Privacy & Data
Plain-language summary of what Tumio collects about a child, why, and the controls a grown-up has. This is a working prototype notice; a full legal review is required before a public launch with children under 13.
Who can create a child account
Only a grown-up (a parent/guardian, or an educator with school authorization) can create a student account. At creation we record an explicit consent attestation: who created the account and when. A child cannot self-register.
What we collect about a child
A name or nickname; a kid-friendly username; an optional, non-invasive ability profile (verbal, literate, hearing sensitivity, grade/reading level, free-text notes the grown-up writes); the avatar they build; and gameplay progress (coins, stars, completed stories, collectibles). We do not ask for or store a diagnosis, IEP, address, or photo.
Free-text and spoken answers
During a story a child may type or speak an answer. Those answers are sent to an AI grader to score politeness and reply in character. We do NOT store the text of ordinary answers. The one exception: if an answer trips an automated safety screen for possible self-harm, abuse, or acute distress, we store that single answer so a grown-up can review it. Schools are mandatory reporters; this exists so a real disclosure is not lost.
How a grown-up stays in control
The account owner can, at any time: edit the profile, reset the child’s password, export all of the child’s data as a file, and permanently delete the child’s account (which removes their progress, scrapbook, assignments, and any stored flags).
Sharing with a teacher
A parent can link their own child into a teacher’s class using a join code. That gives the teacher the ability to assign lessons and see progress for that child. The parent remains the account owner and can remove the link. A teacher with class access cannot delete the child or change their password.
Retention & security
Data is kept for as long as the account exists. Deleting the account removes the child’s records. Passwords are stored only as salted hashes. Sign-in is rate limited. For a production launch we additionally require encryption at rest, automated off-site backups, and a signed data-processing agreement for school use.
What this prototype does NOT yet have
Verifiable parental consent in the strict COPPA sense (for example credit-card or government-ID verification), a completed FERPA/EdTech legal review, and a published data retention schedule. These are required before onboarding real children at scale and are tracked in the project’s pilot checklist.
Questions about a child’s data? Contact the account owner’s school, or the Tumio operator, to request access, correction, or deletion.