Privacy Policy
Last Updated: December 09, 2025
1. Introduction
Kekula ("we," "our," or "us") is a DBA of Prismo LLC, a company registered in the State of Washington, USA. We are committed to protecting the privacy of our users - especially children - who use our educational platform (the "Service").
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
For Parents: We take children's privacy very seriously. This policy explains our practices in compliance with the Children's Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR), and other applicable privacy laws.
By using Kekula, you agree to this Privacy Policy and our Terms of Service.
2. Information We Collect
2.1 Account Registration Requirements
You must be at least 18 years old to create an account. All accounts must be created and managed by adults. Adults with paid subscriptions may create Student Accounts for children under their care.
2.2 Information from Children (Student Accounts)
In compliance with COPPA and other applicable laws, we collect only the minimum necessary information from children using Student Accounts.
With adult consent (via paid subscription), we may collect:
- First name (or username/nickname)
- Learning progress and quiz scores
- Content created within the platform (projects, drawings, assignments)
We DO NOT collect from children:
- Full name or surname
- Email address (for children under 13)
- Home address or physical location
- Phone number
- Government-issued IDs (e.g., SSN)
- Photos, videos, or voice recordings (except as part of educational activities)
- Precise geolocation data
- Any unnecessary personal or contact information
2.3 Information from Adults (Account Holders)
We may collect:
- Name and email address
- Account credentials
- Profile information (e.g., role, grade, school)
- Payment information (handled securely by third-party processors)
- Learning progress and performance data
- User-generated content
- Device and usage information
2.4 Information from Teachers and Institutions
We may collect:
- Name and email address
- Payment and billing details
- Account management preferences
- Communication preferences
- Limited information about students under their supervision (with appropriate consent)
2.5 Automatically Collected Information
We automatically collect non-personal usage information such as:
- Device type and operating system
- Browser type
- IP address (anonymized for Student Accounts)
- Usage activity (pages visited, features used, session duration)
- Cookies and similar technologies (see Section 11)
3. How We Use Your Information
3.1 For Children (Student Accounts)
We use children's information only to:
- Provide the educational Service
- Track learning progress and enable personalized learning
- Communicate with account holders (parents or educators)
- Improve platform functionality and safety
- Comply with legal and regulatory requirements
3.2 For All Users
We use collected information to:
- Provide, maintain, and improve the Service
- Process subscriptions and payments
- Respond to support inquiries
- Send administrative and service-related communications
- Analyze usage to improve content and user experience
- Prevent fraud and ensure platform security
- Comply with applicable laws
3.3 We DO NOT:
- Sell or rent personal data to any third parties
- Use children's data for advertising or profiling
- Require children to disclose unnecessary personal information
- Share data with third parties for their marketing purposes
4. How We Share Information
4.1 We Share Information With:
Authorized Service Providers: We engage trusted third-party vendors to help us operate and improve the Service, including providers for cloud hosting, authentication, payment processing, email delivery, and analytics.
A complete list of our data subprocessors is available at subprocessors.
Educational Institutions: For school or classroom accounts, authorized teachers and administrators can access student progress and content.
Parents or Guardians: Parents have full access to their child's account and associated data.
Legal Compliance: We may disclose data to comply with legal obligations, enforce our policies, or protect our rights, safety, or users.
4.2 We DO NOT Share:
- Children's personal data for marketing or advertising
- Information with third parties beyond what is necessary to provide the Service
- Data with data brokers or for profiling purposes
5. Adult Rights and Controls
5.1 Verifiable Parental Consent (COPPA Compliance)
COPPA requires us to obtain verifiable parental consent before collecting personal information from children under 13. We use the following FTC-approved verification method:
Credit Card Transaction Method:
- Parents must complete a paid subscription using a valid credit card
- The credit card transaction serves as verification that the account holder is an adult with financial responsibility
- We charge a small Verifiable Parental Consent (VPC) fee during checkout to verify adult status
- Credit card details are processed and stored securely by our payment processor (Stripe)
- The cardholder name and billing address are retained as evidence of parental consent
Why this method satisfies COPPA:
- The FTC recognizes credit card transactions as an approved method of obtaining verifiable parental consent
- The financial transaction provides reasonable assurance that the person providing consent is an adult
- We retain transaction records as proof of consent
For School/Institutional Accounts:
- Schools may provide consent on behalf of parents for educational purposes under COPPA's "school consent" exception
- Schools must have appropriate consent mechanisms in place with parents
- See Section 5.4 for Data Processing Addendums with educational institutions
5.2 Account Holder Access and Control
Account holders (parents, guardians, or authorized educators) may:
- Review children's personal information in Student Accounts
- Delete or correct children's information
- Refuse further collection or use of children's data by deleting the Student Account
- Manage privacy settings and communication preferences
- Download children's data
- Delete Student Accounts at any time
Contact us at support@kekula.ai to exercise these rights.
