At VietRica, privacy is a core part of the learning experience. This policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have over your data.
1. Scope
This policy applies to all VietRica services, including the website, web app, course player, AI tutor, certificate system, and any official support channels. By using VietRica, you confirm that you have read and agree to the data handling described here.
2. Data we collect
2.1 Data you provide
- Account: display name, email address, password (stored as a hash), preferred language.
- Optional profile: avatar, short bio, social links — only if you fill them in.
- Billing: billing name, address, tax number (if you request a VAT invoice). Full card details are never stored on our servers.
- Content you create: assignments, comments, questions to the AI tutor, uploaded attachments.
2.2 Data generated as you learn
- Course progress, quiz answers, final-exam scores, list of certificates earned.
- AI tutor conversation history and text-to-speech narration requests.
2.3 Technical data
- IP address, browser user agent, screen size, system language.
- Session and preference cookies (UI, language).
- Access logs (URL, timestamp, HTTP status code) for monitoring and abuse prevention.
3. How we use the data
- Provide the service: registration, sign-in, progress tracking, certificate issuance, payment processing.
- Personalisation: course recommendations, remembering language and UI preferences.
- Transactional communication: verification emails, password reset, payment receipts, certificate notifications.
- Marketing communication (only with consent): newsletters about new courses and offers. You can unsubscribe at any time.
- Product improvement: aggregated analytics, bug fixes, A/B tests (anonymised where feasible).
- Legal compliance: responding to lawful requests, fraud prevention, protecting the rights of VietRica and its users.
4. Cookies and similar technologies
VietRica uses cookies for three main purposes:
- Essential cookies: sign-in session, CSRF token, language — cannot be disabled if you want to use the service.
- Analytics cookies: page views, navigation flow, anonymised at the aggregate level.
- Third-party cookies: set when you use features that depend on external services (payment gateways, captcha, embedded YouTube videos if any).
You can block or delete cookies through your browser settings; doing so may disable some functionality.
5. Sharing with third parties
VietRica does not sell your personal data to third parties. We share data only in the following situations:
- Payment gateways: Stripe, PayPal, MoMo and similar partners process transactions under their own privacy policies.
- AI and TTS providers: Questions to the AI tutor and text to be read aloud are sent to providers such as OpenAI or ElevenLabs for processing.
- Email service: SMTP providers send transactional and (consented) marketing email on VietRica's behalf.
- Analytics: Aggregated measurement tools (anonymised where possible).
- Legal requests: disclosure to authorities pursuant to a valid order.
6. AI tutor, narration, and conversation data
When you ask the AI tutor a question or trigger narration playback:
- Your question, plus relevant course context, may be sent to a third-party language model (e.g., OpenAI) to generate a response.
- Narration text is sent to a TTS service (e.g., OpenAI TTS, ElevenLabs) to produce an audio file, which may be cached to reduce cost and improve playback speed on subsequent listens.
- Conversations are kept for up to 90 days for debugging, quality measurement, and improvement of VietRica's models. After that, records are anonymised or deleted.
- You may request deletion of your full conversation history by contacting support.
7. Data security
We apply reasonable technical and administrative measures to protect data, including:
- Data in transit is sent over HTTPS/TLS.
- Passwords stored as a hash (bcrypt/argon2); never stored in plain text.
- CSRF tokens on forms, rate limits on sensitive endpoints.
- Regular backups and least-privilege internal access.
That said, no system is perfectly secure. Please use a strong password and enable two-factor authentication when available.
8. Data retention
- Active accounts: data is kept until you request deletion or close the account.
- Closed accounts: most data is deleted within 30 days, except information required for legal or accounting reasons (invoices, receipts) — typically up to 5–10 years per tax regulations.
- Access logs: retained for up to 12 months for security and abuse prevention.
9. Your rights
Subject to applicable law, you may have the following rights over your personal data:
- Access: request a copy of your data.
- Correction: fix inaccurate or outdated data.
- Erasure ("right to be forgotten"): request deletion of the account and related data.
- Portability: receive your data in a machine-readable format.
- Withdraw consent: for marketing or other consent-based processing.
- Lodge a complaint: with the competent data protection authority.
To exercise these rights, please reach out via the Contact page. We will respond within 30 days.
10. Children's privacy
VietRica is not intended for children under 16. Children aged 16 and under may use the service only with the consent of a parent or legal guardian. If we discover that data has been collected from a child without valid consent, we will delete it as soon as possible.
11. International data transfers
Some service providers (payment gateways, AI, email) may host servers outside Vietnam. Where that happens, we apply appropriate contractual and technical measures to ensure a level of protection equivalent to applicable legal requirements.
12. Changes to the policy
We may update this policy from time to time. Where the change is material, VietRica will notify you by email or via in-app notice at least 14 days before the effective date. Continuing to use the service after the effective date constitutes acceptance of the new policy.
13. Contact
For any questions, rights requests, or privacy complaints, please reach us via the Contact page or the support email listed in the footer.
Effective: May 2026.