Koydo COPPA Notice

Effective Date: May 9, 2026 Last Updated: May 9, 2026 Version: 2026-05-09 This COPPA Notice is the children's privacy portion of the Koydo Privacy Policy, presented as a standalone document for parents, app stores, and reviewers. The full Privacy Policy and Terms of Service also apply.

This section applies to users under the age of 13. Koydo complies with the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. 6501-6506, and the Federal Trade Commission's implementing rule at 16 C.F.R. Part 312, including the Amended Rule effective April 22, 2026, which expands the definition of personal information to include biometric identifiers (such as voiceprints) and requires separate parental consent for third-party disclosure of children's personal information.

2.1 Parental Consent Is Required

We do not knowingly collect personal information from children under 13 without first obtaining verifiable parental consent. Before a child can use any feature of Koydo that involves the collection of personal information, a parent must:

1. Create a parent account and add the child as a Student Profile.
2. Provide the child's birth date (used solely to determine applicable age protections).
3. Review a consent notice describing our data practices.
4. Verify consent through our Verifiable Parental Consent (VPC) process, which involves an email confirmation sent to the parent's verified email address, containing a summary of data practices and a signed confirmation link.

A child's participation in Koydo is never conditioned on the disclosure of more personal information than is reasonably necessary to participate in the Service.

2.2 Information We Collect from Children (Default Mode)

When a parent provides consent, we collect the following information in default mode (without Koydo Intelligence enabled): | Category | Specific Data | Purpose |

|---|---|---| | Account information | Child's display name, age, grade level | To create and maintain the child's learning profile | | Parent contact | Parent's email address (not the child's) | To communicate with the parent about the child's account and obtain consent | | Learning progress | Lesson completion status, quiz and game scores, skill mastery levels | To track educational progress and present it to the parent and child | | Content interaction events | Which lessons, activities, and games are started and completed | To recommend appropriate next content | | Session information | Session start time, session duration, date of use | To generate progress reports for parents | | Device information | Device type (e.g., tablet, phone), operating system version, screen size | To render the application correctly on the child's device | | Gamification data | Experience points, levels, streaks, and in-app currency balances (no real money) | To provide motivational feedback and track progress | | AI safety events | Records of content moderation actions | To ensure child safety and enforce content policies | | Voice and audio data (biometric) | Audio recordings of pronunciation exercises, transmitted to our AI speech provider for real-time analysis. Audio is processed and immediately discarded — it is never stored on Koydo servers or the provider's servers. Under the COPPA Amended Rule (April 22, 2026), voice recordings constitute biometric identifiers and are personal information. | To evaluate pronunciation accuracy in language learning exercises. Requires separate parental consent for third-party AI disclosure (see Section 2.8). | We do NOT collect the following from children under 13:

• Email addresses belonging to the child
• Precise geolocation
• Photographs or videos stored on our servers
• Persistent audio recordings (voice data for pronunciation exercises is transmitted, processed, and immediately discarded — never stored)
• Social media identifiers
• Advertising identifiers or persistent tracking identifiers
• Any data for behavioral advertising

2.3 Information Collected When Koydo Intelligence Is Enabled (OptIn)

Koydo Intelligence ("KI") is an optional feature that parents may enable or disable at any time. When KI is enabled, we collect additional behavioral signals through our PRISM system to provide an adaptive, personalized learning experience. These signals are described in full in Section 6 of this policy. KI is off by default for children under 13. A parent must affirmatively opt in to KI, and the parent is presented with a separate, specific disclosure of what KI collects before enabling it. The parent may disable KI at any time from the Parent Dashboard, and upon disabling, all PRISM signal data associated with the child is scheduled for deletion within 30 days.

2.4 How We Use Children's Information

We use information collected from children exclusively for the following purposes:

• Providing the educational service: Delivering lessons, quizzes, games, and learning activities appropriate to the child's age and skill level.
• Tracking learning progress: Generating progress reports visible to the child and parent.
• Adaptive learning (KI only): When KI is enabled, adjusting content difficulty, pacing, modality, and presentation based on the child's observed learning patterns.
• Safety and moderation: Monitoring AI-assisted interactions for safety and content policy compliance.
• Service improvement: Analyzing aggregated, de-identified usage patterns to improve our educational content and platform. No child's data is individually identifiable in these analyses.