5.3 Data Breach Notification
We will notify account holders if a data breach affects their information or their children's information:
Notification Timelines:
- EU/UK Users (GDPR): Within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms
- Parents of Children (COPPA): Without unreasonable delay after discovering a breach involving children's personal information
- California Residents (CCPA): In the most expedient time possible and without unreasonable delay
- All Other Users: Promptly after discovery, and in compliance with applicable state and federal laws
Notification Contents:
- Description of the nature of the breach
- Types of data potentially affected
- Steps we are taking to address the breach
- Recommendations for protective measures you can take
- Contact information for further questions
5.4 Data Processing Addendums for Educational Institutions
FERPA Compliance: Kekula executes Data Processing Addendums (DPAs) with educational institutions in compliance with FERPA and state student data privacy laws upon request.
School Official Exception: When contracting with educational institutions:
- Kekula acts as a "School Official" under FERPA
- We process student data only per school instructions and for authorized educational purposes
- We maintain the same level of data protection as the educational institution
- We do not use student data for any purpose other than providing the contracted educational services
DPA Terms: Our standard DPA includes:
- Data security requirements and certifications
- Incident notification procedures
- Data deletion and return procedures
- Prohibition on secondary use of student data
- Compliance with state student privacy laws (e.g., SOPIPA, state-specific requirements)
Requesting a DPA: Educational institutions may request a Data Processing Addendum by contacting support@kekula.ai. We support common state DPA frameworks including the Student Data Privacy Consortium (SDPC) National DPA.
6. Data Security
We use industry-standard security measures to safeguard all personal data:
- Encryption (in transit via HTTPS/TLS and at rest)
- Access controls based on least privilege
- Secure authentication (Firebase, Auth0)
- Regular security audits and testing
- Employee training on privacy and security protocols
- Incident response procedures for potential breaches
Despite our efforts, no online service can guarantee absolute security. We will notify affected users and relevant authorities in the event of a data breach as required by law.
7. Data Retention
7.1 Retention Schedule
We retain data according to the following schedule:
| Data Type | Purpose | Retention Period | Deletion Method |
|---|---|---|---|
| Account Information (name, email) | Account management | Duration of account + 30 days | Secure deletion from databases |
| Student Account Data (first name/username) | Provide educational service | Duration of account + 30 days | Secure deletion from databases |
| Learning Progress (scores, completion) | Track educational progress | Duration of account + 30 days | Secure deletion from databases |
| User-Created Content (projects, work) | Provide service features | Duration of account + 30 days | Secure deletion from storage |
| Payment Records | Legal/tax compliance | 7 years (as required by law) | Secure archival then deletion |
| Support Communications | Customer service | 3 years after last contact | Secure deletion |
| Server Logs (anonymized) | Security and debugging | 90 days | Automatic purging |
| Backup Data | Disaster recovery | 90 days after primary deletion | Secure destruction |
| Consent Records | Compliance documentation | 7 years or as required by law | Secure archival then deletion |
| Anonymized Analytics | Service improvement | Indefinite | N/A (not personally identifiable) |
7.2 For Children
We retain children's data only as long as necessary to:
- Provide the Service
- Comply with legal obligations
- Resolve disputes
Upon parental request, we delete a child's data within 30 days, unless retention is legally required.
7.3 For Other Users
We retain account data while the account is active or as needed to provide the Service. Users may request deletion at any time.
7.4 After Account Deletion
When an account is deleted:
- Personal data is deleted within 30 days
- Anonymized usage data may be retained for analytics
- Backup copies are deleted within 90 days
- Some data may be retained as required by law
8. International Data Transfers
8.1 Data Location
Our primary servers are located in the United States. If you are located outside the United States, your information may be transferred to and processed in the U.S.
