Privacy Policy

Last updated: 26 March 2026

This Privacy Policy explains how Anri collects, uses, discloses, and protects your personal data when you use the EnrichGuru platform. This Policy is drafted in compliance with the Personal Data Protection Act 2012 of Singapore (PDPA). By using our Platform, you acknowledge that you have read and understood this Policy.

1. Who We Are

EnrichGuru is operated by Anri ("Company", "we", "our", "us"), a company registered in Singapore. We operate the EnrichGuru platform at enrichguru.com ("Platform"), a directory connecting Singapore parents with education and enrichment providers for children.

This Privacy Policy explains how we collect, use, disclose, and protect your personal data in accordance with the Personal Data Protection Act 2012 of Singapore ("PDPA") and its subsequent amendments.

Our appointed Data Protection Officer can be contacted at:
Email: privacy@enrichguru.com

2. Scope of This Policy

This Privacy Policy applies to all personal data collected through:

• The EnrichGuru website at enrichguru.com.
• Account registration and onboarding.
• Listing submissions and claims by Vendors.
• Reviews and community features.
• Contact forms and support communications.
• Payment processing for subscription plans and advertising.
• Email newsletters and marketing communications.

This Policy applies to all users of the Platform, including parents and guardians ("Parents"), education and enrichment providers ("Vendors"), and general visitors.

3. Personal Data We Collect

We collect personal data that you provide to us directly, as well as data collected automatically when you use the Platform.

3.1 Data You Provide Directly

• Account registration data — your full name, email address, and password when you create an account using email/password sign-up, or your name and email address when you sign in via Google OAuth.
• Onboarding and profile data — your role (Parent, Student, or Vendor), your children's names and ages, preferred Singapore districts and planning areas, enrichment category interests, and budget preferences.
• Contact and communication data — your name, email address, and the content of messages you send through our contact form or support channels.
• Review data — the content, ratings, and any other information included in reviews you submit, linked to your account.
• Vendor listing data — business name, registered address, contact details (phone number, email, website), class schedules, pricing, age groups served, descriptions, images, logos, and other information submitted as part of a listing.
• Payment data — when you subscribe to a paid plan or purchase advertising, your payment is processed by Stripe. We receive confirmation of payment status, subscription details, and a truncated card identifier from Stripe. We do not store your full credit card number, CVV, or other sensitive payment credentials on our servers.
• Marketing preferences — your opt-in or opt-out choices for email newsletters, WhatsApp or Telegram notifications, and other marketing channels.

3.2 Data Collected Automatically

• Usage data — pages visited, search queries, listings viewed, buttons clicked, time spent on pages, and navigation patterns.
• Device and browser data — browser type and version, operating system, screen resolution, device type, and language preferences.
• Network data — IP address, approximate geolocation (city/country level), and referring website or source.
• Cookie data — authentication session tokens and user preference cookies (see Section 8 for details).

4. Purposes for Collecting and Using Personal Data

Under the PDPA, we collect and use your personal data only for the following purposes:

4.1 Platform Operation and Service Delivery

• To create and manage your user account.
• To display education provider listings to Parents searching for classes and activities.
• To process Vendor listing claims and submissions.
• To enable Parents to save listings, submit reviews, and set preferences.
• To process subscription payments and advertising purchases.
• To provide customer support and respond to enquiries.

4.2 Communications

• To send transactional emails, including account verification, password resets, payment confirmations, and subscription notifications.
• To send service-related notifications about your listings, reviews, or account activity.
• To send marketing emails and newsletters, only where you have provided your express consent (opt-in).

4.3 Platform Improvement and Analytics

• To analyse usage patterns, search behaviour, and engagement to improve the Platform's features and user experience.
• To generate aggregate, anonymised statistics about Platform usage.
• To conduct A/B testing and product development.

4.4 Safety, Security, and Legal Compliance

• To detect and prevent fraud, abuse, and security incidents.
• To enforce our Terms & Conditions and other policies.
• To comply with applicable Singapore laws, regulations, and legal processes.

We do not sell your personal data to third parties. We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

5. Consent

Under the PDPA, we rely on your consent to collect, use, and disclose your personal data for the purposes described in this Policy.

Express consent is obtained for:

• Marketing communications — you actively opt in during onboarding or through your account settings.
• Review submissions — you choose to submit a review and understand it will be publicly displayed.
• Onboarding preferences — you voluntarily provide your children's information and district preferences.

Deemed consent applies where:

• You voluntarily provide personal data to us for a purpose that is reasonable and apparent from the circumstances (for example, providing your email address to create an account).
• Consent is deemed given under the PDPA for the performance of a contract (for example, processing your subscription payment).

