KaKa SQA
登录
legal.隐私与数据保护政策Privacy & Data Protection Notice

隐私政策

Privacy Policy

本政策描述 KaKa SQA("本服务"、"我们") 在为你提供留学辅导、试卷训练与相关服务时, 如何收集、使用、存储、共享及保护你的个人数据。 本政策同时构成依据《通用数据保护条例》(EU 2016/679,"GDPR")、 英国《数据保护法》2018 与《一般数据保护条例》(UK GDPR)、 中华人民共和国《个人信息保护法》("PIPL")所作之合规声明。

This Notice describes how KaKa SQA ("the Service", "we", "us") collects, uses, stores, shares and protects your personal data when providing academic mentoring, mock examination training and related services. It serves as our compliance statement under the EU General Data Protection Regulation (Regulation EU 2016/679, "GDPR"), the UK Data Protection Act 2018 and UK GDPR, and the Personal Information Protection Law of the People's Republic of China ("PIPL").

生效日期 · 2026年4月30日 v 2.0 Effective · 30 April 2026 v 2.0

适用范围

Scope

本政策适用于你访问 kakasqa.congchuanji.workers.dev、其任何子域名、 以及通过本服务向 KaKa SQA 提供数据的所有情形,包括但不限于浏览公开页面、 注册账户、登录学员后台、参与一对一辅导、参加模拟试卷以及通过微信或电子邮件与我们联系。

本政策不适用于通过本服务跳转的第三方网站。这些网站由其自身的隐私声明约束。

This Notice applies when you access kakasqa.congchuanji.workers.dev, any of its subdomains, or otherwise provide data to KaKa SQA through the Service, including browsing public pages, registering an account, signing in to the Student Portal, engaging in 1-on-1 mentoring, taking mock papers, or contacting us via WeChat or email.

This Notice does not apply to third-party websites linked from the Service, which are governed by their own notices.

术语定义

Definitions

个人数据
任何与已识别或可识别自然人相关的信息(GDPR 第 4(1) 条;PIPL 第 4 条)。
数据控制者
单独或与他人共同决定个人数据处理目的与方式的自然人或法人(GDPR 第 4(7) 条)。
数据处理者
代表控制者处理个人数据的自然人或法人(GDPR 第 4(8) 条)。
数据主体
其个人数据被处理的已识别或可识别自然人,即本服务的用户
处理
对个人数据的任何操作,包括收集、记录、组织、存储、改编、检索、咨询、使用、披露、传输、限制、删除、销毁。
同意
数据主体自由作出、具体、知情且明确表示其同意处理其个人数据的意愿表达(GDPR 第 4(11) 条)。
Personal Data
Any information relating to an identified or identifiable natural person (GDPR Art. 4(1); PIPL Art. 4).
Controller
The person or entity that determines the purposes and means of processing personal data (GDPR Art. 4(7)).
Processor
The person or entity that processes personal data on behalf of the controller (GDPR Art. 4(8)).
Data Subject
The identified or identifiable natural person whose data is processed, i.e. the user of the Service.
Processing
Any operation on personal data: collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure or destruction.
Consent
A freely given, specific, informed and unambiguous indication of the data subject's wishes (GDPR Art. 4(11)).

数据控制者

Data Controller

本服务的数据控制者为 KaKa SQA, 一间由 KaKa 运营的独立辅导工作室(natural person, sole trader)。 因业务规模与处理数量未达到 GDPR 第 37 条所要求的强制性指定条件, 本服务未指定独立数据保护官(DPO)。 数据保护相关事宜由 KaKa 本人直接负责。

联系方式见第 19 章

The Controller for this Service is KaKa SQA, an independent tutoring studio operated by KaKa as a natural person / sole trader. Given the scale of processing operations, no mandatory Data Protection Officer is required under GDPR Art. 37, and no separate DPO has been designated. All data-protection matters are handled directly by KaKa.

Contact details are in § 19.