8.2 Transfer Safeguards
For transfers from the EU/EEA/UK, we implement appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all subprocessors
- Technical and organizational security measures
8.3 Transfer Impact Assessment
In accordance with EU/UK requirements, we conduct Transfer Impact Assessments (TIAs) to evaluate the risks of transferring personal data to the United States:
Assessment Factors:
- We evaluate U.S. surveillance laws and their potential impact on transferred data
- We assess whether supplementary measures are needed to ensure adequate protection
- We document our assessment and update it as legal circumstances change
Supplementary Measures:
- Data minimization: We transfer only necessary personal data
- Encryption: Data is encrypted in transit and at rest
- Access controls: U.S.-based personnel access only data necessary for their role
- Contractual protections: Our subprocessors are bound by SCCs and DPAs
Risk Determination: Based on our assessment, the nature of our educational service data (which does not typically involve high-risk categories such as political opinions, health data, or communications content) and our supplementary measures provide adequate protection for transferred data.
9. GDPR Rights (EU/EEA/UK Users)
If you are in the European Economic Area (EEA), European Union (EU), or United Kingdom (UK), you have rights under the GDPR and UK GDPR, including:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a portable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time
To exercise these rights, contact us at support@kekula.ai.
9.1 Legal Basis for Processing
We process data under these legal bases:
- Consent: Parental consent for children; user consent for optional features
- Contractual Necessity: To provide the Service you requested
- Legal Obligations: To comply with applicable laws
- Legitimate Interests: To improve our Service and prevent fraud (balanced against user rights)
9.2 Data Protection Officer
For GDPR inquiries, you may contact our Data Protection Officer at support@kekula.ai.
9.3 Supervisory Authority
You have the right to lodge a complaint with a supervisory authority in your country of residence.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: What personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information
- Right to Correct: Correct inaccurate personal information
- Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell personal data)
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
10.1 Categories of Information Collected
In the past 12 months, we have collected:
- Identifiers (name, email, IP address)
- Commercial information (subscription history)
- Internet activity (usage data, browsing history on our Service)
- Education information (learning progress, quiz scores)
10.2 How to Exercise Your Rights
To exercise your California privacy rights:
- Email: support@kekula.ai
- Subject: "California Privacy Request"
We will verify your identity before processing your request.
11. Cookies and Tracking Technologies
11.1 What We Use
We use cookies and similar technologies to:
- Keep users signed in
- Remember preferences
- Improve performance and analytics
- Prevent fraud
11.2 Types of Cookies
- Essential Cookies: Required for the Service to function (authentication, security)
- Functional Cookies: Remember your preferences (e.g., sidebar state)
- Analytics (Cookie-less): We use privacy-focused, cookie-less analytics that do not store cookies on your device
11.3 Cookie Consent Mechanism
Cookie Consent Banner: When you first visit our Service, we display a cookie consent banner that allows you to:
- Accept all cookies (including analytics tracking)
- Accept essential cookies only
- Customize your preferences
Your consent is stored locally and you can change your preferences at any time through the banner or by clearing your browser's local storage.
Analytics Opt-In: Our analytics use a cookie-less approach (no tracking cookies stored), but we still request consent for any analytics tracking in compliance with GDPR and ePrivacy regulations. If you decline analytics, no usage data is collected beyond what is necessary for the Service to function.
11.4 Do Not Track (DNT)
Our Service respects "Do Not Track" browser signals. When we detect a DNT signal:
- We disable non-essential analytics tracking
- We treat this as equivalent to declining analytics consent
- Essential functionality cookies continue to work
Note: DNT is not uniformly implemented across browsers, so we recommend using our consent banner for explicit control.
11.5 Children's Accounts
For children under 13, we use only essential cookies necessary for the Service to function. We do not use tracking or advertising cookies for child accounts, regardless of consent settings.
11.6 Managing Cookies
You can manage cookies through:
- Our cookie consent banner (displayed on first visit)
- Your browser settings
- Clearing local storage to reset preferences
Note that disabling essential cookies may affect Service functionality.
See our Cookie Policy for more details.
12. Third-Party Links
The Service may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to review their privacy policies before providing any information.
13. AI and Educational Use
13.1 AI Technology
Kekula uses artificial intelligence ("AI") technologies strictly for educational purposes. This includes:
- AI-powered learning recommendations
- Interactive AI demonstrations and experiments
- AI-assisted content creation tools
13.2 AI Model Training Policy
Children's Data:
- We do not use children's data to train AI models. This is an absolute prohibition.
- Children's inputs to AI features are processed only to generate immediate responses and are not stored for training purposes.
