Privacy Policy

1. Introduction

The Mandarin Learning Center ("MLC," "we," "us," or "our") is committed to protecting the privacy of our students, parents, and visitors. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our student portal at portal.mandarinlearningcenter.com (the "Portal") and related services.

By using the Portal, you consent to the practices described in this policy. Please also review our Terms of Service.

2. Information We Collect

2.1 Account Registration

When you create an account, we collect your display name, email address, and password. If you register using Google OAuth, we receive your name and email address from Google. We do not receive or store your Google password.

2.2 Google OAuth

If you choose to sign in with Google, we use Google's OAuth 2.0 service to authenticate your identity. We receive only your basic profile information (name and email address). Google's use of your information is governed by Google's Privacy Policy.

2.3 Payment Information (Stripe)

Payments are processed by Stripe, a PCI DSS-compliant third-party payment processor. When you make a purchase or save a payment method for auto top-up, your credit card details are collected and stored directly by Stripe. MLC does not store your full card number, expiration date, or CVV on its own servers.

We do store your Stripe customer ID and limited payment metadata (last four digits of card, payment status, transaction amounts) for account management and record-keeping. Stripe's handling of your data is governed by Stripe's Privacy Policy.

2.4 Cookies & Session Data

The Portal uses essential cookies to maintain your login session, protect against cross-site request forgery (CSRF), and remember your preferences. These cookies are necessary for the Portal to function and cannot be disabled while using the service. We do not use third-party advertising or tracking cookies.

2.5 reCAPTCHA

We use Google reCAPTCHA to protect registration and contact forms from automated abuse. reCAPTCHA may collect hardware and software information, such as device data and application data, and send it to Google for analysis. Your use of reCAPTCHA is subject to Google's Privacy Policy and Terms of Service.

2.6 Student Academic Data

For enrolled students, we collect and maintain academic records including: tutoring session dates and durations, course progress and exam results, flashcard study activity, tutor notes and session feedback, and HSK level and course level progression. This data is used to provide and improve our educational services.

2.7 Job & Career Applications

If you apply for a position with MLC, we collect the information you provide in your application, including your name, contact information, employment history, and any other details you submit. This information is used solely for evaluating your candidacy.

3. How We Use Your Information

We use the information we collect to:

• Provide services: Manage your account, process payments, track tutoring minutes, deliver course content, and facilitate tutoring sessions
• Communicate with you: Send account notifications, session reminders, low-balance alerts, receipts, and announcements through the Portal's messaging system and email
• Maintain security: Protect against unauthorized access, verify user identity, prevent fraud, and detect automated abuse via reCAPTCHA
• Improve our services: Understand how the Portal is used, identify issues, and enhance the student experience
• Comply with legal obligations: Maintain records required by law and respond to legal requests

We do not use your personal information for third-party advertising. We do not sell your information to anyone.

4. How We Store & Protect Your Information

Your data is stored on Microsoft Azure cloud infrastructure, including Azure SQL Database for application data and Azure Blob Storage for uploaded files (such as excursion photos and store images). Azure data centers maintain industry-standard physical and digital security controls.

We protect your information through the following measures:

• Encryption in transit: All connections to the Portal use HTTPS/TLS encryption
• Password security: Passwords are hashed using ASP.NET Core Identity's secure hashing algorithms and are never stored in plain text
• Role-based access control: Portal access is restricted by role (Student, Tutor, Parent, Admin), ensuring users can only access data relevant to their role
• Anti-forgery protection: All data-modifying actions are protected against cross-site request forgery (CSRF) attacks
• Secrets management: Sensitive configuration keys are stored in Azure Key Vault, not in application code

While we implement commercially reasonable safeguards, no system is completely secure. We cannot guarantee absolute security of your data.

5. Information Sharing

We do not sell, rent, or trade your personal information to third parties.

We may share limited information with the following service providers who assist in operating the Portal:

• Stripe: Payment processing (card details, transaction data)
• Google: OAuth authentication, reCAPTCHA bot protection
• Microsoft Azure: Cloud hosting, data storage, and key management
• SMTP email provider: Delivery of transactional and notification emails (email address and message content)

These providers are contractually obligated to protect your data and may only use it for the specific services they provide to us.

We may also disclose information if required by law, court order, or government request, or if necessary to protect the rights, safety, or property of MLC, our users, or the public.

6. Children's Privacy (COPPA Compliance)

The Mandarin Learning Center serves students of all ages, including children under 13. We are committed to complying with the Children's Online Privacy Protection Act (COPPA).

Registration for Children Under 13

Children under the age of 13 may not create their own accounts. A parent or legal guardian must register on behalf of any child under 13. By registering a child, the parent or guardian consents to the collection and use of the child's information as described in this policy.

Data Collection for Minors

We collect only the information necessary to provide educational services to child students. This includes a display name, academic progress data, session records, and course activity. We do not knowingly collect more information from children than is reasonably necessary for participation in our services.

Parental Rights

Parents and guardians have the right to:

• Review the personal information we have collected about their child
• Request correction or deletion of their child's information
• Refuse further collection or use of their child's information
• Access their child's academic records and Portal activity through a linked parent account

To exercise these rights, please contact us using the information in Section 10.

7. Your Rights

California Residents (CCPA)

If you are a California resident, you have the right to:

• Know what personal information we collect about you and why
• Request disclosure of your personal information
• Request deletion of your personal information
• Not be discriminated against for exercising your privacy rights

MLC does not sell personal information to third parties. We will respond to verified CCPA requests within 45 days.

EU/EEA Residents (GDPR)

If you are located in the EU or EEA, you have the right to:

• Access your personal data
• Rectify inaccurate data
• Request erasure of your data
• Restrict or object to processing of your data
• Data portability

All Users

Regardless of your location, you may:

• Update your account information through the Portal at any time
• Request a summary of the personal data we hold about you
• Request deletion of your account and associated data
• Opt out of non-essential communications

To make a privacy request, please contact us using the information in Section 10.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services. Specifically:

• Active accounts: Data is retained for the duration of your enrollment
• Archived accounts: Basic account and transaction records may be retained for up to 7 years for tax and legal compliance
• Academic records: Student progress and session history may be retained after account closure for reference purposes, unless deletion is requested
• Payment records: Transaction history is retained as required for financial record-keeping and tax purposes

When data is no longer needed, it is securely deleted or anonymized.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make changes, we will update the "Effective" date at the top of this page.

For significant changes, we will notify you via email or a Portal announcement. Your continued use of the Portal after changes are posted constitutes your acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how your data is handled, please contact us:

• Phone: 619-786-5371
• Email: info@mandarinlearningcenter.com
• Address: 7422 SW Daisy Dr, Beaverton, OR 97007
• Online: Contact Us

We respond to all privacy inquiries promptly, and within 45 days of receiving a request.