Privacy Policy - Multiply.Cards

Privacy Policy

Multiply.Cards by Fresh Online Pte Ltd
Last Updated: March 10, 2026

Summary: Multiply.Cards is an educational platform for learning times tables. Students sign in with simple share codes and provide no personal information. Teachers and parents provide only an email address and name to manage accounts. We never sell personal information.

Table of Contents

1. Who We Are

Multiply.Cards ("we", "our", or "us") is operated by Fresh Online Pte Ltd, a company registered in Singapore. We provide educational card-based learning games to help students improve their mathematical skills.

We are committed to protecting the privacy of our users, especially children. This Privacy Policy explains how we collect, use, and safeguard information when you use our website and applications.

2. How Our Platform Works

Understanding how Multiply.Cards works is important for understanding what data we collect. Our platform has three types of users, each with different data requirements:

  • Students sign in using a simple share code (e.g., sage.2026) provided by their teacher or parent. No account creation, no email, and no password is required.
  • Teachers create an account to set up classes, generate student share codes, and view learning progress reports.
  • Parents (Multiply@Home) create an account to manage their child's learning at home.

3. Information We Collect

3.1 Student Data

KEY POINT: Students do not create accounts and provide no personally identifiable information. No student email addresses, dates of birth, home addresses, or parent contact information are collected.

When a student uses Multiply.Cards, we collect only:

  • Share code: A teacher-assigned code used to sign in (e.g., sage.2026)
  • Nickname or label: A first name or nickname assigned by the teacher (e.g., "Mike") — no full names are required
  • Learning performance data: Game accuracy scores, which times tables were practiced, game modes played, and session duration
  • Device identifier: A locally-stored browser identifier (using browser local storage) that allows students to reconnect to their share code on the same device. This identifier is stored only on the student's device and is not transmitted to or stored on our servers.

IMPORTANT: Student performance data is completely anonymous and cannot be linked back to individual children. Because this data cannot identify students, it is not considered "personal data" under UK GDPR and is not subject to international transfer restrictions.

We do NOT collect the following from students:

  • Email addresses
  • Dates of birth or age
  • Full names or surnames
  • Home addresses
  • Parent or guardian contact information
  • Photos, videos, or location data
  • IP addresses (beyond standard web server logs)

3.2 Teacher Data

When a teacher creates an account, we collect:

  • Email address and name: Provided via sign-in with Google, Microsoft, or Apple (using OAuth 2.0)
  • Organisation name: Optional, provided by the teacher
  • License and subscription details: Plan type and activation status

OAuth Scope - What We Can and Cannot Access:

When teachers sign in with Google, Microsoft, or Apple, we request only the minimum 'openid profile email' scope. This means:

We receive: Your name and email address only

We CANNOT access:

  • Files, Google Drive, OneDrive, or iCloud
  • Gmail, Outlook, or any emails
  • Calendar events or appointments
  • Contacts or address books
  • Any other data in your Google Workspace, Microsoft 365, or Apple account
  • Your organization's tenant data

We cannot read, send, or access your emails. We cannot access files, calendar, contacts, or any other services. The OAuth integration is used solely for authentication (verifying your identity) and obtaining your email address for account communication and support.

3.3 Parent Data (Multiply@Home)

When a parent creates an account, we collect:

  • Email address and name: Provided via sign-in with Google, Microsoft, or Apple (same OAuth scope as teachers)
  • License details: Purchase and activation status

3.4 Automatically Collected Information

For all users, our web servers may automatically log:

  • Device information: Browser type, operating system, and device type
  • Session data: Session duration and features used within the app

We do not use third-party analytics services (such as Google Analytics) to track users. All learning analytics are stored internally in our own database.

4. How We Use Your Information

  • Deliver educational games and track learning progress
  • Generate progress reports for teachers and parents
  • Allow students to reconnect to their share code on the same device (via local browser storage)
  • Process teacher and parent subscriptions and payments
  • Improve our educational content and game design using anonymised, aggregated learning data
  • Provide technical support
  • Ensure platform security and prevent abuse

5. Children's Privacy

Our approach: Multiply.Cards is designed so that students never need to provide personal information. Students sign in with a share code — there is no account creation, no email required, and no password to manage.

5.1 How We Protect Children

  • Students provide no personally identifiable information
  • Student share codes are generated and managed by teachers or parents
  • No behavioural advertising or ad targeting of any kind
  • No social features, messaging, or communication between users
  • Teachers and parents can delete student data at any time

5.2 COPPA Compliance (US)

Because students do not provide personal information, the typical COPPA requirement for verifiable parental consent is addressed by design. Teacher or parent oversight is built into the platform through the share code system.

5.3 School Use

When used in schools, teachers act as the responsible party for their students' data. Teachers control the creation and deletion of student share codes and can remove student data at any time.

7. Data Sharing

7.1 We Do Not Sell Personal Information

We never sell, rent, or trade personal information to third parties for marketing or any other purpose.

7.2 Who Can See Student Data

  • Teachers can view learning progress for their own students only
  • Parents (Multiply@Home) can view their own child's progress only
  • Student data is never shared with other students, other schools, or third parties

7.3 Service Providers

We use the following third-party services to operate our platform:

Firebase / Google Cloud — Database, hosting, and authentication infrastructure. Processes all platform data (encrypted at rest and in transit). ISO 27001, SOC 2 Type II certified. Location: United States.

