Privacy Policy

1. Introduction

1.1 Welcome to Aiino!

Welcome! We are excited to have you and your child join the Aiino AI community. Our app, provided by Nomisma LLC ("we," "us," "our"), is a play-based learning application designed for children between the ages of 3 and 9.

This Privacy Policy explains what information we collect from you and your child, how we use it, how we protect it, and the rights you have concerning your data.

Before your child can use the Aiino app, you (the parent or guardian) must review and consent to this Privacy Policy. By using the Aiino app, you agree to the terms described in this Privacy Policy.

1.2 Geographic Availability

Important Notice: Aiino is currently available in selected countries where we can ensure full legal compliance, secure payment processing, and age-appropriate content moderation.

Currently Available in: 20+ countries including United States, UAE, India etc.

Not Currently Available In: European Union, United Kingdom, China, Russia, Nigeria, Vietnam, Turkey, Switzerland, and other countries listed on our availability page.

Coming Soon: We are working toward expanding to the European Union and United Kingdom. We will notify users when these regions become available.

Important Legal Notice: References to GDPR and EU/UK privacy regulations in this policy are included for informational purposes as we plan future expansion to these regions. Currently, these provisions are not applicable as we do not serve users in the European Economic Area, United Kingdom, or Switzerland. This policy is designed to comply with privacy laws in our current operating regions and will be enhanced with additional GDPR-specific requirements before we launch in the EU/UK.

1.3 Our Commitment to Child Privacy

Aiino is designed for children aged 3-9, and we try to follow all applicable privacy regulations, including:

• COPPA (Children's Online Privacy Protection Act) in the United States
• CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
• VCDPA (Virginia Consumer Data Protection Act)
• CPA (Colorado Privacy Act)
• CTDPA (Connecticut Data Privacy Act)
• UCPA (Utah Consumer Privacy Act)
• India IT Act 2000 and Information Technology (Reasonable Security Practices) Rules, 2011
• GDPR (General Data Protection Regulation - when we expand to EU/UK)

Our Commitment to Default Privacy: To protect your child's privacy from the very first moment they use our app, we enable stronger privacy settings by default before you provide verifiable parental consent. During this initial period, we do not collect personal information from your child, and features like voice conversations and push notifications are disabled to ensure a safe and private experience.

1.4 Key Terms & Definitions

To help you understand this policy, here are key definitions:

"Child" or "Children": A child who uses the Service under the consent and supervision of their Parent (aged 3-9).

"Parent": A parent or legal guardian of a Child.

"Personal Information": Information that identifies, relates to, or could reasonably be linked with a particular individual or household.

"Service": The Aiino AI mobile application, our website (aiino.ai), and all related content and features provided by us.

"We," "Us," "Our," or "Aiino": Nomisma LLC, the company providing this Service.

2. What Information We Collect

Aiino collects only the minimum information required to provide and improve our services. We are transparent about the types of data we collect and how we use it.

2.1 Information You Provide to Us

Parent Account Information:

When you create an account, we collect:

• Email address - Used for account authentication, password resets, and important communications about your account
• Password - Securely hashed using bcrypt encryption and never stored in plain text. We cannot see or recover your password.

Payment Information:

To process your subscription, we use trusted third-party payment processors:

• Apple App Store (for iOS users)
• Google Play Store (for Android users)

We never store your full credit card details. We only receive a secure payment token from Apple or Google to confirm your subscription status.

Child Information (provided by the parent):

During account setup, you provide minimal information about your child:

• Child Avatar:
  • Parents select from predefined avatar options only
  • Custom photo uploads are NOT permitted (COPPA compliance)
  • No photographs or images of your child are collected or stored
• Nickname - We strongly encourage the use of non-identifiable names (e.g., "Buddy," "Explorer," "Little Star") to protect your child's privacy. We do not require or request your child's real name.
• Avatar - Parents select from predefined avatar images only. Custom photo uploads are NOT permitted for child safety (COPPA compliance).
• Age - This helps us customize educational content to be age-appropriate and effective. We only collect the child's age (3-9), not their birthdate.

Important: We do not collect personally identifiable information (PII) from your child such as: ❌ Real names or last names

• Photos or videos (avatars use predefined images only)
• Audio recordings
• Precise location or GPS coordinates
• Contact information (phone, email, address)
• School information
• Social media profiles or usernames

2.2 Information Collected Automatically

Device and Technical Information:

We collect details such as:

• Device type and model (e.g., iPhone 13, Samsung Galaxy S22)
• Operating system and version (e.g., iOS 17.2, Android 14)
• App version you're using
• Mobile carrier information
• Device language settings
• Time zone
• Screen resolution

This information helps us optimize the app's performance and provide a seamless user experience across different platforms.

Usage Data:

We collect data on how the app is used, such as:

• Which features are accessed (stories, games, AI conversations, educational activities)
• Duration of use and session times
• Interactions with educational content
• Time spent on specific activities
• Learning progress and achievements
• Features enabled or disabled
• When you last used the app

This aggregated and anonymized data helps us improve the app's functionality and educational effectiveness. This data is used only in aggregate form and cannot be traced back to any individual child.

2.3 Privacy Advantage:

This privacy-protective architecture means:

• We cannot track your location history over time
• We cannot build a profile of where you've accessed the app from
• No IP address logs exist that could be compromised in a data breach
• Your location privacy is protected beyond legal requirements

2.4 Voice Input and Text Transcripts

Our app allows your child to interact with Aiino using their voice. Here is exactly how this works:

On-Device Voice Capture (Audio Never Leaves the Device):

When your child speaks:

• The device microphone captures their voice
• The device's built-in speech recognition (Apple Speech Recognition for iOS or Google Speech Services for Android) converts that voice to text locally on the device
• The audio is processed only for this conversion and is then immediately discarded
• Aiino does not receive, access, or store any audio recordings of your child's voice

What We Collect:

After conversion, we receive only the text transcript of what your child said (together with the AI's responses).

These text transcripts may contain information your child chooses to share in the conversation (for example, "I have a little brother" or "My favorite color is blue").

We do not:

• Create or store voiceprints
• Analyze tone, pitch, or voice characteristics
• Use voice for identification or authentication
• Build voice profiles

How We Use Text Transcripts:

We use text transcripts to:

• Generate conversational responses from our AI models
• Provide and improve educational and play-based experiences
• Personalize learning content in a child-appropriate way (e.g., adapting difficulty or topics)
• Allow parents to view conversation history in the Parent Dashboard
• Maintain security, quality assurance, and debug issues
• Ensure content safety and appropriateness

Text-to-Speech (Read-Aloud Feature)

The app can read stories and content aloud to your child using text-to-speech technology.

How It Works:

• Your device converts written text to spoken audio
• Uses device's built-in TTS technology
• iOS uses Joanna Enhanced voice by default
• Processes on-device or through your device provider's servers
• Aiino does not receive, record, or store TTS-generated audio

TTS Providers:

• iOS: Apple Text-to-Speech (processes on-device)
• Privacy Policy: https://www.apple.com/legal/privacy/
• Android: Google Text-to-Speech (may use Google servers)
• Privacy Policy: https://policies.google.com/privacy

Privacy Note: The read-aloud feature generates audio locally. We do not collect or store this audio.

How Long We Keep Text Transcripts:

We store text transcripts for 30 days to support conversation continuity, personalization, and parent review.

Parents can choose a shorter retention period:

• 7 days
• 30 days

Change your setting at: Settings > Privacy > Transcript Retention

After the retention period expires, transcripts are permanently deleted or irreversibly anonymized (stripped of any potentially identifying information).

Parents can request earlier deletion of transcripts at any time (see "Your Privacy Rights" below).

Speech Recognition Technology:

Voice-to-text conversion on your child's device uses the device's own speech recognition technology:

iOS Devices:

• Apple Speech Recognition - Processes voice on-device
• Audio does not leave the device unless you've enabled Siri or other Apple services
• Privacy Policy: https://www.apple.com/legal/privacy/

Android Devices:

• Google Speech Services - May process voice on Google servers depending on your device settings
• Processing is controlled by your device manufacturer, not Aiino
• Privacy Policy: https://policies.google.com/privacy

This processing happens on the device or within your device manufacturer's systems, under the control of your device manufacturer or operating system provider.

Aiino does not control how your device provider processes audio for this conversion.

We recommend reviewing the privacy policy of your device provider for more information about their speech recognition services.

Your Privacy Controls:

You can control voice features at multiple levels:

Device Settings:

• iOS: Settings > Privacy & Security > Speech Recognition > Aiino (Enable/Disable)
• Android: Settings > Apps > Aiino > Permissions > Microphone (Allow/Deny)

In-App Settings:

• Settings > Voice Conversation > Enable/Disable
• Parent Dashboard > Features > Voice Features

Voice features are disabled by default until you explicitly enable them and provide consent during the setup process.

3. How We Use Your Information

We use the information we collect for the following purposes:

Account Management: To create and maintain your account, authenticate logins, manage access to the app, and process subscription changes.

Payment Processing:

To complete transactions for subscriptions via our payment partners (Apple App Store, Google Play Store), verify parental consent through payment verification, and send payment receipts.

