Privacy Policy

Transparent data practices for Zhonghua Secondary School

Last Updated: March 10, 2026

Welcome to ZPortal. This Privacy Policy ("Policy") governs the data collection, processing, and storage practices employed by ZPortal ("we," "our," or "the Application"). We are steadfastly committed to safeguarding the privacy, security, and digital wellbeing of all students and staff at Zhonghua Secondary School. By accessing or utilizing ZPortal, you consent to the data practices described herein.

1. Data Collection and Processing

To furnish a personalized and functionally robust academic experience, ZPortal necessitates the collection of specific user data during the onboarding process and subsequent usage:

A. Information from Google Authentication

Upon authenticating via your institutional Google account, we securely ingest the following profile parameters:

  • Legal Name
  • Institutional Email Address (@students.edu.sg)
  • Profile Picture (Avatar URL)
  • Google User Identification Number

B. User-Provided Academic Data

During profile initialization, you are required to submit:

  • Class Designation
  • Co-Curricular Activity (CCA) Enrollment

C. User-Generated Content

ZPortal processes and stores digital study tasks, personal notes, and file attachments explicitly authored or uploaded by you within the platform's infrastructure.

2. Google Workspace & Classroom Integration

Read-Only OAuth Delegation

Should you elect to synchronize your academic schedule, ZPortal requests strictly read-only access to your Google Classroom data:

  • https://www.googleapis.com/auth/classroom.courses.readonly: To view enrolled classes.
  • https://www.googleapis.com/auth/classroom.coursework.me.readonly: To view course work and status.

Data Protection Guarantee: This access is utilized exclusively for the real-time aggregation and display of academic assignments within your dashboard interface. ZPortal possesses no programmatic authority to modify, submit, or delete your Google Classroom coursework. Furthermore, we do not persistently cache or store your Google Classroom assignment data in our database.

3. Artificial Intelligence Integration (ZHSS AI)

Secure Third-Party API Processing

ZPortal incorporates a built-in AI Assistant (ZHSS AI) powered by advanced Large Language Models (LLMs). To formulate highly accurate and contextual responses, user queries alongside a limited subset of relevant academic context (including your first name, class, CCA schedule, and truncated snippets of recent notes or pending tasks) are transmitted to trusted third-party cloud AI providers (e.g., OpenAI, Groq) via a secure, server-side proxy.

Security & API Usage: All AI interactions are routed entirely through our backend infrastructure. Your account credentials and our Application Programming Interface (API) keys are strictly isolated from the client environment. Furthermore, data transmitted to these third-party providers via their enterprise APIs is governed by stringent data processing agreements, which explicitly prohibit the retention or utilization of API payload data for training proprietary machine learning models.

4. Data Storage & Visibility Controls

The integrated Notes application facilitates the drafting of text and attachment of digital files. By default, all generated notes default to a Private state. Users maintain sovereign control over visibility through the following privacy tiers:

  • Private: Strictly accessible only by your authenticated user session.
  • Link Only: Accessible exclusively to individuals possessing the cryptographically secure, randomized 16-character uniform resource locator (URL).
  • Public: Discoverable and indexed for other authenticated ZPortal users within the institutional network.

5. Cryptographic Security & Infrastructure

We deploy rigorous administrative, technical, and physical safeguards to defend your personal information against unauthorized access:

  • Transport Layer Security: ZPortal enforces HTTPS/SSL/TLS encryption for all data transmitted between your local client device and our servers.
  • Input Sanitization: All user-submitted data undergoes aggressive server-side sanitization protocols (including HTML entity encoding and tag stripping) to effectively neutralize Cross-Site Scripting (XSS) and SQL Injection vulnerabilities.
  • Session Integrity: Authentication states are managed via secure, HTTP-only session tokens to mitigate session hijacking.

6. Your Data Protection Rights

  • Revoking Google Access: You retain the unilateral right to revoke ZPortal's access to your Google account at any time by visiting your Google Account's Permissions page.
  • Account Erasure: You may exercise your right to request the complete erasure of your account and associated database records (Name, Email, Class, CCA, Notes) by contacting the designated system administrator.

7. Compliance

ZPortal's use and transfer to any other app of information received from Google APIs strictly adheres to the Google API Services User Data Policy, including all Limited Use requirements.

8. Contact & Dispute Resolution

For inquiries pertaining to data privacy, technical vulnerabilities, or policy clarifications, please contact the ZPortal Administration team.

Return to ZPortal