Koydo Privacy Policy

Effective Date: May 9, 2026 Last Updated: May 9, 2026 Version: 2026-05-09 (supersedes 2026-04-01)

Required by UK Children's Code Standard 4, California AB 2273 (Age-Appropriate Design Code), and the Irish Data Protection Commission's Fundamentals for a Child-Oriented Approach. The full policy below is the authoritative document; this summary is provided for accessibility.

What we collect. Account info (display name, age, grade), learning progress (lesson completion, scores, skill mastery), how you interact with activities (signals like time spent, retries, content choices), and — only with your explicit opt-in — additional behavioral signals used by our adaptive learning engine PRISM to personalize the learning experience. For pronunciation exercises, we transmit short voice clips to our AI provider for real-time analysis; these clips are processed and immediately discarded — never stored. What we do NOT do.

• We do not run advertising. Ever.
• We do not sell or share your personal information for cross-context behavioral advertising.
• We do not use your child's work or conversations to train AI models.
• We do not profile your child for non-educational purposes.
• We do not keep voice recordings.

Your rights. You can access, correct, export (machine-readable JSON), and delete your data anytime. Parents of children under 13 can review the child's information, delete it, export it, disable Koydo Intelligence, and revoke consent. California residents have additional CPRA rights (limit use of sensitive personal information, opt out of profiling/automated decisions, learn about automated decision-making logic). EEA, UK, and Swiss users have full GDPR rights including access, rectification, erasure, portability, restriction, and objection. How to delete your stuff. Adults: Account Settings → Delete Account. Teens (13–17): Account Settings → Delete Account. Parents: Parent Dashboard → Manage Child's Data → Delete All Data. Schools: contact privacy@koydo.app — we delete within 30 days. All deletions cascade to our processors. Who decides what we do with data. Koydo's Privacy Officer at privacy@koydo.app. EEA and UK users may also contact our Article 27 representatives listed at the international transfer notice. For more detail on any of the above, the full policy follows.

KOYDO LLC ("Koydo," "we," "us," or "our") operates the Koydo educational platform, including the Koydo website, Koydo mobile applications (Koydo Jr., Koydo Kids, Koydo Learn, Koydo Academy), and the Koydo Distill notes application (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service. We take the privacy of all users seriously, and we take the privacy of children extremely seriously. This policy is written in plain language so that parents, students, teachers, and all users can understand our data practices. If you have questions about this policy, contact us at privacy@koydo.app.

Table of Contents

1. Definitions
2. Children Under 13 (COPPA)
3. Students Age 13-17
4. Adults 18+
5. Koydo Distill (Notes App)
6. Koydo Intelligence (KI) and the PRISM System
7. Third-Party Data Processors
8. Data Retention
9. Data Security
10. Your Rights
11. International Users and Cross-Border Transfers
12. Changes to This Policy
13. How to Contact Us

• Child or Children: Users under the age of 13.
• Teen: Users between the ages of 13 and 17, inclusive.
• Adult: Users 18 years of age or older.
• Parent: A parent or legal guardian of a Child or Teen user.
• Koydo Intelligence or KI: Our optional adaptive learning system that uses behavioral signals to personalize the learning experience. KI is powered by the PRISM system described in Section 6.
• PRISM: Prismatic Learning Intelligence Signal Model, our behavioral signal analysis system that observes how a learner interacts with the platform in order to adapt content difficulty, pacing, and presentation style.
• Student Profile: A profile created by a Parent for a Child or Teen user.

This section applies to users under the age of 13. Koydo complies with the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. 6501-6506, and the Federal Trade Commission's implementing rule at 16 C.F.R. Part 312, including the Amended Rule effective April 22, 2026, which expands the definition of personal information to include biometric identifiers (such as voiceprints) and requires separate parental consent for third-party disclosure of children's personal information.

2.1 Parental Consent Is Required

We do not knowingly collect personal information from children under 13 without first obtaining verifiable parental consent. Before a child can use any feature of Koydo that involves the collection of personal information, a parent must:

1. Create a parent account and add the child as a Student Profile.
2. Provide the child's birth date (used solely to determine applicable age protections).
3. Review a consent notice describing our data practices.
4. Verify consent through our Verifiable Parental Consent (VPC) process, which involves an email confirmation sent to the parent's verified email address, containing a summary of data practices and a signed confirmation link.

A child's participation in Koydo is never conditioned on the disclosure of more personal information than is reasonably necessary to participate in the Service.

2.2 Information We Collect from Children (Default Mode)

When a parent provides consent, we collect the following information in default mode (without Koydo Intelligence enabled): | Category | Specific Data | Purpose |

|---|---|---| | Account information | Child's display name, age, grade level | To create and maintain the child's learning profile | | Parent contact | Parent's email address (not the child's) | To communicate with the parent about the child's account and obtain consent | | Learning progress | Lesson completion status, quiz and game scores, skill mastery levels | To track educational progress and present it to the parent and child | | Content interaction events | Which lessons, activities, and games are started and completed | To recommend appropriate next content | | Session information | Session start time, session duration, date of use | To generate progress reports for parents | | Device information | Device type (e.g., tablet, phone), operating system version, screen size | To render the application correctly on the child's device | | Gamification data | Experience points, levels, streaks, and in-app currency balances (no real money) | To provide motivational feedback and track progress | | AI safety events | Records of content moderation actions | To ensure child safety and enforce content policies | | Voice and audio data (biometric) | Audio recordings of pronunciation exercises, transmitted to our AI speech provider for real-time analysis. Audio is processed and immediately discarded — it is never stored on Koydo servers or the provider's servers. Under the COPPA Amended Rule (April 22, 2026), voice recordings constitute biometric identifiers and are personal information. | To evaluate pronunciation accuracy in language learning exercises. Requires separate parental consent for third-party AI disclosure (see Section 2.8). | We do NOT collect the following from children under 13:

• Email addresses belonging to the child
• Precise geolocation
• Photographs or videos stored on our servers
• Persistent audio recordings (voice data for pronunciation exercises is transmitted, processed, and immediately discarded — never stored)
• Social media identifiers
• Advertising identifiers or persistent tracking identifiers
• Any data for behavioral advertising

2.3 Information Collected When Koydo Intelligence Is Enabled (OptIn)

Koydo Intelligence ("KI") is an optional feature that parents may enable or disable at any time. When KI is enabled, we collect additional behavioral signals through our PRISM system to provide an adaptive, personalized learning experience. These signals are described in full in Section 6 of this policy. KI is off by default for children under 13. A parent must affirmatively opt in to KI, and the parent is presented with a separate, specific disclosure of what KI collects before enabling it. The parent may disable KI at any time from the Parent Dashboard, and upon disabling, all PRISM signal data associated with the child is scheduled for deletion within 30 days.

2.4 How We Use Children's Information

We use information collected from children exclusively for the following purposes:

• Providing the educational service: Delivering lessons, quizzes, games, and learning activities appropriate to the child's age and skill level.
• Tracking learning progress: Generating progress reports visible to the child and parent.
• Adaptive learning (KI only): When KI is enabled, adjusting content difficulty, pacing, modality, and presentation based on the child's observed learning patterns.
• Safety and moderation: Monitoring AI-assisted interactions for safety and content policy compliance.
• Service improvement: Analyzing aggregated, de-identified usage patterns to improve our educational content and platform. No child's data is individually identifiable in these analyses.

We do NOT use children's information for:

• Behavioral advertising or targeted advertising of any kind
• Sale to third parties
• Creating public profiles or social networking features
• Any purpose unrelated to the educational service

2.5 Disclosure of Children's Information

We do not sell children's personal information. We do not disclose children's personal information to third parties except as follows:

• Service providers (with separate parental consent for AI disclosure): Certain features require transmitting children's data to the following specific third-party AI providers. Under the COPPA Amended Rule, we obtain separate parental consent before disclosing children's personal information to these third parties (see Section 2.8):
• OpenAI — AI tutoring conversations, content moderation checks, and pronunciation analysis (speech-to-text via Whisper API). Zero data retention (ZDR) enabled; data is processed and immediately discarded.
• Anthropic — Alternative AI tutoring model. Zero data retention enabled.
• Google (Gemini API) — Alternative AI tutoring model. Zero data retention enabled.
• ElevenLabs — Text-to-speech voice generation for read-aloud features. Only text prompts are sent (no child personal data).
• fal.ai — AI image generation for creative activities. Only text prompts are sent (no child personal data).
• Infrastructure providers (no separate consent required — essential to service operation):
• Supabase — Database hosting and authentication. Processes all account and learning data under DPA.
• Sentry — Error monitoring. Receives error logs with PII automatically scrubbed before transmission.
• Providers that do NOT receive child data:
• Stripe and RevenueCat — Payment processing for adult account holders only.
• Mixpanel — Product analytics, blocked for all users under 18.
• Vercel Analytics — Web performance metrics, blocked for all users under 15.
• Legal requirements: We may disclose information when required by law, subpoena, court order, or government request.
• Safety: We may disclose information when we believe in good faith that disclosure is necessary to protect the safety of a child.

