Last updated: October 7, 2025

This Privacy Policy explains how Punya Idiomas (“we”, “us”, “our”) collects and processes personal data through our websites (including https://punyaidiomas.com), applications, and services for:

1) Students/subscribers (we teach you directly)
2) Teachers/academies (we create materials and services for third-party education providers)
3) Parents (we design custom materials or lessons for your children, with parental/guardian oversight)

This policy is designed to align with major privacy frameworks (EU/UK GDPR, ePrivacy cookie rules, California CCPA/CPRA, Brazil LGPD, Indonesia PDP Law) and common best practices. It does not constitute legal advice.

Who we are (Controller)

Controller: Punya Idiomas
Registered address: Indonesia
Contact (privacy): support@punyaidiomas.com

For services we deliver to third-party academies, we usually act as a processor on their instructions. In those cases, the academy is the controller and our processing is governed by a Data Processing Addendum (DPA) available on request.

What data we collect

Depending on how you interact with us, we may collect:

  • Account & identity data: name, email, password (hashed), username/role (student, teacher, parent), preferred language, time zone.
  • Contact & profile data: phone number (optional), billing/shipping address (for paid materials), profile photo (optional).
  • Class/learning data: enrolled courses, assignments, progress, feedback, quiz results, messages with teachers, scheduling/attendance, and (if enabled) audio/video session metadata and recordings.
  • Content you provide: messages, comments, uploaded files, homework, voice notes.
  • Teacher/academy data: work contact details, subjects, institution name, license usage, materials you create for us or for client academies.
  • Payment data: transaction identifiers and limited billing details (payments handled by certified payment processors; we do not store full card numbers).
  • Device & usage data: IP address, device/browser type, settings, crash logs; cookie identifiers and similar technologies.
  • Support data: tickets, emails or chats with our support team.

We do not intentionally collect special categories of data (e.g., health, religion) unless you choose to share them where strictly relevant (e.g., accessibility needs), and then only with appropriate safeguards.

Why we use your data (Purposes) & legal bases

Where GDPR/UK GDPR applies, our legal bases are:

  • Contract – to provide the service (account creation, lessons, progress tracking, payments, support).
  • Consent – non-essential cookies/analytics, marketing emails, publishing testimonials, recording classes where required; you can withdraw consent at any time.
  • Legitimate interests – security, fraud prevention, service analytics and improvement, B2B relationships with teachers/academies (balanced against your rights).
  • Legal obligations – tax, accounting, responding to lawful requests.

We use data to: deliver lessons and materials; manage subscriptions and orders; personalize content; communicate with you; maintain security; and comply with law.

Children & parents

  • Services for minors are accessed by parents/guardians or by schools with appropriate authority. Where a child can access an online area, we require parental/guardian consent when required by law and apply local age thresholds.
  • We do not knowingly collect personal data from children under 13 without verifiable parental consent.
  • If you believe a child provided data without consent, contact support@punyaidiomas.com and we will take appropriate action.

Parents/guardians can manage consent and may request access, correction or deletion of a child’s data via support@punyaidiomas.com.

Cookies & similar technologies

We use essential cookies to run our site. With your consent, we may also use analytics and advertising cookies. You can manage preferences any time via Cookie Settings (see our separate Cookie Policy).

Embedded content, social plugins & external tools

Third-party content (e.g., videos, maps, fonts, classroom tools, video-conferencing, anti-spam) may set cookies or collect data under their own policies. When feasible, we load such tools only after consent (for non-essential purposes) or provide privacy-friendly defaults.

Payment processing

We use third-party payment providers that act as controllers for card data. They share limited payment metadata with us (e.g., transaction ID, status). Please review their privacy notices.

Service providers (processors) & sharing

We share data with trusted service providers strictly as needed to operate our services, under contracts that require confidentiality and security. Typical categories:

  • Hosting & infrastructure (web hosting, CDN, backup)
  • Classroom & communications (video calls, chat, email delivery)
  • Analytics & performance monitoring
  • Payments & billing
  • Anti-spam and security
  • Customer support tools

We may also share data: i) with academies where we act as processor; ii) to comply with law; iii) in a merger/acquisition (with notice); iv) with your explicit consent.

International transfers

If your data is transferred internationally, we use safeguards such as Standard Contractual Clauses (SCCs), the UK IDTA/Addendum, adequacy decisions, or other mechanisms allowed by law. Where we transfer personal data to service providers in the United States that are certified under the EU-U.S. Data Privacy Framework (and the UK/Swiss extensions, where applicable), we may rely on that certification. We assess local laws when necessary and implement additional measures when required.

