Privacy Policy
Effective date: [EFFECTIVE_DATE] Last updated: [LAST_UPDATED_DATE]
Important note for parents. [COMPANY_NAME] (we, us, our) operates [PRODUCT_NAME], a learning service used by children with the involvement and oversight of their parent or legal guardian. Because our service is directed to children, this policy is written with particular attention to the U.S. Children's Online Privacy Protection Act (COPPA), the EU General Data Protection Regulation (GDPR) — including its specific protections for children — and the UK Children's Code (Age-Appropriate Design Code). A simplified version written for children is published as the "Children's Privacy Notice".
Not legal advice. This document is provided as the operating privacy policy for [PRODUCT_NAME]. It should be reviewed and adapted by qualified counsel in each market before publication.
1. Who we are and how to contact us
| Role | Details |
|---|---|
| Controller / operator | [COMPANY_LEGAL_NAME] |
| Registered address | [REGISTERED_ADDRESS] |
| Privacy contact | [PRIVACY_EMAIL] |
| Data Protection Officer | [DPO_NAME], [DPO_EMAIL] |
| EU representative (Art. 27 GDPR) | [EU_REP_NAME_AND_ADDRESS] |
| UK representative | [UK_REP_NAME_AND_ADDRESS] |
| Postal address for COPPA / data requests | [COMPANY_POSTAL_ADDRESS] |
If you are a parent or legal guardian and you would like to review, change, or delete information collected from or about your child, see Section 11 ("Your rights and choices").
2. Scope
This policy describes how we collect, use, share, and protect personal data when you (a parent) sign up for [PRODUCT_NAME], when your child uses the service through your account, and when you visit our marketing website.
It applies to:
- The [PRODUCT_NAME] web application
- Future [PRODUCT_NAME] mobile, tablet, and hardware/device applications
- Our marketing website and customer communications
This policy does not apply to third-party websites or services linked from our product. We are not responsible for the privacy practices of third parties.
3. The people whose data we handle
We distinguish carefully between:
- Parent / guardian account holders — adults who hold the contract with us. Each parent must be at least the age of legal majority in their country.
- Children — individuals under the age of majority whose parents have set up a child profile within their account.
- Visitors — anyone who visits our marketing website without signing up.
- Business customers — schools, districts, or organisations who license our product (see our Data Processing Addendum).
We do not knowingly allow children to create their own accounts. Account creation requires an adult to attest to being a parent or legal guardian.
4. What we collect
4.1 Parent account data
- Identity: name, email address, hashed password (or OAuth identifier).
- Profile: preferred language, time zone, payment plan.
- Children you set up: see 4.2.
- Billing data (if subscribed): name on card, last 4 digits, billing country. Full card data is handled by our payment processor — we never see or store it.
- Support communications: any message you send us.
- Device and log data: IP address, browser type, pages viewed. We use the minimum needed to keep the service secure and operational.
4.2 Children's data
We collect only what is needed to provide a personalised, safe learning experience. Specifically, for each child profile a parent sets up we collect:
- First name or nickname (used to personalise tutoring)
- Age
- Primary language and learning language
- Reading level and maths level (parent-selected)
- Persona, favourite themes, allowed/blocked topics (parent-selected)
- Tutoring activity: mode, duration, message count, short summaries of each turn
- Safety events: category, severity, short excerpt, action taken
- Learning progress signals: subject, skill, level
- Voice and text input during a session — see 4.3 for retention
We do not ask children for: last names, home addresses, phone numbers, school names, photographs, video, geolocation, or persistent identifiers used for advertising. The tutor is explicitly instructed never to ask for these.
4.3 Voice and message content
When a child speaks or types to the tutor:
- The audio is converted to text on the child's device (browser speech-to-text). The raw audio is not transmitted to our servers in the current MVP. Future versions may use server-side transcription with the same privacy guarantees.
- The text message is sent to our servers to produce a tutor reply.
- By default we only store a short summary of each turn — not the raw message. This is controlled per child by the "Summary-only mode" and "Store full transcripts" settings.
- We send the message text to our AI provider (see Section 5). Our contract with the provider prohibits use of the data to train models.
4.4 Cookies and similar technologies
We use a small set of strictly necessary cookies for authentication and session management. We do not use advertising cookies or third-party tracking cookies in the product. See the Cookie Policy for details.
4.5 What we do not collect
- We do not collect a child's full name, home address, phone number, school, photos, or video.