2.6 Parent Rights Under COPPA

If you are the parent or legal guardian of a child under 13 using Koydo, you have the right to:

1. Review your child's data: Access a complete summary of all personal information Koydo has collected from your child, available through the Parent Dashboard or by emailing privacy@koydo.app.
2. Delete your child's data: Request deletion of all personal information collected from your child. You may do this through the Parent Dashboard ("Manage Child's Data" > "Delete All Data") or by emailing privacy@koydo.app. Deletion will be completed within 14 days of your confirmed request.
3. Disable Koydo Intelligence: Turn off KI at any time from the Parent Dashboard. Upon disabling, PRISM signal data will be deleted within 30 days.
4. Export your child's data: Download a machine-readable (JSON) export of all data associated with your child's account from the Parent Dashboard.
5. Revoke consent entirely: Withdraw your consent for Koydo to collect personal information from your child. Upon revocation, the child's account will be immediately deactivated. After a 14-day grace period (during which you may reverse your decision), all personal information will be permanently deleted.
6. Consent to collection without consenting to disclosure: You may consent to Koydo's collection and use of your child's information without consenting to disclosure to third parties. Note that declining disclosure to essential service providers may limit the availability of certain features (such as AI-powered tutoring, which requires an AI model provider).

To exercise any of these rights, visit the Parent Dashboard or contact us at privacy@koydo.app. We will verify your identity as the child's parent before fulfilling any request.

2.7 What Children Can Access Without Parental Consent

Before a parent provides consent, a child may browse Koydo's course catalog and read course descriptions. These activities do not involve the collection of personal information. All features that involve data collection are locked until parental consent is verified.

2.8 Separate Consent for ThirdParty AI Disclosure (COPPA Amended Rule)

Effective April 22, 2026, the COPPA Amended Rule requires operators to obtain separate, specific parental consent before disclosing a child's personal information to third parties, distinct from consent for the operator's own collection and use. Koydo implements this requirement as follows:

1. Two-part consent process: During the Verifiable Parental Consent flow, parents are presented with two distinct consent decisions:

• General consent: Consent for Koydo to collect and use the child's personal information as described in Sections 2.2 through 2.4 of this policy. This enables core platform features (lessons, quizzes, games, progress tracking) that do not involve third-party data disclosure.
• AI disclosure consent: Separate, specific consent for Koydo to transmit the child's personal information to the third-party AI providers named in Section 2.5 (OpenAI, Anthropic, Google Gemini) for the purpose of AI-powered tutoring, pronunciation analysis, and content moderation.

1. Consent without disclosure: A parent may consent to Koydo's collection and use of the child's data (general consent) without consenting to third-party AI disclosure. In this case:

• The child can use all non-AI features: lessons, quizzes, games, flashcards, progress tracking, and all offline-capable learning content.
• AI-powered features (AI tutoring, pronunciation exercises, photo tutor, AI-generated content) will be unavailable.
• The parent may grant AI disclosure consent at any time from the Parent Dashboard.

1. Revocation: A parent may revoke AI disclosure consent at any time from the Parent Dashboard without affecting general consent. Upon revocation, AI features are immediately disabled for the child, and a deletion request is sent to all AI providers.
2. Named third parties: The specific third-party AI providers to which data may be disclosed are: OpenAI, Inc. (AI tutoring, pronunciation analysis via Whisper API, content moderation), Anthropic, PBC (alternative AI tutoring), and Google LLC (Gemini API, alternative AI tutoring). All operate under zero data retention agreements. If Koydo adds a new AI provider that processes children's data, parents will be re-notified and re-consent will be required.
3. Voice/biometric data: Pronunciation exercises transmit audio recordings (biometric identifiers under the Amended Rule) to OpenAI's Whisper API. This disclosure requires AI disclosure consent. Audio is processed in real time and immediately discarded — neither Koydo nor OpenAI stores the audio.

COPPA's parental consent requirement applies to children under 13. For students between the ages of 13 and 17, the following applies:

3.1 Account Creation

Students age 13-17 may create their own Koydo account. During account creation, we collect:

• Email address
• Display name
• Birth date (to determine age group and applicable protections)
• Communication language preference

3.2 Parental Dashboard (Optional but Available)

Although parental consent is not legally required for users 13 and older under COPPA, we recognize that parents of teenagers may wish to monitor their child's educational progress. Parents may:

• Link their parent account to a teen's Koydo account (with the teen's approval)
• View learning progress and session activity
• Request data export or deletion on behalf of the teen (subject to the teen's confirmation for users 16 and older)
• Disable Koydo Intelligence for the teen's account

3.3 Data Collection for Teens

We collect the same categories of data from teen users as described in Section 2.2 (Default Mode), plus:

• Email address: The teen's own email address for account management and communications.
• AI tutor conversations: Text-based interactions with our AI tutoring system, retained for 90 days.
• Photo Tutor images: Homework photos submitted to the Photo Tutor, transmitted to the AI provider but not stored on Koydo servers. Available for users 13 and older.
• Social features: Direct messages, workspace participation, and social challenge participation, where the teen elects to use these features.
• Analytics: Third-party analytics (Mixpanel) are blocked for users under 18. No behavioral advertising identifiers are collected from teens.

3.4 Koydo Intelligence for Teens

KI is available to teens and may be enabled by the teen or their linked parent. The same PRISM signals described in Section 6 are collected when KI is enabled. Teens may disable KI at any time from their account settings.

3.5 Teen Rights

Teen users may:

• Access and review all data in their account
• Export their data in machine-readable format
• Delete their account and all associated data
• Enable or disable Koydo Intelligence
• Control social feature participation

4.1 Data Collection

Adult users (18 and older) provide and generate the following data:

• Account information: Email address, display name, birth date, communication language, billing state, avatar, theme and accessibility preferences.
• Learning data: All categories described in Section 2.2 (Default Mode), plus AI tutor conversations, Photo Tutor submissions, and social features.
• Koydo Intelligence: Available and may be enabled at any time. See Section 6 for details.
• Payment information: When subscribing or making purchases, payment is processed through Stripe. Koydo does not store credit card numbers, CVVs, or full payment card details. We store only a Stripe payment intent identifier and subscription status.
• Analytics: With your consent, we collect usage analytics through Mixpanel to improve the Service. You may opt out at any time through Settings or by using your browser's Do Not Track signal.
• Web performance data: We collect anonymized web performance metrics (page load time, interaction responsiveness) through Vercel Analytics to maintain platform performance.

4.2 How We Use Adult Data

In addition to the educational purposes described in Section 2.4, adult data may be used for:

• Account management and billing
• Personalized content recommendations
• Platform analytics and improvement (with consent)
• Communications about account status, new features, and educational content (with opt-out available)
• Fraud prevention and security

4.3 Adult Rights

Adult users may exercise all rights described in Section 10 of this policy.

Koydo Distill is our notes and study companion application. It includes a voice recording feature for capturing lectures and study notes.

5.1 Voice Recordings

• Processing: When you record audio through Koydo Distill, the recording is transmitted to our AI provider for transcription. The audio is processed in real time and is not stored on Koydo's servers after transcription is complete.
• Transcripts: The text transcript generated from your recording is stored in your Koydo account and is accessible only to you (and your parent, if you are under 18 and a parent account is linked).
• No server-side audio storage: Koydo does not retain audio recordings on its servers. Audio is processed and discarded. If this practice changes in the future, we will update this policy and, for users under 13, re-obtain parental consent.
• AI provider processing: Audio is transmitted to our AI provider under a Data Processing Agreement with zero data retention terms. The provider does not store, train on, or retain your audio data.
• Children under 13: Voice features for children under 13 follow a process-and-discard model. No audio is stored on any server. Parental consent is required before any voice feature is accessible.

5.2 Notes and Documents

• Notes, summaries, and study materials created in Koydo Distill are stored in your account and retained for the lifetime of your account.
• You may export or delete your notes at any time.

Koydo Intelligence is our adaptive learning engine. When enabled, it uses the PRISM (Prismatic Learning Intelligence Signal Model) system to observe how a learner interacts with the platform, not just what they answer, but how they engage. PRISM uses these observations to adjust content difficulty, pacing, and presentation style in real time. KI is entirely optional. It is off by default for users under 13 and requires affirmative opt-in.

6.1 What PRISM Collects (46 Behavioral Signals Across 7 Categories)

When KI is enabled, PRISM collects the following categories of behavioral signals. All signals are numeric measurements of interaction patterns. PRISM does not collect names, photos, audio, or any content the user creates -- only measurements of how the user interacts with learning activities.