Text Conversation and Learning Support:

We use your child's text conversation transcripts to:

• Generate AI responses that are educational, age-appropriate, and engaging
• Maintain continuity in stories and learning activities across sessions
• Tailor experiences to your child's age, interests, and progress
• Personalize educational content to match learning pace
• Remember context from previous conversations

Parent Visibility and Safety:

We make text transcripts available to you in the Parent Dashboard so you can:

• Review your child's conversations with the AI
• Monitor for safety and appropriateness
• Understand what your child is learning
• Manage their learning experience
• Delete conversations if desired
• Report any concerns

No AI Model Training by Third Parties:

Our third-party AI providers (AWS Bedrock) process transcripts only to generate responses on our behalf. They are contractually prohibited from:

• Using Aiino data to train their own AI models
• Storing data beyond what's necessary to generate responses
• Using data for any independent purposes
• Sharing data with any other parties

No Internal AI Training on Individual Data: Aiino does not use your child's individual conversation transcripts to train AI models. We do not use identifiable data from individual children to improve AI systems.

Aggregated Analytics Only: We may use anonymized, aggregated data (data that cannot be used to identify or contact any individual child in the real world) to:

• Identify technical issues.
• Measure overall app effectiveness.

Privacy Note: This aggregated data includes no personal identifiers and cannot be linked to any specific child.

Customer Support: To respond to your inquiries, send service-related messages (such as receipts, password resets, account notifications), provide technical support, and assist with account issues.

App Improvement: We analyze aggregated, non-identifiable data to:

• Understand usage trends and popular features
• Fix bugs and technical issues
• Improve user interface and user experience
• Develop new educational content
• Optimize app performance
• Make informed product decisions

This data is anonymized and cannot be traced back to any individual child or family.

Legal Compliance and Security: To enforce our Terms of Service, prevent fraud and abuse, detect security issues, protect the rights and safety of users, and ensure compliance with applicable laws like COPPA, CCPA, and Indian IT Act.

Communication: To send you important information about:

• Changes to our policies or terms
• Security alerts
• Account status updates
• Subscription renewals
• Service interruptions
• New features (only if you've opted in to product updates)

Legal Basis for Processing (GDPR - Future EU/UK Users):

When we expand to the EU/UK, we will collect and process personal information only where we have a legal basis:

• Consent: You provide explicit consent for specific purposes (e.g., enabling voice features, receiving marketing communications)
• Contract Performance: Processing is necessary to provide the Service you've subscribed to and to fulfill our contractual obligations
• Legitimate Interests: We have legitimate business interests in improving our app, protecting legal rights, and preventing fraud (balanced against your privacy rights and interests)
• Legal Obligation: We must process data to comply with laws and regulations (e.g., COPPA, tax laws, court orders)

4. Our Use of AI for Educational Purposes

Aiino uses AI to provide adaptive learning experiences. We believe in being fully transparent about how this technology works and how your child's data is used.

4.2 Data Used by the AI

The AI uses only:

• Non-personally identifiable data you provide - Child's age (not birthdate or real name)
• Anonymized usage data collected automatically - Interactions with specific content, time spent on activities, features used
• Text transcripts from conversations -

The AI does not process any personally identifiable information (PII) like:

• ❌ Real names or photos
• Location data
• Contact information
• School information
• Audio recordings

4.3 Third-Party AI Providers and Your Privacy

Our AI Infrastructure: Our AI features are powered by leading technologies hosted on Amazon Web Services (AWS), specifically using AWS Bedrock AI models accessed via AWS Bedrock.

What This Means:

• AWS provides the cloud infrastructure (servers, security, networking)
• AWS Bedrock AI provides the language model technology
• AWS Bedrock is the service that connects them securely
• Your child's data is processed on AWS servers in the United States
• The AI model providers (AWS Bedrock) never directly see your child's data

Contractual Protections: We have strong contractual agreements with AWS that legally require them to:

• Comply with all applicable privacy laws, including COPPA, CCPA, and Indian IT Act
• Process data only on our behalf and strictly according to our instructions
• Never store or access any personally identifiable information (PII) from Aiino users for their own purposes
• Never use data to train AI models or for uses beyond generating responses for Aiino
• Implement robust security measures (encryption, access controls) to protect data and prevent unauthorized access
• Only access anonymized or pseudonymized data, ensuring no personal identifiers are exposed
• Delete data when no longer needed for providing the service
• Allow us to audit their compliance with these requirements

How AI Responses Work - Step by Step:

When your child asks a question or has a conversation:

• Your child speaks a question (e.g., "Tell me a story about a dragon")
• Device converts speech to text (on-device, audio never sent to us)
• We send the text (never audio) to AWS servers in us-west1 (Oregon, United States)
• AWS processes the text using AWS Bedrock AI models hosted on AWS Bedrock
• AWS Bedrock AI model generates a response (e.g., an age-appropriate story about a friendly dragon)
• AWS sends the response back to our servers
• We send the response to your child's device
• Text transcript is stored for up to 90 days (or your chosen retention period) so you can review it

Critical Privacy Guarantees:

• AWS does not use your child's data to train AI models - This is contractually prohibited
• AWS does not share your data with model providers (AWS Bedrock etc.) - The model providers never see user data
• Data is processed solely to generate responses for your child - No other use is permitted
• AWS processes data only according to our instructions - They cannot use it for their own purposes
• All data is encrypted in transit and at rest - Using industry-standard AES-256 and TLS 1.3 encryption
• Data is processed in real-time - AWS does not store conversation data long-term on our behalf

Model providers (AWS Bedrock AI) never see your child's data. They provide the AI model technology, but AWS runs these models in isolation without sharing user data with the model creators.

Think of it like this: It's similar to using Microsoft Word on your computer. Microsoft provides the software, but they don't keep copies of your documents. Similarly, AWS Bedrock provides the AI model, but AWS runs it without sharing your child's conversations with AWS Bedrock.

Data Processing Note: When we process requests through AWS:

• Your IP address is transiently accessed by AWS infrastructure during the API call (this is necessary for internet communication)
• AWS does not store IP addresses on our behalf (we have configured AWS not to log IP addresses)
• IP addresses are only used for routing the request and are immediately discarded
• This is standard for any cloud-based service

Third-Party Privacy Policies: For more information about how our infrastructure providers protect data:

• AWS Privacy Policy: https://aws.amazon.com/privacy/
• AWS Customer Agreement: https://aws.amazon.com/agreement/
• AWS Data Processing Addendum: https://aws.amazon.com/compliance/data-privacy-faq/

4.4 AI-Generated Content Disclaimer

The Aiino app uses AI to generate educational content, stories, and conversational responses. This AI-generated content may include:

• Characters and personalities
• Visual descriptions
• Storylines and scenarios
• Educational explanations

Important Disclaimers:

No Real People: AI-generated content may resemble real human beings or portray realistic characters. However, any such resemblance is purely coincidental and does not indicate any connection to real individuals, living or deceased.

Entertainment and Education Only: AI-generated and interactions are designed solely for educational and entertainment purposes and should not be mistaken for real human interactions or professional advice.

No Endorsements: AI-generated content does not constitute endorsements of any products, services, individuals, or organizations.

Liability: We are not responsible for any unintended likeness or similarities that may appear in AI-generated content.

4.5 No Professional Advice

Important: The Service and any AI-generated outputs are provided for general educational and entertainment purposes only.

They do NOT constitute professional advice, including:

• Educational or academic advice , Medical or psychological advice
• Legal advice
• Financial advice
• Parenting advice
• Therapeutic counseling

Always Consult Professionals:

You should not rely on the Service as a substitute for advice from qualified professionals. Always consult appropriate professionals for specific guidance related to your child's:

• Education and learning needs
• Health and medical concerns
• Behavioral or developmental issues
• Special educational requirements
• Any serious matters requiring expert advice

AI Limitations:

AI systems can make mistakes, provide incomplete information, or generate responses that may not be appropriate for every child. Parental supervision and judgment are essential.

5. How We Share or Disclose Information

We do not rent or sell your personal data. We have never sold personal information, and we have no plans to do so.

We only share information with trusted partners in the following limited circumstances:

5.1 Service Providers

We share information with trusted third-party vendors who perform services on our behalf. These partners are bound by strict confidentiality agreements and are only permitted to use the data to fulfill their contractual duties.

All service providers must:

• Sign Data Processing Agreements with privacy and security requirements
• Process data only as we instruct
• Implement appropriate security measures
• Comply with COPPA and other applicable privacy laws
• Not use children's data for their own purposes

Our categories of service providers include:

Cloud Hosting Providers

Amazon Web Services (AWS)

Purpose: Secure hosting of application data, AI services, and infrastructure

Location: United States (us-west1 region in Oregon)

Data Shared: All data necessary to operate the service, including:

• Account information (email, encrypted passwords)
• Child profiles (age, nickname)
• Text conversation transcripts
• Usage data
• Device information (temporarily during requests)

Important Privacy Protections:

• All data stored in us-west1 (Oregon, United States)
• Data encrypted at rest using AES-256
• Data encrypted in transit using TLS 1.3
• IP address logging disabled (not stored)

Privacy Policy: https://aws.amazon.com/privacy/

AWS Compliance: https://aws.amazon.com/compliance/

AI & Machine Learning Services

AWS Bedrock AI (accessed via AWS Bedrock)

Purpose: Generate conversational AI responses from text transcripts to provide educational, age-appropriate conversations for children

Data Shared: Text transcripts of child conversations (NOT voice recordings, NOT real names, NOT photos)

How It Works:

• We send text to AWS Bedrock
• AWS Bedrock processes text using AWS Bedrock AI models
• Models generate educational responses
• Responses sent back to the child
• AWS Bedrock AI (the company) never directly sees or accesses user data

Contractual Protections:

• Prohibited from using data to train their own AI models
• Prohibited from storing data beyond what's needed to generate responses
• Prohibited from sharing data with any third parties
• Must process data only on our behalf and per our instructions
• Must delete data immediately after generating responses

Data Retention by AI Provider: Processes in real-time, does not store long-term

Critical Privacy Guarantee: AWS doesn't train on your data. AWS Bedrock AI (the model provider) never sees your child's conversations.