- We do not use behavioural advertising or build advertising profiles.
- We do not sell or rent personal data.
- We do not allow third parties to advertise inside the product.
- We do not use children's data to train AI models.
5. Who we share data with
We share personal data only with vendors strictly necessary to provide the service. Each is bound by a written agreement that limits their use of the data to providing services to us. A complete and up-to-date list is published in our Subprocessor List.
Current categories:
- Cloud hosting: [HOSTING_PROVIDER, e.g., Vercel — for application hosting]
- Database and authentication: [DATABASE_AUTH_PROVIDER, e.g., Supabase — Postgres + auth]
- AI provider: [AI_PROVIDER, e.g., Anthropic and/or OpenAI]. Zero-retention or short-retention enterprise terms are in place where supported. Provider contracts forbid use of our data for model training.
- Email delivery: [EMAIL_PROVIDER, e.g., Postmark, Resend]
- Payment processing (future): [PAYMENT_PROVIDER, e.g., Stripe]
- Customer support tooling (future): [SUPPORT_PROVIDER]
We share personal data with law enforcement, regulators, or courts only when required by law, after considering whether a narrower disclosure or a court order is possible, and (where lawful) after notifying the affected user.
We share data with a buyer or successor in the event of a merger, acquisition, or sale of assets — but only under the same confidentiality and use restrictions described here. We will notify users in advance where reasonably possible.
6. Legal bases (GDPR / UK GDPR)
For users in the EEA and UK, the legal bases on which we rely are:
| Activity | Legal basis |
|---|---|
| Provide tutoring and account services | Performance of a contract (Art. 6(1)(b)) |
| Process children's data on parent's instruction | Parental consent under Art. 8 GDPR, supplemented by national age-of-consent rules (varies 13–16) |
| Keep the service secure, prevent abuse | Legitimate interests (Art. 6(1)(f)) — safety of children is a compelling interest |
| Send service-related emails (billing, security) | Contract / legitimate interests |
| Send marketing emails | Consent — withdrawable at any time |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Special-category data (none collected by design) | Not applicable |
7. Children's privacy — COPPA-specific notice (US)
This section is required by the U.S. Children's Online Privacy Protection Act (COPPA). It applies to children under 13 in the United States.
7.1 What we collect from children
Only the data listed in Section 4.2.
7.2 How we use it
- To deliver the tutoring experience the parent has configured
- To enforce safety guardrails (see Section 9)
- To show the parent activity summaries and safety events
- To keep the service secure
We do not use children's data for advertising, profiling, or any purpose outside the service. We do not condition a child's participation in the service on the child disclosing more than is reasonably necessary.
7.3 Verifiable parental consent
Before any child data is collected, we obtain verifiable parental consent from the adult account holder. We currently use one or more of the following methods (FTC-approved):
- Credit/debit card or other online payment system that provides notification of each transaction (used when a paid subscription is started)
- Government-issued ID matched against databases (when offered for free accounts)
- Signed consent form returned by mail, fax, or scanned upload
- Email-plus method ("email plus" — confirmation followed by a delayed confirmation step)
Our parental consent process is described in the Parental Consent Form document.
7.4 Parent rights under COPPA
Parents have the right to:
- Review the personal information we have collected from their child
- Refuse to permit further collection or use
- Direct us to delete their child's information
To exercise these rights, email [PRIVACY_EMAIL] or write to [COMPANY_POSTAL_ADDRESS]. We will verify your identity (typically by confirming you are the account holder) before acting on the request. We aim to fulfil verified requests within 30 days.
7.5 No conditioning
We will not condition a child's participation in any activity on the child disclosing more personal information than is reasonably necessary to participate.
8. Children's privacy — GDPR / UK GDPR / national laws
8.1 Age of digital consent
The age at which a child may consent on their own behalf to information-society services varies by country (typically between 13 and 16). Until that age, parental consent is required. We require parental consent for all child users on our service regardless of country, because the service is directed to children.
8.2 Data minimisation by design
Consistent with Art. 25 GDPR and the UK Children's Code, we have designed our service to collect only what is necessary, default to the most privacy-protective settings, and provide parents (not the child) with the controls.
8.3 Parent and child rights
See Section 11.
9. How we keep children safe
We treat child safety as a primary product concern, not a feature.
- All input from a child and all output from the AI tutor passes through a server-side safety classifier before being shown.
- A separate homework guardrail prevents the AI from completing schoolwork on the child's behalf.