Timing Patterns (6 signals)

How quickly or slowly a learner works through activities:

• How long a learner pauses before acting on a question
• How long it takes to complete an activity
• The gap between successive actions
• Whether the learner is speeding up or slowing down over time
• How consistent the learner's working rhythm is
• How long the learner thinks before submitting an answer

Touch and Movement Patterns (8 signals)

How precisely and comfortably a learner interacts with the screen:

• Accuracy of taps on intended targets
• Speed of drawing strokes
• Smoothness of drawing strokes
• Precision when coloring within boundaries
• How quickly the learner scrolls through content
• Accuracy when dragging objects to targets
• Complexity of gestures used
• How frequently the learner uses the eraser tool

Color Preferences (6 signals)

What colors a learner gravitates toward when given choices in creative activities:

• Which colors are selected most often
• How many different colors are used
• Preference for warm versus cool colors
• Preference for bright versus muted colors
• Whether color choices are consistent across sessions
• How often dark colors are chosen

Spatial Preferences (6 signals)

How a learner organizes and navigates visual elements:

• Preferred shapes in creative activities
• How organized the learner's spatial arrangements are
• Preference for symmetrical versus asymmetrical layouts
• Preferred sizes of drawn or placed elements
• Where on the screen the learner tends to place objects
• How the learner navigates between screens and activities

Persistence and ProblemSolving Patterns (8 signals)

How a learner responds to challenges, errors, and difficulty:

• Whether the learner retries after making an error
• How long it takes to recover from an error and try again
• When the learner requests hints (early, middle, or late in a problem)
• How many consecutive failures the learner endures before stopping
• Whether the learner voluntarily repeats completed activities
• How often the learner skips activities
• Whether the learner seeks out harder or easier content
• How quickly the learner recovers from frustration

Social Interaction Patterns (5 signals)

How the learner engages with collaborative and competitive features:

• Whether the learner checks leaderboards or peer comparisons
• Preference for collaborative versus individual activities
• How often the learner shares achievements or content
• Response to competitive elements (motivated, neutral, or discouraged)
• How often the learner helps peers

Daily and Session Patterns (7 signals)

When and how long the learner engages with the platform:

• What time of day sessions typically begin
• How long each session lasts
• How quickly engagement declines during a session
• How long it takes the learner to "warm up" at the start of a session
• The time of day when the learner performs best
• Which days of the week the learner is most active
• How often the learner takes breaks during a session

6.2 What PRISM Derives from These Signals

PRISM combines the 46 raw signals into composite indices that guide the adaptive learning system:

• Cognitive load estimate: Whether the learner appears under-challenged, appropriately challenged, or overwhelmed.
• Emotional state estimate: Whether the learner appears to be thriving, neutral, or struggling.
• Developmental stage markers: Fine motor development, spatial reasoning development, and abstraction level, used to select age-appropriate content.
• Learning modality preference: Whether the learner responds best to visual, kinesthetic, auditory, or reading/writing activities.
• Engagement quality: Whether the learner is actively engaged, passively present, or disengaging.
• Frustration risk: Real-time estimate of whether the learner is becoming frustrated, used to trigger difficulty adjustments or break suggestions.
• Curiosity indicators: Whether the learner is voluntarily exploring content, used to offer enrichment opportunities.
• Confidence calibration: Whether the learner's confidence matches their performance, used to provide appropriate encouragement or challenge.
• Attention quality: Sustained attention estimate within a session, used to suggest breaks when attention wanes.
• Intrinsic motivation: Whether the learner is engaging voluntarily and with interest, versus completing tasks under external pressure.

6.3 How PRISM Uses This Data

PRISM data is used exclusively to:

1. Adjust difficulty: Make questions easier or harder based on the learner's current state.
2. Switch modality: If a learner responds better to visual activities than text-based ones, present more visual content.
3. Suggest breaks: When attention or engagement declines, suggest a break.
4. Offer encouragement: When frustration risk is elevated, provide supportive feedback.
5. Optimize session length: Recommend session durations based on the learner's observed attention patterns.
6. Generate parent reports: Provide parents with insights into their child's learning patterns and progress.

PRISM data is never used for advertising, behavioral profiling for non-educational purposes, sale to third parties, or any purpose outside of the educational service.

6.4 PRISM Data and Children Under 13

For children under 13:

• PRISM is off by default and requires specific parental opt-in.
• Parents receive a dedicated disclosure describing all 46 signals before opting in.
• Parents may disable PRISM at any time. Upon disabling, all raw PRISM signal data is deleted within 30 days.
• Aggregated PRISM profiles (the derived indices described in Section 6.2) are deleted upon account deletion or parental request.
• PRISM data is never shared with third parties.

We use the following third-party service providers to operate the Service. Each provider processes data only as directed by Koydo and only for the purpose of providing their service to us. | Provider | Service | Data Processed | Processes Child Data? |

|---|---|---|---| | Supabase | Database and authentication hosting | All account data, learning data, profiles | Yes | | OpenAI | AI tutoring, content generation, moderation | AI conversation text, moderation checks | Yes (with parental consent; zero data retention enabled) | | Anthropic | AI tutoring (alternate model) | AI conversation text | Yes (with parental consent; zero data retention enabled) | | Google (Gemini API) | AI tutoring (alternate model) | AI conversation text | Yes (with parental consent; zero data retention enabled) | <!-- Removed: xAI/Grok — regulatory risk for child-serving platform. DO NOT RE-ENABLE. --> | ElevenLabs | Audio asset pre-generation only (server-side text-to-speech, generating static audio files baked into Koydo content; not used for live, per-user AI traffic) | Koydo-authored scripts only; no User personal data is sent | No — content tooling, not a User-data processor | | fal.ai | AI image generation | Text prompts for image generation | Limited (text prompts only; no child personal data sent; requires AI disclosure consent for under-13) | | Stripe | Payment processing | Payment card information, billing details | No (adults only) | | RevenueCat | Subscription management (mobile) | Subscription status, purchase receipts | No (adults only) | | Vercel | Web hosting and performance analytics | Web performance metrics, IP addresses (anonymized) | No (blocked for users under 18 via age-gated analytics) | | Mixpanel | Product analytics | Usage events, feature interactions | No (blocked for users under 18) | | Sentry | Error monitoring | Error logs, stack traces (PII auto-scrubbed) | Limited (error data only; PII scrubbed by policy) | Important notes regarding child data and third-party processors:

• All AI model providers that process child data operate under zero data retention (ZDR) agreements or configurations. This means conversational data sent to these providers is processed and immediately discarded by the provider; it is not stored, logged, or used for model training.
• Mixpanel analytics are completely blocked for all users under 18. No analytics events, device identifiers, or behavioral data are sent to Mixpanel for minors.
• Stripe and RevenueCat process payment data only for adult account holders. Children do not have a direct payment relationship with Koydo.
• ElevenLabs is used only to pre-generate static audio assets that ship with Koydo content (server-side rendering of Koydo-authored scripts). It does not receive User personal data, AI conversations, or live per-User traffic. It is listed in the table for completeness; it is not a User-data processor.

Sub-processors and change notifications. The processors listed above retain their own sub-processors (for example, Supabase uses AWS; Vercel uses Cloudflare and AWS). The current authoritative list of Koydo direct processors and their material sub-processors — together with a free email subscription to be notified of additions or replacements — is published at /legal/subprocessors. Where a User or Institutional customer reasonably objects to a new sub-processor within thirty (30) days of notice, Koydo will work in good faith to address the objection, including by offering an alternative arrangement or, where no reasonable alternative exists, terminating the affected service for that customer.

We retain different categories of data for different periods, based on the purpose of collection and applicable legal requirements. | Data Category | Retention Period | Basis |

|---|---|---| | Account information (email, display name, birth date, grade) | Lifetime of account | Necessary to provide the service | | Learning progress (lesson completion, skill mastery, quiz scores) | Lifetime of account | Core educational record | | Gamification data (XP, levels, streaks, currency) | Lifetime of account | Part of the learning experience | | AI tutor conversations — under 13 (Children) | 30 days from creation | COPPA data-minimization (16 C.F.R. § 312.7); shortest period sufficient for safety, abuse detection, and dispute resolution | | AI tutor conversations — 13–17 (Teens) | 90 days from creation | Sufficient for safety review and pedagogical continuity | | AI tutor conversations — 18+ (Adults) | 12 months from creation | Sufficient for context continuity and dispute resolution | | PRISM raw signal events | 1 year from creation | Necessary for longitudinal adaptive learning analysis | | PRISM session snapshots | 90 days from creation | Short-term adaptive decision-making | | PRISM learner profiles (aggregated composites) | Lifetime of account (deleted upon request or account deletion) | Long-term personalization | | PRISM interventions (pedagogical actions) | 1 year from creation | Evaluating effectiveness of learning adaptations | | Session records (study sessions) | 1 year from creation | Progress reporting and analytics | | AI safety and moderation events | 1 year from creation | Safety audit trail and regulatory compliance | | Direct messages | Lifetime of account | User communication record | | Payment and financial records | 7 years from transaction | Tax and financial regulatory compliance | | Legal evidence (consent records, policy acceptances, IP at consent) | Indefinite | Legal compliance and audit trail | | Deletion audit logs (anonymized, no PII) | Indefinite | Verification that deletion was executed | | Device login information | Until consumed or expired | Temporary; used only for device login flow | | Koydo Distill voice recordings | Not retained | Process-and-discard; no server storage | | Pronunciation exercise audio | Not retained | Biometric data (voiceprint); transmitted to AI provider, processed in real time, and immediately discarded. Never stored by Koydo or the provider. | | Koydo Distill transcripts and notes | Lifetime of account | User-created content | Upon account deletion:

• All personal data is permanently deleted within 14 days of confirmed deletion request (consumer accounts) or 30 days (institutional accounts).
• Financial records are anonymized (user identifiers removed) and retained for the legally required period.
• Deletion audit records are retained in anonymized form (no personal identifiers) to verify that deletion was properly executed.
• Third-party providers are notified to delete associated data under their contractual privacy obligations.