Data retention

We keep data only as long as necessary to provide the service and for legitimate purposes such as legal, tax or accounting requirements. Example defaults (adjust as needed):

  • Account data: for the life of the account, then delete or anonymize within 90 days.
  • Class/learning data: 24 months after last activity unless law or contract requires longer/shorter.
  • Payment/tax records: 6–10 years (jurisdiction-dependent).
  • Support tickets: 24 months.
  • Security/anti-fraud logs: typically 30–180 days.

Security

We apply appropriate organizational and technical measures (access controls, encryption in transit, backups, vulnerability management, least-privilege). No system is 100% secure; if we detect a breach affecting your data, we will notify you and regulators when required.

Your rights

Depending on where you live, you may have rights to access, rectify, delete (erasure), restrict, object, port your data, and to withdraw consent. You also have the right to lodge a complaint with your local data-protection authority. We honor these rights under applicable laws (e.g., GDPR/UK GDPR, CCPA/CPRA, LGPD, Indonesia PDP Law).

How to exercise your rights

  • Email support@punyaidiomas.com from the address associated with your account, or use Account → Privacy where available.
  • We will verify your identity, evaluate the request, and respond within legal timeframes (generally one month under GDPR/UK GDPR, extendable by up to two months for complex requests; 45 days under CCPA/CPRA, extendable with notice).
  • When we act as a processor for an academy, we will forward your request to the relevant controller and assist as required.

Right to deletion (erasure)

You can ask us to delete your personal data at any time. We will honor your request unless an exception applies (e.g., information we must keep to comply with tax/accounting laws, to establish or defend legal claims, to detect/prevent fraud or abuse, to meet contractual obligations, or where retention is otherwise required by law). Where deletion is not possible, we will restrict processing to the minimum necessary and explain the reason.

Marketing and analytics

You can withdraw consent for non-essential cookies/analytics at any time via Cookie Settings and opt-out of marketing communications using the unsubscribe link in emails.

Complaints

You can contact us at any time. You also have the right to complain to your local data-protection authority (for EEA: see your national DPA; for UK: ICO; for Brazil: ANPD; for Indonesia: the supervisory authority designated under the PDP Law).

Regional supplements

EEA & UK (GDPR/UK GDPR)

  • Legal bases include contract, consent, legitimate interests, and legal obligation.
  • You can object to processing based on legitimate interests and opt out of direct marketing at any time.
  • For children using online services, parental consent thresholds apply per local law.

California (CCPA/CPRA)

  • You have rights to know/access, delete, correct, opt-out of sale or sharing of personal information, and to limit use of sensitive personal information.
  • We do not sell personal information in the common understanding of that term, nor do we profile students for behavioral advertising. If we ever engage in cross-context behavioral advertising, we will provide a prominent “Do Not Sell or Share My Personal Information” link and honor Global Privacy Control signals.
  • Notice at Collection: for California residents, we provide a summary of the categories of personal information we collect, the purposes, and whether we sell/share or use it for targeted advertising, at or before the point of collection.
  • Timing: We will respond to verifiable consumer requests within 45 days, extendable by another 45 days with notice when reasonably necessary.
  • Non-discrimination: we will not discriminate against you for exercising your rights.

Brazil (LGPD)

You have rights including confirmation, access, correction, anonymization/blocking/deletion, portability, information about sharing, and review of automated decisions.

Indonesia (PDP Law)

We follow principles of lawful, fair, and transparent processing, purpose limitation, data minimization, security, and accountability; we honor rights of access, correction, and deletion and obtain parental consent where required for minors.

Automated decision-making

We do not use automated decision-making that produces legal or similarly significant effects without human involvement.

Legal notice (no legal advice)

This policy is designed to align with major privacy frameworks and best practices. It does not constitute legal advice. Laws evolve and may apply differently to your specific circumstances (e.g., school contracts, children’s data, cross-border transfers). If you operate in regulated sectors or multiple jurisdictions, consider a review by qualified counsel.

Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or in-app notice. The “Last updated” date shows the latest version.

Contact

Punya Idiomas
Indonesia
support@punyaidiomas.com

Appendix A — Example list of processors (replace with your actual vendors)

  • Hosting/CDN: (e.g., Hostinger/Cloudflare)
  • Email delivery/CRM: (e.g., MailerLite/SendGrid)
  • Video-conferencing/classroom: (e.g., Zoom/Google Meet/Jitsi)
  • Payments: (e.g., Stripe/PayPal)
  • Analytics: (e.g., Matomo / Google Analytics – consent-based in EEA/UK)
  • Anti-spam: (e.g., Akismet / hCaptcha / reCAPTCHA)

Keep this list current. Link to vendors’ privacy notices where required.

Short cookie notice (to link from banner)

We use cookies to run our site and, with your consent, for analytics and personalization. Click Cookie Settings to manage preferences. For more details, read our Cookie Policy.