Withdrawal of consent. You may withdraw your consent for any purpose at any time by:

• Updating your preferences in your account settings.
• Clicking the "unsubscribe" link in any marketing email.
• Contacting us at privacy@enrichguru.com.

Please note that withdrawing consent for certain purposes may affect our ability to provide the Platform's services to you. We will inform you of the likely consequences of withdrawing consent before processing your request.

6. Disclosure and Sharing of Personal Data

We share your personal data only in the following circumstances and with the following categories of recipients:

6.1 Third-Party Service Providers

We engage the following third-party service providers who process personal data on our behalf:

• Stripe (payment processing) — processes your payment information when you subscribe to a paid plan or purchase advertising. Stripe is PCI-DSS Level 1 certified. Your payment data is governed by Stripe's Privacy Policy (stripe.com/privacy).
• Supabase (authentication and database) — stores your account data, profile information, and Platform data. Supabase processes data in accordance with their Privacy Policy (supabase.com/privacy).
• Google (OAuth authentication) — if you choose to sign in with Google, your basic profile information (name and email) is shared with us by Google. Google's data handling is governed by Google's Privacy Policy (policies.google.com/privacy).
• Vercel (hosting) — hosts the Platform and processes web requests, which may include IP addresses and request metadata.
• Email service providers — we use third-party email services to send transactional and marketing emails.

All service providers are bound by data processing agreements that require them to protect your data and use it only for the purposes we specify.

6.2 Public Display

• Vendor listing information (business name, address, contact details, class information, and photos) is publicly displayed on the Platform by design.
• Reviews and ratings submitted by Parents are publicly displayed alongside the reviewer's display name.

6.3 Legal Requirements

We may disclose your personal data if required to do so by Singapore law, regulation, court order, or government request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have regarding your data.

We do not share your personal data with advertisers, data brokers, or any third parties for their own marketing purposes.

7. Protection of Children's Data

EnrichGuru is a platform designed to help parents find enrichment activities for their children. We take the protection of children's personal data very seriously.

Data we collect about children. During onboarding, Parents may optionally provide their children's first names and ages to personalise their experience and receive age-appropriate listing recommendations. This information is:

• Provided voluntarily by the parent or legal guardian.
• Stored in association with the parent's account only.
• Not publicly displayed on the Platform.
• Not shared with Vendors or any third parties.
• Not used for marketing or advertising purposes.
• Not used to create profiles of individual children.

Children do not create accounts. The Platform is intended for use by adults (parents, guardians, and education providers). Users must be at least 18 years of age to create an account. We do not knowingly collect personal data directly from children under the age of 18.

Parental control. Parents can view, update, or delete their children's information at any time through their account settings or by contacting us at privacy@enrichguru.com.

If we become aware that we have inadvertently collected personal data from a child under 18 without verified parental consent, we will take immediate steps to delete such data.

8. Cookies and Tracking Technologies

We use cookies and similar technologies on the Platform for the following purposes:

8.1 Essential Cookies (Required)

• Authentication session cookies — these cookies are set by Supabase to keep you logged in and maintain your session. They are necessary for the Platform to function and cannot be disabled without losing access to authenticated features.
• Security cookies — used to prevent cross-site request forgery and protect your account.

8.2 Functional Cookies

• Preference cookies — store your display preferences, such as currency settings or last-viewed category.

8.3 Analytics

• We collect anonymised usage data to understand how users interact with the Platform. This data is used in aggregate form and does not personally identify you.

What we do not use:

• We do not use third-party advertising or retargeting cookies.
• We do not use tracking pixels from social media platforms.
• We do not participate in cross-site tracking networks.

Managing cookies. You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, disabling essential cookies will prevent you from logging in and using authenticated features of the Platform.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by Singapore law.

Account data. We retain your account information for as long as your account is active. If you request account deletion, we will delete or anonymise your personal data within 30 days, except where retention is required by law.

Vendor listing data. Active listing information is retained for as long as the Vendor's account is active. After account closure, listing data may be retained in anonymised form for directory integrity.

Reviews. Review content may be retained in anonymised form after the reviewer's account is deleted, to preserve the integrity of Vendor ratings and the Platform's review history.

Payment records. Transaction records and payment history are retained for 7 years in accordance with Singapore's Income Tax Act and IRAS requirements.

Communication records. Support enquiries and contact form submissions are retained for 2 years after the last communication.

Usage and analytics data. Anonymised, aggregate usage data may be retained indefinitely for statistical analysis.