Legal hold exception. The retention periods above may be extended only for specific User accounts subject to a documented written legal hold (active dispute, regulatory inquiry, court order, subpoena, or formal claim). Legal holds are issued through a documented internal process; they apply only to the specific account(s) implicated; they auto-expire when the trigger event closes; and they do not justify general retention beyond the periods stated above for any other User. The "dispute resolution" rationale alone does not authorize indefinite retention.

We implement technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Koydo maintains a formal Written Information Security Program as required by COPPA 16 C.F.R. § 312.8. A summary of our security measures follows; the full program document is available upon request to privacy@koydo.app.

9.1 Encryption

• In transit: All data transmitted between your device and Koydo's servers is encrypted using TLS 1.2 or higher.
• At rest: All data stored in our databases is encrypted at rest using AES-256 encryption.
• Payment data: All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. Koydo never stores, processes, or transmits raw payment card data on its own servers.

9.2 Access Controls

• Access to user data is restricted to authorized personnel on a need-to-know basis.
• Administrative access to production systems requires multi-factor authentication.
• All access to child data is logged and auditable.

9.3 AI Safety Architecture

• All AI interactions involving children pass through a multi-layer safety system including content moderation, persona safety constraints, and fail-closed circuit breakers.
• If the moderation system is unavailable, AI features are automatically disabled (fail-closed design).
• AI safety events are logged for audit and review.

9.4 SOC 2 Compliance

Koydo is pursuing SOC 2 Type II certification. Our infrastructure provider (Supabase/AWS) maintains SOC 2 Type II certification. We will update this policy when Koydo's own SOC 2 certification is achieved.

9.5 Breach Notification

In the event of a data breach affecting personal information:

• We will notify affected users (or parents, in the case of children) without undue delay and in any event within 72 hours of becoming aware of the breach.
• We will notify the Federal Trade Commission and any applicable state attorneys general as required by law.
• For EU users, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33.
• Notification will include: the nature of the breach, the categories of data affected, likely consequences, and measures taken to address the breach.

10.1 All Users

Regardless of age or location, all Koydo users (or their parents, for children) have the right to:

• Access: Request a copy of all personal information we hold about you.
• Correction: Request correction of inaccurate personal information.
• Deletion: Request deletion of your account and associated personal information.
• Export: Download your data in a machine-readable format (JSON).
• Opt out of analytics: Disable optional analytics collection at any time.

10.2 Parents of Children Under 13 (COPPA Rights)

See Section 2.6 for a complete description of parental rights, including the right to review, delete, export, disable KI, and revoke consent.

10.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"): CCPA core rights:

• Right to know. Request a copy of the personal information we have collected about you, the categories of sources, the purposes of collection, and the categories of third parties with whom we share it.
• Right to correct. Request correction of inaccurate personal information.
• Right to delete. Request deletion of your personal information, subject to limited statutory exceptions.
• Right to opt out of sale or share. Koydo does not sell or share personal information for cross-context behavioral advertising. We nevertheless honor "Do Not Sell or Share My Personal Information" requests at /legal/do-not-sell.
• Right to non-discrimination. We will not deny service, charge a different price, or provide a different level of service because you exercised any of these rights.

CPRA additional rights (effective for all Koydo California Users):

• Right to limit use and disclosure of Sensitive Personal Information. California recognizes certain categories of personal information as "sensitive" — including precise geolocation, biometric identifiers used for unique identification, health information, racial or ethnic origin, religious beliefs, contents of mail or messages, financial-account credentials, sex life or sexual orientation, and the fact that an individual is a minor. You may direct Koydo to use Sensitive Personal Information only for the purposes that are reasonably necessary to provide the Service and for the additional purposes permitted by Cal. Civ. Code § 1798.121(b). To exercise this right, visit /legal/limit-sensitive-pi.
• Right to opt out of profiling and automated decision-making with significant effect. Where Koydo uses automated processing — for example, the PRISM behavioral signal system that informs adaptive learning decisions described in Section 6 — you may opt out of having that processing applied to your account. When you opt out, Koydo serves a non-personalized version of the adaptive learning experience. You can opt out at any time in Account Settings.
• Right to information about automated decision-making logic. You may request meaningful information about the logic involved in any automated decision, the significance of the processing, and the envisioned consequences. Koydo's authoritative disclosure of its automated decision-making logic — the PRISM signal taxonomy, derived indices, and how the indices are used — is published at /legal/automated-decisions.

To exercise any of these rights, contact us at privacy@koydo.app or use the controls in your account settings. We respond within forty-five (45) calendar days, with one forty-five-day extension where reasonably necessary, in line with CCPA § 1798.130.

10.4 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR / FADP)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following additional rights, in each case as recognized by the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the United Kingdom General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), and the Swiss Federal Act on Data Protection (revised effective 1 September 2023, "FADP"):

• Right of access (Art. 15) — request a copy of your personal data.
• Right to rectification (Art. 16) — correct inaccurate or incomplete data.
• Right to erasure / "right to be forgotten" (Art. 17) — request deletion in the circumstances specified by law.
• Right to restriction of processing (Art. 18).
• Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format (we provide JSON).
• Right to object (Art. 21) — object to processing based on legitimate interest, including profiling.
• Right not to be subject to a decision based solely on automated processing (Art. 22) where the decision produces legal or similarly significant effects.
• Right to withdraw consent at any time for processing based on consent (Art. 7(3)).
• Right to lodge a complaint with your local supervisory authority. EEA Users may identify their authority at edpb.europa.eu; UK Users may contact the Information Commissioner's Office at ico.org.uk; Swiss Users may contact the Federal Data Protection and Information Commissioner at edoeb.admin.ch.

Legal bases for processing. Koydo processes personal data under the following lawful bases identified by Art. 6 GDPR and corresponding provisions of UK GDPR and FADP: contract performance (delivering the Service you signed up for); legitimate interest (adaptive learning, platform security, service improvement, fraud prevention, debugging); consent (Koydo Intelligence opt-in, optional analytics, marketing-showcase use of co-created content per TOS § 8.4(c)); and legal obligation (child safety, financial recordkeeping, regulator response). For each processing activity, the applicable legal basis is recorded in our internal Article 30 record of processing activities, available to supervisory authorities on request. Privacy Team. Koydo's Privacy Team is the single point of contact for data-protection inquiries and is reachable at privacy@koydo.app. Koydo does not currently designate a named individual as Data Protection Officer; where Koydo becomes required to maintain a formal DPO under GDPR Article 37, the appointment will be reflected in this Section and at Koydo's legal version history. EU / UK Article 27 Representatives — pending. Koydo has not yet appointed representatives under GDPR Article 27 or UK GDPR Article 27. The status of these appointments is published at the international transfer notice and Koydo's legal version history and will be updated when appointments are made. Pending appointment, EEA and UK data subjects may contact Koydo's Privacy Team directly at privacy@koydo.app. EEA data subjects retain the right to lodge a complaint with the supervisory authority of their habitual residence; UK data subjects retain the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk. Cross-border transfers. Your personal data is transferred to and processed in the United States. Koydo relies on the following transfer mechanisms, each documented and available for inspection at the international transfer notice:

• EU SCCs — the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914, Modules 2 (Controller-to-Processor) and 3 (Processor-to-Processor), as appropriate to the processing relationship;
• UK Addendum to the EU SCCs — the International Data Transfer Addendum issued by the UK Information Commissioner's Office (version B1.0, in force 21 March 2022), which incorporates the EU SCCs into UK law for transfers from the United Kingdom; and
• Swiss FADP addendum — the supplementary clauses recognized by the Swiss Federal Data Protection and Information Commissioner for transfers from Switzerland.

Koydo has performed transfer impact assessments addressing FISA Section 702, Executive Order 12333, and the EU-U.S. Data Privacy Framework. Koydo's certification status under the Data Privacy Framework, where applicable, is published at the international transfer notice. Member-state age thresholds. For Users in EU member states where the GDPR parental-consent age threshold is higher than 13 (Art. 8 GDPR and member-state implementations), Koydo applies the stricter threshold. Examples: Germany and the Netherlands require parental consent up to age 16; France up to age 15. Users in the United Kingdom are governed by the UK GDPR's age 13 threshold and the UK Age Appropriate Design Code (Children's Code) standards.