We do NOT use children's information for:

• Behavioral advertising or targeted advertising of any kind
• Sale to third parties
• Creating public profiles or social networking features
• Any purpose unrelated to the educational service

2.5 Disclosure of Children's Information

We do not sell children's personal information. We do not disclose children's personal information to third parties except as follows:

• Service providers (with separate parental consent for AI disclosure): Certain features require transmitting children's data to the following specific third-party AI providers. Under the COPPA Amended Rule, we obtain separate parental consent before disclosing children's personal information to these third parties (see Section 2.8):
• OpenAI — AI tutoring conversations, content moderation checks, and pronunciation analysis (speech-to-text via Whisper API). Zero data retention (ZDR) enabled; data is processed and immediately discarded.
• Anthropic — Alternative AI tutoring model. Zero data retention enabled.
• Google (Gemini API) — Alternative AI tutoring model. Zero data retention enabled.
• ElevenLabs — Text-to-speech voice generation for read-aloud features. Only text prompts are sent (no child personal data).
• fal.ai — AI image generation for creative activities. Only text prompts are sent (no child personal data).
• Infrastructure providers (no separate consent required — essential to service operation):
• Supabase — Database hosting and authentication. Processes all account and learning data under DPA.
• Sentry — Error monitoring. Receives error logs with PII automatically scrubbed before transmission.
• Providers that do NOT receive child data:
• Stripe and RevenueCat — Payment processing for adult account holders only.
• Mixpanel — Product analytics, blocked for all users under 18.
• Vercel Analytics — Web performance metrics, blocked for all users under 15.
• Legal requirements: We may disclose information when required by law, subpoena, court order, or government request.
• Safety: We may disclose information when we believe in good faith that disclosure is necessary to protect the safety of a child.

2.6 Parent Rights Under COPPA

If you are the parent or legal guardian of a child under 13 using Koydo, you have the right to:

1. Review your child's data: Access a complete summary of all personal information Koydo has collected from your child, available through the Parent Dashboard or by emailing privacy@koydo.app.
2. Delete your child's data: Request deletion of all personal information collected from your child. You may do this through the Parent Dashboard ("Manage Child's Data" > "Delete All Data") or by emailing privacy@koydo.app. Deletion will be completed within 14 days of your confirmed request.
3. Disable Koydo Intelligence: Turn off KI at any time from the Parent Dashboard. Upon disabling, PRISM signal data will be deleted within 30 days.
4. Export your child's data: Download a machine-readable (JSON) export of all data associated with your child's account from the Parent Dashboard.
5. Revoke consent entirely: Withdraw your consent for Koydo to collect personal information from your child. Upon revocation, the child's account will be immediately deactivated. After a 14-day grace period (during which you may reverse your decision), all personal information will be permanently deleted.
6. Consent to collection without consenting to disclosure: You may consent to Koydo's collection and use of your child's information without consenting to disclosure to third parties. Note that declining disclosure to essential service providers may limit the availability of certain features (such as AI-powered tutoring, which requires an AI model provider).

To exercise any of these rights, visit the Parent Dashboard or contact us at privacy@koydo.app. We will verify your identity as the child's parent before fulfilling any request.

2.7 What Children Can Access Without Parental Consent

Before a parent provides consent, a child may browse Koydo's course catalog and read course descriptions. These activities do not involve the collection of personal information. All features that involve data collection are locked until parental consent is verified.

2.8 Separate Consent for ThirdParty AI Disclosure (COPPA Amended Rule)

Effective April 22, 2026, the COPPA Amended Rule requires operators to obtain separate, specific parental consent before disclosing a child's personal information to third parties, distinct from consent for the operator's own collection and use. Koydo implements this requirement as follows:

1. Two-part consent process: During the Verifiable Parental Consent flow, parents are presented with two distinct consent decisions:

• General consent: Consent for Koydo to collect and use the child's personal information as described in Sections 2.2 through 2.4 of this policy. This enables core platform features (lessons, quizzes, games, progress tracking) that do not involve third-party data disclosure.
• AI disclosure consent: Separate, specific consent for Koydo to transmit the child's personal information to the third-party AI providers named in Section 2.5 (OpenAI, Anthropic, Google Gemini) for the purpose of AI-powered tutoring, pronunciation analysis, and content moderation.

1. Consent without disclosure: A parent may consent to Koydo's collection and use of the child's data (general consent) without consenting to third-party AI disclosure. In this case:

• The child can use all non-AI features: lessons, quizzes, games, flashcards, progress tracking, and all offline-capable learning content.
• AI-powered features (AI tutoring, pronunciation exercises, photo tutor, AI-generated content) will be unavailable.
• The parent may grant AI disclosure consent at any time from the Parent Dashboard.