Privacy Policy: https://AWS Bedrock.ai/terms/ (Note: AWS Bedrock processes via AWS and is bound by AWS's Data Processing Agreement with us)

Payment Processing

Apple Inc. (for iOS in-app purchases)

Purpose:

• Process subscription payments securely
• Handle parental consent verification (0.29 USD temporary charge for US users)
• Manage subscription renewals and cancellations

Data Shared:

• Payment information (we never see full card details)
• Subscription status
• Purchase receipts

What We Receive: Only a secure payment token to confirm subscription is active

Privacy Policy: https://www.apple.com/legal/privacy/

Google LLC (for Android in-app purchases)

Purpose:

• Process subscription payments securely
• Handle parental consent verification (0.29 USD temporary charge for US users)
• Manage subscription renewals and cancellations

Data Shared:

• Payment information (we never see full card details)
• Subscription status
• Purchase receipts

What We Receive: Only a secure payment token to confirm subscription is active

Privacy Policy: https://policies.google.com/privacy

Analytics & Performance Monitoring

System Stability & Crash Reporting Provider: Firebase Crashlytics (Google LLC)

Data Retention by Firebase:

• Crash reports automatically deleted after 90 days by Google
• Installation ID resets when app is uninstalled/reinstalled
• Crash data is not linked to your account and cannot be manually deleted
• When you delete your account, crash data remains anonymized and expires per Google's 90-day policy
• No action needed from you - Google handles automatic deletion

Purpose: Identify technical errors, app crashes, and stability issues

COPPA-Compliant Privacy Configuration:

• Custom wrapper automatically strips all personally identifiable information (PII)
• Never logs child names, emails, ages, or conversation content
• Tracks only anonymous technical data: crash types, device models, OS versions
• Installation UUID (random identifier, never linked to child or account)

Data Processed:

• Technical crash logs (error codes and stack traces only)
• Device attributes (operating system version, device model)
• Screen names (anonymized, no user-specific information)
• API errors (sanitized to remove any personal data)
• App navigation breadcrumbs (technical flow only, fully anonymized)

Note: We do not track user behavior, session times, or usage patterns.

Privacy-Protective Configuration:

• Advertising ID collection is technically impossible (not integrated)
• Personalized advertising disabled at code level
• No cross-app tracking
• No behavioral profiling
• Automatic PII filtering before data leaves device

Privacy Policy: https://firebase.google.com/support/privacy

Customer Support & Communication

Amazon SES (Simple Email Service)

Purpose: Send account-related emails and support communications

Emails We Send: Signup OTP, Reset Password OTP, Forget Password OTP, Parent Request AI data, then we send them in pdf via mail, Account Deletion Notification

Data Shared:

• Email address
• Message content (only what you send us or we send you)
• No tracking pixels or read receipts

Privacy Policy: https://aws.amazon.com/privacy/

Push Notifications

Apple Push Notification Service (APNS)

Purpose: Send important notifications about your child's account (only if you enable notifications)

Data Shared:

• Device tokens (unique identifier for your device, not linked to personal information)
• No message content stored by Apple

Types of Notifications:

• Subscription reminders
• Security alerts
• Important account updates

Control: You can disable notifications in your device settings at any time

Privacy Policy: https://www.apple.com/legal/privacy/

SMS/OTP Services (for Indian Users Only)

Amazon SNS (Simple Notification Service)

Purpose: Send one-time passwords (OTP) for parental verification in India

Data Shared:

• Mobile phone number (only for Indian users who choose OTP verification)

How It Works:

• You provide your mobile number
• AWS SNS sends a 6-digit OTP via SMS
• You enter OTP to verify you're a parent
• Verification complete

Data Retention:

• Phone numbers stored securely
• Used only for verification purposes
• Not shared with third parties
• Can be updated in Settings

Privacy Policy: https://aws.amazon.com/privacy/

Device Speech Recognition Providers

Apple Speech Recognition (iOS)

Purpose: Convert your child's voice to text on-device

Processing:

• On-device only (audio does not leave the device unless you've enabled Siri or other Apple services)
• Audio converted to text locally
• Audio immediately discarded after conversion
• Aiino does not receive audio data

What Aiino Receives: Only the text transcript

Control: Settings > Privacy & Security > Speech Recognition > Aiino

Privacy Policy: https://www.apple.com/legal/privacy/

Google Speech Services (Android)

Purpose: Convert your child's voice to text

Processing:

• May use Google servers depending on device settings
• Controlled by your device manufacturer, not Aiino
• Aiino does not receive audio data

What Aiino Receives: Only the text transcript

Control: Settings > Apps > Aiino > Permissions > Microphone

Privacy Policy: https://policies.google.com/privacy

Important: Please refer to your device provider's privacy policy for details on how they process voice data for speech recognition. Aiino does not control this process.

5.2 Complete List of Third-Party Service Providers

For transparency, here is the complete list of third parties that may process children's personal information:

Amazon Web Services (AWS) - Cloud hosting, AI services, email, SMS

AWS Bedrock AI (via AWS Bedrock) - AI response generation

Apple Inc. - Payment processing, push notifications (iOS)

Google LLC - Payment processing, Crash Reporting (Firebase)

We do not use:

• Advertising networks
• Social media platforms
• Marketing automation tools
• Third-party analytics beyond Firebase
• Data brokers
• Any service that sells or shares children's data

5.3 Updates to Service Providers

We will update this list within 30 days if we add new service providers that process children's personal information.

Material changes will be communicated via email to parents.

For questions about our service providers, contact us at info@aiino.ai.

5.4 Legal and Safety Reasons

We may disclose personal data if required by law or in good faith to:

Comply with legal process - Subpoenas, court orders, law enforcement requests (we will notify you unless legally prohibited)

Protect safety - Prevent harm to children, users, or the public (e.g., child safety concerns, threats of violence)

Enforce our rights - Enforce our Terms of Service, prevent fraud, protect intellectual property

Prevent fraud or security threats - Detect and prevent hacking, unauthorized access, or abuse of the Service

If we receive a legal request for your data, we will:

• Carefully review the request for legal validity
• Notify you (unless prohibited by law)
• Provide only the minimum data necessary
• Challenge overbroad requests when possible

5.5 Business Transactions

In the event of a merger, acquisition, bankruptcy, or sale of assets:

We will:

• Notify you via email at least 30 days in advance of the transaction
• Post prominent in-app notification about the change in ownership
• Provide details about the new owner and their privacy practices
• Give you the option to delete your account and data before the transfer
• Require the new owner to honor this Privacy Policy

Your Options:

• Continue using the Service (data transfers to new owner)
• Delete your account before the transfer (data permanently deleted)
• Contact us with questions about the transaction

Personal data may be transferred to the new owner, but you maintain control over your data through the deletion option.

5.6 No Sale of Personal Information

We do not sell personal information. We have never sold personal information, and we have no plans to do so in the future.

We do not:

• Sell or rent personal information to third parties
• Share information for cross-context behavioral advertising
• Allow third parties to collect information for their own advertising
• Participate in data broker arrangements

6. Data Security Practices

We take the security of your data seriously and implement industry-standard technical, physical, and administrative measures to protect it.

6.1 Encryption

Data in Transit:

All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security), the latest and most secure encryption standard.

HTTPS-Only Enforcement (Android):

• All Android app communication enforces secure HTTPS protocol only
• Insecure HTTP connections are automatically blocked
• Prevents data interception and man-in-the-middle attacks
• Meets Google Play security requirements

What this means: When your device communicates with our servers, all data is encrypted so that it cannot be intercepted or read by anyone else.

Data at Rest:

All data stored on our servers (AWS) is protected using AES-256 encryption, a military-grade encryption standard used by governments and financial institutions.

What this means: Even if someone gained physical access to our servers (which is extremely unlikely given AWS security), they could not read the data without the encryption keys.

Password Protection:

Passwords are secured using PBKDF2-SHA256 cryptographic hashing with:

• No plain-text storage
• Unique salts per password
• 260,000 computational iterations (brute-force resistant)
• One-way encryption (cannot be decrypted)
• Secure password reset only

What this means: Even we cannot see your password. If you forget it, we can only help you reset it, not recover it.

6.2 Access Control

Role-Based Access:

We use role-based access controls (RBAC) to ensure only authorized personnel have access to user data, and only to the data necessary for their specific job function.

Multi-Factor Authentication (MFA):

All employee accounts with access to user data require multi-factor authentication. This means employees must verify their identity using both a password and a second factor (usually a time-based code from their phone).