Koydo is based in the United States. If you access the Service from outside the United States, your data will be transferred to, stored in, and processed in the United States and any other country where Koydo or its processors operate.

• EEA Users: Transfers from the EEA to the United States are made pursuant to the EU Standard Contractual Clauses (Decision 2021/914), Modules 2 and 3 as applicable, executed with each U.S.-based processor. The text of the executed clauses (or a redacted summary where the underlying contract is confidential) is published at the international transfer notice.
• UK Users: Transfers from the United Kingdom to the United States are made pursuant to the UK Addendum to the EU SCCs (B1.0, 21 March 2022), adopted by the Information Commissioner's Office, executed alongside the EU SCCs above. Alternatively, where executed separately with a processor, Koydo relies on the UK International Data Transfer Agreement (IDTA).
• Swiss Users: Transfers from Switzerland to the United States rely on the EU SCCs as supplemented by the FADP-specific addendum recognized by the Swiss Federal Data Protection and Information Commissioner.
• Sub-processor transfers: Koydo's direct processors (e.g., Supabase, Vercel) and their sub-processors (e.g., AWS, Cloudflare) are subject to flow-down obligations under their respective DPAs. The current sub-processor list is at /legal/subprocessors.
• AI model providers: OpenAI, Anthropic, and Google process data in the United States under zero data retention configurations, meaning your data is not persistently stored by these providers and is not used for model training.

If you would like a copy of the executed transfer mechanism for a specific data flow, contact privacy@koydo.app — Koydo will provide the document or a redacted summary within thirty (30) days.

12.1 What Counts as a "Material Change"

A change to this Privacy Policy is material if it touches any of the following:

1. Categories of personal data Koydo collects;
2. Identity of Koydo's processors or sub-processors;
3. Data retention periods;
4. User rights or how to exercise them;
5. Any provision specifically governing Children, Teens, or Parents;
6. Security commitments or breach-notification timelines;
7. International transfer mechanisms; or
8. Lawful bases for processing.

Non-material changes — typographical fixes, formatting, restructuring, and clarifying language that does not alter rights or obligations — may be published without advance notice; the publication itself updates the version recorded in Koydo's legal version history.

12.2 Notice Process for Material Changes

For material changes affecting adults (18+) and teens (13–17), Koydo provides at least thirty (30) days' advance notice via:

1. Email to the address associated with your account; and
2. In-app notification displayed prominently within the Service; and
3. A one-click "review changes" page summarizing what changed and why.

Continued use after the effective date constitutes acceptance. You may decline by closing your account before the effective date.

12.3 Children Under 13 — ReVerifiableParentalConsent

For material changes affecting any provision governing Children under 13 — including changes to data categories, processors, retention periods, or children-specific rights — Koydo will, consistent with 16 C.F.R. § 312.5, re-obtain Verifiable Parental Consent before the change applies to existing Child Profiles. Until re-consent is obtained from a Parent, the previously-consented practices remain in effect for that Child Profile. If a Parent does not respond, the affected Child Profile remains on the previously-consented practices; Koydo will not silently default to the new practices.

12.4 LegallyRequired Changes

Changes required by law, regulation, court order, or regulator directive may be implemented with shorter notice or with immediate effect, with the legal basis recorded in the changelog at Koydo's legal version history.

Koydo uses a small number of cookies and similar local-storage technologies — strictly necessary cookies for authentication and security, functional storage for accessibility and locale preferences, and (only with consent in the EEA, UK, and Switzerland) analytics cookies for Mixpanel and Vercel performance metrics. Koydo does not use advertising cookies; Koydo does not run advertising of any kind. For users in the EEA, UK, and Switzerland, Koydo presents a consent banner on first visit allowing you to accept or reject non-essential cookies; your choice is stored and respected. For users elsewhere, the same controls are available in your account settings under "Manage Cookies." A complete cookie inventory — including each cookie name, purpose, provider, retention, and type — is published at /legal/cookies. Mobile applications (Flutter native, native iOS Swift, native Android) do not use web cookies. Where those applications use platform-level analytics or measurement frameworks, consent is obtained through the platform's native consent mechanism — Apple App Tracking Transparency (ATT) on iOS and Google's User Messaging Platform (UMP) on Android — not through this web Privacy Policy or any embedded web banner.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us at: KOYDO LLC 940 W. FM 544 #332 Wylie, Texas 75098-5157 United States Telephone: +1 (214) 218-6693 Email: privacy@koydo.app | Inquiry type | Email | Subject line | Response window |

|---|---|---|---| | General privacy inquiry | privacy@koydo.app | Privacy Inquiry | 30 days | | COPPA parental request (under 13) | privacy@koydo.app | COPPA Parent Request | 14 days | | GDPR / UK GDPR / FADP request | privacy@koydo.app | GDPR Data Request | 30 days (extendable by 60 per Art. 12(3)) | | CCPA / CPRA request | privacy@koydo.app | CCPA Request | 45 days (extendable by 45) | | FERPA / school request | privacy@koydo.app | School Data Request | 30 days | | Data breach concern | privacy@koydo.app | Security Incident | Without undue delay | Privacy Team. Koydo's Privacy Team is the single point of contact for data-protection matters and is reachable at privacy@koydo.app. Koydo does not currently designate a named individual as Data Protection Officer in this Privacy Policy; where Koydo is required to maintain a formal DPO under GDPR Article 37, the appointment will be reflected in this Section and at Koydo's legal version history. EU / UK Article 27 Representatives — pending appointment. EEA and UK data subjects may contact the Privacy Team directly at privacy@koydo.app while these appointments are pending. The current status is at the international transfer notice.

Reviewed and approved by Robert Waltos, Founder & Chief Executive Officer of KOYDO LLC, on May 9, 2026. Mr. Waltos attests, to the best of his knowledge as of the effective date, that the substantive content of this Privacy Policy reflects Koydo LLC's actual data-handling practices, processor relationships, security commitments, and legal posture. This attestation does not substitute for outside legal counsel review, which is scheduled per the company's annual review cadence. External regulators, users, and counterparties may rely on the substantive content of this document; any inaccuracy will be corrected promptly upon discovery and any material change will follow Section 12 above.

Koydo Privacy Policy v2026-05-09 — Effective May 9, 2026 — supersedes v1.0 (April 1, 2026)

These addenda supplement the Koydo Terms of Service and Privacy Policy. The addendum for a user's location, billing region, school relationship, or child-safety law applies in addition to the main documents. If an addendum conflicts with the main document for a covered user, the addendum controls for that user.

Applies to: Users physically located in or with primary residence in the State of Texas. Version: 2026-05-09 Effective Date: 2026-05-09 Companion: TX-SCOPE Addendum — applies in parallel for Users known to be under 18 and for Institutional school accounts.

For Texas Users, these Terms are governed by the laws of the State of Texas. Any litigation arising from these Terms (where arbitration does not apply per TOS §11) shall be brought exclusively in the state or federal courts located in Collin County, Texas, except as provided by TOS §11.10 (Minors carve-out).

For Texas consumers, non-waivable rights under the Texas Deceptive Trade Practices–Consumer Protection Act (DTPA), Tex. Bus. & Com. Code Chapter 17, remain available and are not limited by these Terms.

Texas consumer rights under the TDPSA (Tex. Bus. & Com. Code Chapter 541) — access, correct, delete, portability, opt-out of targeted advertising / sale / profiling — are described in the TX-SCOPE Addendum §3.

Automatic-renewal disclosures, affirmative consent, and cancellation access are provided in compliance with applicable Texas law (Tex. Bus. & Com. Code § 17.46(b)(38) and related provisions).

For Institutional Accounts in Texas (school districts, charter schools, accredited private schools, homeschool cooperatives), see TX-SCOPE Addendum §2.

Nothing in these Terms waives any non-waivable Texas consumer right.

Texas General Addendum v2026-05-09 — Effective May 9, 2026

Applies to: Users physically located in or with primary residence in the State of Texas, United States. Version: 2026-05-09 Effective Date: 2026-05-09 Authoritative documents: /legal/terms-of-service and /legal/privacy-policy This Addendum supplements the Terms of Service and Privacy Policy as they apply to Koydo Users in Texas. It implements Koydo's compliance with the Texas Securing Children Online through Parental Empowerment Act (SCOPE Act), codified at Tex. Bus. & Com. Code Chapter 509 (effective September 1, 2024), the Texas Data Privacy and Security Act ("TDPSA"), codified at Tex. Bus. & Com. Code Chapter 541, and the Texas Student Privacy Act. Where this Addendum and the body of the Terms or Privacy Policy conflict, this Addendum controls solely with respect to Users in Texas.