Marketing data. If you unsubscribe from marketing communications, we will retain your opt-out preference to ensure we respect your choice.

10. Your Rights Under the PDPA

Under Singapore's Personal Data Protection Act, you have the following rights:

Right of access. You may request access to the personal data we hold about you. We will provide a copy of your data in a commonly used electronic format.

Right of correction. You may request the correction of any personal data that is inaccurate or incomplete. You can update most of your information directly through your account settings.

Right to withdraw consent. You may withdraw your consent for any specific purpose of data collection, use, or disclosure at any time. Note that withdrawal of consent may affect our ability to provide certain services.

Right to data portability. Upon request, we will provide your personal data in a structured, commonly used, and machine-readable format.

Right to deletion. You may request the deletion of your account and associated personal data. We will comply with your request subject to any legal retention obligations.

How to exercise your rights. To exercise any of these rights, contact our Data Protection Officer at privacy@enrichguru.com. Please include:

• Your full name and the email address associated with your account.
• A clear description of your request.
• Any relevant details to help us locate the specific data in question.

We will acknowledge your request within 3 business days and provide a substantive response within 30 days, as required by the PDPA. In exceptional cases where we require more time, we will notify you of the extension and the reasons.

No fee. We will not charge a fee for processing reasonable access or correction requests. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or decline the request, and will explain our reasons.

11. Cross-Border Data Transfers

Some of our third-party service providers process data in jurisdictions outside of Singapore. Where personal data is transferred outside of Singapore, we ensure that:

• The recipient provides a standard of protection comparable to that under the PDPA.
• Appropriate safeguards are in place, such as contractual clauses or binding corporate rules.
• The transfer complies with the requirements of the PDPA's Transfer Limitation Obligation.

Our key service providers and their data processing locations:

• Stripe — processes payment data primarily in the United States, with data centres globally. Stripe is PCI-DSS compliant and maintains robust data protection standards.
• Supabase — hosts data in data centres that may be located outside Singapore. Supabase maintains SOC 2 Type II compliance.
• Vercel — serves the Platform globally through a content delivery network with edge locations worldwide.

12. Data Security

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit — all data transmitted between your browser and the Platform is encrypted using TLS/HTTPS.
• Encryption at rest — personal data stored in our database is encrypted at rest.
• Secure authentication — passwords are hashed using industry-standard algorithms. We support Google OAuth as an additional secure sign-in option.
• Access controls — access to personal data is restricted to authorised personnel on a need-to-know basis.
• Regular security reviews — we periodically review our security practices and update them in response to emerging threats.
• Payment security — payment processing is handled by Stripe, which is PCI-DSS Level 1 certified, the highest level of payment security certification.

Despite our efforts, no system is completely secure. We cannot guarantee the absolute security of your data. If we become aware of a data breach that is likely to result in significant harm to you, we will notify you and the Personal Data Protection Commission (PDPC) as required by the PDPA's Mandatory Data Breach Notification regime.

13. Third-Party Links

The Platform may contain links to third-party websites, including the websites of listed Vendors, Stripe's payment portal, and other external services. We are not responsible for the privacy practices, content, or security of these third-party sites.

We encourage you to review the privacy policies of any third-party websites you visit through links on our Platform. The inclusion of a link does not imply endorsement of the linked site.

14. Do Not Call Registry

We respect the Singapore Do Not Call ("DNC") Registry provisions under the PDPA. We do not make unsolicited telemarketing calls or send unsolicited text messages. If you have provided your phone number to us (for example, as part of a Vendor listing), we will only use it for purposes directly related to our services and in accordance with your consent.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will update the "Last updated" date at the top of this page.
• We will notify registered users by email at least 14 days before the changes take effect.
• We will post a notice on the Platform.

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree with the changes, you should stop using the Platform and contact us to close your account.

We encourage you to review this Policy periodically to stay informed about how we protect your data.

16. Complaints

If you believe that we have not complied with this Privacy Policy or the PDPA, you may lodge a complaint with us by emailing privacy@enrichguru.com. We will investigate your complaint and respond within 30 days.

If you are not satisfied with our response, you may escalate your complaint to the Personal Data Protection Commission (PDPC) of Singapore:

Personal Data Protection Commission
10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438
Website: pdpc.gov.sg
Email: info@pdpc.gov.sg

17. Contact Us

For any privacy-related questions, requests, or concerns, please contact:

Anri — Data Protection Officer
Email: privacy@enrichguru.com
Website: enrichguru.com

For general enquiries, contact: support@enrichguru.com