Automated Account Protection:

• 5 consecutive failed login attempts trigger automatic 15-minute account suspension
• Suspension automatically lifts after 15 minutes
• Protects your account from unauthorized access attempts and brute-force attacks
• You'll receive notification if your account is temporarily suspended

Rate Limiting (Service Protection):

• Login attempts: 10 per minute per IP address
• Account signup: 5 per minute per IP address
• Password reset requests: 5 per minute per IP address
• OTP (verification code) requests: 10 per minute per IP address
• Demo mode access: 3 per minute per IP address

These limits protect against automated abuse while allowing normal use.

Principle of Least Privilege:

Employees can only access the minimum data necessary to perform their job functions. For example:

• Customer support can see account email and subscription status
• Customer support cannot see conversation transcripts or child information
• Engineers with database access can see data but cannot modify or delete it without approval

Access Logging:

All access to user data is logged and monitored for unusual activity.

6.3 Security Audits and Monitoring

Continuous Monitoring:

We conduct continuous security monitoring to:

• Detect potential vulnerabilities
• Identify suspicious access patterns
• Monitor for unauthorized access attempts
• Track system health and performance
• Alert on security events in real-time

Internal Security Assessments:

We perform regular internal security assessments to:

• Identify and address potential risks
• Review access controls
• Test incident response procedures
• Update security policies and procedures

Privacy-Protective Architecture:

As part of our privacy-by-design approach, we have architected our systems with built-in privacy protections:

No IP Address Logging:

We have deliberately chosen not to store or log IP addresses. This means:

• We cannot track user location history
• We cannot build location-based profiles
• IP addresses are only accessed transiently during request processing
• No IP address logs exist that could be compromised in a data breach
• Your location privacy is protected beyond what is required by law

Privacy by Default:

Our systems are configured to:

• Collect the minimum data necessary
• Apply strictest privacy settings by default
• Automatically delete data when it's no longer needed
• Require explicit opt-in for optional features
• Anonymize data used for crash reporting.

This architectural choice provides enhanced privacy protection and reduces the risk of data exposure in the unlikely event of a security incident.

6.4 Incident Response

Data Breach Notification:

In the event of a data breach affecting children's personal information, we will:

Investigate and contain the breach - Immediately upon discovery, assess the scope, stop the breach, and prevent further unauthorized access

Notify affected parents via email within 72 hours of discovering the breach, including:

• What happened and when
• What data was affected
• What we've done to address it
• Steps you can take to protect your child
• Contact information for questions

Notify relevant authorities as required by law:

• Federal Trade Commission (FTC) for COPPA breaches
• State Attorneys General as required
• Other regulatory authorities in affected jurisdictions

Provide detailed information about:

• The nature of the breach
• Types of data affected
• Number of affected users
• Actions taken to mitigate harm
• Additional steps planned

Post a public notice on our website and in-app for 30 days following the breach

Offer assistance such as:

• Guidance on protective measures
• Extended support
• Account monitoring (if applicable)

Because we do not store audio recordings of your child's voice or log IP addresses, there is no stored voice data or location history at risk in the event of a breach.

Our Commitment:

We treat any potential data breach with the utmost seriousness and will be transparent with you about what happened and how we're addressing it.

6.5 Information Security Program

As required by the Children's Online Privacy Protection Act (COPPA), we maintain a comprehensive, written Information Security Program designed to protect children's personal information from unauthorized access, use, or disclosure.

Our Information Security Program includes:

Risk Assessment:

• Annual security risk assessments identifying threats to children's data
• Evaluation of likelihood and impact of potential security events
• Prioritization of risks based on severity and business impact
• Documentation of risk mitigation strategies and action plans
• Regular reviews and updates based on new threats

Administrative Controls:

• Background checks for employees with access to children's data
• Mandatory security awareness training for all staff (annual refresher)
• Clear access control policies based on need-to-know principle
• Incident response procedures with defined roles and responsibilities
• Regular policy reviews and updates
• Security leadership oversight

Technical Controls:

• Data encryption in transit (TLS 1.3) and at rest (AES-256)
• Multi-factor authentication for all employee access
• Firewall protection and intrusion detection systems
• Regular vulnerability scanning and security testing
• Secure software development practices
• Automated security monitoring and alerting
• No IP address logging (privacy-protective architecture)
• Secure password hashing (bcrypt)

Physical Controls:

• Secure data center facilities (AWS infrastructure with physical security)
• Physical access controls and visitor logs
• Environmental controls (fire suppression, climate control, backup power)
• Secure disposal procedures for any hardware containing data
• Video surveillance and 24/7 monitoring of facilities

Third-Party Management:

• Security requirements in all vendor contracts
• Data Processing Agreements with defined security obligations
• Vendor access limited to minimum necessary
• Regular review of vendor security practices
• Annual security audits of critical service providers (planned)

Continuous Improvement:

• Internal security reviews and assessments
• Security metrics tracking and reporting
• Incident post-mortems and lessons learned
• Regular updates to security controls based on emerging threats
• Staying current with industry best practices

Program Oversight:

Our Information Security Program is overseen by our Technical Lead, who reports on security status to management.

Documentation:

We maintain comprehensive documentation of our security program, including:

• Security policies and procedures
• Risk assessments and mitigation plans
• Incident response plans
• Access control matrices
• Audit logs and monitoring reports

Next Scheduled Review: July 2026

For questions about our security practices, contact us at info@aiino.ai with subject line "Security Question".

7. Children's Privacy and Parental Consent

Aiino is designed for children aged 3-9, and we are fully compliant with the U.S. Children's Online Privacy Protection Act (COPPA) and applicable international privacy laws.

7.1 Verifiable Parental Consent (VPC)

We do not collect any personal information from your child without first obtaining verifiable parental consent through an FTC-approved mechanism.

Legal Requirement: COPPA requires that we verify you are a parent or legal guardian before collecting personal information from children under 13. We take this requirement seriously and have implemented robust verification processes.

7.2 Our Verification Process

Before your child can use features that process personal information, we require you to verify your identity as a parent or legal guardian.

For United States Users: Credit/Debit Card Verification

How it works:

Small temporary charge - We charge 0.29 USD to your credit or debit card

Automatic refund - This charge is fully refunded within 24-48 hours

Why we charge - This proves you control a payment method (children typically cannot)

Legal approval - This method is approved by the Federal Trade Commission (FTC) as a valid parental verification under COPPA

Secure processing - Processed securely through Apple App Store or Google Play Store

Payment Security:

• All payment data is processed through PCI-DSS compliant processors
• We never store your full credit card number
• Only a secure token is kept to confirm your subscription
• Verification is one-time only
• Refunds process automatically within 24-48 hours

Supported Cards:

• Visa
• Mastercard
• American Express
• Discover
• Most major debit cards

For Indian Users: One-Time Password (OTP) Verification

FREE VERIFICATION - NO CHARGE

For users in India, we offer One-Time Password (OTP) verification as an alternative.

How it works:

Provide mobile number - Enter your mobile phone number during signup

Receive OTP - You'll receive a 6-digit code via SMS

Enter OTP - Type the code in the app to verify

Verification complete - Instant verification with no charges

OTP Security & Privacy:

• Processed through secure, encrypted channels (AWS SNS)
• Mobile numbers stored securely and used only for verification
• We never share your phone number with third parties
• Verification is one-time only
• OTP is valid for 10 minutes
• You can request a new OTP if needed (up to 3 times)
• Phone number can be updated in Settings

Alternative Verification (if needed):

If you cannot use credit card or OTP verification, contact us at info@aiino.ai to arrange alternative verification methods. We'll work with you to find a solution that complies with COPPA requirements.

7.3 What Happens Before Verification

Limited Access Mode:

Before you complete parental consent verification, the app operates in a limited exploratory mode:

What Your Child CAN Do:

• Browse available content categories
• See example stories and activities
• Explore the app interface
• View feature descriptions

What Your Child CANNOT Do: Create or save content

Privacy Protections:

• We do not collect personal information during this period
• Voice features are disabled
• Push notifications are disabled
• Default privacy settings are set to maximum protection
• No data is shared with third parties

7.4 What Happens After Verification

Full Access Mode: After you complete verification and provide consent, the full app experience becomes available:

What Becomes Available:

• Full app features and content
• AI conversation capabilities (if you enable voice features)
• Progress tracking and achievements
• Parent Dashboard access
• Ability to save and resume activities

Data Collection Begins:

• We may collect and process personal information as described in this policy
• You can enable voice conversation features
• Educational personalization becomes active
• You can manage all settings in the Parent Dashboard

7.5 Your Consent Covers

By completing verification, you specifically consent to:

• Collection of your child's age and nickname - For account creation and age-appropriate content
• Processing of usage data and educational interactions
• Creation of text transcripts from voice input - If you enable voice features (optional)
• Data sharing with service providers - As described in Section 5 (AWS, payment processors, etc.)
• Storage of data - As described in Section 9 (90-day default for transcripts)
• Use of data for purposes described in this policy - Educational personalization, app improvement, security, etc.

7.6 Consent for Voice-to-Text Features

Voice features are disabled by default and require separate explicit consent.

