MyStory Privacy Policy

1. Introduction

Harmony International Limited ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use MyStory (the "Service").

Our Details:

  • Company Name: Harmony International Limited

  • Registered Address: 220 Cherry Orchard, Bridson Street, Port Erin, Isle of Man, IM9 6AN

  • Data Protection Contact: dataprotection@mystory.global

This Privacy Policy should be read alongside our Terms of Service and applies to all users of MyStory.

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

  • Name, email address, and contact details

  • Username and password

  • Age (for compliance purposes)

  • Educational institution affiliation

  • Parent/guardian contact information (for under-16 users)

Educational Data:

  • Academic records and grades

  • Certificates and achievements

  • Course enrollment information

  • Educational institution details

Journal Content:

  • Personal reflections and diary entries

  • Written assignments and projects

  • Photos and multimedia content uploaded to journals

  • Comments and interactions with educational content

Payment Information:

  • Billing address and payment method details

  • Transaction history

  • Subscription preferences

  • Note: Payment card details are processed securely by our payment providers (Ripple and PayPal) and are not stored on our servers

2.2 Information We Collect Automatically

Usage Data:

  • Pages visited and features used

  • Time spent on the platform

  • Click patterns and navigation paths

  • Search queries within the platform

  • Device and browser information

Technical Information:

  • IP address and general location data

  • Device type, operating system, and browser type

  • App version and platform (mobile/web)

  • Error logs and performance data

Advertising Data:

  • Ad interaction data (via Google Ads)

  • Advertising preferences and interests

  • Marketing campaign effectiveness data

2.3 Information from Third Parties

Educational Institutions:

  • Academic records and achievements

  • Enrollment status and course information

  • Educational activities and certificates

  • Assessment results and feedback

External Agencies:

  • Training certificates and qualifications

  • Program participation records

  • Achievement badges and recognition

Integrated Services:

  • Data from learning management systems

  • Google services integration data

  • Third-party educational platform information

3. How We Use Your Information

3.1 Primary Purposes

Service Provision:

  • Creating and managing user accounts

  • Enabling journaling and reflection features

  • Facilitating collaboration between students, institutions, and agencies

  • Processing payments and managing subscriptions

  • Providing customer support and technical assistance

Educational Enhancement:

  • Tracking academic progress and achievements

  • Enabling institutions to post activities and certificates

  • Providing personalized learning experiences

  • Generating progress reports and analytics

Safety and Security:

  • Monitoring for inappropriate content or behavior

  • Implementing safeguarding measures for children

  • Detecting and preventing fraud or abuse

  • Maintaining platform security and integrity

3.2 Secondary Purposes

Communication:

  • Sending service updates and notifications

  • Educational institution communications

  • Marketing communications (with consent)

  • Safety and security alerts

Improvement and Analytics:

  • Analyzing usage patterns to improve our service

  • Testing new features and functionality

  • Conducting research on educational outcomes

  • Generating anonymized statistics and insights

Legal Compliance:

  • Meeting regulatory requirements

  • Responding to legal requests

  • Protecting our legal rights and interests

  • Complying with safeguarding obligations

4. Legal Basis for Processing (UK GDPR)

We process your personal data under the following legal bases:

Contract Performance:

  • Providing the MyStory service

  • Processing payments

  • Managing user accounts

Legitimate Interests:

  • Improving our service

  • Fraud prevention and security

  • Marketing to existing customers

  • Business analytics and research

Legal Obligation:

  • Safeguarding children

  • Responding to legal requests

  • Tax and accounting requirements

  • Regulatory compliance

Consent:

  • Marketing communications

  • Non-essential cookies

  • Certain data sharing with third parties

  • Processing special category data (where applicable)

Vital Interests:

  • Child protection and safety

  • Emergency situations requiring immediate action

5. Special Protections for Children

5.1 UK Children's Code Compliance

We comply with the UK Children's Code (Age Appropriate Design Code) by:

Parental Controls:

  • Requiring parental account setup for under-16 users

  • Providing parental dashboards and oversight tools

  • Enabling parents to control data sharing preferences

  • Obtaining parental consent for data processing

Child-Friendly Design:

  • Age-appropriate privacy settings as default

  • Clear, understandable privacy information for children

  • Minimal data collection necessary for service provision

  • Regular deletion of unnecessary child data

Enhanced Protections:

  • No behavioral advertising to children

  • Stricter content moderation for child users

  • Limited data sharing for child accounts

  • Enhanced security measures for child data

5.2 Parental Rights

Parents/guardians who manage accounts for children under 16 can:

  • Access their child's personal data

  • Request correction of inaccurate data

  • Request deletion of their child's data

  • Control data sharing with educational institutions

  • Withdraw consent at any time

  • Receive copies of their child's data

6. How We Share Your Information

6.1 Educational Institutions

We share relevant data with your registered educational institutions to:

  • Enable posting of activities and certificates

  • Facilitate academic progress tracking

  • Support educational collaborations

  • Provide institutional analytics and reporting

Data shared may include:

  • Academic performance and progress

  • Journal entries (where educationally relevant and consented)

  • Engagement with educational activities

  • Achievement and certification records

6.2 External Agencies

With your consent, we may share data with approved external agencies for:

  • Training and certification programs

  • Educational opportunities and activities

  • Career development and guidance

  • Skills assessment and recognition

6.3 Service Providers

We share data with trusted service providers who help us operate MyStory:

Payment Processors:

Technology Providers:

  • Cloud hosting and storage services

  • Analytics and performance monitoring

  • Email and communication services

  • Security and fraud prevention services

Advertising Partners:

  • Google Ads (for advertising services)

  • Analytics providers for advertising effectiveness

6.4 Legal Disclosures

We may disclose your information when required by law or to:

  • Comply with legal processes or court orders

  • Protect child safety and welfare

  • Investigate fraud or security incidents

  • Enforce our Terms of Service

  • Protect our legal rights and interests

6.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the business transaction, subject to the same privacy protections.

