Privacy Policy

01 Scope & our roles

This policy covers personal data processed through Sala's websites, applications and APIs (the “Services”). Sala operates in two distinct roles, and the difference matters for your rights:

• As a processor. When an institution uses Sala to manage its students, staff, courses and records, that institution is the data controller. We process that data only on their documented instructions, under our agreement with them.
• As a controller. For our own website visitors, prospective customers, and account administrators, Sala determines how data is used — and acts as the controller for that limited set of information.

02 Information we collect

Provided by institutions

Account and roster data needed to run the platform: names, contact details, role, enrolment and program information, attendance, grades, assessments, certificates, career-profile content and event registrations.

Provided directly by individuals

When you create a Hero career profile, request a demo, or contact us — your name, email, institution, and anything you choose to include in messages or your profile.

Collected automatically

• Usage & device data — pages viewed, features used, browser, device and approximate location derived from IP, for security and product improvement.
• Log data — timestamps, actions and identifiers retained for audit and abuse prevention.

We do not sell personal data, and we do not use student records to train public AI models.

03 How we use data

• To provide, maintain and secure the Services for your institution.
• To deliver features you'd expect — admissions ranking, dashboards, learning, events and career matching.
• To provide support, respond to requests, and send essential service notices.
• To improve reliability and performance using aggregated, de-identified analytics.
• To detect, prevent and investigate fraud, abuse or security incidents.
• To meet legal, regulatory and contractual obligations.

04 Legal bases for processing

Where data-protection law requires a lawful basis, we rely on one or more of: performance of a contract (running the Services), legitimate interests (securing and improving the platform), consent (e.g. optional communications), and legal obligation. Where we rely on consent, you may withdraw it at any time.

05 Student & institutional data

Student records are the most sensitive data we handle, and we treat them accordingly:

• Ownership stays with the institution. Customer data is and remains the property of the institution. We claim no ownership over it.
• Used only to deliver the Services. We access student records solely to operate, support and secure the platform — never for advertising.
• Portable on exit. On termination, institutions can export their data in standard formats; we then delete or anonymise it per the schedule below.

06 Sharing & sub-processors

We share personal data only as needed to run the Services, and never with data brokers. Categories of recipients:

• Infrastructure & sub-processors — vetted providers for hosting, storage, email and analytics, bound by contract to confidentiality and security obligations at least as strict as ours.
• Within your institution — according to the roles and permissions your administrators configure.
• Legal & safety — where required by law, or to protect the rights, safety and security of users and the public.

A current list of sub-processors is available on request and summarised on our Security page.

07 Data retention

We retain personal data for as long as an institution's account is active, and afterwards only as long as needed for the purposes below:

Active customer data

For the life of the agreement, under the institution's control.

After termination

Exported on request, then deleted or anonymised within 90 days.

Security & audit logs

Up to 12 months for abuse prevention and incident response.

Billing records

As required by applicable tax and accounting law.

08 International transfers & residency

Sala is headquartered in Singapore (Salatech Pte. Ltd.) with operations in Cambodia, and serves institutions across ASEAN. Where data is processed in a country other than your own, we apply appropriate safeguards — contractual protections with our providers and, where relevant, regional data-residency options. Institutions with specific residency requirements should contact us before onboarding.

09 Your rights

Subject to applicable law, you may request to access, correct, export or delete your personal data, object to certain processing, or withdraw consent. Where Sala is the processor, we route these requests to the relevant institution and assist them in fulfilling it. To make a request, email privacy@sala.tech; we respond within 30 days.

10 Children's data

Many institutions on Sala serve learners under 18. We process children's data only on behalf of, and under the instructions of, the institution acting in its educational capacity — and we apply the same security and minimisation standards to it as to all student records. We do not knowingly collect children's data directly for our own purposes or for marketing.

11 Cookies

We use a small number of cookies that are strictly necessary to keep you signed in and to keep the platform secure, plus optional analytics cookies that help us improve the product. You can control non-essential cookies through your browser settings without losing access to core features.

12 Changes to this policy

We may update this policy as the Services and the law evolve. We'll post the revised version here with a new effective date, and for material changes we'll notify institution administrators directly. Continued use after an update constitutes acceptance.