Loading...
Loading...
Legal Documents
Koydo collects only the data required to provide learning, account security, billing, and support services.
We protect your privacy
Checking acceptance status...
Account identifiers (email, display name), date of birth (age-verification and COPPA classification only), learning progress metrics, support tickets, subscription metadata, and verifiable parental consent (VPC) records for users under 13. Wardrobe feature only: user-uploaded clothing photos stored privately in your account in the wardrobe-assets bucket — accessible only to you, never shared with third parties, and never used for AI model training.
Koydo serves learners ages 3+. Users under 13 are subject to full COPPA compliance (16 CFR Part 312). Verifiable Parental Consent (VPC) is required before a child may access personalised features. Primary VPC method: $0.50 credit/debit card micro-charge (immediately refunded) - the FTC-recommended method proving the parent holds a valid payment card. Alternate methods: email verification link (lower assurance) and government-issued photo ID upload (highest assurance; ID deleted after verification). AI-powered features are age-gated: companion chat and open-ended generative AI are disabled for users under 13; structured curriculum lessons, flashcards, read-aloud audio, and curated games remain available for learners ages 3+. Parental consent records are retained for the lifetime of the child's account plus 3 years for legal audit compliance. A verified parent or guardian may request access, correction, or deletion of their child's data at support@koydo.app; requests are fulfilled within 30 days.
Data is kept while the account remains active and longer only where law, billing, security, or audit duties require it. Wardrobe photos are stored per-user in the wardrobe-assets Supabase Storage bucket and are permanently deleted when the user removes the item or closes their account. We use trusted service providers for operations, including Supabase (database/auth/storage), Stripe (web billing and COPPA VPC micro-charge processing), RevenueCat (native subscriptions), Mixpanel (adult-only consent-gated analytics), Vercel (hosting), OpenAI GPT (AI curriculum and assessments), Google Gemini (AI curriculum and translation), Anthropic Claude (AI moderation and curriculum), ElevenLabs (text-to-speech), fal.ai (image generation), HeyGen (avatar video), Resend (transactional email including parental consent requests), Twilio (SMS), Upstash Redis (rate limiting), Capgo (native live updates), and Google Classroom where the related features are enabled. Some features send learner or parent content to those processors to provide AI responses, translation, email, SMS, rate limiting, live updates, or classroom sync. Companion chat does not send learner display names or exact age bands to model providers. Camera preview and microphone recording are processed locally; raw camera feed and raw audio are not uploaded off-device by default. We will notify affected users and relevant authorities within 72 hours of confirming a personal data breach, in compliance with GDPR Art. 33–34.
You have the right to access, correct, or delete your personal data (DSAR). Submit requests to support@koydo.app. We respond within 30 days as required by GDPR Art. 12 and applicable privacy law. For children's data, a verified parent or guardian must submit the request. EU/EEA users may also contact our Data Protection Officer at privacy@koydo.app or lodge a complaint with your local supervisory authority.
Your data may be processed outside the European Economic Area (EEA) by service providers used for hosting, billing, analytics, AI features, communications, rate limiting, live updates, or classroom sync. This can include Supabase, Stripe, RevenueCat, Mixpanel, OpenAI, Google, Anthropic, ElevenLabs, Resend, Twilio, Upstash, Capgo, and other enabled processors tied to the shipping release. Each provider must maintain appropriate safeguards such as Standard Contractual Clauses (SCCs), the EU-U.S. Data Privacy Framework where applicable, or equivalent contractual protections. We review enabled processors release-by-release and require international transfers to comply with GDPR Article 46.
For questions about data protection or to exercise your rights under GDPR, you may contact our Data Protection Officer at privacy@koydo.app. You also have the right to lodge a complaint with your local supervisory authority.
We store and access information on your device using cookies and similar technologies, as described below. Strictly necessary cookies: Supabase auth tokens (sb-*-auth-token, session duration), locale preference (koydo.locale, 1 year), consent record (koydo.trackingConsent, 1 year), Stripe fraud detection (__stripe_mid, __stripe_sid, 1 year / session). Analytics cookies (require consent): Mixpanel (mp_*_mixpanel, 1 year) - only activated with your explicit consent via our cookie banner; disabled entirely for users under 13 (COPPA). You can change your cookie preferences at any time via the 'Manage Cookies' link in the footer. On native mobile builds, web analytics tracking is disabled.