数据类别

Data Categories

4.1 自动收集

访问公开页面时,不写入任何 cookie,不调用任何分析脚本。 服务器仅记录技术性最小日志(HTTP 状态码、请求路径、请求时间),用于服务可用性诊断。 该日志不与任何个人身份关联,保留 30 日后被覆盖。

4.2 注册与账户数据

  • 邮箱地址(必需,用于登录、密码重置与服务通知)
  • 密码(必需;以 bcrypt 哈希后存储;明文不留存)
  • 展示名(由你自行设置;可随时修改)
  • 角色标签(学员 / 导师 / 管理员;用于权限分配)

4.3 服务使用数据

  • 你提交的作业内容、留言、批注
  • 对作业章节的进度(已读 / 已完成标记)
  • 会话日志(登录时间、登录设备的近似时区,不收集精确 IP 与定位信息

4.4 试卷访问日志(特殊类别)

每次打开模拟试卷会写入服务端日志,包含:用户 ID、试卷 ID、UTC 时间戳、登录设备的国家级 IP 段(/24)。 该日志的合法目的是反盗版与必要时的法律举证

4.5 不收集

本服务从不主动收集 真实姓名、身份证号、护照号、银行卡号、家庭住址、手机号、社交账号、生物特征、健康数据、宗教信仰、政治观点、性取向,或 GDPR 第 9 条所定义的任何"特殊类别个人数据"。

4.1 Automatically Collected

When you visit public pages, no cookies are written and no analytics scripts run. The server keeps only minimal technical logs (HTTP status, request path, request time) for availability diagnostics. These logs are not linked to identity and are overwritten after 30 days.

4.2 Registration & Account Data

  • Email address (required; used for login, password reset and service notices)
  • Password (required; stored as a bcrypt hash; plaintext is never kept)
  • Display name (set by you; can be changed at any time)
  • Role label (student / tutor / admin; used for access control)

4.3 Service Usage Data

  • Submissions, notes and comments you make on assignments
  • Reading / completion progress on assignment chapters
  • Session logs (login time, approximate time zone of the device; precise IP and geolocation are not collected)

4.4 Mock Paper Access Logs (Special Category)

Each time you open a mock paper we write a server log entry containing: user ID, paper ID, UTC timestamp, country-level IP segment (/24). The lawful purpose is anti-piracy and legal evidence where necessary.

4.5 Not Collected

The Service does NOT proactively collect real name, government ID, passport number, payment card details, home address, phone number, social-media accounts, biometric data, health data, religion, political opinions, sexual orientation, or any "special category" data under GDPR Art. 9.

处理目的

Purposes of Processing

  1. 账户管理。身份认证、会话维持、密码重置。
  2. 服务交付。呈现作业内容、记录进度、保存提交。
  3. 辅导通讯。导师与学员之间针对具体作业的留言。
  4. 反盗版。识别试卷的非授权传播;必要时作为法律证据。
  5. 安全与诊断。识别滥用、阻止暴力破解、维持服务可用性。
  6. 法律义务。响应监管要求或法院命令时的依法配合。

本服务不会出于直接营销目的处理你的数据,也不会进行用户画像或行为广告投放。

  1. Account management. Authentication, session maintenance, password reset.
  2. Service delivery. Presenting assignment content, tracking progress, saving submissions.
  3. Tutoring communication. Messages between tutor and student tied to specific assignments.
  4. Anti-piracy. Detecting unauthorised distribution of mock papers and providing legal evidence where required.
  5. Security & diagnostics. Detecting abuse, preventing brute-force attempts, maintaining service availability.
  6. Legal obligations. Lawful cooperation with regulators or courts when compelled.

The Service does not process data for direct-marketing purposes, profiling, or behavioural advertising.

数据处理者

Sub-processors

为提供本服务,我们使用以下经审慎评估的第三方处理者。每一处理者均与我们签订符合 GDPR 第 28 条要求的数据处理协议(DPA)。

处理者用途所在地合规框架
Cloudflare, Inc.静态网站托管 / CDN美国(全球边缘网络)SCCs · UK IDTA
Supabase Inc.数据库与身份认证欧盟(爱尔兰区域)GDPR 原生 · SCCs
Tencent (微信)用户通讯(仅当你主动添加微信时)中国大陆PIPL · 微信用户协议

除上述三方外,本服务不与任何其他实体共享你的个人数据,包括但不限于:广告网络、数据经纪商、留学中介、教育机构、社交平台、AI 训练公司。

To deliver the Service we use the following carefully evaluated sub-processors. Each is bound by a DPA that meets GDPR Art. 28 requirements.

