Skip to content
TreehouseOS

PDPA (Taiwan)

Last updated: 2026-04-18

TreehouseOS complies with Taiwan's Personal Data Protection Act (個人資料保護法 / PDPA) across all pilot and production deployments. The full notice below describes what we collect about your child, why, how long we keep it, and what rights you have. Review it before you complete the parental consent form.

1. Who we are

The data controller is your child's school (the school is the "data user" under PDPA). TreehouseOS is the software processor acting on the school's instructions. TreehouseOS is operated by SupraAgent Ltd., a Taiwan-registered entity. Contact your school directly for day-to-day questions; escalate to privacy@treehouseos.com for TreehouseOS-specific concerns.

2. What we collect

About your child: display name, preferred name, birth date, enrollment date, optional photo. About their learning: teacher observations (text, tagged strands/virtues), photos taken at school, reading logs (title, level, optional audio recording), AI tutor session transcripts, mastery records per concept, quarterly reports. About you: name, email, optional phone, optional LINE user ID (only if you link LINE). We collect no third-party tracking identifiers, no advertising cookies, and no device-fingerprinting.

3. Why we collect it

To produce learning stories and quarterly reports for you; to give your child's teachers a bilingual copilot for observation and narrative drafting; to provide optional AI reading fluency feedback and Socratic tutoring; to send you in-app, email, and (optional) LINE notifications about your child's progress; to operate the school's admissions pipeline. Data is never used to advertise to you or to train general-purpose AI models outside the scope of your child's learning.

4. Legal basis

We process your child's personal data under PDPA Article 8 (explicit consent for sensitive data about a minor). You provide this consent per category (photos, audio, AI tutor) separately — none is bundled. You can revoke any category at any time from the parent dashboard. Consent is captured with a typed signature, timestamp, IP address, and user-agent; this record lives in the ParentalConsent audit table.

5. Who can see the data

Inside the school: only your child's teachers, school admin, and owner. Parents/guardians linked to a specific student see only that student. Row-level security in the database enforces this — it is not only a UI check. No other parent, no other student, and no employee of another school can see your child's data.

6. Third-party processors

We use the following vendors to operate the platform: Supabase (PostgreSQL database + authentication, region: Asia-Pacific/Tokyo); Anthropic (Claude AI — used to draft reports and AI tutor responses, no training on your child's data); Resend (transactional email delivery); LINE (only if you opt in to LINE notifications); Sentry (error monitoring, personal identifiers scrubbed). Each vendor is bound by a data-processing agreement.

7. International transfers

The primary database lives in Supabase's Tokyo region. AI inference requests to Anthropic may be routed to their US infrastructure — we send only the specific observation/report text required for generation and no standing copies are retained there. Email delivery via Resend transits US infrastructure. You can opt your child out of all AI-powered features (tutor, report auto-draft, fluency analysis) using the consent toggles; in that mode, no data leaves the Tokyo region.

8. Retention

While your child is enrolled: we keep their learning records for as long as the school chooses to keep them in your child's learning story, typically through the end of enrollment plus one school year. On withdrawal or transfer: a 30-day grace period during which you can request a data export. After that the school admin permanently deletes the archived record (observations, reading logs, photos, audio, tutor transcripts, reports tied to your child). An automated 30-day purge job will ship in a following release; until it does, deletion is a named admin action, not a scheduled task. Audit logs (who accessed what) are retained for two years for legal compliance and then purged.

9. Your rights (PDPA Article 3)

You may: (a) inquire about and view your child's data; (b) request a copy (export); (c) request corrections; (d) request cessation of collection, processing, or use; (e) request deletion. To exercise any of these, use the tools in the parent dashboard where available, or email your school admin. We will respond within 30 days.

10. Children's specific protections

Because all our end-users' children are minors, we apply stricter defaults than PDPA requires: every media and AI feature is opt-in, never opt-out; photos are not shared outside the parent dashboard and never used for marketing; audio samples can be deleted on request within 48 hours; the AI tutor will not attempt to extract personal information from your child and is instructed to hand off to a teacher on any distress signal.

11. Contact

For access, correction, or deletion requests, contact your school admin. For platform-level concerns, email privacy@treehouseos.com. For Taiwan PDPA complaints unresolved by the school or TreehouseOS, you may contact the Ministry of Digital Affairs (數位發展部).

TreehouseOS — the school that writes home in your voice