Privacy Policy
Last updated: March 2026
This Privacy Policy explains how Aral2x collects, uses, and shares information when you browse the site, create an account, and use reviewer features such as practice attempts, mock simulations, bookmarks, progress tracking, and question reporting.
Aral2x is a learning platform for exam preparation (such as CSE and UPCAT review), not an official exam body. This policy applies to all users of aralaral.ph. For questions about this policy, contact us at info@aralaral.ph.
1. Information We Collect
Depending on how you use the platform, we may collect:
- Account and authentication data: email address, user identifier, authentication provider details (such as email OTP or Google sign-in), and session information.
- Google sign-in data:if you choose “Continue with Google,” we receive your name, email address, Google account ID, and profile photo from Google. We do not receive your Google password.
- Profile data: display name and profile fields you choose to provide.
- Learning activity data: practice attempts, simulation attempts, answers, scores, timestamps, and related progress history.
- Saved content data: bookmarked questions and related study preferences.
- Feedback data: question reports, issue categories, and optional feedback or suggestion text you submit.
- Cookies and similar technologies: we use cookies and browser local storage for authentication sessions and product analytics. See Section 4 for details.
- Technical and usage data: device type, browser type, operating system, IP address, page views, and request metadata collected through analytics and error monitoring tools.
Note: PostHog (product analytics) and Sentry (error monitoring) are active in all production deployments of Aral2x. These tools collect usage and technical data automatically when you use the platform.
2. How We Use Information
We use collected information to:
- Authenticate users and secure account access.
- Operate reviewer features and save your attempts, bookmarks, and progress.
- Improve question quality and prioritize content fixes from user reports.
- Maintain platform reliability, detect abuse, and troubleshoot incidents.
- Measure feature usage and improve user experience through analytics.
- Send transactional messages related to your account, such as OTP login codes.
- Comply with legal obligations, including the Philippine Data Privacy Act (RA 10173), and enforce platform rules.
3. Legal Basis for Processing
Under the Philippine Data Privacy Act (RA 10173) and applicable privacy laws, we process your personal data on the following bases:
- Contract performance: processing necessary to provide the platform and its features to you.
- Legitimate interests: analytics, error monitoring, and platform security — balanced against your privacy rights.
- Legal obligation: compliance with RA 10173 and other applicable Philippine laws.
- Consent: where required (e.g., optional analytics cookies), we obtain your consent and you may withdraw it at any time.
4. Cookies and Similar Technologies
Aral2x uses cookies and browser local storage for the following purposes:
| Cookie / Storage | Purpose | Provider | Can Opt Out |
|---|---|---|---|
| Auth session cookie | Keeps you logged in securely | Supabase | No — required for login |
| PostHog analytics | Tracks feature usage and user flows | PostHog | Yes — via consent banner |
| PostHog distinct_id | Anonymous user identifier for analytics | PostHog | Yes — via consent banner |
| Sentry session | Error and crash reporting | Sentry | No — essential for stability |
You can manage cookie preferences through the consent banner shown on your first visit, or by contacting us at info@aralaral.ph. Disabling analytics cookies will not affect your ability to use the platform.
5. Third-Party Services and Providers
Aral2x uses the following third-party service providers to operate core platform functions. These providers process data on our behalf under their own terms and privacy policies.
- Supabase — authentication, database storage, and related infrastructure. Data is stored in Supabase-managed servers. See supabase.com/privacy.
- Google OAuth— optional sign-in via Google. When you use “Continue with Google,” Google shares your name, email, Google account ID, and profile photo with us. See policies.google.com/privacy.
- PostHog — product analytics. PostHog collects usage events, session data, and an anonymous user identifier. PostHog is active in all production deployments. See posthog.com/privacy.
- Sentry — error monitoring and crash reporting. Sentry collects technical error data including stack traces and browser/device context. Sentry is active in all production deployments. See sentry.io/privacy.
6. Sharing and Disclosure
We do not sell your personal data. We may share information:
- With service providers listed in Section 5 that host or support the platform.