Before your child can use voice conversation features, we ask you to provide specific consent to:

• Allow your child's voice to be captured on their device and converted to text
• Allow Aiino to receive and store text transcripts of your child's conversations for the limited purposes described in this Privacy Policy
• Understand that audio is processed on-device and never sent to Aiino
• Acknowledge that you can review, manage, and delete transcripts at any time

7.7 Managing Your Consent

You can review, modify, or withdraw your consent at any time:

In-App Settings:

• Settings > Data & Privacy > Voice & AI Consent (toggle with full disclosures)
• Parent Dashboard > Features > Voice Features

View Consent Status:

• Parent Dashboard > Privacy & Consent
• See what you've consented to
• See when consent was given
• View consent history

Modify Feature Permissions:

• Parent Dashboard > Feature Controls
• Enable/disable specific features
• Change transcript retention period
• Adjust privacy settings

Withdraw Consent and Delete Account:

• Settings > Account > Delete Account
• Account deactivated immediately
• All data deleted within 30 days
• Cannot be undone

7.8 No Behavioral Advertising

We do not serve behavioral advertisements to children or use children's data for marketing or advertising purposes, regardless of consent.

We do not:

• Show ads in the app (paid subscription model)
• Track children across websites or apps
• Build advertising profiles
• Share data with advertisers
• Allow third-party advertising networks
• Use children's data for marketing

7.9 Ongoing Parental Rights

After providing consent, you retain all rights to:

Access and Review:

• View text transcripts of your child's AI conversations
• Access all data we've collected about your child
• Download a copy of your child's data

Control and Manage:

• Update your child's profile information
• Modify privacy settings at any time
• Choose transcript retention period
• Enable/disable specific features

Delete and Remove:

• Request deletion of specific conversations
• Delete all data and close account
• Request immediate data deletion (overriding retention periods)

Monitor and Protect:

• Review conversation history
• Report inappropriate content
• Set parental controls
• Manage screen time limits

To exercise these rights, visit the Parent Dashboard or contact us at info@aiino.ai.

7.10 Children's Rights

While parents control account settings and data, children using Aiino have the right to:

Safety and Security:

• Have their personal information protected with industry-standard security measures
• Use an app designed with their safety as the top priority
• Be protected from inappropriate content through content filtering

Privacy:

• Not have their data sold or used for behavioral advertising
• Have their information deleted upon parental request
• Have their data processed only with parental consent
• Have their conversations kept private and secure

Appropriate Experience:

• Access age-appropriate educational content
• Interact with AI that's designed for children
• Learn without manipulation or pressure
• Have a safe, fun, and educational experience

Children can speak to their parents about these rights or contact us with a parent's help at info@aiino.ai.

8. International Data Transfers

8.1 Data Storage Location

Aiino stores and processes data in secure Amazon Web Services (AWS) data centers.

Primary Data Center Location:

us-west1 (Oregon, United States)

What this means:

• All user data (account info, transcripts, usage data) is stored on AWS servers in Oregon
• Data is subject to United States laws and regulations
• AWS provides physical security, network security, and compliance certifications
• Data remains within the United States unless transferred with your consent or as required by law

8.2 Transfers from Outside the United States

If you are located outside the United States (e.g., in India or other countries where we operate):

Your data will be transferred to and processed in the United States.

By using the Service, you consent to:

• The transfer of your data to the United States
• Processing of your data under United States privacy laws
• Storage of your data on AWS servers in Oregon

Why We Transfer Data:

• Our infrastructure and AI services are hosted in the United States
• This allows us to provide the best performance and service quality
• AWS's Oregon data center provides robust security and compliance

Protections for International Data Transfers:

• Data Processing Agreement with AWS
• Industry-standard encryption in transit and at rest
• Compliance with applicable privacy laws in your country
• Your rights under this Privacy Policy apply regardless of where data is stored

8.3 Future EU/UK Expansion

When we expand to the European Union and United Kingdom, we will ensure that any international data transfers comply with GDPR requirements.

Our GDPR Compliance Plan (before EU/UK launch):

Standard Contractual Clauses (SCCs):

• We will implement Standard Contractual Clauses approved by the European Commission
• SCCs are legally recognized contracts that ensure adequate protection of personal data when transferred outside the European Economic Area (EEA)

Additional Safeguards:

• Supplementary measures to protect data during transfers
• Data protection impact assessments (DPIAs)
• Regular audits of data transfer processes

EU/UK Data Residency (Planned):

• We plan to store EU/UK user data within the European Economic Area
• Likely using AWS eu-central-1 (Frankfurt, Germany) or AWS eu-west-2 (London, UK)
• Data will not leave the EEA except as required by law or with explicit consent

Transparency:

• We will clearly notify EU/UK users about data storage location
• We will provide information about any cross-border transfers
• We will update this policy before launching in EU/UK

8.4 Data Localization for Indian Users (Future-Proofing)

Current Practice:

Data for Indian users is currently stored in us-west1 (Oregon, United States).

Why United States Storage:

• Our infrastructure is currently US-based
• AWS Oregon provides excellent performance for Indian users
• Complies with current Indian privacy laws

If Indian Law Changes: India's upcoming Digital Personal Data Protection Act (DPDP Act) may require data localization. We are prepared to comply:

Our Plan:

• If data localization is required, we will migrate Indian user data to AWS ap-south-1 (Mumbai, India)
• We will notify Indian users 30 days before any changes to data storage location
• We will ensure seamless transition with no data loss
• All protections in this Privacy Policy will continue to apply

Commitment: We will comply with all Indian data protection requirements and will keep Indian users informed of any changes.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy and to comply with our legal obligations.

Our guiding principle: Keep data only as long as needed, no longer.

9.1 Retention Periods

Crash Reports (Firebase Crashlytics):

What: Anonymous crash logs, device information, Installation ID

Retention: 90 days, then automatically deleted by Google (Firebase)

Deletion: Cannot be manually deleted (not linked to your account). Data is anonymous and tied to app installation, not your user account. Auto-expires after 90 days.

Why we keep it: Required for app stability and fixing technical issues

Crash Data: 90 days (automatically deleted by Firebase, see Section 5.1 for details)

Account and Subscription Data:

What: Email address, encrypted password, subscription status, payment tokens

Retention: As long as your account is active

Deletion: If you delete your account, this data will be permanently deleted from our live systems within 30 days

Why we keep it: Necessary to provide the Service, manage your account, and process payments

Child Profile Data:

What: Child's age, nickname

Retention: As long as your account is active

Deletion: Deleted within 30 days of account closure

Why we keep it: Necessary to provide age-appropriate content

Text Conversation Transcripts:

What: Text transcripts of your child's conversations with the AI

Retention: 30 days from creation

Parent Choice: You can choose a shorter retention period:

• 7 days - Transcripts deleted after one week
• 30 days - Transcripts deleted after one month
• 90 days - Transcripts deleted after three months

Early Deletion:

Parents can request earlier deletion at any time:

• Parent Dashboard > Conversations > Delete All
• Parent Dashboard > Conversations > Select specific conversation > Delete
• Email info@aiino.ai with subject "Delete Conversation Transcripts"

Why we keep them: Safety monitoring (we can review if you report concerns)

Audio Recordings of Your Child's Voice:

Retention: We do not collect or store audio recordings

What happens to audio:

• Captured by device microphone
• Converted to text on-device
• Immediately discarded after conversion
• Never sent to Aiino servers
• Never stored anywhere

Device Information:

What: Device type, OS version, app version

Retention: As long as your account is active

Deletion: Deleted within 30 days of account closure

Why we keep it: To provide technical support and optimize app performance

IP Addresses:

Retention: We do not store or log IP addresses

What happens to IP addresses:

• Temporarily accessed during API requests
• Used for security and compliance during the request
• Immediately discarded after request is processed
• Never written to logs or databases
• Cannot be retrieved or reviewed

Why we don't keep them: Privacy protection - we cannot track your location history or build location profiles

Data Stored Locally on Your Device:

What: Some non-personal data, such as app settings, learning progress before account creation, cached content

Retention: Until you delete the app or clear app data

Control: You control this data:

• iOS: Settings > General > iPhone Storage > Aiino > Delete App
• Android: Settings > Apps > Aiino > Storage > Clear Data

Important: We do not have access to this data. It's stored only on your device.

9.2 Backup Retention (Future Implementation)

Current Status: We do not currently maintain encrypted backups. All data deletion is immediate from our live systems.

Future Implementation:

When we implement backup systems for disaster recovery:

Backup Schedule: Encrypted backups created every 7 days

Backup Retention: Rolling 90-day basis (old backups automatically deleted)

Data Deletion from Backups:

• When you delete data from live systems, it will be permanently erased from backups within 90 days
• This is because backups are point-in-time snapshots
• New backups created after deletion will not contain your deleted data
• After 90 days, all backups containing your data will be overwritten

Backup Security:

• Encrypted using AES-256
• Stored in separate AWS region for redundancy
• Access restricted to authorized personnel only
• Regular testing to ensure restoration works

Why 90 days:

• Industry standard for disaster recovery
• Balances data protection with disaster recovery needs
• Complies with legal retention requirements

9.3 Secure Deletion

When data is deleted (either by you or automatically after retention period), we use industry-standard secure data-wiping methods to ensure that no data can be recovered after deletion.