ProcessorPurposeLocationCompliance
Cloudflare, Inc.Static hosting / CDNUSA (global edge network)SCCs · UK IDTA
Supabase Inc.Database & authenticationEU (Ireland region)GDPR-native · SCCs
Tencent (WeChat)User communication (only when you proactively add the WeChat ID)Mainland ChinaPIPL · WeChat ToS

We do not share your data with any other entity, including ad networks, data brokers, study agencies, educational institutions, social platforms, or AI training companies.

国际数据传输

International Data Transfers

由于本服务的处理者跨欧盟、英国、美国与中国大陆部署, 部分数据可能跨境流动。所有跨境传输基于下列保障措施之一:

  • 欧盟标准合同条款(SCCs),2021 年 6 月 4 日修订版本;
  • 英国国际数据传输协议(UK IDTA),附加于 SCCs;
  • 欧盟充分性认定(针对受认定地区,例如 Supabase EU 区域);
  • 数据主体明示同意(仅在上述机制不适用时使用)。

如你希望了解适用于你数据的具体保障副本,请通过第 19 章所列联系方式索取。

Because our sub-processors operate across the EU, UK, US and mainland China, personal data may be transferred internationally. All transfers rely on one of the following safeguards:

  • EU Standard Contractual Clauses (SCCs), version of 4 June 2021;
  • UK International Data Transfer Addendum (IDTA), appended to the SCCs;
  • EU adequacy decisions for adequate jurisdictions (e.g. Supabase EU region);
  • Explicit consent of the data subject, used only where the above mechanisms do not apply.

To request a copy of the safeguards applicable to your data, contact us per § 19.

Cookie 与追踪技术

Cookies & Tracking

本服务的 cookie 使用情况如下:

  • 登录前:不设置任何 cookie;不加载任何第三方追踪像素或脚本。
  • 登录后:仅设置 严格必要 cookie,包含 Supabase 颁发的会话 token(一个 sb-access-token、一个 sb-refresh-token),用于维持登录状态。其有效期由 Supabase 服务端管理,注销后立即失效。
  • 不使用:分析 cookie、广告 cookie、社交插件 cookie、跨站追踪像素、device fingerprinting。

因本服务仅使用严格必要 cookie,依据 ePrivacy 指令第 5(3) 条,无需弹窗式同意横幅

Our cookie usage:

  • Before login: no cookies are set; no third-party tracking pixels or scripts are loaded.
  • After login: only strictly necessary cookies are set — the Supabase session tokens (sb-access-token, sb-refresh-token) used to maintain your authenticated session. Their lifetime is managed server-side by Supabase and they are invalidated on logout.
  • We do not use: analytics cookies, advertising cookies, social-plugin cookies, cross-site tracking pixels, or device fingerprinting.

Because we use only strictly necessary cookies, no consent banner is required under ePrivacy Directive Art. 5(3).

数据保留与删除

Retention & Deletion

  • 账户数据:账号存在期间保留;注销账户后 24 小时内永久删除(含数据库行级删除与索引清理)。
  • 服务使用数据:辅导关系结束后 12 个月内可申请删除;逾期不删除则继续保留以备查询。
  • 试卷访问日志:保留 24 个月;保留期满后自动清除。在此期间用于反盗版与法律举证。
  • 服务器技术日志:30 天后自动覆盖。
  • 数据库备份:每日自动备份,备份在 7 天后被覆盖;删除请求会同步传播到备份层。

当法律义务(例如法院命令)要求超出上述期限继续保留时,本服务将依法保留,并仅保留所需最小数据。

  • Account data: kept while your account exists; permanently deleted within 24 hours of an account-deletion request (row-level delete plus index cleanup).
  • Service usage data: deletion may be requested within 12 months after the tutoring relationship ends; otherwise retained for reference.
  • Mock paper access logs: retained for 24 months; automatically purged thereafter. Used for anti-piracy and legal evidence during this period.
  • Server technical logs: overwritten after 30 days.
  • Database backups: daily backups, overwritten after 7 days; deletion requests propagate to the backup tier.

