Children's Privacy Policy

Operator: Graventis (Pvt) Ltd

Product: Genius Club (k12.graventis.org)

Privacy Contact: [email protected]

Mailing Address: Graventis (Pvt) Ltd, Colombo, Sri Lanka

For urgent child safety concerns, email [email protected] with subject line "URGENT: Child Safety".

Children under 18 cannot create accounts independently. A parent or legal guardian must:

• Register an account and add their child's profile
• Provide verifiable parental consent via one of: credit/debit card micro-charge (LKR 100 / $0.50, refunded), or signed consent form upload
• Consent requests expire after 7 days if not completed

No data is collected from a child until verifiable parental consent is obtained.

Parents may withdraw consent at any time via the Parent Dashboard → Settings → "Delete Child Data". Upon withdrawal, all child data is queued for deletion with a 48-hour cooling-off period, after which deletion is permanent and irreversible.

We practice strict data minimization. We collect only what is necessary for educational services:

Data we collect:

• Display name (chosen by parent — not necessarily real name)
• Birth year (for age-appropriate content — not full date of birth)
• Grade level (for curriculum alignment)
• Avatar character (selected by child from pre-set options)
• Learning progress: quiz scores, lesson completion, mastery levels, spaced repetition schedules
• Session data: login timestamps, session duration (for wellbeing monitoring)
• Language preference (English or Sinhala)

Data we do NOT collect from children:

• Email address, phone number, or physical address
• Full date of birth, national ID, or government identifiers
• Photos, videos, or biometric data
• Location data (GPS or IP-based geolocation)
• Social media profiles or contacts
• Browsing history or cross-site tracking data
• Voice recordings or free-text personal information

Children's data is used exclusively for:

• Adaptive learning: adjusting lesson difficulty based on mastery and quiz performance
• Spaced repetition (FSRS): scheduling review sessions for optimal retention
• Progress tracking: showing learning progress to parents via the Parent Dashboard
• Wellbeing monitoring: session duration warnings, break reminders, anti-addiction safeguards
• Gamification: XP, streaks (capped at 7 days), achievements, and 3D trophies (all with anti-addiction design)
• Platform safety: preventing unauthorized access to child accounts

We NEVER use children's data for:

• Advertising or marketing of any kind
• Behavioral profiling for non-educational purposes
• Sale, rental, or sharing with data brokers
• Training AI models on identifiable child data
• Cross-platform tracking or retargeting

COPPA requires us to disclose every third party that receives children's personal information. Below is the complete list:

Services we do NOT use in Genius Club:

• No analytics services (Google Analytics, Mixpanel, Hotjar, etc.)
• No advertising networks or ad trackers
• No fingerprinting services (FingerprintJS, etc.)
• No social media integrations or login
• No third-party AI services that process child data directly

AI features in Genius Club are processed through our own AI Security Gateway, which strips PII before sending requests to AI providers. No identifiable child data reaches third-party AI services.

Parents and legal guardians have the right to:

• Review — view all data collected about their child via the Parent Dashboard
• Download— export their child's learning data in machine-readable format
• Delete— request complete deletion of their child's data (48-hour cooling-off period, then permanently deleted from 19+ database tables)
• Withdraw consent — at any time, effective immediately
• Refuse further collection — without deleting existing data
• Control notifications — manage push notification preferences
• Set session limits — configure daily time limits and break reminders
• Remote session kill— end a child's active session from the Parent Dashboard

Exercise these rights at: Parent Dashboard → Settings or email [email protected]

• COPPA architectural isolation: child data stored in a separate database (K12Database) that is never accessed by non-K12 services
• Encryption at rest: Azure SQL Transparent Data Encryption (TDE) + application-level PII encryption
• Encryption in transit: TLS 1.3 enforced on all connections
• Child session security: HMAC-SHA256 signed session cookies, 4-hour expiry, SameSite=Strict
• No JWT exposure: BFF (Backend-for-Frontend) pattern — browser never holds authentication tokens
• Content Security Policy: strictest CSP of all Graventis apps — no external fonts, no inline scripts
• Device trust: new device login requires parent approval

• Active accounts: data retained while account is active and parent consent is valid
• Deletion process: when a parent requests deletion, data enters a 48-hour cooling-off period (allowing parents to cancel accidental requests), then is permanently deleted from all 19+ database tables
• Consent withdrawal: if consent expires or is withdrawn, child data is automatically queued for deletion
• Inactive accounts: child profiles with no activity for 12 months are flagged for parent review
• Anonymized data:aggregate, non-identifiable learning statistics may be retained for educational research (e.g., "85% of Grade 5 students improved in mathematics")
• Audit logs: consent events (granted, withdrawn, deleted) are retained for 5 years for legal compliance

Genius Club follows WHO child screen time guidelines:

• Streak caps at 7 days with maximum 1.7x multiplier (no Duolingo-style anxiety)
• Comeback bonuses instead of streak guilt
• Quality Score replaces raw screen time as the primary metric
• Configurable session duration warnings and break reminders
• No dark patterns ("you'll lose your streak!" notifications are prohibited)
• Parent-configurable daily time limits