Our Deletion Process:

Immediate Deactivation: Data is immediately marked as deleted and becomes inaccessible

Overwriting: Data is overwritten with random data multiple times

Verification: Deletion is verified through automated checks

Certificate of Destruction: For account deletions, we can provide confirmation upon request

Compliance:

• NIST guidelines for media sanitization
• GDPR "right to erasure" requirements
• COPPA parental deletion rights

No Recovery Possible: Once data is deleted using our secure methods, it cannot be recovered by us or anyone else, even with advanced forensic tools.

Backup Deletion (when implemented):

• Deleted data excluded from new backups immediately
• Existing backups containing deleted data purged within 90 days
• No restoration of deleted data, even in disaster recovery scenarios

Exception for Crash Reports:

• Anonymized crash data collected by Firebase Crashlytics is not deleted when you delete
• your account because it is not linked to your account - it's tied to the app installation.
• This data automatically expires after 90 days per Google's retention policy.

9.4 Legal Retention Requirements

In some cases, we may be required to retain certain data for legal or regulatory reasons:

Legal Hold:

If we receive a court order, subpoena, or legal hold, we may need to preserve data beyond normal retention periods. We will notify you if legally permitted.

Tax and Accounting Records:

Payment records may be retained for tax compliance (typically 7 years as required by law)

Dispute Resolution:

If there's an ongoing dispute, complaint, or legal proceeding, we may retain relevant data until the matter is resolved

Compliance Records:

Records demonstrating COPPA compliance (parental consent, verification) may be retained as required by law

10. Your Privacy Rights

Depending on your jurisdiction, you have certain rights regarding your personal data. You can manage many of these rights directly within the Parent Dashboard in the app for ease of access.

10.1 Complete List of Parental Rights

As a parent or legal guardian, you have the following rights regarding your child's personal information:

10.1.1 RIGHT TO ACCESS

What it means: View and obtain a copy of what personal information we have collected about your child

What you can access:

• Account information (email, child's age, nickname)
• Text transcripts of your child's AI conversations
• Usage data and learning progress
• Data collection summary
• Subscription and payment history
• List of devices used to access your account (device types, not IP addresses)

What we cannot provide (because we don't collect or store it):

• IP address history - We don't log or store IP addresses
• Precise location data - We don't collect GPS coordinates
• Audio recordings - We never receive or store audio
• Browsing history - We don't track activity outside our app
• Real-time location - We don't track movements

How to exercise:

• Mobile App: Settings > Data & Privacy > Data Rights Requests (submit requests directly)
• Parent Dashboard: Privacy > View My Data
• Email: info@aiino.ai with subject "Data Access Request"
• Include: Your account email address

What you'll receive: PDF document containing all your collected data

Timeline: We will provide your data within 30 days (usually much faster)

10.1.2 RIGHT TO CORRECTION

What it means: Update or correct inaccurate information about your account or child

What you can correct:

• Child's age (if entered incorrectly)
• Child's nickname
• Your email address
• Account settings
• Any other inaccurate information

How to exercise:

• Mobile App: Settings > Data & Privacy > Data Rights Requests (submit requests directly)
• Parent Dashboard: Child Profile > Edit
• Settings: Account > Edit Profile
• Email: info@aiino.ai with subject "Data Correction Request"

Timeline: Changes take effect immediately after you make them

10.1.3 RIGHT TO DELETION

What it means: Delete your child's data and close the account permanently

What gets deleted:

• All account information
• All conversation transcripts
• All usage data
• All stored personal information
• Payment tokens (subscription will be cancelled)

Important: This action can be undone within 30 days. All data will be permanently erased.

How to exercise (3 options):

Option 1 - In-App (Fastest):

Open Aiino app

Go to Settings > Account > Delete Account

Complete parental verification (to ensure request is from parent)

Confirm to delete

Account immediately deactivated

Option 2 - Parent Dashboard:

Log in to Parent Dashboard

Go to Privacy > Delete All Data

Confirm deletion

Account immediately deactivated

Option 3
Mobile App: Settings > Data & Privacy > Data Rights Requests (submit requests directly)

Timeline:

• Account deactivated immediately (app access stops)
• 30-day grace period: Restore account by logging back in during this time
• After 30 days: Permanent deletion process begins
• Data deleted from live systems within 30 days
• Data removed from backups within 90 days (when implemented)

What happens to subscription:

• Subscription automatically cancelled
• No refund for remaining subscription period (per Apple/Google policy)
• You can cancel subscription first, then delete account to avoid being charged again

10.1.4 RIGHT TO DELETE SPECIFIC DATA

What it means: Delete specific conversations or data without closing your entire account

What you can delete:

• Individual conversation transcripts
• Multiple selected conversations
• All conversations from a specific time period
• Specific child profiles (if you have multiple children)

How to exercise:

• Parent Dashboard: Conversations > Select conversation(s) > Delete

Timeline: Immediate deletion from live systems

10.1.5 RIGHT TO OBJECT

What it means: Object to specific data processing activities you don't agree with

You can object to:

• Use of anonymized data for service improvement
• Specific features or data collection practices
• Any processing you believe is unnecessary or unfair
• Data processing that goes beyond what's needed for the service

Timeline: We will respond within 30 days and either:

• Stop the processing you objected to, OR
• Explain why we must continue (e.g., legal requirement, necessary for the service)

Your Options if We Must Continue:

• You can delete your account if you disagree
• You can file a complaint with regulatory authorities

10.1.6 RIGHT TO DATA PORTABILITY

What it means: Receive your child's data in a format you can transfer to another service

Format provided: PDF document containing all collected data in human-readable format

What's included:

• Account details
• Conversation transcripts
• Usage data
• Learning progress
• All personal information we've collected

Delivery: Sent via secure email within 24-48 hours

File Security: PDF is password-protected (we'll send password in separate email)

10.1.7 RIGHT TO COMPLAIN

What it means: File a complaint with relevant authorities if you believe we've violated your privacy rights

Where to complain:

United States - Federal (COPPA): Federal Trade Commission (FTC)

• Online: ftc.gov/complaint
• Phone: 1-877-FTC-HELP (1-877-382-4357)
• Mail: Consumer Response Center, 600 Pennsylvania Avenue NW, Washington, DC 20580

California (CCPA/CPRA): California Attorney General

• Online: oag.ca.gov/contact/consumer-complaint-against-business-or-company
• Phone: 1-800-952-5225
• Mail: California Department of Justice, ATTN: Public Inquiry Unit, P.O. Box 944255, Sacramento, CA 94244-2550

Other States:

• Contact your state Attorney General
• Most states have consumer protection divisions

India:

• Contact our Grievance Officer (see Section 13)
• Ministry of Electronics and Information Technology (MeitY)
• Website: meity.gov.in

We will assist you with the complaint process upon request. Email info@aiino.ai with subject "Complaint Assistance" and we'll provide guidance.

10.2 Response Timeframe and Process

How quickly we respond:

• Simple requests (correction, access): Within 7 days
• Complex requests (portability, deletion): Within 30 days
• Very complex requests: May extend by additional 30 days (we'll notify you if needed)

Our process:

Receive your request via email or Parent Dashboard

Verify your identity (to protect privacy, we confirm you're the account holder)

Process your request according to the timelines above

Confirm completion via email with details of what we did

Identity Verification:

To protect your privacy, we verify your identity before processing requests:

• Confirming your account email address
• Asking security questions
• In some cases, matching verification method used at signup (credit card, OTP)

10.3 Contact for Rights Requests

Email: info@aiino.ai

Subject Line: Use specific subject lines for faster processing:

• "Data Access Request"
• "Data Correction Request"
• "Delete My Child's Data"
• "Data Portability Request"
• "Object to Data Processing"
• "Restrict Data Processing"
• "Withdraw Consent"

Include in Your Email:

• Your full name
• Email address associated with your account
• Specific request details
• Any additional context that helps us process your request

Phone: +1 510 565 0510 (Available 24/7 for urgent requests)

Mail: Nomisma LLC, ATTN: Privacy Rights Request

33438 13th St, Union City, California 94587, United States

11. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, new features, or other operational needs.