- Parents control allowed and blocked topics, voice on/off, transcript retention, persona, and homework strictness per child.
- We log safety events (with short excerpts) so parents can review what happened.
- We never give medical, legal, or financial advice; never describe sexual content; never describe violence or self-harm; and instruct the child to speak with a parent or trusted adult when distress is detected.
The full safety model is described in docs/safety.md and is incorporated here by reference for transparency.
10. Retention
| Data | Default retention |
|---|---|
| Parent account | Until the parent deletes the account |
| Child profile | Until the parent deletes it; cascade-deletes related data |
| Full message transcripts (only if explicitly enabled) | [TRANSCRIPT_RETENTION, e.g., 90 days] then auto-deleted unless re-enabled |
| Message summaries (default) | While the child profile exists, then deleted with it |
| Safety events | [SAFETY_RETENTION, e.g., 2 years] for safeguarding and audit purposes |
| Billing records | As required by tax law in the billing country, typically [BILLING_RETENTION, e.g., 7 years] |
| Server access logs | [LOG_RETENTION, e.g., 30 days] |
| Backups | Encrypted; rolling [BACKUP_WINDOW, e.g., 35-day] window |
A parent may shorten retention by deleting the child profile or the account. A parent may extend retention only for transcripts and only by enabling that setting.
11. Your rights and choices
You may exercise the following rights at any time by emailing [PRIVACY_EMAIL]. We aim to respond within 30 days (and within the timelines required by COPPA, GDPR, UK GDPR, and CCPA where applicable).
- Access — get a copy of personal data we hold about you or your child
- Correction — fix inaccurate data
- Deletion — delete an account or a child profile
- Restriction — pause processing while a dispute is resolved
- Objection — object to processing based on legitimate interests
- Portability — receive your data in a structured, machine-readable format
- Withdraw consent — withdraw consent at any time without affecting prior processing
- No automated decision-making — we do not use automated decision-making that produces legal or similarly significant effects
- Complaint to a supervisory authority — you have the right to complain to your data protection authority (EU/UK) or to the FTC (US)
For California residents, additional rights under the CCPA / CPRA apply. We do not "sell" or "share" personal information as defined by California law. To opt out of any future selling/sharing or to limit the use of sensitive personal information, email [PRIVACY_EMAIL].
We never charge a fee, retaliate, or downgrade your service for exercising your rights.
A self-service template for requests is included in our DSAR Templates document.
12. International data transfers
We are based in [PRIMARY_JURISDICTION]. Personal data we collect may be transferred to, stored in, and processed in countries outside the EEA, UK, or your country of residence. When we transfer personal data out of the EEA or UK we use:
- EU Standard Contractual Clauses (Commission Decision 2021/914) where applicable
- UK International Data Transfer Addendum for UK transfers
- Adequacy decisions where the European Commission or UK government has issued one
- Supplementary measures (encryption in transit and at rest, access controls, contractual safeguards) where required by Schrems II
A copy of the relevant clauses is available on request.
13. Security
Security details are in our Security Whitepaper. In short:
- Transport encryption (TLS 1.2+) for all traffic
- Encryption at rest for the database and backups
- Principle-of-least-privilege access controls on production systems
- Audit logging of administrative actions
- A defined incident-response process with parent notification within [BREACH_NOTIFICATION_HOURS, e.g., 72] hours of confirming a personal-data breach where required by law
No security program eliminates risk. If we ever experience a personal-data breach affecting you or your child, we will notify you as required by law and explain what happened, what we are doing, and what you should do.
14. Changes to this policy
We may update this policy. If we make a material change that expands the categories of data we collect from children, or the purposes for which it is used, we will obtain renewed parental consent before the change applies to your child. For other material changes we will notify you by email and post a notice in the product at least 30 days before the change takes effect.
The "Effective date" and "Last updated" at the top of this document show the current version.
15. Glossary
- Personal data / personal information — any information relating to an identified or identifiable person
- Child — anyone under the age of majority in their country (we treat under-13s with COPPA standards, under-16s with UK Children's Code, and the local age-of-digital-consent for GDPR)
- Processing — any operation performed on personal data, e.g. collection, storage, use, disclosure
- Controller / operator — the entity that decides why and how personal data is processed
- Processor / subprocessor / service provider — an entity that processes personal data on a controller's behalf
If you have any question about anything in this policy, please email [PRIVACY_EMAIL] before agreeing.