Where a legal obligation (e.g. a court order) requires retention beyond the above periods, we retain only the minimum data necessary for that obligation.

技术与组织安全措施

Technical & Organisational Measures

依据 GDPR 第 32 条,本服务实施符合数据处理风险的安全措施:

  • 传输加密:HTTPS / TLS 1.3 全站启用,HSTS 强制;不允许明文 HTTP 访问。
  • 静态加密:Supabase 数据库 AES-256 静态加密;备份同样加密。
  • 认证:密码以 bcrypt(cost factor ≥ 10)哈希;登录尝试限速。
  • 访问控制:数据库表级与行级权限(Row-Level Security);服务端密钥不在前端代码出现。
  • 水印:对会员可见的试卷类内容嵌入个人化水印(用户 ID 哈希、邮箱、时间戳)以追溯泄露源。
  • 最小化原则:仅 KaKa 本人具备生产环境访问权限;无团队成员、无外包客服。
  • 日志:关键操作(登录失败、删除账户、试卷访问)写入独立日志,定期审查。

Pursuant to GDPR Art. 32 we implement the following measures, proportionate to the risk:

  • Encryption in transit: HTTPS / TLS 1.3 everywhere, HSTS enforced; plain HTTP refused.
  • Encryption at rest: AES-256 on the Supabase database and all backups.
  • Authentication: passwords hashed with bcrypt (cost factor ≥ 10); login attempts rate-limited.
  • Access control: table- and row-level security on the database; server-side keys never exposed to the frontend.
  • Watermarking: member-only paper content carries a personal watermark (user ID hash, email, timestamp) to enable leak attribution.
  • Minimisation: only KaKa has production access; no team members or outsourced support.
  • Auditing: sensitive events (failed logins, account deletions, paper access) are written to a separate log and reviewed periodically.

数据泄露通知

Data Breach Notification

如发生可能对你构成较高风险的个人数据泄露, 我们将依据 GDPR 第 33 与 34 条以及 PIPL 第 57 条, 在意识到事件后 72 小时内向相应监管机构报告, 并以适当方式(电子邮件 + 网站公告)不无故拖延地直接通知你。

通知将包含:泄露性质、可能后果、已采取或拟采取的缓解措施、可获取更多信息的联系点。

In the event of a personal-data breach likely to result in a high risk to you, we will report to the relevant supervisory authority within 72 hours of becoming aware (GDPR Arts. 33–34; PIPL Art. 57) and without undue delay notify you directly by email and a site notice.

The notice will describe the nature of the breach, likely consequences, measures taken or proposed, and a contact point for further information.

数据主体权利

Your Rights

你享有 GDPR 第 III 章及 PIPL 第 IV 章所赋予的下列权利:

  • 知情权 / 访问权(Art. 13–15):获取本服务持有的关于你的所有数据副本。
  • 更正权(Art. 16):修改不准确的个人数据(邮箱、展示名等)。
  • 删除权 / 被遗忘权(Art. 17):在符合条件下删除你的数据。
  • 限制处理权(Art. 18):在异议解决期间限制处理。
  • 数据可携权(Art. 20):以机器可读格式(JSON)导出你的数据。
  • 反对权(Art. 21):反对基于合法利益的处理。
  • 撤回同意权(Art. 7(3)):注销账户视为撤回所有授权。
  • 自动化决策的反对权(Art. 22):本服务不进行自动化决策(见第 15 章)。

行使任何权利只需通过第 19 章所列方式联系我们。 我们将在 30 日内免费回应;复杂情况下最多再延长 60 日,并会在 30 日内告知延长。

You have the following rights under GDPR Chapter III and PIPL Chapter IV:

  • Right to information & access (Arts. 13–15): obtain a copy of all data we hold about you.
  • Right to rectification (Art. 16): correct inaccurate personal data (email, display name, etc.).
  • Right to erasure / "to be forgotten" (Art. 17): have your data deleted where conditions are met.
  • Right to restrict processing (Art. 18): restrict processing while a dispute is resolved.
  • Right to data portability (Art. 20): export your data in a machine-readable format (JSON).
  • Right to object (Art. 21): object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)): account deletion equals full withdrawal.
  • Rights re. automated decision-making (Art. 22): we do not perform automated decisions (see § 15).