11.1 What Constitutes a Material Change

We consider the following to be material changes requiring 30-day advance notice and, in some cases, renewed parental consent:

Material Changes Requiring Notice and Consent:

• NEW data collection practices - Collecting types of data we didn't collect before
• NEW third-party data sharing - Sharing with parties not previously disclosed in this policy
• CHANGES to how we use children's personal information - Using data for purposes not previously described
• WEAKENING of security or privacy protections - Reducing encryption, removing privacy features
• CHANGES to data retention periods - Keeping data longer than previously stated
• CHANGES to parental rights or access procedures - Making it harder to access or delete data
• CHANGES to arbitration or dispute resolution terms - Altering how disputes are resolved
• CHANGES to voice/audio processing - If we ever started storing audio (we currently don't and don't plan to)

Non-Material Changes (updated on website, no advance notice required):

• Clarifications or corrections that don't change the meaning or substance
• Adding new privacy protections or security measures
• Contact information updates (new email, phone, address)
• Grammar, formatting, or organizational changes
• Updates to third-party privacy policy links (when providers update their policies)
• Adding detail to existing practices without changing what we actually do
• Legal updates that don't affect our practices (e.g., new laws that we already comply with)

11.2 How We Notify You of Material Changes

For material changes, we will:

1. Email Notification (30 days in advance):

• Sent to your account email address
• 30 days before the changes take effect
• Clear subject line: "Important: Aiino Privacy Policy Changes"
• Plain language summary of what changed and why
• Link to full updated policy
• Link to current policy for comparison
• Explanation of your options

2. Prominent In-App Notification:

• Displayed upon next login
• Cannot be dismissed without acknowledging
• Summary of key changes
• Link to full policy
• Option to review changes before continuing

3. Website Update:

• Updated "Last Updated" date at top of policy
• Change summary at top of policy page
• Full policy updated with effective date

4. Change Log:

• Maintained at aiino.ai/privacy-policy-changes
• Complete history of all policy versions
• Side-by-side comparison of changes
• Archived versions available for reference

11.3 Your Options When We Make Material Changes

When we make material changes, you have these options:

Option 1: Continue Using the Service

• Your continued use after the effective date constitutes acceptance of changes
• New policy applies to your account
• You can still delete your account later if you change your mind

Option 2: Delete Your Account Before Changes Take Effect

• No penalty for deleting before effective date
• All data permanently deleted
• No charges for remaining subscription period (for policy changes)

Option 3: Disable Specific Features

• If changes relate to optional features (e.g., new voice features), you can disable them
• Continue using other features under existing terms

Option 4: Contact Us with Questions

• Email info@aiino.ai with subject "Policy Change Questions"
• We'll explain changes in detail
• We'll address your concerns
• We may adjust changes based on feedback

For Changes Requiring Renewed Consent: For certain sensitive changes (e.g., changes to voice features, new data collection), we may require you to actively provide renewed consent rather than accepting through continued use.

This means:

• You'll see a consent screen in the app
• You must actively agree to continue using affected features
• Features disabled until you provide consent
• You can choose not to consent and continue using other features

11.4 Non-Material Updates

For non-material changes (clarifications, link updates, etc.):

We will:

• Update the policy on our website
• Update the "Last Updated" date
• Add to change log at aiino.ai/privacy-policy-changes

We will NOT:

• Send email notifications
• Require renewed consent
• Wait 30 days before implementing

You can:

• Check change log to see what changed
• Contact us with questions
• Subscribe to policy update notifications (optional)

11.5 Consent to Other Policies

By agreeing to this Privacy Policy, you also acknowledge and consent to our other policies that govern your use of the Aiino app:

Related Policies:

• Terms of Use - Legal agreement for using the Service
• Community Guidelines - Rules for appropriate use
• Acceptable Use Policy - What's allowed and not allowed
• Subscription Terms - Payment and billing terms

These policies:

• Are incorporated by reference into this Privacy Policy
• Are subject to updates (we'll notify you of material changes)
• Work together to govern your use of Aiino

Where to find them:

• aiino.ai/terms
• aiino.ai/community-guidelines
• Linked in app Settings > Legal

You are encouraged to review these policies regularly to stay informed.

11.6 Policy Change Log

We maintain a complete change log of all policy updates for transparency.

Change Log Location: aiino.ai/privacy-policy-changes

What's in the change log:

• All versions of the Privacy Policy since launch
• Date of each version
• Summary of changes
• Whether changes were material or non-material
• Effective date of each version
• Archive of previous versions (full text)

Current Version Information:

Version: 1.1

Effective Date: April 10, 2026

Last Updated: April 10, 2026

Next Scheduled Review: July 2026

Change Log:

• Added COPPA avatar enforcement (predefined avatars only, no photo uploads)
• Added in-app data rights request tool location
• Added text-to-speech (read-aloud) feature disclosure
• Enhanced Crashlytics privacy protections (automatic PII filtering)
• Added account suspension for failed login attempts
• Added in-app support ticket submission
• Added 30-day account deletion grace period with restore option
• Added rate limiting disclosure for API protection
• Added HTTPS-only enforcement for Android
• Updated voice consent toggle location

12. State-Specific Privacy Rights (US)

If you reside in certain U.S. states, you may have additional rights under state privacy laws beyond those provided by COPPA.

12.1 Applicable State Laws

This section applies to residents of:

• California - California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• Virginia - Virginia Consumer Data Protection Act (VCDPA)
• Colorado - Colorado Privacy Act (CPA)
• Connecticut - Connecticut Data Privacy Act (CTDPA)
• Utah - Utah Consumer Privacy Act (UCPA)

Additional states may be added as they enact privacy laws.

12.2 Additional Rights Under State Laws

In addition to your rights under Section 10 (Your Privacy Rights), state privacy laws may provide:

Right to Know:

• Know what categories of personal data we collect and disclose
• Understand the specific pieces of personal information we've collected
• Know the purposes for which we use personal data
• Know the categories of third parties with whom we share personal data

Right to Delete:

• Request deletion of your personal data (subject to certain legal exceptions)

Right to Correct:

• Request correction of inaccurate personal data

Right to Opt-Out of Sale/Sharing:

• Opt out of the "sale" or "sharing" of personal data (as defined by state law)
• Opt out of sharing for cross-context behavioral advertising

Right to Opt-Out of Automated Decision-Making:

• Opt out of profiling or automated decision-making that has legal or significant effects

Right to Non-Discrimination:

• Not be discriminated against for exercising your privacy rights
• Receive equal service and pricing

Right to Limit Use of Sensitive Personal Information (California):

• Limit our use of "sensitive personal information" to what's necessary to provide the Service

12.3 California-Specific Rights (CCPA/CPRA)

12.3.1 California Privacy Rights Notice

Business or Commercial Purposes for Collection:

• Provide and improve the Service
• Personalize educational content
• Process payments and manage subscriptions
• Communicate with you about your account
• Ensure security and prevent fraud
• Comply with legal obligations
• Respond to your requests and provide customer support

Categories of Third Parties We Share Personal Information With:

• Cloud service providers (AWS)
• AI service providers (AWS Bedrock via AWS Bedrock)
• Crash report providers (Firebase)
• Payment processors (Apple, Google)
• Email service provider (Amazon SES)

Data Retention: See Section 9 for detailed retention periods. Generally:

• Account data: Until account deletion
• Transcripts: 7-90 days (your choice)
• Usage data: Up to 12 months (anonymized)

12.3.2 Do Not Sell My Personal Information

We do not sell personal information.

We have never sold personal information, and we have no plans to do so in the future.

However, you have the right to opt out if our practices ever change.

To opt out of any future sale of personal information:

• Email: info@aiino.ai
• Subject: "Do Not Sell My Personal Information"
• We will confirm receipt and honor your request

We will place a "Do Not Sell or Share My Personal Information" link in:

• Website footer at aiino.ai
• App Settings > Privacy > California Privacy Rights

12.3.3 Limit Use of Sensitive Personal Information

Under CPRA, the following information we collect is considered "sensitive personal information":

• Child's precise age - Sensitive because it relates to a minor
• Text transcripts that may contain sensitive topics - Could include health, emotions, etc.

You can limit our use of sensitive personal information to only what's necessary to provide services you requested.

To limit use of sensitive personal information:

• Parent Dashboard: Privacy > Limit Sensitive Data Use
• Email: info@aiino.ai with subject "Limit Sensitive Data"

What this means:

• We will only use sensitive information to provide the core Service
• We will not use it for analytics or service improvement (even in anonymized form)
• Personalization may be less effective

12.3.4 Opt-Out of Automated Decision-Making/Profiling

We use AI to personalize educational content and adapt to your child's learning pace. This may constitute "profiling" under California law.

To opt out of AI personalization:

• Settings: Personalization > Disable AI Personalization
• Parent Dashboard: Features > AI Personalization > OFF

Note: This may reduce educational effectiveness, as content will not adapt to your child's level.

12.3.5 California "Shine the Light" Law

California Civil Code Section 1798.83 (the "Shine the Light" law) permits California residents to request information about disclosure of personal information to third parties for their direct marketing purposes.

We do not disclose personal information to third parties for their direct marketing purposes.

If you have questions about this, email info@aiino.ai with subject "Shine the Light Request".

12.3.6 California Minors' Privacy Rights

California Business and Professions Code Section 22581 allows California residents under 18 to request removal of content they posted.

Our policy:

• Children do not post content visible to others (no social features)
• Parents can delete all content (conversation transcripts) at any time
• See Section 10 (Right to Deletion) for instructions

12.4 Other States' Privacy Rights

Virginia, Colorado, Connecticut, and Utah residents have similar rights to California residents, with some variations.