For each Texas User Koydo knows or reasonably believes to be under 18 ("Minor"), Koydo:

1. Verifies parental identity and consent before the Minor's account is activated, using the Verifiable Parental Consent process described in TOS §3.2 and Privacy Policy §2.
2. Restricts known-Minor accounts from the following data practices:

• Targeted advertising — not applicable, because Koydo does not run advertising of any kind.
• Sale of personal data — not applicable, because Koydo does not sell personal data.
• Sharing of personal data with third parties for purposes other than providing the Service.
• Use of the Minor's personal data to train, fine-tune, evaluate, or improve any AI model.

1. Provides parental access to:

• The Minor's account, including a parent dashboard with visibility into the Minor's activity, time-on-platform, and content interactions.
• Tools to manage privacy settings on behalf of the Minor.
• The ability to delete the Minor's account or any associated data.

1. Defaults privacy settings for known-Minor accounts to the most protective configuration available (PRISM off, social features at "friends only" for under-13 and as set by the Minor for 13–17, no public profile).
2. Implements safety filters for harmful content categories enumerated in the SCOPE Act (suicide/self-harm promotion, eating disorders, substance abuse, harassment, sexual exploitation), with a parental escalation path.

For Institutional Accounts in Texas (school districts, charter schools, accredited private schools, and homeschool cooperatives), Koydo:

• Acts as a "School Official" under FERPA (20 U.S.C. § 1232g) with a legitimate educational interest in providing the Service.
• Processes student education records solely as directed by the Institution under the institutional agreement.
• Does not sell student data, target advertising to students, or use student data for any purpose other than providing the Service.
• Provides a 30-day institutional deletion workflow for any school requesting deletion of student data.

Texas residents whose accounts are subject to the TDPSA may exercise the following rights:

• Right of access — request a copy of personal data held by Koydo.
• Right to correct inaccuracies.
• Right to delete personal data.
• Right to data portability in machine-readable format.
• Right to opt out of targeted advertising — not applicable; Koydo does not run advertising.
• Right to opt out of the sale of personal data — not applicable; Koydo does not sell personal data.
• Right to opt out of profiling in furtherance of decisions producing legal or similarly significant effects — Koydo's PRISM system does not produce such decisions; see /legal/automated-decisions.
• Right to appeal any denial of a TDPSA request — appeals may be sent to privacy@koydo.app with subject "TDPSA Appeal."

To exercise these rights, contact privacy@koydo.app or use the controls in your account settings. Koydo responds within 45 days.

In the event of a breach affecting Texas residents, Koydo notifies affected Users without unreasonable delay and in compliance with Tex. Bus. & Com. Code § 521.053. Where the breach affects 250 or more Texas residents, Koydo also notifies the Office of the Texas Attorney General within 30 days.

Disputes brought by Texas Users are governed by Texas law, in the courts of competent jurisdiction in Collin County, Texas, consistent with TOS §11.8 and §11.10 (minors carve-out from arbitration).

Koydo cooperates in good faith with inquiries from the Office of the Texas Attorney General regarding compliance with the SCOPE Act, TDPSA, and Texas Student Privacy Act. Inquiries should be directed to legal@koydo.app.

Texas SCOPE / TDPSA / Student Privacy Addendum v2026-05-09 — Effective May 9, 2026

Applies to: Users physically located in or with primary residence in the State of California, United States. Version: 2026-05-09 Effective Date: 2026-05-09 Authoritative documents: /legal/terms-of-service and /legal/privacy-policy This Addendum supplements the Terms of Service and Privacy Policy as they apply to Koydo Users in California.

California Users' privacy rights — including the right to know, correct, delete, opt out of sale or share (Koydo does neither), opt out of profiling and automated decision-making with significant effects, limit use of Sensitive Personal Information, and non-discrimination — are enumerated at Privacy Policy §10.3. Koydo does not sell or share personal information for cross-context behavioral advertising and does not run advertising of any kind. The "Do Not Sell or Share My Personal Information" request is available at /legal/do-not-sell. The "Limit Use of Sensitive Personal Information" control is at /legal/limit-sensitive-pi. Automated-decision-making logic disclosure is at /legal/automated-decisions. Koydo honors the Global Privacy Control (GPC) browser signal as a valid opt-out of sale, share, and analytics tracking.

To the extent the California Age-Appropriate Design Code is enforceable (subject to ongoing litigation), Koydo voluntarily aligns with its design standards for known-Minor accounts (under 18), including:

• Default privacy settings to most protective (PRISM off, no public profile, social features at "friends only" for under-13).
• Plain-language disclosure at the /legal/privacy-summary.
• No dark patterns — refusing or revoking consent is no harder than granting it.
• Data minimisation — collect no more than reasonably necessary for the educational purpose.
• No profiling for non-educational purposes — PRISM is pedagogical only.

For Institutional Accounts serving California schools, Koydo complies with SOPIPA (Cal. Bus. & Prof. Code §§ 22584–22585):

• No targeted advertising to students based on data acquired through the Service.
• No use of student data to amass a profile other than for K-12 school purposes.
• No selling, renting, trading, or otherwise making available a student's personal information.
• No disclosure of student personal information except as enumerated by SOPIPA.

For California consumers purchasing auto-renewing subscriptions through Koydo:

• Clear and conspicuous disclosure of auto-renewal terms at the time of purchase, including renewal cycle, renewal price, and cancellation method.
• Affirmative consent to the auto-renewal at checkout.
• Acknowledgment confirmation post-purchase including the foregoing.
• Annual renewal reminder for annual subscriptions, sent 15–45 days before renewal.
• Easy cancellation through Account Settings → Subscription, online and without unreasonable friction.
• Refund alignment with TOS §4.4 (14-day no-questions for annual; pro-rata thereafter; cancel-anytime for monthly).

Under California Civil Code § 1789.3, California residents may contact the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs at 1625 N. Market Blvd., Suite N-112, Sacramento, California 95834, or by telephone at (800) 952-5210.

Nothing in these Terms waives any non-waivable consumer protection right available to California residents under California law, including but not limited to those under the California Consumer Privacy Act (as amended by the CPRA), the California Online Privacy Protection Act, the California Invasion of Privacy Act, the SHIELD Act analogues, and applicable consumer-protection statutes. Where a non-waivable California right conflicts with the body of these Terms, the California right controls.

California Addendum v2026-05-09 — Effective May 9, 2026

Applies to: Users physically located in or with primary residence in the State of New York, United States. Version: 2026-05-09 Effective Date: 2026-05-09 Companion: NY-SAFE Addendum — applies in parallel for Users known to be under 18. Authoritative documents: /legal/terms-of-service and /legal/privacy-policy

For New York consumers purchasing auto-renewing subscriptions through Koydo (Stripe-processed):

• Clear and conspicuous disclosure of auto-renewal terms at purchase.
• Affirmative consent at checkout.
• Renewal reminder for annual subscriptions between 15 and 45 days before renewal, with a one-click cancellation link.
• Easy cancellation via Account Settings → Subscription, with no friction designed to deter cancellation.

For New York schools, school districts, BOCES, and charter schools, see the NY-SAFE Addendum §2 for the Parents' Bill of Rights, Data Security and Privacy Plan, subcontractor disclosure, and annual reporting commitments.

Koydo implements administrative, technical, and physical safeguards consistent with General Business Law § 899-bb (NY SHIELD Act): encryption (TLS 1.2+ in transit, AES-256 at rest), access controls, periodic security assessments, employee training, vendor due diligence, and an incident-response plan.

Nothing in these Terms waives any non-waivable consumer-protection right available to New York residents.

New York General Addendum v2026-05-09 — Effective May 9, 2026

Applies to: Users physically located in or with primary residence in the State of New York, United States. Version: 2026-05-09 Effective Date: 2026-05-09 Authoritative documents: /legal/terms-of-service and /legal/privacy-policy This Addendum supplements the Terms of Service and Privacy Policy as they apply to Koydo Users in New York. It addresses the New York Stop Addictive Feeds Exploitation (SAFE) for Kids Act (S.7694, 2024), New York Education Law § 2-d (Parents' Bill of Rights for Data Privacy and Security), the NY SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), and GBL § 527-a (auto-renewal disclosure).

Koydo is, in substance, an adaptive educational service — not a social-media platform. Koydo's adaptive learning engine PRISM is a pedagogical system, not an "addictive feed" within the meaning of the SAFE for Kids Act. Nonetheless, to align defensively with the policy intent of the SAFE for Kids Act, Koydo applies the following protections to all New York Users known to be under 18:

1. No algorithmic feed of unbounded user-generated content. Koydo does not host or recommend an open social feed.
2. Default chronological ordering of any list of activities, content, or messages. Adaptive recommendations from PRISM are pedagogical (next lesson, suggested skill review) and require opt-in parental consent for under-13 (PRISM off by default per Privacy Policy §6.4).
3. Notification quiet hours. Push notifications and in-app reminders are suppressed between midnight and 6 AM local time for known-Minor accounts (under 18) by default. Parents may adjust this window in the Parent Dashboard.
4. Time-on-platform visibility for parents, including session-length and weekly-total reports.
5. Right of parental disable. A Parent may, at any time, disable any adaptive recommendation feature for their child via the Parent Dashboard; the Service continues to function on a fixed pedagogical curriculum path.