Auth0 — Secure teacher and parent sign-in (OAuth 2.0). Processes email address and name only for authentication. ISO 27001, SOC 2 Type II certified. Location: United States.

LemonSqueezy — Payment processing. Processes payment details. We do not store payment card data on our servers. Location: United States.

Netlify — Website hosting and Content Delivery Network (CDN). Serves static website files globally. Netlify is certified under the EU-U.S. Data Privacy Framework. No teacher or student personal data is stored on Netlify servers — only technical data like IP addresses are processed for rate limiting and security purposes. Location: United States (with global CDN).

All service providers are contractually required to protect your information and process it only as instructed. We have Data Processing Agreements in place with all processors handling personal data.

8. Data Storage and International Transfers

Our database is hosted on Google Cloud (Firebase Firestore) in the nam5 multi-region (United States). Google Cloud infrastructure is:

  • ISO 27001 certified
  • SOC 1, SOC 2, and SOC 3 audited
  • GDPR compliant

International Transfer Safeguards

For users in the UK and EU, international data transfers to the United States are protected by:

  1. Standard Contractual Clauses (SCCs) approved by the European Commission and UK Information Commissioner's Office (ICO-approved Article 46 mechanism under UK GDPR)
  2. UK Extension to the EU-U.S. Data Privacy Framework — Google Cloud is certified under this framework, providing additional adequacy-level protections for UK data transfers
  3. Technical safeguards:
    • All data encrypted at rest using AES-256 encryption
    • All data encrypted in transit using TLS 1.3
    • Regular third-party security audits
    • Google Cloud ISO 27001 and SOC 2 Type II certifications

Student Data: Because student performance data is anonymous and cannot identify individual children, it is not considered "personal data" under UK GDPR and is not subject to international transfer restrictions.

Teacher Data: Only minimal teacher data (name and email address) is transferred to the United States, and this is fully protected by the safeguards listed above.

Our website content is served via a global Content Delivery Network (CDN), meaning static assets are delivered from the server closest to each user.

9. Data Security

We implement industry-standard security measures to protect your data:

  • All data encrypted in transit using HTTPS / TLS 1.3
  • All data encrypted at rest using AES-256 on Google Cloud infrastructure
  • Secure authentication via OAuth 2.0 (Google, Microsoft, Apple) and Auth0
  • Firebase Security Rules enforce role-based access controls at the database level
  • Multi-factor authentication (MFA) available for teacher and parent accounts
  • Automatic session timeout after 30 minutes of inactivity
  • Account lockout after multiple failed login attempts
  • No payment card data stored on our servers (handled by LemonSqueezy)
  • Regular security monitoring and updates
  • Staff access limited on a need-to-know basis
  • Audit logging of data access and modifications

While no system is 100% secure, we continuously monitor and update our security practices to protect your information.

10. Data Retention

  • Active accounts: Data retained while the account remains active
  • Deleted accounts: Personal data soft-deleted immediately upon request, then permanently deleted within 30 days. Backup data is automatically purged within 90 days of deletion.
  • Student data: Deleted when the student's share code is removed by the teacher or parent, or when the teacher/parent account is deleted
  • Anonymised data: Aggregated, anonymised learning data may be retained indefinitely to improve our educational content

11. Local Storage

Multiply.Cards uses browser local storage (not tracking cookies) to:

  • Remember your sign-in session
  • Store your preferences and settings (e.g., sound on/off, language)
  • Allow students to reconnect to their share code on the same device (device identifier stored locally only)

We do not use third-party tracking cookies or advertising cookies. Essential cookies may be set by our hosting providers for basic site functionality and security.

12. Your Rights

Under GDPR, UK GDPR, and similar laws, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data
  • Portability: Receive your data in a portable format
  • Restriction: Limit how we use your data
  • Objection: Object to certain processing activities
  • Withdraw Consent: Withdraw previously given consent at any time

How to Exercise Your Rights

For Teachers and Parents:

  • Access & Modify: View and update your name and email address in your account dashboard at any time
  • Export Data: Download your account data and anonymous student performance data in JSON format from your account settings
  • Delete Account: Request account deletion via your account settings or by contacting privacy@freshonline.sg
  • Delete Student Groups: Teachers can delete individual student groups and all associated anonymous performance data directly from their dashboard

Deletion Timeline:

  • Accounts are soft-deleted immediately upon request (you can recover during a 30-day grace period)
  • After 30 days, accounts are permanently deleted and cannot be recovered
  • Backup data is automatically purged within 90 days of deletion
  • You can request a final data export before deletion

For All Users:

To exercise any of these rights, contact us at privacy@freshonline.sg. We will respond within 30 days.

UK and EU residents: You also have the right to lodge a complaint with your local data protection authority:

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. We will notify account holders of significant changes by email. The "Last Updated" date at the top indicates when the policy was last revised.

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

14. Contact Us

For privacy-related inquiries, data requests, or questions about this policy:

Email

privacy@freshonline.sg

Postal Address

Fresh Online Pte Ltd
68 Circular Road #02-01
Singapore 049422

Data Protection Authorities

UK Data Protection Authority:
If you are in the UK and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — https://ico.org.uk/

EU Data Protection Authority:
If you are in the EU and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority — https://edpb.europa.eu/about-edpb/about-edpb/members_en

By using Multiply.Cards, you acknowledge that you have read and understood this Privacy Policy.

© 2026 Fresh Online Pte Ltd. All rights reserved.