
Privacy Policy

Last updated: April 7, 2026

Children's Privacy (COPPA Disclosure)

This platform serves children. Read our detailed COPPA compliance disclosure including third-party data sharing.

1. Who We Are

Graventis (Pvt) Ltd operates Genius Club (k12.graventis.org), an adaptive K-12 learning platform for children aged 5-18. This privacy policy covers how we handle parent/guardian account data. For children's data practices, see our Children's Privacy Policy.

2. Parent/Guardian Information We Collect

  • Account information (name, email address, hashed password)
  • Payment information for consent verification and subscriptions (processed securely via PayHere — we do not store card numbers)
  • Communication preferences and notification settings
  • Support interactions

3. How We Use Parent Data

  • Provide access to the Parent Dashboard (view child progress, manage settings)
  • Process payments and manage subscriptions
  • Send important notifications (consent requests, security alerts, progress reports)
  • Respond to support requests
  • Verify parental identity for COPPA consent

We do NOT use parent data for advertising, profiling, or sale to third parties.

4. Data Security

We implement enterprise-grade security: encryption at rest (Azure TDE + application-level PII encryption), TLS 1.3 in transit, BFF authentication (browser never holds JWT tokens), RS256 JWT signing, nonce-based Content Security Policy, and regular security audits. Passwords are hashed with bcrypt — never stored in plain text.

5. Your Rights

Under GDPR, Sri Lanka PDPA, and applicable data protection laws, you have the right to:

  • Access — view and download all your personal data
  • Rectification — update your personal information
  • Erasure — delete your account and all associated data
  • Portability — export your data in a machine-readable format
  • Withdraw consent — for any optional data processing

Exercise these rights via your account settings or by emailing [email protected].

6. Cookies

Genius Club uses only essential cookies required for authentication and security. We do not use analytics cookies, advertising cookies, or any form of cross-site tracking. This is a COPPA requirement — no cookie consent banner is needed because we use no optional cookies.

7. Data Retention

Your account data is retained while your account is active. Upon account deletion, personal data is removed within 30 days. Payment records are retained for 5 years as required by financial regulations. Consent audit logs are retained for 5 years for COPPA compliance.

8. Contact Us

For privacy-related inquiries, contact us at [email protected]. We respond within 5 business days.