Privacy Policy

Volvedu (“we”, “our”, or “us”) is committed to protecting the privacy of our users, especially children. This Privacy Policy explains how we collect, use, and protect information when you use the Volvedu mobile application, website, and school platform (together, the “Service”).

Volvedu is designed primarily for children aged 5–13. We comply with the U.S. Children’s Online Privacy Protection Act (COPPA), the U.S. Family Educational Rights and Privacy Act (FERPA) where it applies to school use, the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and applicable regional privacy laws in the Gulf region.

1. Information We Collect

We collect the following information when you create an account and use Volvedu:

• Account information: full name (or display name), email address, age, country.
• Learning data: course progress, lesson completion, quiz answers and scores, badges earned, XP points, and learning streaks.
• Parent information: for users under 13, we collect a parent or guardian email address for verifiable parental consent purposes.
• School information: if you join a school, we store your school and class membership so teachers and administrators can support the student’s learning.
• Device information: a non-identifying device token used to deliver scheduled learning reminders (push notifications), and crash-report metadata used solely for debugging.

We do not collect location data, contacts, photos, audio recordings, browsing history, or any biometric information. The app does not access the device camera or microphone.

2. How We Use Your Information

• Provide and personalise the Volvedu learning experience.
• Track learning progress and achievements (XP, badges, streaks).
• Display age-appropriate educational content based on the student’s declared age.
• Enable school and classroom features (teacher dashboards, class leaderboards).
• Send opt-in learning reminders so students can keep their streak.
• Improve our educational content and app experience through aggregated, non-identifying analytics.
• Ensure the security of accounts (rate limiting, abuse detection).

We do not use children’s information for behavioural advertising, profile building, or any commercial purpose unrelated to providing the educational service.

3. Third-Party Services

Volvedu uses the following third-party services to operate the platform:

• Supabase — authentication, database hosting, and storage for course images, audio, and learning progress data. Hosted on Supabase’s EU or US infrastructure depending on region.
• Google Generative AI (Gemini) — used by our content team to generate educational comic panels, illustrations, and bilingual lesson text. No personal data from end users is sent to Gemini.
• Google Cloud Text-to-Speech — generates Arabic narration audio for lessons. The text sent is the lesson script only; no personal data is sent.
• OpenAI — cross-model review of generated educational content for quality assurance. No personal data is sent.
• Sentry — captures crash reports and unhandled errors so we can diagnose bugs. Personal data is scrubbed from crash payloads before transmission.
• Vercel — hosts our marketing website (volvedu.com); does not handle in-app data.

Each of these processors operates under its own privacy policy, and we have data-processing agreements in place where required. We do not sell or share personal information with any third party for advertising or marketing purposes.

4. Children’s Privacy (COPPA Compliance)

Volvedu is designed for children ages 5 and up. We take children’s privacy seriously:

• For users under 13, we require verifiable parental consent before the child can use the full app.
• We collect only the minimum information necessary for the educational service.
• We do not use children’s data for behavioural or interest-based advertising.
• We do not use third-party analytics SDKs that personalise on child data. Aggregate, non-identifying usage statistics only.
• We do not allow children to publicly post content; classroom leaderboards are visible only to other students and teachers in the same class.
• Parents can review, modify, or delete their child’s information at any time by contacting us or using the account-deletion feature in the app.

5. School Use (FERPA & Schools-Specific Provisions)

When Volvedu is used as part of a school program, the school acts as the educational agency and Volvedu acts as a school service provider. In this context:

• Student records are accessible only to the student themselves, their teachers, and authorised school administrators.
• We do not disclose student information to third parties outside the school relationship without the school’s direction or the parent’s consent, except as required by law.
• Schools may request deletion of all student records at any time and we will comply within 30 days.
• We sign data-processing agreements with school customers on request.

6. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

• Encrypted data transmission (HTTPS/TLS) for all client–server communication.
• Secure session storage using device hardware encryption (iOS Keychain / Android Keystore).
• Row-level security policies on our database so users can only access their own records.
• Password hashing and rate-limiting on authentication endpoints.
• Regular dependency and infrastructure audits; we use the principle of least privilege for staff access to production systems.

7. Data Retention and Deletion

We retain your data for as long as your account is active. You can delete your account at any time through the Settings screen in the app (Profile → Settings → Delete Account). Deletion is immediate and permanent — all personal data, learning progress, and associated records are removed from our active systems. Encrypted backups expire on a rolling 30-day window.

If you cannot access the app and want to delete your account, email hello@volvedu.com from the account’s registered email address and we will process the deletion within 7 days.

8. Your Rights

Depending on where you live, you have some or all of the following rights:

• Access the personal information we hold about you.
• Correct inaccurate information via the Settings screen.
• Delete your account and all associated data.
• Withdraw parental consent for users under 13.
• Object to or restrict processing.
• Port your data to another provider.
• Lodge a complaint with your local data-protection authority.

To exercise any of these rights, contact hello@volvedu.com.

9. International Data Transfers

Volvedu is operated globally. Personal data may be processed in the United States, the European Union, and the United Arab Emirates. Where we transfer personal data out of the EEA or UK, we rely on Standard Contractual Clauses or other lawful safeguards.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy in the app and on this page, and we will update the “Last updated” date at the top. Material changes that affect children will additionally be communicated to parents.

11. Contact Us

Questions about this Privacy Policy or our data practices, especially regarding children’s data:

• Email: hello@volvedu.com
• Subject line for privacy-related requests: “Privacy Request”
• Response time: within 7 business days; urgent child-data requests within 24 hours.