1. Revocation: A parent may revoke AI disclosure consent at any time from the Parent Dashboard without affecting general consent. Upon revocation, AI features are immediately disabled for the child, and a deletion request is sent to all AI providers.
2. Named third parties: The specific third-party AI providers to which data may be disclosed are: OpenAI, Inc. (AI tutoring, pronunciation analysis via Whisper API, content moderation), Anthropic, PBC (alternative AI tutoring), and Google LLC (Gemini API, alternative AI tutoring). All operate under zero data retention agreements. If Koydo adds a new AI provider that processes children's data, parents will be re-notified and re-consent will be required.
3. Voice/biometric data: Pronunciation exercises transmit audio recordings (biometric identifiers under the Amended Rule) to OpenAI's Whisper API. This disclosure requires AI disclosure consent. Audio is processed in real time and immediately discarded — neither Koydo nor OpenAI stores the audio.

We use the following third-party service providers to operate the Service. Each provider processes data only as directed by Koydo and only for the purpose of providing their service to us. | Provider | Service | Data Processed | Processes Child Data? |

|---|---|---|---| | Supabase | Database and authentication hosting | All account data, learning data, profiles | Yes | | OpenAI | AI tutoring, content generation, moderation | AI conversation text, moderation checks | Yes (with parental consent; zero data retention enabled) | | Anthropic | AI tutoring (alternate model) | AI conversation text | Yes (with parental consent; zero data retention enabled) | | Google (Gemini API) | AI tutoring (alternate model) | AI conversation text | Yes (with parental consent; zero data retention enabled) | <!-- Removed: xAI/Grok — regulatory risk for child-serving platform. DO NOT RE-ENABLE. --> | ElevenLabs | Audio asset pre-generation only (server-side text-to-speech, generating static audio files baked into Koydo content; not used for live, per-user AI traffic) | Koydo-authored scripts only; no User personal data is sent | No — content tooling, not a User-data processor | | fal.ai | AI image generation | Text prompts for image generation | Limited (text prompts only; no child personal data sent; requires AI disclosure consent for under-13) | | Stripe | Payment processing | Payment card information, billing details | No (adults only) | | RevenueCat | Subscription management (mobile) | Subscription status, purchase receipts | No (adults only) | | Vercel | Web hosting and performance analytics | Web performance metrics, IP addresses (anonymized) | No (blocked for users under 18 via age-gated analytics) | | Mixpanel | Product analytics | Usage events, feature interactions | No (blocked for users under 18) | | Sentry | Error monitoring | Error logs, stack traces (PII auto-scrubbed) | Limited (error data only; PII scrubbed by policy) | Important notes regarding child data and third-party processors:

• All AI model providers that process child data operate under zero data retention (ZDR) agreements or configurations. This means conversational data sent to these providers is processed and immediately discarded by the provider; it is not stored, logged, or used for model training.
• Mixpanel analytics are completely blocked for all users under 18. No analytics events, device identifiers, or behavioral data are sent to Mixpanel for minors.
• Stripe and RevenueCat process payment data only for adult account holders. Children do not have a direct payment relationship with Koydo.
• ElevenLabs is used only to pre-generate static audio assets that ship with Koydo content (server-side rendering of Koydo-authored scripts). It does not receive User personal data, AI conversations, or live per-User traffic. It is listed in the table for completeness; it is not a User-data processor.

Sub-processors and change notifications. The processors listed above retain their own sub-processors (for example, Supabase uses AWS; Vercel uses Cloudflare and AWS). The current authoritative list of Koydo direct processors and their material sub-processors — together with a free email subscription to be notified of additions or replacements — is published at /legal/subprocessors. Where a User or Institutional customer reasonably objects to a new sub-processor within thirty (30) days of notice, Koydo will work in good faith to address the objection, including by offering an alternative arrangement or, where no reasonable alternative exists, terminating the affected service for that customer.

