Privacy Policy
OctoLearn is built for kids. This policy explains exactly what we collect, how we use it, and your rights as a Parent.
Effective: April 24, 2026 · Last updated: April 24, 2026
OctoLearn (“we”, “our”, or “us”) operates the OctoLearn website, the OctoLearn Parent app, and the OctoLearn Kids browser. This Privacy Policy explains how we collect, use, disclose, and protect information when a family uses OctoLearn.
OctoLearn is a Designed for Families service intended for children under 13 and used only under the supervision of a Parent or legal guardian. We comply with the U.S. Children’s Online Privacy Protection Act (“COPPA”), the General Data Protection Regulation including the enhanced protections for children in Article 8 (“GDPR-K”), the California Consumer Privacy Act (CCPA/CPRA), and Apple’s App Store Review Guidelines §1.3 and §5.1.4 for the Kids Category.
Notice to Parents (COPPA Direct Notice)
Before you create a child profile in OctoLearn, you must review this notice and give verifiable parental consent.
- We collect from your child: a Parent-chosen display name or nickname, an avatar you select, the age range you set, URLs and page titles the child visits inside the OctoLearn Kids browser, in-app search queries, messages the child sends to the AI tutor and the AI’s replies, and device/session metadata (OS, app version, session times).
- We do NOT collect from your child: real name, home address, email, phone number, Social Security number, photos, videos, audio recordings, precise geolocation, contacts, calendar, or advertising identifiers (IDFA/AAID).
- How we use it: operate the child-safe browser, power the AI tutor, run safety classifications on pages the child tries to visit, generate the weekly learning summary for you, and flag any concerning activity. We never use child data for advertising, profiling, or sale.
- Who we share it with: a small set of service providers listed in Section 6 (database, email delivery, payment processor, LLM routing, web-search API). None of them use child data for their own purposes.
- Your rights as a Parent: review the child’s data, delete any item or the whole profile, refuse further collection (by revoking consent), or delete the entire Parent account at any time. See Section 8 and our Delete Account page.
- How to contact us: email [email protected] from your Parent account email address.
1. Information We Collect
Information You (the Parent) Provide
- Parent account information: name, email address, profile details, and authentication information (passwordless email codes — no passwords stored).
- Child profile information: display name or nickname, avatar, age range, grade level, and learning interests — all created and managed by you.
- Payment information: billing details for paid plans. Payment data is processed by Stripe, Apple App Store, or Google Play and we do not store full payment card numbers.
- Feedback and support information: messages you send to us, survey responses, and early-access feedback.
Information We Collect About the Child (with Parental Consent)
- Browsing activity inside OctoLearn Kids: URLs, page titles, categories, time on page, in-app search queries, and the filter’s decision for each page.
- AI tutor interactions: messages the child sends to the AI tutor and the AI’s responses.
- Device and session data: device type, operating system, app version, and session start/end times.
We collect only the minimum data needed to operate a safe, AI-assisted browser for children. We follow the principle of data minimization (GDPR Art. 5(1)(c)): we never ask a child for information we don’t need.
Information We Collect Automatically
- Usage and diagnostics: features used, crash reports, and performance metrics tied to the Parent account, not to an individual child identity.
- Log data: IP address, access times, referring URLs, and security events — used for security and fraud prevention, deleted within 30 days.
2. How We Use Information
We use information to:
- Provide, operate, maintain, and improve OctoLearn.
- Create and manage Parent accounts, child profiles, device pairing, and parental controls.
- Power safety features: the content filter, flagged-activity alerts, weekly summaries, and AI-tutor classifications.
- Send service messages, security alerts, product updates, and support responses.
- Protect OctoLearn, families, and the public from abuse, fraud, or security incidents.
- Comply with legal obligations, including COPPA, GDPR-K, and App Store requirements.
We do not use child data for behavioral advertising, profiling, sale to third parties, or training of third-party foundation models. OctoLearn contains no third-party ad SDKs, no behavioral analytics SDKs, and no advertising identifiers (IDFA/AAID).
3. Child Data and AI Features
OctoLearn is designed around child-safe browsing. AI features may process pages a child visits and messages a child sends to the AI tutor in order to:
- Classify the safety and topic of each page in real time.
- Summarize learning activity for the Parent’s weekly dashboard.
- Answer the child’s questions with age-appropriate replies.
The AI service we use (OpenRouter, routing to an underlying language model) is bound by a data-processing agreement that prohibits retention of prompts beyond the request and prohibits any use of child data to train the model provider’s foundation models. We are the only party that stores the child’s messages and responses, and we keep them only as long as described in Section 7.
4. Parental Consent (COPPA §312.5 / GDPR Art. 8)
OctoLearn is intended for children only under the supervision of a Parent or legal guardian. Before any child profile can be created, the Parent must:
- Sign in to a Parent account verified by one-time email code (confirms the Parent controls an email address).
- Review this Privacy Policy, the Terms of Service, and the Notice to Parents block above.
- Affirmatively check a consent box and, on paid plans, provide a payment method in the Parent’s name (the “email + payment” method accepted by the FTC under 16 C.F.R. §312.5).
The child-facing OctoLearn Kids app contains no in-app purchases, no social features, and no way to leave the app into external services — all subscription management and account settings live in the separate Parent app, reachable only with Parent authentication. This architecture makes a traditional “parental gate” unnecessary, because there is nothing sensitive in the kids’ surface a child could reach.