For Institutional Accounts serving New York schools, school districts, BOCES, and charter schools, Koydo provides the protections required under § 2-d, including:

• Parents' Bill of Rights for Data Privacy and Security — incorporated by reference into every institutional agreement.
• Data Security and Privacy Plan describing the categories of personally identifiable information (PII) Koydo accesses, the purposes of processing, the data security measures (encryption in transit and at rest, MFA, access logging, breach response), and the entities receiving PII.
• Subcontractor disclosure at /legal/subprocessors.
• Annual report to participating school districts on Koydo's data-handling practices upon request.
• No sale of student PII and no use of student PII for any purpose other than providing the Service.

To request the institutional Data Security and Privacy Plan, schools may contact legal@koydo.app.

Koydo implements administrative, technical, and physical safeguards consistent with the NY SHIELD Act (General Business Law § 899-bb), including encryption (TLS 1.2+ in transit, AES-256 at rest), access controls, periodic security assessments, employee training, vendor due diligence (see /legal/subprocessors), and an incident response plan.

For New York consumers purchasing auto-renewing subscriptions through Koydo (Stripe-processed; not via app stores):

• Pre-renewal notice. Koydo provides a clear and conspicuous notice of the auto-renewal terms — including the renewal cycle, the renewal price, and the cancellation method — at the time of purchase.
• Renewal reminder. For annual subscriptions, Koydo provides an email reminder between 15 and 45 days before the renewal date, stating the renewal date and price and a one-click cancellation link.
• Easy cancellation. Cancellation is available via Account Settings → Subscription, with no friction designed to deter cancellation. Exit-intent retention offers, if any, are clearly skippable.
• Refund alignment. Koydo's tiered refund policy (TOS §4.4) — 14-day no-questions for annual; pro-rata thereafter; cancel-anytime for monthly — applies to New York consumers without diminution.

To the extent a comprehensive NY consumer-privacy statute is enacted and effective, this Addendum will be updated to reflect the resulting rights. Pending such enactment, NY consumers may exercise the universal rights described in Privacy Policy §10.1 (access, correction, deletion, export, opt out of analytics).

Disputes brought by New York consumers are subject to the choice-of-law and venue provisions of TOS §11.8 and the minors carve-out at §11.10. Nothing in this Addendum waives any non-waivable consumer right under New York law.

New York SAFE for Kids / §2-d / SHIELD / Auto-Renewal Addendum v2026-05-09 — Effective May 9, 2026

Applies to: Users physically located in or with primary residence in the State of Florida, United States. Version: 2026-05-09 (stub) Effective Date: 2026-05-09 Status: Stub pending litigation resolution. Florida HB 3 ("Online Protections for Minors") is partially enjoined as of the effective date of this Addendum (NetChoice v. Moody, Northern District of Florida, ongoing). Several provisions of HB 3 are not currently enforced. Koydo will revise this Addendum once the litigation is resolved and the law's enforceable scope is clarified.

Koydo is in substance an online educational service. Florida HB 3 contains explicit carve-outs for educational platforms, including the exclusions at Florida Statutes § 501.1735 for online services whose primary purpose is the provision of educational content and services to minors and students under the supervision of a parent, school, or other authorized adult. Koydo's primary purpose — adaptive learning, AI tutoring, exam preparation, language learning, and adaptive curriculum delivery — falls within the educational-services scope. The Service is not a social-media platform, does not host an unbounded user-generated-content feed, and does not derive revenue from advertising. Accordingly, Koydo asserts the educational-platform carve-out and operates outside the scope of the substantive HB 3 minor-account provisions.

Notwithstanding the carve-out, Koydo voluntarily aligns with the policy intent of HB 3 by applying the protections described in the New York SAFE for Kids Addendum to Florida Users known to be under 18 — including default-protective privacy settings, no targeted advertising (Koydo runs no advertising of any kind), parental dashboard, and notification quiet hours.

To the extent applicable, Florida consumers may exercise the rights described in Privacy Policy §10 and may file complaints with the Florida Department of Legal Affairs, Office of the Attorney General.

This Addendum is intentionally short pending resolution of NetChoice v. Moody and any subsequent Florida Department of Legal Affairs guidance. When the enforceable scope of HB 3 is clarified, this Addendum will be updated and the change recorded in Koydo's legal version history.

Florida HB 3 Stub Addendum v2026-05-09 — Effective May 9, 2026

Applies to: Users physically located in or with primary residence in Washington State. Version: 2026-05-09 Effective Date: 2026-05-09

For Washington subscribers, recurring-charge disclosures are shown before purchase, and account cancellation methods are maintained in account settings or support channels in compliance with RCW 19.224.

Koydo does not collect "consumer health data" within the meaning of Washington's My Health My Data Act (RCW 19.373). Where any Koydo data could be construed to fall within that definition, Koydo applies the consent and rights regime described in Privacy Policy §10 to such data and treats it as Sensitive Personal Information per California CPRA standards.

Breach notification follows RCW 19.255 for Washington residents — without unreasonable delay and in any event no later than 30 days after discovery, with content specified by the statute.

Nothing in these Terms waives any non-waivable consumer-protection right available to Washington residents.

Washington Addendum v2026-05-09 — Effective May 9, 2026

Applies to: Users physically located in or with primary residence in the Commonwealth of Virginia. Version: 2026-05-09 Effective Date: 2026-05-09

Virginia residents whose accounts are subject to the VCDPA (Va. Code § 59.1-575 et seq.) may exercise:

• Right of access — request a copy of personal data.
• Right to correct inaccuracies.
• Right to delete personal data.
• Right to data portability in machine-readable format.
• Right to opt out of targeted advertising — n/a; Koydo runs no advertising.
• Right to opt out of the sale of personal data — n/a; Koydo does not sell.
• Right to opt out of profiling in furtherance of decisions producing legal or similarly significant effects — Koydo's PRISM does not produce such effects (see /legal/automated-decisions).
• Right to appeal a denied request — appeals to privacy@koydo.app, subject "VCDPA Appeal." Response within 60 days; if denied, the Virginia Attorney General contact is included in the response.

Recurring-plan disclosures and cancellation controls are provided in purchase and account workflows.

Nothing in these Terms limits non-waivable protections available under Virginia law.

Virginia Addendum v2026-05-09 — Effective May 9, 2026

Applies to: Users physically located in or with primary residence in the State of Colorado. Version: 2026-05-09 Effective Date: 2026-05-09

Colorado residents whose accounts are subject to the CPA (Colo. Rev. Stat. § 6-1-1301 et seq.) may exercise:

• Right of access, correction, deletion, and data portability.
• Right to opt out of targeted advertising — n/a; Koydo runs no advertising.
• Right to opt out of the sale of personal data — n/a; Koydo does not sell.
• Right to opt out of profiling in furtherance of decisions producing legal or similarly significant effects — opt-out via Account Settings → Privacy → "Disable Adaptive Learning"; see /legal/automated-decisions for logic disclosure.
• Right to appeal a denied request — appeals to privacy@koydo.app, subject "CPA Appeal."

Koydo honors universal opt-out mechanisms including the Global Privacy Control (GPC) browser signal as a valid CPA opt-out, consistent with the Colorado AG's regulations.

Voice clips for pronunciation exercises are processed-and-discarded; no biometric template is stored. To the extent any data could be characterized as biometric within the meaning of the CPA's biometric provisions, the consent regime in Privacy Policy §2.8 applies.

Recurring billing authorization and cancellation pathways are provided as part of checkout and account workflows. Nothing in these Terms limits non-waivable rights under Colorado law.

Colorado Addendum v2026-05-09 — Effective May 9, 2026

Applies to: Users physically located in or with primary residence in the State of Connecticut. Version: 2026-05-09 Effective Date: 2026-05-09

Connecticut residents whose accounts are subject to the CTDPA (Conn. Gen. Stat. § 42-515 et seq.) may exercise: access, correction, deletion, portability, opt-out of targeted advertising / sale / profiling for decisions with significant effects, and appeal of denied requests (privacy@koydo.app, subject "CTDPA Appeal"). Koydo honors the GPC as a valid opt-out signal.

For Users under 16 in Connecticut, Koydo applies the heightened protections described in Privacy Policy §2 and §3, including no targeted advertising (n/a) and no sale of personal data (n/a). Where Connecticut law imposes additional protections beyond COPPA, those protections apply.

Recurring-subscription disclosures are presented before purchase, and cancellation access is provided through account controls or support. Nothing in these Terms waives non-waivable Connecticut consumer protections.

