iStoria Coach

Student Privacy Policy

Effective Date: 10/5/2026

1. Introduction

This Privacy Policy explains how iStoria Information Technology Company (شركة إيستوريا لتقنية المعلومات), Commercial Registration No. 1010632341, headquartered in Riyadh, Kingdom of Saudi Arabia ("iStoria", "we", "us", or "our"), collects, processes, stores, and protects the personal data of students ("you" or "Student") who use the iStoria Coach live tutoring service (the "Service").

This Policy is issued in compliance with the Saudi Personal Data Protection Law (PDPL), Royal Decree No. M/19 dated 9/2/1443H, and its Implementing Regulations. By registering for or using the Service, you acknowledge that you have read and understood this Policy.

If you are under 18 years of age, your parent or legal guardian must review and consent to this Policy on your behalf before you may use the Service. We do not knowingly allow minors to use the Service without verified parental or guardian consent.

2. Data Controller

The data controller responsible for your personal data is:

3. Personal Data We Collect

We collect the following categories of personal data in connection with your use of the Service:

3.1 Account and Identity Data

•         Full name

•         Email address

•         Phone number

•         Date of birth (to verify age and parental consent requirements)

•         Profile photograph (if voluntarily provided)

•         Language preferences

•         Calendar data synced via Google Calendar integration (session times, session titles, and associated email address)

3.2 Session and Learning Data

•         Tutoring session schedules, attendance, and duration

•         Instructor assignment and session history

•         Learning progress, assessment scores, and proficiency levels

•         Session notes recorded by instructors

3.3 Audio, Video, and Communications Data

•         Live audio and video streams transmitted during tutoring sessions

•         Session recordings (audio and video) stored for quality assurance, dispute resolution, and service improvement purposes

•         In-platform chat messages exchanged between Students and Instructors during or in connection with sessions

3.4 Payment and Billing Data

•         Transaction records (amount, date, package purchased)

•         Payment method type (e.g., Mada, Apple Pay, STC Pay, credit card)

Note: Full payment card details (card number, CVV) are processed directly by our PCI DSS-compliant payment processors (Tap Payments / HyperPay) and are never stored on iStoria systems.

3.5 Technical and Usage Data

•         IP address, device type, operating system, and browser type

•         Session connection quality and technical logs

•         Pages visited, features used, and interaction timestamps

•         Cookies and similar tracking technologies (see Section 10)

4. Special Provisions for Minors (Under 18)

iStoria Coach is open to Students aged 13 and above. We apply enhanced protections for minors:

4.1 Parental Consent

•         Registration of any Student under 18 requires the affirmative consent of a parent or legal guardian.

•         The consenting parent/guardian must provide their name, contact information, and relationship to the Student.

•         We may require additional verification of the parent/guardian relationship at our discretion.

•         The parent/guardian may withdraw consent at any time by contacting us, which will result in account deactivation and deletion of the minor’s data in accordance with Section 8.

4.2 Data Minimization for Minors

•         We collect only the minimum data necessary to deliver tutoring services to minors.

•         Profiling, automated decision-making, and behavioral advertising are never applied to minor Students.

•         Session recordings involving minors are retained for a maximum of 60 days (reduced from the standard 90-day period) unless a longer period is required for an active dispute or legal obligation.

4.3 Children Under 13

We do not knowingly collect personal data from children under the age of 13. If we become aware that a child under 13 has provided personal data without verified parental consent, we will promptly delete such data and terminate the associated account.

5. Purposes of Data Processing

We process your personal data for the following purposes:

We will not process your personal data for purposes incompatible with those stated above without providing you with prior notice and, where required, obtaining your consent.

6. Data Sharing and Disclosure

We do not sell your personal data. We share personal data only with the following categories of recipients, and only to the extent necessary for the stated purposes:

6.1 Instructors

Your name, proficiency level, learning objectives, session schedule, and in-session communications are shared with the Instructor assigned to your sessions. Instructors are independent contractors bound by confidentiality and data protection obligations under their service agreements with iStoria.

6.2 Payment Processors

Transaction data is shared with Gateway Payments to process your payments. These processors operate under their own privacy policies and are PCI DSS compliant.

6.3 Technology and Infrastructure Providers

We use third-party service providers for hosting, video conferencing infrastructure, analytics, and customer support tools. These providers process data on our behalf under data processing agreements that require them to protect your data and use it only as instructed by iStoria.