- Children's learning patterns are not used to improve or train any machine learning models.
Adult Data:
- We do not use adult users' personal data to train AI models without explicit consent.
- Anonymized and aggregated usage patterns (with all personal identifiers removed) may be used to improve our educational content and features.
Third-Party AI Services:
- When we use third-party AI services (e.g., for text or image generation), user inputs may be processed by those services according to their policies.
- We select AI providers that commit to not training on user data, or we disable training features where available.
- We do not share personal information with AI providers beyond what is necessary for the feature to function.
Logs and Analytics:
- Server logs and analytics data are anonymized and are not used to train AI models.
- We do not use any personally identifiable information to improve AI systems.
13.3 Automated Decision-Making and Profiling (GDPR Article 22)
Kekula uses AI to personalize the learning experience. In compliance with GDPR, we disclose the following:
Types of Automated Processing:
- Learning Recommendations: AI suggests courses or content based on a student's progress and performance
- Difficulty Adjustment: Content difficulty may be adjusted based on quiz scores and completion rates
- Progress Tracking: Automated calculation of learning progress and achievement badges
Data Influencing AI Behavior:
- Quiz and assessment scores
- Course completion status
- Time spent on content
- Interaction patterns with learning materials
- Age/grade level (for age-appropriate content)
No High-Impact Decisions: Our automated processing does not produce legal effects or similarly significant effects on users. AI recommendations are suggestions only and do not:
- Determine academic grades or credentials
- Affect access to educational opportunities outside our platform
- Make decisions about a child's capabilities or potential
Your Rights Regarding Automated Processing:
- Right to Human Review: You may request human review of any AI-generated recommendation or assessment
- Right to Explanation: You may request an explanation of how AI recommendations are generated
- Right to Object: You may object to profiling for personalization purposes
- Right to Opt-Out: You may request that personalization features be disabled for your account
To exercise these rights, contact us at support@kekula.ai with subject "AI Processing Request."
13.4 Sensitive Data Notice
Categories of Sensitive Data We Do NOT Collect:
We do not collect, request, store, or process the following categories of sensitive personal data:
- Race or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for identification purposes
- Health or medical information
- Sexual orientation or sex life
- Criminal history
We Do Not Infer Sensitive Attributes:
- Our AI systems are not designed to infer sensitive characteristics from user behavior
- We do not profile users based on sensitive categories
- Learning recommendations are based solely on educational progress and preferences, not protected characteristics
Exception for Educational Content:
- Users may voluntarily create content (e.g., projects, drawings) that touches on sensitive topics for educational purposes
- Such content is not analyzed or used to profile users
- Users control their own content and may delete it at any time
13.5 Disclaimer
AI outputs may contain errors or inaccuracies. All AI activities on the platform are intended solely for safe, supervised, educational exploration.
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically. If we make material changes, we will notify users by:
- Updating this page with a new "Last Updated" date
- Email notification (for registered users)
- Parental notice (for child accounts)
- In-app notification for significant changes
Continued use of the Service after such updates constitutes acceptance of the revised policy.
15. Relationship to Other Policies
This Privacy Policy should be read together with:
If any conflict arises between this Privacy Policy and the Terms of Service, the Terms of Service shall govern your use of the Service.
16. Contact Us
If you have any questions, concerns, or requests about this Privacy Policy or our data practices, please contact:
Kekula Privacy Team
Email: support@kekula.ai
For COPPA Inquiries (Children's Privacy)
Email: support@kekula.ai
Subject: "COPPA Request"
For GDPR Inquiries (EU/EEA/UK)
Email: support@kekula.ai
For California Privacy Requests
Email: support@kekula.ai
Subject: "California Privacy Request"
Mailing Address:
Prismo LLC (DBA Kekula)
Attn: Privacy Team
522 W RIVERSIDE AVE STE N, SPOKANE WA 99201-0581
17. Regulatory Compliance
We comply with:
- COPPA (Children's Online Privacy Protection Act) - US
- GDPR (General Data Protection Regulation) - EU/EEA
- UK GDPR - United Kingdom
- CCPA/CPRA (California Consumer Privacy Act/California Privacy Rights Act) - California
- FERPA (Family Educational Rights and Privacy Act) - For institutional users
- Other applicable US and international privacy laws
This Privacy Policy was last updated on December 09, 2025.
Kekula is a registered DBA of Prismo LLC, Washington, USA.