Connecticut Addendum v2026-05-09 — Effective May 9, 2026

Applies to: Users physically located in or with primary residence in the State of Vermont. Version: 2026-05-09 Effective Date: 2026-05-09

For Vermont consumers purchasing auto-renewing subscriptions through Koydo:

• For subscriptions with a term of one year or more, a written reminder notice between 30 and 60 days before the next renewal date stating the renewal date, the cancellation method, and the renewal price.
• Clear disclosure at purchase of all material terms.
• Easy cancellation in Account Settings → Subscription, with no friction designed to deter cancellation.

Recurring charge disclosures and cancellation methods are provided with the objective of plain-language consumer notice. Nothing in these Terms limits non-waivable rights under Vermont law.

Vermont Addendum v2026-05-09 — Effective May 9, 2026

Applies to: Users physically located in or with primary residence in any Member State of the European Union or the wider European Economic Area. Version: 2026-05-09 Effective Date: 2026-05-09 Authoritative documents: /legal/terms-of-service and /legal/privacy-policy This Addendum supplements the Terms of Service and Privacy Policy as they apply to Koydo Users in the EU/EEA. Where this Addendum and the body conflict, this Addendum controls solely with respect to EU/EEA Users.

For consumers residing in the European Union or European Economic Area (EEA), nothing in these Terms deprives you of the protection afforded by mandatory provisions of your country of residence. The binding arbitration and class-action waiver provisions of TOS Section 11 do not apply to EU/EEA consumers. You have the right to bring legal proceedings in the competent courts of your country of residence. If you reside in the EU/EEA, you have a statutory right to withdraw from a paid subscription within 14 days of purchase without giving any reason (Consumer Rights Directive 2011/83/EU), unless you expressly consented to immediate digital performance and acknowledged the loss of the withdrawal right. To exercise this right, contact support@koydo.app within 14 days. To the extent required by EU law, the governing law of Texas (TOS §11.8) is superseded by the mandatory consumer-protection laws of your EU member state of residence. The European Commission provides an Online Dispute Resolution (ODR) platform at ec.europa.eu/consumers/odr. Koydo's contact point for ODR is legal@koydo.app.

Data Controller. KOYDO LLC, 940 W. FM 544 #332, Wylie, Texas 75098-5157, United States, is the data controller for personal data collected through the Service. Contact: privacy@koydo.app. Data Protection Officer. Koydo has not appointed a formal DPO under GDPR Article 37. Where Koydo becomes required to maintain a formal DPO, the appointment will be reflected at the international transfer notice and Koydo's legal version history. Pending such appointment, data-protection enquiries are handled by Koydo's Privacy Team at privacy@koydo.app. EU Article 27 Representative — pending appointment. See the international transfer notice for current status. EEA data subjects retain the right to lodge a complaint with the supervisory authority of their habitual residence; a list of national authorities is at edpb.europa.eu. Lawful bases (Art. 6 GDPR).

• (a) Contract performance (Art. 6(1)(b)) — account creation, authentication, learning progress tracking, subscription management, and customer support.
• (b) Consent (Art. 6(1)(a)) — analytics (Mixpanel), opt-in adaptive learning (Koydo Intelligence), opt-in marketing/showcase use of co-created content (TOS §8.4(c)). Withdrawable at any time.
• (c) Legitimate interest (Art. 6(1)(f)) — security monitoring, fraud prevention, abuse detection, service-integrity protection. Balancing test performed and documented.
• (d) Legal obligation (Art. 6(1)(c)) — billing/tax retention, response to lawful requests, child-safety obligations.

Special-category data. Koydo does not intentionally collect data within Art. 9 GDPR. Voice clips for pronunciation exercises are biometric only in the COPPA sense (under-13 voiceprints, processed-and-discarded with no storage). Learning progress is not health data. Children's data. For Users under the GDPR Article 8 age threshold (13 in some member states, 14, 15, or 16 in others — Koydo applies the stricter member-state threshold where higher than 13), Koydo requires verifiable parental consent before processing personal data beyond the minimum for account security. AI features are restricted for users under 13. Parents may request access, correction, or deletion of a child's data via privacy@koydo.app. International transfers. See the international transfer notice. Transfers from the EEA to the U.S. and other third countries rely on EU SCCs Modules 2 and 3 with documented Transfer Impact Assessments under EDPB Recommendations 01/2020. Retention. See Privacy Policy §8 for the per-category retention table, including the tiered AI-conversation retention (30 days under 13 / 90 days teens / 12 months adults). Your rights under GDPR (Art. 15–22). Access, rectification, erasure, restriction of processing, portability, objection (including profiling), withdrawal of consent at any time, and the right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects. To exercise any of these, contact privacy@koydo.app. Response within 30 days (extendable by 60 per Art. 12(3)). Right to lodge a complaint. Direct complaints to the supervisory authority of your member state of residence (links at edpb.europa.eu). Automated decision-making. Koydo's PRISM adaptive-learning system does not produce decisions with legal or similarly significant effects within the meaning of Art. 22. Detailed disclosure at /legal/automated-decisions.

EU/EEA Addendum v2026-05-09 — Effective May 9, 2026

Applies to: Users physically located in or with primary residence in England, Wales, Scotland, or Northern Ireland. Version: 2026-05-09 Effective Date: 2026-05-09 Authoritative documents: /legal/terms-of-service and /legal/privacy-policy This Addendum supplements the Terms of Service and Privacy Policy as they apply to Koydo Users in the United Kingdom.

For consumers residing in the United Kingdom, nothing in these Terms limits your statutory rights under the Consumer Rights Act 2015 or any other non-waivable UK consumer-protection legislation. The binding arbitration provision of TOS Section 11 is not mandatory for UK consumers. You may bring proceedings in the courts of England, Wales, Scotland, or Northern Ireland depending on your place of residence. You have a statutory right to cancel a paid digital subscription within 14 days of purchase, subject to your consent to begin digital service delivery immediately (Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013). To cancel, contact support@koydo.app. Any unfair terms under the Consumer Rights Act 2015 are unenforceable against you to the extent they are unfair.

UK Data Controller. KOYDO LLC, 940 W. FM 544 #332, Wylie, Texas 75098-5157, United States, is the data controller for personal data processed in relation to UK Users. The UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018 govern our processing. Contact: privacy@koydo.app. UK Article 27 Representative — pending appointment. See the international transfer notice for current status. UK data subjects retain the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by telephone at 0303 123 1113. Lawful bases. Same as EU Addendum §2: contract, consent, legitimate interest, legal obligation. Mapped to UK GDPR Articles 6(1)(a)–(f). Children's data — UK Age Appropriate Design Code (Children's Code). Koydo is designed to be used by children and implements the Children's Code standards, including:

• Privacy settings defaulted to high for child users.
• No nudge techniques that encourage children to weaken their privacy protections.
• No behavioral advertising targeting users under 18 — and indeed Koydo runs no advertising of any kind.
• Data minimisation for child accounts.
• Age-appropriate, plain-language privacy information — see the /legal/privacy-summary and the summary block at the top of the Privacy Policy.
• Detrimental use prohibited — Koydo does not use child users' personal data in ways that have been shown to be detrimental to their well-being.
• Profiling off by default for child users; PRISM is opt-in via Verifiable Parental Consent only.
• Parental controls at /parent/dashboard.

International transfers. Transfers from the UK rely on the UK Addendum to the EU SCCs (B1.0, 21 March 2022) issued by the ICO, executed alongside the EU SCCs. Where executed separately, Koydo relies on the UK International Data Transfer Agreement (IDTA). See the international transfer notice. Retention. See Privacy Policy §8 for the per-category retention table, including tiered AI-conversation retention. Your rights under UK GDPR. Access, rectification, erasure, restriction, portability, objection, automated-decision-making safeguards. To exercise, contact privacy@koydo.app. Response within one calendar month (extendable by two months for complex requests, Art. 12(3) UK GDPR). Governing law for UK consumer matters. English law (or Scots law where applicable) applies to non-waivable UK consumer-protection issues, notwithstanding the Texas choice-of-law clause in TOS §11.8.

UK Addendum v2026-05-09 — Effective May 9, 2026

Applies to: Users physically located in or with primary residence in Switzerland or the Principality of Liechtenstein. Version: 2026-05-09 Effective Date: 2026-05-09

For Swiss Users, Koydo's processing is governed by the revised Swiss Federal Act on Data Protection (FADP), in force from 1 September 2023. Swiss data subjects have rights of access, rectification, deletion, restriction, objection, and data portability substantially equivalent to GDPR. To exercise, contact privacy@koydo.app. The right to lodge a complaint may be exercised with the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

Transfers from Switzerland to the United States rely on the EU SCCs supplemented by the FADP-specific addendum recognized by the FDPIC. See the international transfer notice.

Nothing in these Terms limits non-waivable consumer rights under Swiss law.

Switzerland Addendum v2026-05-09 — Effective May 9, 2026