Specifically, the Service integrates with Google Calendar (operated by Google LLC) to manage session scheduling. When this integration is active, your session times, session titles, and associated email address are shared with Google Calendar. Google processes this data in accordance with its own Privacy Policy (https://policies.google.com/privacy). You may disconnect the Google Calendar integration at any time by contacting us, after which no further calendar data will be shared.

6.4 Legal and Regulatory Disclosures

We may disclose personal data when required by Saudi law, regulation, court order, or a binding request from a competent governmental authority. We may also disclose data to protect the rights, property, or safety of iStoria, our Students, or others.

6.5 Corporate Transactions

In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity, subject to the same privacy protections described in this Policy.

7. Cross-Border Data Transfers

Your personal data is primarily stored and processed within the Kingdom of Saudi Arabia. If we need to transfer your data outside the Kingdom, we will do so only in compliance with PDPL requirements, including:

•         Ensuring the receiving country provides an adequate level of data protection, or

•         Implementing appropriate safeguards such as contractual clauses approved by the Saudi Data & Artificial Intelligence Authority (SDAIA), or

•         Obtaining your explicit consent after informing you of the potential risks of such transfer.

We will never transfer minor Students’ data to jurisdictions that lack adequate data protection without explicit parental/guardian consent.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Policy.

9. Your Rights Under PDPL

Subject to the conditions and exceptions set forth in the PDPL, you (or your parent/guardian, if you are a minor) have the following rights:

•         Right to be Informed: You have the right to know what personal data we hold about you and the purposes for which it is processed.

•         Right of Access: You may request a copy of your personal data in a structured, commonly used format.

•         Right to Correction: You may request that we correct inaccurate or incomplete personal data.

•         Right to Deletion: You may request deletion of your personal data where the purpose of processing has been fulfilled, or where you withdraw consent, subject to legal retention obligations.

•         Right to Restrict Processing: You may request restriction of processing in certain circumstances as provided under the PDPL.

•         Right to Object: You may object to the processing of your personal data where processing is based on legitimate interest.

•         Right to Data Portability: You may request that your data be transferred to another controller in a machine-readable format, where technically feasible.

•         Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at privacy@istoria.com. We will respond within 30 days of receiving your verified request. We may request additional information to verify your identity before processing the request.

10. Cookies and Tracking Technologies

The Service uses cookies and similar technologies for the following purposes:

•         Essential cookies: Required for authentication, session management, and security. These cannot be disabled.

•         Functional cookies: Remember your preferences (language, time zone, display settings).

•         Analytics cookies: Help us understand how the Service is used so we can improve it. These are anonymized and aggregated.

We do not use advertising or behavioral tracking cookies. You may manage cookie preferences through your browser settings. Disabling essential cookies may affect Service functionality.

11. Data Security

We implement technical and organizational measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

•         Access controls restricting data access to authorized personnel on a need-to-know basis

•         Regular security assessments and vulnerability testing

•         Secure video conferencing infrastructure with end-to-end session encryption

•         Instructor access limited to assigned student data only, with no bulk data export capability

•         Incident response procedures for data breach notification in accordance with PDPL requirements

No system is completely secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a personal data breach that poses a high risk to your rights, we will notify you and the competent authority in accordance with PDPL requirements.

12. Automated Decision-Making

The Service may use automated systems to assess language proficiency levels and recommend learning pathways. These recommendations are advisory and can be overridden by your Instructor. No automated decision with legal or similarly significant effect is made without human review.

Automated decision-making and profiling are never applied to minor Students.

13. Third-Party Links and Services

The Service may contain links to third-party websites or services not operated by iStoria. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Service.

14. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

•         We will notify you via email to the address associated with your account and/or through a prominent notice within the Service.

•         For minor Students, material changes that expand data collection or sharing require renewed parental/guardian consent before taking effect.

•         The updated Policy will indicate the revised effective date at the top.

Continued use of the Service after the effective date of a revised Policy constitutes acceptance of the updated terms, except where renewed consent is required.

15. Complaints

If you believe your personal data rights have been violated, you have the right to file a complaint with the Saudi Data & Artificial Intelligence Authority (SDAIA) or any other competent authority in the Kingdom of Saudi Arabia. We encourage you to contact us first at hi@istoria.com so we can attempt to resolve your concern directly.

16. Contact Us

For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact:

17. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (PDPL) and its Implementing Regulations. Any disputes arising from or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts in Riyadh, Kingdom of Saudi Arabia.

iStoria Information Technology Company

Riyadh, Kingdom of Saudi Arabia

Effective Date: 10/5/2026