Privacy Policy

Effective: 1 January 2026 · Last updated: May 2026

Compliant with the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations. PathForge is designed for Filipino students ages 6–15; this policy explains how we handle children's data with extra care.

1. Personal Information Controller

ZenForge Technologies ("we," "us," "our") is the Personal Information Controller (PIC) responsible for the processing of personal data collected through PathForge.

Our business name is registered with the Department of Trade and Industry (DTI), Philippines. We are committed to protecting your personal data in accordance with the Data Privacy Act of 2012 (R.A. 10173), its Implementing Rules and Regulations (IRR), and issuances by the National Privacy Commission (NPC).

Data Protection Officer (DPO):
Email: privacy@pathforger.app

2. Information We Collect

We collect the following categories of personal information:

  • Account identifiers: email address, username, optional full name, hashed password (we never store plaintext passwords)
  • Learner profile: grade level (1–12), picked subjects, optional dream career
  • Parent/guardian email: required for learners under 13. Used only for progress notifications and account recovery.
  • Activity data: lessons completed, XP earned, level, streaks, achievements unlocked, in-lesson answer history
  • Tutor messages: text the learner sends to ForgeBot and the tutor's replies (used to maintain conversation context)
  • Subscription data: subscription tier (free/pro/family), and the GCash/Maya payment proof you submit (reference number, amount, optional screenshot) for manual verification
  • Technical data: IP address, browser type, device information, page views, feature interactions (anonymized analytics)

Sensitive personal information. We do not collect government-issued IDs, biometric data, medical records, religious affiliation, political beliefs, sexual orientation, or other sensitive personal information as defined under Section 3(l) of R.A. 10173.

What we do NOT collect from kids. No real-name requirement, no physical address, no phone number, no school name, no photos or biometric data, no location tracking.

3. How We Collect Information

  • Directly from you (signup forms, profile updates, project submissions)
  • Automatically through your use of the Service (cookies, analytics)
  • From third-party authentication providers (if you sign in via OAuth)

4. Legal Basis for Processing

Under Sections 12 and 13 of R.A. 10173, we process your data based on:

  • Consent — given when you create an account and accept these terms
  • Contract necessity — to deliver the Service you signed up for
  • Legitimate interest — to improve the Service, prevent abuse, and provide customer support
  • Legal obligation — to comply with applicable Philippine laws (e.g., tax records, NPC investigations)

5. Purposes of Processing

We use your personal data to:

  • Provide, operate, and maintain the Service
  • Match lessons to the learner's grade and adapt the tutor to their age tier
  • Track progress (XP, levels, achievements, streaks)
  • Show the leaderboard within the learner's age cohort
  • Send transactional emails (welcome, weekly progress to parents, password reset)
  • Process subscription payments and prevent fraud
  • Improve the Service through anonymized analytics
  • Respond to support inquiries
  • Moderate inappropriate content and ensure age-safe interactions
  • Comply with legal obligations and protect against legal claims

We will never sell your personal data. We do not share personally identifiable information with third parties for advertising purposes. We do not target ads to children — there are no ads in PathForge at all.

6. Leaderboards & Friends

Limited information is visible to other learners on PathForge:

  • Leaderboard: username, current level, total XP, streak. Visible only to other signed-in learners.
  • Friends: username, level, XP, streak. Visible only to learners you accept as friends. Friend requests are restricted to learners in the same user mode (kids only connect with kids).

Email, full name, parent email, and grade are NEVER shown to other learners. You can decline any friend request and remove friends at any time. There are no public-facing learner profile pages.

7. Data Sharing and Third-Party Processors

We share your data only with the following Data Processors under strict data sharing agreements that comply with Section 20 of R.A. 10173:

  • Supabase (USA) — database, authentication, file storage.
  • Vercel (USA) — hosting and content delivery.
  • OpenAI (USA) — powers ForgeBot tutor responses. Only the learner's message text and minimal context (grade, picked subjects, dream career, level) are sent. The OpenAI API does not use this data for training under their no-training policy for API customers.
  • GCash / Maya (Philippines) — you pay through your own GCash or Maya app. We only receive the payment proof you choose to submit (reference number, amount). We never see your wallet credentials or PIN.
  • Resend (USA) — transactional email delivery (payment confirmations, account notices).
  • Vercel Analytics (USA) — anonymized page view tracking.

