Privacy Policy
Effective date: 26 June 2026 · Last updated: 26 June 2026
1. About This Policy
This Privacy Policy explains how Intech Art Sdn. Bhd. ("we", "us", "our") collects, uses, discloses, and safeguards personal data in connection with the IRIS Integrated RC ISMI System — including the IRIS web portal, IRIS Staff mobile application, and IRIS Parent mobile application (collectively, "IRIS" or "the System").
We are committed to protecting your personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia. By using IRIS, you consent to the practices described in this policy.
2. Who We Are
IRIS is operated by Intech Art Sdn. Bhd. on behalf of Red Camel ISMI preschool centres. Each preschool branch is an independent data user in relation to the students, parents, and staff enrolled at that branch. Intech Art Sdn. Bhd. acts as a data processor providing the technology platform.
For data protection enquiries, contact us at: hello@intech-art.com
3. Personal Data We Collect
We collect and process the following categories of personal data depending on your role:
3.1 Parents & Guardians
- Full name, email address, phone number, and password (stored encrypted)
- Identity card (MyKad) or passport number, date of birth, gender, nationality
- Home address, occupation, employer name, and office contact details
- Emergency contact name, phone number, and relationship
- Profile photo (optional, uploaded by you)
- Communication preferences (language, notification channels)
- Device tokens for push notifications (device name, platform, app version)
3.2 Students (Children)
- Full name, student ID, MyKid / IC number, birth certificate number
- Date of birth, gender, nationality, race, religion
- Home address, sibling information
- Medical conditions, allergies, dietary restrictions, behavioural and learning notes
- Enrolment date, programme, previous school, referral source
- Father's and mother's full names, IC numbers, occupations, company details, and contact information
- Guardian details (name, IC number, relationship, contact)
- Emergency contact details
- Profile photo (optional)
- Daily attendance records including check-in and check-out times, method used, and temperature readings
- Facial encoding data (if face recognition check-in is enabled at the branch)
- Photos taken in class activities and uploaded to the gallery by teachers
- Uploaded identity documents (birth certificate, MyKid, parent IC copies)
- Academic progress, reading records, hafazan records, and development assessments
3.3 Teachers & Staff (Drivers, Assistants)
- Full name, email address, phone number, employee ID, and password (stored encrypted)
- IC number, date of birth, gender, nationality, home address
- Employment status, qualifications, and specialisations
- Salary type and amount, bank name, bank account number
- EPF number, SOCSO number, income tax number
- Emergency contact details
- Profile photo (optional)
- Daily lesson plans, staff reflections, cleaning reports, and activity reports
- Performance evaluations submitted by branch managers
- Expense claims including mileage (start and end location text, distance) and receipt images
- Device tokens for push notifications
3.4 Data Collected Automatically
- Device information (device name, platform, app version) when you use the mobile apps
- Push notification delivery logs (token, status, timestamps)
- In-app message read receipts and announcement read status
4. How We Use Your Personal Data
We use your personal data for the following purposes:
- Account management — creating and authenticating your account
- School operations — student enrolment, class management, attendance tracking
- Parent communication — daily reports, announcements, messages, and notifications
- Safety & security — face recognition check-in, QR code check-in, temperature logging
- Academic records — lesson plans, student progress reports, hafazan and reading records
- HR & payroll — staff records, salary management, expense claim processing
- Compliance — internal audits, manager evaluations, SOP compliance reporting
- Billing — generating invoices and recording fee payments
- Gallery & media — sharing class photos and activities with parents (subject to consent settings)
- Push notifications — delivering attendance alerts, announcements, and messages to your device
- System improvement — usage analytics to improve the platform
5. Biometric Data
Where a branch enables face recognition for student check-in, we collect and store facial encoding data (mathematical vectors derived from a photo — not the photo itself, except for one sample reference image). This data is used solely for attendance verification. It is stored securely and is not shared with any third party. You may request deletion of facial encoding data at any time by contacting your branch administrator.
6. Photo & Media Sharing
Teachers may upload class photos to the gallery. Each student's enrolment record includes explicit consent settings for photo sharing, video sharing, and public display. Parents may update these preferences at any time through the IRIS Parent app or by contacting the branch. We will honour these preferences when sharing content.
7. Disclosure of Personal Data
We do not sell your personal data. We may share your data with:
- Supabase — our cloud database provider (hosted in AWS ap-southeast-1, Singapore). Data is processed under Supabase's data processing agreement.
- Cloudflare R2 — our file storage provider for photos, documents, and media uploads.
- Expo / Expo Notifications — used to deliver push notifications to your mobile device via Apple APNs and Google FCM.
- Your preschool branch — branch administrators and authorised teaching staff have access to data relevant to their branch.
- Legal authorities — where required by Malaysian law or a valid court order.
8. Data Security
We implement the following security measures:
- Passwords are hashed using bcrypt (cost factor 10) — never stored in plain text
- All API communication is over HTTPS/TLS
- Sensitive fields are encrypted at rest using AES-256-GCM
- File uploads are validated by type and magic bytes to prevent malicious uploads
- Access is role-based — staff only see data relevant to their branch and role
- JWT tokens are used for session authentication with short expiry windows
Despite these measures, no system is completely secure. Please keep your password confidential and notify us immediately if you suspect unauthorised access to your account.
9. Data Retention
We retain personal data for as long as your account is active or as required for operational, legal, or regulatory purposes. Student records are typically retained for seven (7) years after the student's last enrolment date. Staff records are retained for seven (7) years after employment ends. You may request earlier deletion — see Section 10.
10. Your Rights
Under the PDPA 2010, you have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Withdrawal of consent — withdraw consent for non-essential processing (e.g. photo sharing)
- Deletion — request deletion of your data, subject to legal retention obligations
To exercise any of these rights, contact your branch administrator or email us at hello@intech-art.com. We will respond within 21 days.
11. Children's Privacy
IRIS processes data about children below the age of 18. This data is provided by parents or guardians at the time of enrolment and is used solely for educational and operational purposes. We do not knowingly collect data from children directly. Parents may review, correct, or request deletion of their child's data at any time.
12. Push Notifications
IRIS uses push notifications to deliver attendance alerts, messages, and announcements to your mobile device. You can manage notification preferences within the app or disable push notifications through your device settings at any time. Disabling notifications does not affect your ability to use the app.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes via in-app announcement or email. Continued use of IRIS after the effective date of any changes constitutes acceptance of the updated policy.
14. Contact Us
For any privacy-related questions, requests, or complaints:
If you are not satisfied with our response, you may lodge a complaint with the Department of Personal Data Protection (JPDP) Malaysia at www.pdp.gov.my.