data for the following purposes:
- To provide the Service: create accounts, store records you input, generate AI content you request, deliver reports and exports.
- To secure the Service: detect and prevent unauthorized access, abuse, or fraud; enforce rate limits; investigate security incidents.
- To improve the Service: aggregate, anonymized usage analysis. We do not use student data for product improvement.
- To communicate: send transactional emails (subscription receipts, password resets, security alerts, terms updates). We do not send marketing emails without separate consent.
- To comply with law: respond to lawful requests from authorities, including the National Privacy Commission, BIR, and courts of competent jurisdiction.
4. Legal Basis for Processing
We rely on the following lawful bases under RA 10173 §12-13, and where applicable, the EU General Data Protection Regulation (GDPR):
- Contract: processing necessary to deliver the Service you signed up for.
- Consent: for cookies/analytics requiring opt-in, and for any future marketing communications.
- Legitimate interests: for security, fraud prevention, and basic usage analytics, balanced against your privacy rights.
- Legal obligation: for tax records, breach notification, and lawful requests.
For student personal data, the lawful basis is the teacher's authority and consent as the PIC. The teacher warrants that the necessary parental or institutional consent has been obtained under RA 10173 §27 and any applicable foreign law.
5. AI Processing & Sub-Processors
The Service includes optional AI features powered by Google Gemini, operated by Google LLC. When you use AI features:
- We transmit your curriculum topics, lesson context, and teacher-supplied instructions to Google's AI API to generate the requested content.
- We do NOT transmit student names, LRNs, grades, attendance, or any other identifying personal data of students to AI providers.
- Google processes the prompt on its infrastructure (which may be located outside the Philippines, including in the United States), generates a response, and returns it to us.
- Google's data handling for the Gemini API is governed by Google's API Terms and the Gemini API Additional Terms of Service. As of the effective date of this Policy, paid-tier Gemini API inputs are not used to train Google's models.
We may change AI sub-processors as the Service evolves. Material changes (e.g., switching providers or changing what data is sent) will be reflected in an updated version of this Policy.
6. Third-Party Service Providers
We use the following service providers ("sub-processors") to operate the Service. Each is bound by their own data protection terms:
- Render — cloud hosting and database infrastructure.
- Google LLC — OAuth authentication, Gemini AI processing, Google Analytics.
- PayMongo — payment processing (PCI-DSS compliant).
- Resend — transactional email delivery.
- Upstash / Redis provider — task queue and caching infrastructure.
We do not sell, rent, or trade personal data to any third party. We share data with these providers only as necessary to operate the Service.
7. International Data Transfers
Our infrastructure and sub-processors may be located outside the Philippines, including in the United States and other jurisdictions. In particular:
- Google's Gemini and Analytics services may process data in Google data centers globally.
- Render hosts servers in multiple regions; the specific region may change.
- Resend, PayMongo, and other providers may store operational metadata outside the Philippines.
In accordance with RA 10173 §21, we take reasonable steps to ensure that cross-border data transfers maintain a comparable level of protection. Where required by GDPR or similar laws, we rely on the sub-processor's Standard Contractual Clauses or equivalent safeguards.
8. Cookies & Analytics
We use cookies and similar storage to operate the Service:
- Essential cookies: Django session cookie and CSRF token. Required to keep you logged in and prevent cross-site request forgery. These cannot be disabled.
- Analytics cookies: Google Analytics (GA4) sets cookies prefixed
_gato measure aggregate usage and improve the Service. You may opt out via your browser settings or the Google Analytics opt-out browser add-on. - Local storage: Your cookie consent choice and minor UI state (e.g., support chat open/closed) are stored in your browser's localStorage and sessionStorage. This data does not leave your device.
Upon first visit, the Service presents a cookie notice. By continuing to use the Service after acknowledging the notice, you consent to non-essential cookies. You may withdraw consent at any time by clearing your browser storage and adjusting your browser cookie settings.
9. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy:
- Active accounts: data is retained for as long as your account is active.
- Account deletion: upon your request, account data and User Content are removed from active systems within approximately 30 days. Residual copies in encrypted backups may persist for up to 90 days before automated rotation.
- Inactive Free-tier accounts: we may archive or delete Free-tier accounts that have been inactive for an extended period, with reasonable advance notice via the email on file.
- Financial records: payment transaction metadata is retained for at least five (5) years as required by Philippine tax law.
- Security & legal logs: server logs and audit trails (including the Terms Agreement Log) may be retained longer where necessary to investigate incidents or comply with legal obligations.