7. Data Retention

7.1 General Retention Periods

  • Account Data: Retained while your account is active and for 12 months after account closure

  • Journal Content: Retained according to user preferences, with option for immediate deletion

  • Educational Records: Retained for 7 years after course completion (standard educational practice)

  • Payment Data: Retained for 7 years for tax and accounting purposes

  • Marketing Data: Retained until consent is withdrawn or for 3 years of inactivity

7.2 Child Data

For users under 16:

  • Data is reviewed annually for continued necessity

  • Unnecessary data is deleted automatically

  • Enhanced deletion rights apply

  • Parents can request immediate deletion at any time

7.3 Legal Requirements

Some data may be retained longer when required by:

  • Legal obligations

  • Safeguarding requirements

  • Ongoing legal proceedings

  • Regulatory compliance

8. International Data Transfers

8.1 Transfer Safeguards

When we transfer data outside the UK/EEA, we ensure appropriate safeguards through:

  • Adequacy decisions by the UK government

  • Standard Contractual Clauses (SCCs)

  • Binding Corporate Rules

  • Certification schemes

8.2 Third-Party Services

Some of our service providers may be located outside the UK/EEA:

  • Cloud storage providers (with appropriate safeguards)

  • Analytics services (with data processing agreements)

  • Payment processors (under relevant data protection frameworks)

9. Your Privacy Rights

Under UK GDPR, you have the following rights:

9.1 Access Rights

  • Request copies of your personal data

  • Receive information about how your data is processed

  • Obtain data in a portable format

9.2 Correction Rights

  • Request correction of inaccurate data

  • Update your account information

  • Amend incomplete records

9.3 Deletion Rights

  • Request deletion of your personal data

  • Exercise "right to be forgotten"

  • Request deletion of child data (parental right)

9.4 Restriction Rights

  • Limit how we process your data

  • Object to certain types of processing

  • Restrict processing during disputes

9.5 Objection Rights

  • Object to processing based on legitimate interests

  • Opt out of marketing communications

  • Object to profiling and automated decision-making

9.6 Portability Rights

  • Receive your data in machine-readable format

  • Transfer data to another service provider

  • Export your journal content and records

10. Cookies and Tracking

10.1 Types of Cookies

Essential Cookies:

  • Authentication and security

  • Service functionality

  • Load balancing and performance

Analytics Cookies:

  • Usage statistics and insights

  • Feature usage tracking

  • Performance monitoring

Marketing Cookies:

  • Google Ads functionality

  • Advertising effectiveness

  • Personalized marketing (with consent)

10.2 Cookie Management

You can control cookies through:

  • Browser settings and preferences

  • Our cookie consent banner

  • Third-party opt-out tools

  • Account privacy settings

11. Data Security

11.1 Technical Safeguards

Encryption:

  • Data encrypted in transit (TLS/SSL)

  • Data encrypted at rest

  • Database encryption and access controls

Access Controls:

  • Multi-factor authentication for staff

  • Role-based access permissions

  • Regular access reviews and audits

Monitoring:

  • 24/7 security monitoring

  • Intrusion detection systems

  • Regular security assessments and penetration testing

11.2 Organizational Safeguards

Staff Training:

  • Regular privacy and security training

  • Safeguarding awareness programs

  • Incident response procedures

Policies and Procedures:

  • Data protection impact assessments

  • Privacy by design principles

  • Regular policy reviews and updates

11.3 Incident Response

In the event of a data breach:

  • Immediate containment and investigation

  • Notification to supervisory authorities (within 72 hours if required)

  • User notification when legally required or high risk identified

  • Remedial action and prevention measures

12. Third-Party Links and Services

MyStory may contain links to external websites and services. This Privacy Policy does not apply to third-party sites. We recommend reviewing the privacy policies of any external services you access through our platform.

Key Third-Party Services:

  • Google services and integrations

  • Educational institution portals

  • Learning management systems

  • External agency platforms

13. Updates to This Privacy Policy

13.1 Notification of Changes

We may update this Privacy Policy periodically. When we make material changes:

  • Users will be notified via email and in-app notifications

  • Parents/guardians will be notified directly for child accounts

  • The updated policy will be posted on our website

  • Continued use implies acceptance of changes

13.2 Significant Changes

For significant changes affecting:

  • Children's data processing

  • Data sharing arrangements

  • Legal bases for processing

  • International transfers

We will seek renewed consent where legally required.

14. Contact Information

14.1 Privacy Inquiries

Data Protection Officer: dataprotection@mystory.global
General Privacy Questions: dataprotection@mystory.global

14.2 Postal Address

Harmony International Limited, 220 Cherry Orchard, Bridson Street, Port Erin, Isle of Man, IM9 6AN

14.3 Supervisory Authority

If you're not satisfied with our response to your privacy concerns, you can contact:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Telephone: 0303 123 1113

14.4 Urgent Safeguarding Concerns

For urgent child protection matters: safeguarding@mystory.global 

15. Definitions

  • Child/Minor: Any user under the age of 16

  • Educational Institution: Schools, colleges, universities, and other registered educational providers

  • External Agencies: Third-party organizations providing educational services, training, or certification

  • Parent/Guardian: Legal guardian responsible for a child user's account

  • Personal Data: Any information relating to an identified or identifiable individual

  • Processing: Any operation performed on personal data

  • Service: The MyStory platform and associated services

This Privacy Policy is effective as of the stated Last Updated date and governs the collection, use, and disclosure of information through the MyStory platform.