Age of digital consent (GDPR). In the EU/EEA, the age below which parental consent is required ranges from 13 to 16 depending on member state (for example: Germany 16, France 15, Spain 14, Ireland 16, Portugal 13). OctoLearn treats any user identified as a child as requiring parental consent until the age of 16 unless a lower age applies by local law. In the United States and the United Kingdom the threshold is 13.
Withdrawal of consent. You can withdraw parental consent at any time by deleting the child profile or the whole Parent account (see Delete Account). Withdrawal triggers deletion of the child’s data as described in Section 7. We never condition a child’s participation in any activity on providing more data than is reasonably necessary to participate.
5. Privacy and Security
OctoLearn is built with child-safety at the core:
- TLS 1.2+ for all traffic.
- Encryption at rest (AES-256).
- Passwordless authentication — no passwords to leak.
- The child-facing Kids app has no in-app purchases, no social features, and no way to navigate out of the safe sandbox — all account and billing actions live only in the separately-authenticated Parent app.
- Access to production data is restricted to a small engineering team, audited, and protected by hardware MFA.
- Automated monitoring for anomalous access and regular security reviews.
No system can be guaranteed perfectly secure. If we ever discover a breach that affects you, we will notify you (and, where required, regulators) without undue delay.
6. Information Sharing and Subprocessors
We do not sell personal information, and we do not share child data for advertising, profiling, or any purpose outside providing the service. We share limited data with a small set of service providers (“subprocessors”), each bound by a written data-processing agreement that restricts their use of the data to serving us:
| Subprocessor | Purpose | Location | Child data accessed |
|---|---|---|---|
| MongoDB Atlas | Database hosting | USA / EU | Yes — encrypted at rest |
| Stripe, Inc. | Payments for Parent subscriptions | USA | No — Parent billing only |
| Apple / Google Play | In-app purchase payments | USA | No — Parent billing only |
| Mailgun Technologies | Transactional email (sign-in codes, receipts, weekly summaries) | USA / EU | No — Parent email address only |
| OpenRouter.ai | LLM routing for the AI tutor | USA | Message text only, not retained by OpenRouter beyond the request |
| Google Programmable Search | In-app search results | USA | Search query string only, without any child identifier |
We may also disclose information if required by law, court order, or valid government request, or to protect OctoLearn, families, or the public from abuse, fraud, or a security incident, or in connection with a merger, acquisition, or sale of assets with advance notice to Parents where practicable.
7. Data Retention
| Data | Retention |
|---|---|
| Parent account records | While active, plus 90 days after deletion |
| Child profile and activity | While the child profile exists, plus up to 30 days after Parent deletes it |
| AI tutor conversations | 90 days (rolling), then aggregated into the weekly summary and deleted |
| Billing / tax records | 7 years (U.S. tax law, 26 C.F.R. §1.6001-1) — card details are held by Stripe, not us |
| Server logs | 30 days |
Backups containing the data above are rotated within 90 days after deletion.
8. Your Rights
Depending on your location, you may have the right to:
- Access — request a copy of the personal data we hold about you or your child.
- Correct — ask us to fix inaccurate data.
- Delete — ask us to delete your account or any child profile at any time — see Delete Account.
- Restrict or object to certain processing.
- Withdraw parental consent — triggers deletion of the child’s data.
- Data portability — request a machine-readable export.
- Not sell / not share — we already don’t sell or share child data for behavioral advertising; this covers CCPA/CPRA rights.
- Lodge a complaint with your local data-protection authority (e.g., ICO in the U.K., or an EU Member State DPA).
To exercise any right, email [email protected] from the email address on your Parent account. We respond within 30 days.
9. Children’s Privacy — COPPA and Apple Kids Category
OctoLearn complies with:
- COPPA (15 U.S.C. §§ 6501–6506 and 16 C.F.R. Part 312).
- GDPR Article 8 and all applicable EU member-state ages of digital consent.
- Apple App Store Review Guidelines §1.3 and §5.1.4 (Kids Category). This means:
- No third-party advertising or advertising SDKs.
- No third-party analytics that profile users. We use only first-party, aggregate metrics.
- No advertising identifiers collected from children (IDFA/AAID).
- The OctoLearn Kids app contains no in-app purchases, no social features, and no links to external services — subscription management and account settings live only in the Parent app.
- All information we collect about a child is collected only after verifiable parental consent.
If you believe we hold information about a child whose Parent did not provide consent, email [email protected] and we will delete it.
10. International Data Transfers
OctoLearn is operated from the United States and most of our subprocessors are U.S.-based. When we transfer personal data out of the EEA, U.K., or Switzerland to the United States, we rely on the EU Standard Contractual Clauses (2021/914/EU) and the EU–U.S. Data Privacy Framework where applicable, with supplementary safeguards including encryption in transit and at rest.
11. Changes To This Policy
We may update this Privacy Policy from time to time. We will post the updated version on this page, update the “Last updated” date, and — when a change materially affects how we handle personal data — notify active Parent accounts by email at least 30 days before the change takes effect.
12. Contact Us
If you have questions about this Privacy Policy, or to exercise any parental right described above:
- Email: [email protected]
- Website: https://kids.aiwize.com
We respond within one business day to privacy requests.