Cross-border data transfer. Some of our processors are based outside the Philippines. We rely on the contractual safeguards required under Section 21 of R.A. 10173 to ensure your data maintains an equivalent level of protection.

8. Your Rights as a Data Subject

Under Sections 16–18 of R.A. 10173, you have the following rights:

  • Right to be informed — about how your data is collected and used
  • Right to access — request a copy of your personal data
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure or blocking — delete or restrict processing under qualifying conditions
  • Right to damages — seek redress for violations
  • Right to data portability — receive your data in a structured, commonly used, machine-readable format
  • Right to object — refuse processing for direct marketing or profiling
  • Right to file a complaint — with the National Privacy Commission if you believe your rights are violated

To exercise any of these rights, email privacy@pathforger.app with your request. We will respond within seven (7) business days. Verification of identity may be required.

You may also file a complaint with the National Privacy Commission (NPC).

9. Data Retention

We retain your personal data only as long as necessary to fulfill the purposes for which it was collected, including:

  • Active account data — for the duration your account is active
  • Account deletion — personal data removed within thirty (30) days of your deletion request, except where retention is required by law
  • Financial records — retained for ten (10) years as required by the Bureau of Internal Revenue (BIR) under the Tax Reform Act
  • Anonymized analytics — retained indefinitely for service improvement (no personal identifiers)

10. Security Measures

In compliance with Section 20 of R.A. 10173 and the NPC's privacy and security standards, we implement appropriate organizational, physical, and technical security measures:

  • Encryption — all data is encrypted in transit (HTTPS/TLS) and at rest
  • Password security — bcrypt hashing (industry standard)
  • Row-level security — database access controls ensure users can only access their own data
  • Access controls — internal access limited to authorized personnel on a need-to-know basis
  • Audit logs — administrative actions are logged for security review
  • Incident response — breach notification within 72 hours to affected users and the NPC as required by law

11. Children's Privacy

PathForge is built for Filipino students ages 6 to 15. We treat children's data with extra care under R.A. 10173 and NPC Advisory Opinions on minors' personal data, in line with international best practices (UN CRC General Comment No. 25).

For learners under 13 years old:

  • Account creation requires the consent of a parent or legal guardian, who must provide a verifiable parent/guardian email during signup.
  • Parents may request to access, correct, or delete their child's data at any time by emailing privacy@pathforger.app.
  • Weekly progress emails are sent to the parent/guardian email on Pro and Family plans.

Universal child-safety measures:

  • No ads, no in-app purchases marketed to kids. Subscriptions are sold only to adults via the parent-facing pricing page.
  • AI tutor guardrails. ForgeBot is age-tier calibrated. It refuses violence, adult content, drugs/alcohol, self-harm, and any sensitive topic outside school subjects. Sensitive personal topics (mental health, family stress) are gently redirected to trusted adults or PH crisis lines (e.g., NCMH 1553).
  • No external links surfaced to kids. The app never sends a learner outside PathForge.
  • Friend connections are restricted to learners in the same user mode. There are no DMs, no chat, no group messaging — only friend connections that show shared leaderboard standings.
  • No photos, no biometrics, no location data are collected from learners — ever.
  • Profiles are private by default. There are no public-facing profile pages.
  • Right to be forgotten: a parent or learner can request full account deletion at any time. We remove all personal data within 30 days, except where retention is required by Philippine law.

If you believe a child has signed up without parental consent or if you have any concern about a learner's safety on PathForge, please email privacy@pathforger.app and we will act within 24 hours.

12. Cookies

We use essential cookies (for authentication and session management) and anonymized analytics cookies. See our Cookie Policy for full details and your choices.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least fourteen (14) days before taking effect. The "Last updated" date at the top of this page reflects the latest revision.

14. Contact and Complaints

For any questions, concerns, or requests regarding your personal data, contact our Data Protection Officer:

Data Protection Officer

ZenForge Technologies

Email: privacy@pathforger.app

Response time: within 7 business days

If you are unsatisfied with our response, you may lodge a complaint with the National Privacy Commission (NPC).