We retain different categories of data for different periods, based on the purpose of collection and applicable legal requirements. | Data Category | Retention Period | Basis |

|---|---|---| | Account information (email, display name, birth date, grade) | Lifetime of account | Necessary to provide the service | | Learning progress (lesson completion, skill mastery, quiz scores) | Lifetime of account | Core educational record | | Gamification data (XP, levels, streaks, currency) | Lifetime of account | Part of the learning experience | | AI tutor conversations — under 13 (Children) | 30 days from creation | COPPA data-minimization (16 C.F.R. § 312.7); shortest period sufficient for safety, abuse detection, and dispute resolution | | AI tutor conversations — 13–17 (Teens) | 90 days from creation | Sufficient for safety review and pedagogical continuity | | AI tutor conversations — 18+ (Adults) | 12 months from creation | Sufficient for context continuity and dispute resolution | | PRISM raw signal events | 1 year from creation | Necessary for longitudinal adaptive learning analysis | | PRISM session snapshots | 90 days from creation | Short-term adaptive decision-making | | PRISM learner profiles (aggregated composites) | Lifetime of account (deleted upon request or account deletion) | Long-term personalization | | PRISM interventions (pedagogical actions) | 1 year from creation | Evaluating effectiveness of learning adaptations | | Session records (study sessions) | 1 year from creation | Progress reporting and analytics | | AI safety and moderation events | 1 year from creation | Safety audit trail and regulatory compliance | | Direct messages | Lifetime of account | User communication record | | Payment and financial records | 7 years from transaction | Tax and financial regulatory compliance | | Legal evidence (consent records, policy acceptances, IP at consent) | Indefinite | Legal compliance and audit trail | | Deletion audit logs (anonymized, no PII) | Indefinite | Verification that deletion was executed | | Device login information | Until consumed or expired | Temporary; used only for device login flow | | Koydo Distill voice recordings | Not retained | Process-and-discard; no server storage | | Pronunciation exercise audio | Not retained | Biometric data (voiceprint); transmitted to AI provider, processed in real time, and immediately discarded. Never stored by Koydo or the provider. | | Koydo Distill transcripts and notes | Lifetime of account | User-created content | Upon account deletion:

• All personal data is permanently deleted within 14 days of confirmed deletion request (consumer accounts) or 30 days (institutional accounts).
• Financial records are anonymized (user identifiers removed) and retained for the legally required period.
• Deletion audit records are retained in anonymized form (no personal identifiers) to verify that deletion was properly executed.
• Third-party providers are notified to delete associated data under their contractual privacy obligations.

Legal hold exception. The retention periods above may be extended only for specific User accounts subject to a documented written legal hold (active dispute, regulatory inquiry, court order, subpoena, or formal claim). Legal holds are issued through a documented internal process; they apply only to the specific account(s) implicated; they auto-expire when the trigger event closes; and they do not justify general retention beyond the periods stated above for any other User. The "dispute resolution" rationale alone does not authorize indefinite retention.

We implement technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Koydo maintains a formal Written Information Security Program as required by COPPA 16 C.F.R. § 312.8. A summary of our security measures follows; the full program document is available upon request to privacy@koydo.app.

9.1 Encryption

• In transit: All data transmitted between your device and Koydo's servers is encrypted using TLS 1.2 or higher.
• At rest: All data stored in our databases is encrypted at rest using AES-256 encryption.
• Payment data: All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. Koydo never stores, processes, or transmits raw payment card data on its own servers.

9.2 Access Controls

• Access to user data is restricted to authorized personnel on a need-to-know basis.
• Administrative access to production systems requires multi-factor authentication.
• All access to child data is logged and auditable.

9.3 AI Safety Architecture

• All AI interactions involving children pass through a multi-layer safety system including content moderation, persona safety constraints, and fail-closed circuit breakers.
• If the moderation system is unavailable, AI features are automatically disabled (fail-closed design).
• AI safety events are logged for audit and review.

9.4 SOC 2 Compliance

Koydo is pursuing SOC 2 Type II certification. Our infrastructure provider (Supabase/AWS) maintains SOC 2 Type II certification. We will update this policy when Koydo's own SOC 2 certification is achieved.

9.5 Breach Notification

In the event of a data breach affecting personal information:

• We will notify affected users (or parents, in the case of children) without undue delay and in any event within 72 hours of becoming aware of the breach.
• We will notify the Federal Trade Commission and any applicable state attorneys general as required by law.
• For EU users, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33.
• Notification will include: the nature of the breach, the categories of data affected, likely consequences, and measures taken to address the breach.

10.1 All Users

Regardless of age or location, all Koydo users (or their parents, for children) have the right to:

• Access: Request a copy of all personal information we hold about you.
• Correction: Request correction of inaccurate personal information.
• Deletion: Request deletion of your account and associated personal information.
• Export: Download your data in a machine-readable format (JSON).
• Opt out of analytics: Disable optional analytics collection at any time.

10.2 Parents of Children Under 13 (COPPA Rights)

See Section 2.6 for a complete description of parental rights, including the right to review, delete, export, disable KI, and revoke consent.