- To comply with Philippine law (including RA 10173), legal process, or valid government requests, including the National Privacy Commission.
- To investigate abuse, fraud, or security issues affecting the platform.
- As part of a merger, acquisition, financing, or asset transfer involving Aral2x, subject to applicable law. We will notify you of any such change via email or a prominent notice on the platform.
7. Data Retention
We retain your data for as long as needed to operate the platform and meet legal obligations. Specific timelines:
| Data Type | Retention Period | Basis |
|---|---|---|
| Account and profile data | Until account deletion request | Contract / user choice |
| Learning activity (attempts, answers, scores) | Life of account; deleted with account | Contract |
| Bookmarks and study preferences | Life of account; deleted with account | Contract |
| Question reports submitted | Up to 2 years after resolution | Legitimate interest |
| Analytics data (PostHog) | 13 months rolling (PostHog default) | Legitimate interest |
| Error logs (Sentry) | 90 days (Sentry default) | Legitimate interest |
| Auth/session logs | 30 days | Security |
| Inactive accounts (no login) | 2 years, then anonymized | Legitimate interest |
8. Your Rights and Choices
Under the Philippine Data Privacy Act (RA 10173) and applicable law, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data, subject to legal retention requirements.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent (e.g., analytics cookies), withdraw it at any time without affecting the lawfulness of prior processing.
- Data portability — request your learning data in a structured, machine-readable format.
- Lodge a complaint — file a complaint with the National Privacy Commission (privacy.gov.ph) if you believe your rights have been violated.
To exercise any of these rights, email us at info@aralaral.ph. We will respond within 15 business days as required by RA 10173. Some requests may require identity verification and may be limited where data must be retained for security, legal, or operational reasons.
9. Philippine Data Privacy Act Compliance
Aral2x is committed to compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations.
- Data Protection Officer (DPO): Aral2x has designated a Data Protection Officer responsible for overseeing compliance with RA 10173. The DPO can be reached at info@aralaral.ph.
- NPC Registration: Aral2x will register with the National Privacy Commission as required under RA 10173 and its implementing rules. Registration status will be updated in this policy when completed.
- Privacy Impact Assessment: we conduct privacy impact assessments when introducing new features that materially affect the processing of personal data.
- Data Breach Notification: in the event of a personal data breach that poses a real risk of serious harm, we will notify affected users and the National Privacy Commission within 72 hours of discovery, as required by law.
10. Security
We use reasonable technical and organizational safeguards to protect platform data, including encrypted data transmission (HTTPS), row-level security on our database, and access controls limiting who can access user data. No method of storage or transmission is completely secure, and we cannot guarantee absolute security. If you discover a security vulnerability, please report it responsibly to info@aralaral.ph.
11. Children and Minors
Aral2x is intended for users aged 18 and above. Users under 18 years of age (minors under Philippine law) may use the platform only with the knowledge and consent of a parent or legal guardian, who accepts responsibility for the minor's use of the platform and compliance with this policy. If you believe a child under 13 has provided personal information without appropriate consent, please contact us immediately at info@aralaral.ph and we will take steps to delete such information.
12. International Use and Data Transfers
Aral2x is operated from the Philippines and primarily serves Philippine users. Data may be processed in jurisdictions where our service providers operate — including the United States, where Supabase, PostHog, and Sentry infrastructure is based. By using the platform, you understand that your information may be transferred to and processed in those jurisdictions under applicable data transfer safeguards.
13. Policy Changes
We may update this Privacy Policy from time to time. For material changes, we will notify registered users by email at least 7 days before the change takes effect. We will also post updates on this page and revise the “Last updated” date. Continued use of the platform after a policy change constitutes acceptance of the revised policy.
14. Contact and Data Protection Officer
For privacy-related questions, data subject requests, or concerns:
- Email: info@aralaral.ph
- Data Protection Officer: info@aralaral.ph (mark subject line: “Privacy / DPO Request”)
- National Privacy Commission (for unresolved complaints): privacy.gov.ph
We aim to respond to all privacy inquiries within 15 business days.