Privacy Policy
Effective date: 7 July 2026
Vivarth is a learning platform for children aged 6–14, built on a parent-consent model: a parent or legal guardian creates the account, provides consent, and adds each child. Children do not register themselves. This policy explains what we collect, why, and the rights you and your child have. We are not certified under the U.S. COPPA programme and do not target children in the United States; our services are offered in India and the Netherlands.
1. Who we are (Data Controller)
The service “Vivarth” (vivarth.app) is operated by [LEGAL ENTITY NAME], [REGISTERED ADDRESS] (“Vivarth”, “we”, “us”). We are the data controller for the personal data described in this policy.
For any privacy request or complaint, contact our privacy contact / grievance officer, [GRIEVANCE OFFICER NAME], at privacy@vivarth.app.
2. What data we collect
From the parent / guardian (account holder):
- Name and email address
- A password (stored only as a secure hash) or a Google sign-in identifier if you use Google
- Language preference and account status
- Guardian consent / attestation and its timestamp
- Subscription and billing status. Card and payment details are collected and processed directly by Stripe; we never see or store your full card number.
- Technical/security data: IP address, browser user-agent, and a security audit log of sign-ins and account changes
About each child (created by the parent):
- A username and chosen avatar (we ask you not to use the child’s full real name)
- Date of birth (used to confirm the age range and tailor content)
- An optional login PIN (stored only as a secure hash)
- Learning activity: lesson progress, quiz results, XP, levels, streaks, badges, certificates, saved code, and completed challenges
- Interactions with the “Cosmo” AI helper (the messages your child sends and the responses)
- Product analytics events about how features are used
3. Why we use it and our legal basis
Under the GDPR (for users in the Netherlands/EU) and the Digital Personal Data Protection Act, 2023 (for users in India), we rely on:
- Performance of a contract — to create accounts, deliver lessons, track progress, and run subscriptions you buy.
- Parental consent — for creating a child profile and processing a child’s personal data. In the Netherlands the digital age of consent is 16, so a parent/guardian must provide consent for younger children; India’s DPDP Act requires verifiable parental consent for anyone under 18. You may withdraw consent at any time (see Your Rights).
- Legitimate interests / legal obligation — to keep the service secure, prevent fraud and abuse, and comply with law.
We do not sell personal data, and we do not use children’s data for behavioural advertising, ad targeting, or tracking-based profiling.
4. The Cosmo AI helper
To power Cosmo’s answers, the messages a child sends are transmitted to our AI provider, Anthropic, to generate a response. We apply child-appropriate instructions and usage limits. Please remind children not to share personal information (real name, address, school, phone) in the chat. AI answers can occasionally be wrong and are for learning, not professional advice.
5. Service providers (sub-processors)
We share data only with providers who help us run the service, under contract and only as needed:
- Google Cloud — hosting and database
- Stripe — payment processing
- Resend — transactional email (sign-in links, account notices)
- Anthropic — the Cosmo AI helper
- Cloudflare — bot/abuse protection (Turnstile)
6. Where your data is stored (international transfers)
Our servers are currently hosted with Google Cloud in the United States. This means data of users in the Netherlands/EU and India is transferred to and stored in the U.S. Where required, such transfers are protected by appropriate safeguards (such as Standard Contractual Clauses and our providers’ compliance frameworks). [Confirm the hosting region and transfer mechanism with your DPO before launch.]
7. How long we keep it, and deletion
We keep account and learning data while the account is active. When a parent requests account deletion, we begin a 30-day grace period (so it can be cancelled), after which the parent account and all associated children’s data are permanently and irreversibly deleted, and audit records are anonymised. You can request a full copy of your data (data export) at any time from the parent dashboard.
8. Your rights
Depending on where you live, you and your child have the right to:
- Access the personal data we hold and get a copy (portability)
- Correct inaccurate data
- Delete the account and data (“right to be forgotten”)
- Restrict or object to certain processing, and withdraw consent
- Nominate another person to exercise rights on your behalf (India DPDP)
- Lodge a complaint with a regulator — the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) in the Netherlands, or the Data Protection Board of India
To exercise any right, email privacy@vivarth.app. Most actions (data export, account deletion) are also available directly in the parent dashboard.
9. How we protect data
We use encryption in transit (HTTPS), store passwords and PINs only as secure hashes, restrict internal access, and keep a security audit log. No system is perfectly secure, but we work to protect your family’s data.
10. Cookies
We use only the cookies needed to run the service — chiefly a secure, http-only cookie to keep you signed in — plus limited abuse-prevention and product analytics. We do not use advertising cookies.
11. Changes to this policy
We may update this policy and will change the “effective date” above. For material changes we will notify account holders by email.
Questions? Contact us at privacy@vivarth.app.