10.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"): CCPA core rights:

• Right to know. Request a copy of the personal information we have collected about you, the categories of sources, the purposes of collection, and the categories of third parties with whom we share it.
• Right to correct. Request correction of inaccurate personal information.
• Right to delete. Request deletion of your personal information, subject to limited statutory exceptions.
• Right to opt out of sale or share. Koydo does not sell or share personal information for cross-context behavioral advertising. We nevertheless honor "Do Not Sell or Share My Personal Information" requests at /legal/do-not-sell.
• Right to non-discrimination. We will not deny service, charge a different price, or provide a different level of service because you exercised any of these rights.

CPRA additional rights (effective for all Koydo California Users):

• Right to limit use and disclosure of Sensitive Personal Information. California recognizes certain categories of personal information as "sensitive" — including precise geolocation, biometric identifiers used for unique identification, health information, racial or ethnic origin, religious beliefs, contents of mail or messages, financial-account credentials, sex life or sexual orientation, and the fact that an individual is a minor. You may direct Koydo to use Sensitive Personal Information only for the purposes that are reasonably necessary to provide the Service and for the additional purposes permitted by Cal. Civ. Code § 1798.121(b). To exercise this right, visit /legal/limit-sensitive-pi.
• Right to opt out of profiling and automated decision-making with significant effect. Where Koydo uses automated processing — for example, the PRISM behavioral signal system that informs adaptive learning decisions described in Section 6 — you may opt out of having that processing applied to your account. When you opt out, Koydo serves a non-personalized version of the adaptive learning experience. You can opt out at any time in Account Settings.
• Right to information about automated decision-making logic. You may request meaningful information about the logic involved in any automated decision, the significance of the processing, and the envisioned consequences. Koydo's authoritative disclosure of its automated decision-making logic — the PRISM signal taxonomy, derived indices, and how the indices are used — is published at /legal/automated-decisions.

To exercise any of these rights, contact us at privacy@koydo.app or use the controls in your account settings. We respond within forty-five (45) calendar days, with one forty-five-day extension where reasonably necessary, in line with CCPA § 1798.130.

10.4 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR / FADP)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following additional rights, in each case as recognized by the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the United Kingdom General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), and the Swiss Federal Act on Data Protection (revised effective 1 September 2023, "FADP"):

• Right of access (Art. 15) — request a copy of your personal data.
• Right to rectification (Art. 16) — correct inaccurate or incomplete data.
• Right to erasure / "right to be forgotten" (Art. 17) — request deletion in the circumstances specified by law.
• Right to restriction of processing (Art. 18).
• Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format (we provide JSON).
• Right to object (Art. 21) — object to processing based on legitimate interest, including profiling.
• Right not to be subject to a decision based solely on automated processing (Art. 22) where the decision produces legal or similarly significant effects.
• Right to withdraw consent at any time for processing based on consent (Art. 7(3)).
• Right to lodge a complaint with your local supervisory authority. EEA Users may identify their authority at edpb.europa.eu; UK Users may contact the Information Commissioner's Office at ico.org.uk; Swiss Users may contact the Federal Data Protection and Information Commissioner at edoeb.admin.ch.

Legal bases for processing. Koydo processes personal data under the following lawful bases identified by Art. 6 GDPR and corresponding provisions of UK GDPR and FADP: contract performance (delivering the Service you signed up for); legitimate interest (adaptive learning, platform security, service improvement, fraud prevention, debugging); consent (Koydo Intelligence opt-in, optional analytics, marketing-showcase use of co-created content per TOS § 8.4(c)); and legal obligation (child safety, financial recordkeeping, regulator response). For each processing activity, the applicable legal basis is recorded in our internal Article 30 record of processing activities, available to supervisory authorities on request. Privacy Team. Koydo's Privacy Team is the single point of contact for data-protection inquiries and is reachable at privacy@koydo.app. Koydo does not currently designate a named individual as Data Protection Officer; where Koydo becomes required to maintain a formal DPO under GDPR Article 37, the appointment will be reflected in this Section and at Koydo's legal version history. EU / UK Article 27 Representatives — pending. Koydo has not yet appointed representatives under GDPR Article 27 or UK GDPR Article 27. The status of these appointments is published at the international transfer notice and Koydo's legal version history and will be updated when appointments are made. Pending appointment, EEA and UK data subjects may contact Koydo's Privacy Team directly at privacy@koydo.app. EEA data subjects retain the right to lodge a complaint with the supervisory authority of their habitual residence; UK data subjects retain the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk. Cross-border transfers. Your personal data is transferred to and processed in the United States. Koydo relies on the following transfer mechanisms, each documented and available for inspection at the international transfer notice:

• EU SCCs — the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914, Modules 2 (Controller-to-Processor) and 3 (Processor-to-Processor), as appropriate to the processing relationship;
• UK Addendum to the EU SCCs — the International Data Transfer Addendum issued by the UK Information Commissioner's Office (version B1.0, in force 21 March 2022), which incorporates the EU SCCs into UK law for transfers from the United Kingdom; and
• Swiss FADP addendum — the supplementary clauses recognized by the Swiss Federal Data Protection and Information Commissioner for transfers from Switzerland.

Koydo has performed transfer impact assessments addressing FISA Section 702, Executive Order 12333, and the EU-U.S. Data Privacy Framework. Koydo's certification status under the Data Privacy Framework, where applicable, is published at the international transfer notice. Member-state age thresholds. For Users in EU member states where the GDPR parental-consent age threshold is higher than 13 (Art. 8 GDPR and member-state implementations), Koydo applies the stricter threshold. Examples: Germany and the Netherlands require parental consent up to age 16; France up to age 15. Users in the United Kingdom are governed by the UK GDPR's age 13 threshold and the UK Age Appropriate Design Code (Children's Code) standards.

12.1 What Counts as a "Material Change"

A change to this Privacy Policy is material if it touches any of the following:

1. Categories of personal data Koydo collects;
2. Identity of Koydo's processors or sub-processors;
3. Data retention periods;
4. User rights or how to exercise them;
5. Any provision specifically governing Children, Teens, or Parents;
6. Security commitments or breach-notification timelines;
7. International transfer mechanisms; or
8. Lawful bases for processing.

Non-material changes — typographical fixes, formatting, restructuring, and clarifying language that does not alter rights or obligations — may be published without advance notice; the publication itself updates the version recorded in Koydo's legal version history.

12.2 Notice Process for Material Changes

For material changes affecting adults (18+) and teens (13–17), Koydo provides at least thirty (30) days' advance notice via:

1. Email to the address associated with your account; and
2. In-app notification displayed prominently within the Service; and
3. A one-click "review changes" page summarizing what changed and why.

Continued use after the effective date constitutes acceptance. You may decline by closing your account before the effective date.

12.3 Children Under 13 — ReVerifiableParentalConsent

For material changes affecting any provision governing Children under 13 — including changes to data categories, processors, retention periods, or children-specific rights — Koydo will, consistent with 16 C.F.R. § 312.5, re-obtain Verifiable Parental Consent before the change applies to existing Child Profiles. Until re-consent is obtained from a Parent, the previously-consented practices remain in effect for that Child Profile. If a Parent does not respond, the affected Child Profile remains on the previously-consented practices; Koydo will not silently default to the new practices.

12.4 LegallyRequired Changes

Changes required by law, regulation, court order, or regulator directive may be implemented with shorter notice or with immediate effect, with the legal basis recorded in the changelog at Koydo's legal version history.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us at: KOYDO LLC 940 W. FM 544 #332 Wylie, Texas 75098-5157 United States Telephone: +1 (214) 218-6693 Email: privacy@koydo.app | Inquiry type | Email | Subject line | Response window |

|---|---|---|---| | General privacy inquiry | privacy@koydo.app | Privacy Inquiry | 30 days | | COPPA parental request (under 13) | privacy@koydo.app | COPPA Parent Request | 14 days | | GDPR / UK GDPR / FADP request | privacy@koydo.app | GDPR Data Request | 30 days (extendable by 60 per Art. 12(3)) | | CCPA / CPRA request | privacy@koydo.app | CCPA Request | 45 days (extendable by 45) | | FERPA / school request | privacy@koydo.app | School Data Request | 30 days | | Data breach concern | privacy@koydo.app | Security Incident | Without undue delay | Privacy Team. Koydo's Privacy Team is the single point of contact for data-protection matters and is reachable at privacy@koydo.app. Koydo does not currently designate a named individual as Data Protection Officer in this Privacy Policy; where Koydo is required to maintain a formal DPO under GDPR Article 37, the appointment will be reflected in this Section and at Koydo's legal version history. EU / UK Article 27 Representatives — pending appointment. EEA and UK data subjects may contact the Privacy Team directly at privacy@koydo.app while these appointments are pending. The current status is at the international transfer notice.