- Anonymized data: aggregated, non-identifying usage statistics may be retained indefinitely for product analysis.
10. Security Measures
We implement reasonable technical and organizational measures to protect personal data, including:
- HTTPS/TLS encryption in transit; HSTS enforced.
- Encrypted storage at rest by our cloud providers.
- Hashed and salted passwords using Django's standard cryptography.
- Role-based access controls and authentication on all endpoints.
- Automatic session expiry after 30 minutes of inactivity and on browser close.
- Rate limiting and abuse detection on sensitive endpoints.
- Regular dependency updates and security patches.
No security measure is perfect. You are responsible for the security of your own account credentials and the device you use to access the Service.
11. Data Breach Notification
In the event of a personal data breach affecting your account, we will:
- Notify the National Privacy Commission within 72 hours of becoming aware of the breach, as required by RA 10173 and NPC Circular 16-03.
- Notify affected users without undue delay, including the nature of the breach, likely consequences, and steps taken.
As the PIC for student data, you are responsible for further notifying affected data subjects (students and parents) in your role under RA 10173 and any applicable foreign law (e.g., GDPR Article 34, US state breach notification laws). We will provide the technical information necessary for you to fulfill this obligation.
12. Your Privacy Rights
Under RA 10173 (all users): You have the right to be informed, the right to access, the right to object, the right to erasure or blocking, the right to damages, the right to file a complaint with the NPC, the right to rectify inaccurate data, and the right to data portability.
If you are located in the European Union or United Kingdom: You may have additional rights under the GDPR, including the right to restrict processing, withdraw consent, and lodge a complaint with your local supervisory authority. To exercise GDPR rights, contact us at the email below.
If you are a California resident: You may have rights under the CCPA/CPRA, including the right to know what personal information is collected, the right to delete personal information, the right to opt out of "sale" or "sharing" of personal information (note: we do not sell personal information), and the right to non-discrimination for exercising your rights.
How to exercise your rights: Send a written request to support.teachcrm@gmail.com from the email associated with your account. We will respond within the timeframe required by applicable law, typically within 30 days. We may request additional information to verify your identity.
For student/parent requests: Students or parents wishing to exercise rights over data entered by a teacher must contact the teacher or the school directly, as they are the PIC for that data. We will provide tools to the teacher to fulfill such requests.
13. Children's Data
The Service is not intended for direct use by children under 18. Accounts are restricted to teachers and education professionals.
However, the Service is designed for record-keeping about minor students by their teachers. We process this data under the lawful authority of the teacher and the school. By inputting data about minors, you (the teacher) warrant that you have obtained the consents required by:
- RA 10173 §27 (Philippines) — consent of parent or guardian for sensitive personal information of minors.
- The Children's Online Privacy Protection Act ("COPPA") (United States) — verifiable parental consent or operation under the "school authority" exception.
- GDPR Article 8 (European Union) — parental consent for processing of personal data of children under 16 (or lower age set by Member State).
- Any other applicable child data protection law in your jurisdiction.
We rely on the teacher's warranty in this regard. If you believe a minor's data has been entered into the Service without proper consent, contact us immediately at support.teachcrm@gmail.com.
14. Account & Data Deletion
You may delete your account at any time by:
- Using the account deletion option in the Service, where available; or
- Emailing support.teachcrm@gmail.com from the email address associated with your account.
Deletion is irreversible. Upon deletion, your account and User Content are removed as described in Section 9. Certain records (financial transactions, security logs, terms agreement records) may be retained as required by law.
15. Changes to This Policy
We may revise this Privacy Policy from time to time. When we make material changes, we will update the "Effective Date" and version identifier at the top of this document and notify active users in-app, by email, or by requiring re-acknowledgment before continued use.
Continued use of the Service after the Effective Date constitutes acceptance of the revised Policy.
Governing Law
This Privacy Policy is governed by the laws of the Republic of the Philippines, without regard to its conflict of law principles. Nothing in this Policy waives non-waivable rights you may have under the mandatory privacy laws of your country of residence.
Contact
For privacy-related questions, requests, or complaints under RA 10173, GDPR, CCPA, or any applicable law, contact:
Data Protection inquiries: Concerns regarding the processing of personal data under RA 10173 should be directed to the email address above. We will route your inquiry to the appropriate responsible party and respond within the timeframes required by law.
You may also file a complaint with the National Privacy Commission if you believe your rights under RA 10173 have been violated.