To exercise any right, contact us per § 19. We will respond within 30 days at no cost; in complex cases we may extend by 60 days and will notify you of the extension within 30 days.

未成年人

Minors

本服务面向 18 周岁及以上同学。我们不主动向未成年人提供服务, 也不在知情情况下收集未成年人的个人数据。如你未满 18 岁, 请在监护人知情同意的前提下使用本服务,并使用监护人的邮箱注册。

若我们发现已收集到未成年人的数据而未取得监护人同意,将立即删除。

The Service is intended for users aged 18 or over. We do not knowingly collect personal data from minors. If you are under 18, please use the Service only with informed parental / guardian consent and register with the guardian's email.

If we discover that personal data of a minor has been collected without consent, we will delete it immediately.

自动化决策与画像

Automated Decision-Making & Profiling

本服务不做任何对你产生法律效力或类似重大影响的全自动决策不进行用户画像不用于训练第三方人工智能模型

客观题的自动校验仅是数学比对(你的选项与正确选项的字符串比较), 不构成 GDPR 第 22 条意义上的"自动化决策"。

We do not conduct fully automated decisions that produce legal effects or similarly significant effects on you, do not profile users, and do not use your data to train third-party AI models.

Automated marking of multiple-choice answers is a string comparison and does not amount to "automated decision-making" under GDPR Art. 22.

平等、多元与包容

Equity, Diversity & Inclusion

KaKa SQA 不以种族、国籍、性别、性取向、性别认同、宗教、家庭背景、经济状况或残障作出区别对待。 任何形式的歧视言语在辅导过程中都不被容忍。LGBTQ+ 友好;尊重你使用的代词与身份选择。

KaKa SQA does not discriminate on race, nationality, gender, sexual orientation, gender identity, religion, family background, financial status or disability. No form of discriminatory language is tolerated during tutoring. LGBTQ+ friendly; we respect your pronouns and identity.

政策变更

Changes to This Notice

本政策可能因服务调整或法律要求而更新。每次更新会:

  • 提升语义化版本号(重大变更:主版本;细节变更:次版本);
  • 更新页首生效日期;
  • 对实质性变更,通过电子邮件提前 14 天通知所有注册用户;
  • 历史版本可在 GitHub 仓库的 commit 记录中检索。

This Notice may be updated due to service changes or legal requirements. With each update we will:

  • Bump the semantic version (major for material changes; minor otherwise);
  • Update the effective date at the top;
  • For material changes, notify registered users by email 14 days in advance;
  • Historical versions are available via the GitHub repository commit log.

监管投诉权

Right to Lodge a Complaint

若你认为本服务对你的个人数据处理违反适用法律, 你有权向相应监管机构投诉,且无需先行联系我们:

  • 欧盟用户:居住地或工作地的成员国监管机构(详见 EDPB 成员名录)。
  • 英国用户:Information Commissioner's Office(ico.org.uk)。
  • 中国大陆用户:国家互联网信息办公室或省级网信部门。

我们鼓励你先与我们联系,便于尽快解决问题。

If you believe our processing of your personal data violates applicable law, you may lodge a complaint with the relevant supervisory authority without contacting us first:

  • EU users: the supervisory authority of your member state of residence or work (see the EDPB members list).
  • UK users: the Information Commissioner's Office (ico.org.uk).
  • Mainland China users: the Cyberspace Administration of China (CAC) or its provincial offices.

We encourage you to contact us first so we can resolve the matter directly.

联系我们

Contact Us

关于隐私、数据、删除账户或本政策的任何疑问:

我们将在 7 个工作日内回应所有合理请求。如未在 14 日内收到答复,请再次联系。

For any question regarding privacy, data, account deletion or this Notice:

We will respond to all reasonable requests within 7 business days. If you do not hear from us within 14 days, please contact us again.

生效日期 · 2026年4月30日 · v 2.0 Effective · 30 April 2026 · v 2.0 阅读宗旨 Read manifesto