Key rights include:

• Right to confirm whether we're processing your personal data
• Right to access your personal data
• Right to correct inaccuracies
• Right to delete personal data
• Right to obtain a copy of your data
• Right to opt out of targeted advertising (we don't do this)
• Right to opt out of sale of personal data (we don't sell data)
• Right to opt out of profiling (you can disable AI personalization)

How to exercise these rights: See Section 10 for detailed instructions, or:

• Email: info@aiino.ai with subject "[State] Privacy Request"
• Include: Your state of residence, specific right you're exercising

12.5 How to Exercise Your State Privacy Rights

Methods to Submit Requests:

1. Parent Dashboard:

• Privacy > State Privacy Rights
• Select your state
• Choose type of request
• Submit online

2. Phone:

• Call: +1 510 565 0510
• Say: "I'd like to make a state privacy rights request"
• Available 24/7

Information to Include in Your Request:

• Your full name
• Email address associated with your account
• State of residence
• Specific right you wish to exercise
• Details of your request
• Preferred method of response

Verification Process:

To protect your privacy, we will verify your identity before processing requests:

For Account Holders:

• Email confirmation (we send verification link to your account email)
• Security questions
• Multi-factor authentication (if enabled)

For Authorized Agents:

• Written authorization from the account holder
• Proof of agent's identity
• Verification of account holder's identity

Response Time:

• We will acknowledge your request within 10 business days
• We will respond within 30 days (may extend to 60 days for complex requests)
• We will notify you if we need more time

No Fee:

• No charge for requests (unless excessive or repetitive)
• If we must charge, we'll notify you in advance

12.6 Right to Appeal (Virginia, Colorado, Connecticut)

If you are a resident of Virginia, Colorado, or Connecticut and are not satisfied with our response to your privacy request, you have the right to appeal.

How to Appeal:

Email: info@aiino.ai

Subject: "Privacy Request Appeal - [State]"

Include:

• Original request details
• Our response
• Reason for appeal
• What outcome you're seeking

Appeal Process:

• We will acknowledge your appeal within 10 days
• We will provide a written decision within 30 days (Virginia) or 45 days (Colorado, Connecticut)
• If we deny your appeal, we'll explain why and provide information about contacting your state Attorney General

Contact Regulatory Authorities:

If your appeal is denied, you can contact:

Virginia:

• Virginia Attorney General
• Website: oag.state.va.us
• Consumer Protection Section

Colorado:

• Colorado Attorney General
• Website: coag.gov
• Consumer Protection Section

Connecticut:

• Connecticut Attorney General
• Website: portal.ct.gov/AG
• Consumer Protection Department

12.7 Authorized Agents

You may designate an authorized agent to submit privacy requests on your behalf.

Requirements for Authorized Agents:

Written Authorization:

• Signed document from you authorizing the agent
• Must be notarized or witnessed

Proof of Agent Identity:

• Agent must provide their own identification
• Business license (if representing a business)

Verification of Your Identity:

• We will still verify your identity directly
• May require you to confirm the agent's authority

To Submit as an Authorized Agent:

• Email authorization documents to: info@aiino.ai
• Subject: "Authorized Agent Request - [State]"
• Include: All required documentation

12.8 Non-Discrimination for Exercising Rights

We will not discriminate against you for exercising your state privacy rights.

We will not:

• Deny goods or services to you
• Charge different prices or rates
• Provide a different level or quality of service
• Suggest that you will receive different prices or services
• Retaliate in any way

We may:

• Charge different prices if the difference is reasonably related to the value provided by your data (we currently don't do this)
• Offer financial incentives for data collection (with your explicit opt-in consent - we currently don't do this)

13. Privacy Rights for Indian Users

13.1 Applicable Indian Laws

This section applies to users in India under:

• Information Technology Act, 2000 (IT Act)
• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
• Digital Personal Data Protection Act, 2023 (DPDP Act - when effective)

13.2 Your Rights Under Current Indian Law (IT Act 2000)

Under the IT Act and related rules, you have the following rights:

Right to Be Informed:

• Right to know what information is being collected
• Right to understand how information is used
• Right to know with whom information is shared

Right to Object:

• Right to object to data processing you don't agree with
• Right to withdraw consent

Right to Data Security:

• Right to have your data protected with reasonable security practices
• Right to be notified of data breaches

Right to Grievance Redressal:

• Right to file a complaint with our Grievance Officer
• Right to receive a response within one month

How to Exercise These Rights: See Sections 10 (Your Privacy Rights) and 13.5 (Grievance Officer) below.

13.3 Upcoming Rights Under DPDP Act (When Effective)

When India's Digital Personal Data Protection Act, 2023 becomes effective, you will have additional rights similar to GDPR:

Right to Access:

• Right to obtain confirmation of whether we're processing your data
• Right to access your personal data

Right to Correction:

• Right to have inaccurate or incomplete data corrected

Right to Erasure:

• Right to have your data deleted in certain circumstances

Right to Nominate:

• Right to nominate another person to exercise your rights in case of death or incapacity

Right to Grievance Redressal:

• Enhanced grievance redressal mechanism
• Right to approach Data Protection Board of India

We will update this policy when the DPDP Act becomes effective and will notify Indian users of the additional rights.

13.4 Data Processing Under Indian Law

Lawful Basis for Processing:

We process personal data of Indian users based on:

• Consent - You provide explicit consent during account setup and for specific features
• Contract Performance - Processing necessary to provide the Service you've subscribed to
• Legal Obligation - Processing required to comply with Indian laws

Sensitive Personal Data or Information (SPDI):

Under Indian law, the following is considered SPDI:

• Passwords (we encrypt and hash these)
• Financial information (processed by Apple/Google, not stored by us)

We handle SPDI with additional protections:

• Enhanced encryption
• Strict access controls
• Mandatory Data Processing Agreements with processors
• Explicit consent required

Purpose Limitation:

We collect and use personal data only for the purposes described in this Privacy Policy. We do not use data for unrelated purposes without obtaining fresh consent.

13.5 Grievance Officer for Indian Users

Under Indian law, we have designated a Grievance Officer to address your privacy concerns and complaints.

Grievance Officer Contact Information:

Email: info@aiino.ai

Subject Line: "Grievance - India"

Phone: +1 510 565 0510 (US number - Indian number not yet available)

Mailing Address:

Nomisma LLC

ATTN: Grievance Officer

33438 13th St

Union City, California 94587

United States

Note: We do not currently have a registered office or local representative in India. All correspondence should be sent to the above US address or via email for fastest response.

Grievance Redressal Process:

Submit Your Grievance:

• Email info@aiino.ai with subject "Grievance - India"
• Include: Your account email, nature of grievance, desired resolution

Acknowledgment:

• We will acknowledge receipt within 48 hours
• You'll receive a ticket number for tracking

Investigation:

• We will investigate your grievance thoroughly
• May contact you for additional information

Resolution:

• We will provide a resolution within one month (30 days)
• You'll receive a written response explaining the outcome

Appeal:

• If unsatisfied, you can email back to request reconsideration
• You can also contact Ministry of Electronics and Information Technology (MeitY)

Types of Grievances We Handle:

• Privacy complaints
• Data security concerns
• Questions about data usage
• Requests to exercise your rights
• Complaints about our service
• Any other concerns related to your data or privacy

13.6 Data Storage for Indian Users

Current Data Storage Location:

Data for Indian users is currently stored in us-west1 (Oregon, United States).

Why United States Storage:

• Our infrastructure is currently US-based with AWS
• Provides excellent performance and reliability for Indian users
• Complies with current Indian privacy laws (IT Act 2000)
• All data protections in this Privacy Policy apply

Data Transfer Safeguards:

• Encryption in transit and at rest
• Data Processing Agreement with AWS
• Compliance with Indian IT Act requirements
• Your rights under Indian law remain intact

Future Data Localization (If Required by DPDP Act):

If the DPDP Act requires data localization, we are prepared to comply:

Our Plan:

• Migrate Indian user data to AWS ap-south-1 (Mumbai, India)
• Complete migration within timeframe required by law
• Notify Indian users 30 days before any changes to data storage location
• Ensure seamless transition with no data loss or service interruption
• All protections in this Privacy Policy will continue to apply

Commitment:

We will comply with all Indian data protection requirements as they are enacted and will keep Indian users fully informed of any changes.

13.7 Data Minimization for Indian Users

As part of our commitment to data minimization principles under Indian privacy law and best practices:

What We Don't Store (Even Though It Might Help Compliance):

• IP addresses - Even though storing IP addresses could help us verify Indian residency for compliance purposes, we have chosen not to log or store them to protect your privacy
• Precise location data - We don't collect GPS coordinates or track your physical location
• Unnecessary device identifiers - We collect only what's essential for the Service to function
• Excessive personal information - We don't collect real names, photos, or other identifying information beyond what's necessary

Privacy Beyond Legal Requirements:

This approach exceeds the minimum requirements of the IT Act 2000 and anticipated DPDP Act requirements, providing enhanced protection for Indian families.

What This Means for You:

While we temporarily access your IP address during API calls (as required for basic internet communication), we do not retain this information. This means we cannot:

• Track your location history over time
• Build profiles based on where you access the app from
• Share location data with third parties (because we don't store it)
• Use location for advertising or marketing

This privacy-protective architecture demonstrates our commitment to Indian families' privacy rights.

13.8 Content Moderation for Indian Users

Aiino respects Indian cultural values, sensitivities, and diversity. Our AI is designed to:

What We Do:

• Respect all religions and communities (Hindu, Muslim, Sikh, Christian, Buddhist, Jain, and all others)
• Avoid sensitive political topics inappropriate for children
• Use age-appropriate, respectful language
• Respect family structures and traditions
• Provide content appropriate for Indian children aged 3-9
• Avoid stereotypes or bias

What We Filter:

• Religious insensitivity or disrespect toward any faith
• Politically divisive or partisan content
• Culturally inappropriate topics for children
• Content that violates Indian law or cultural norms
• Language or topics that could offend Indian families

Language Support:

Currently Available:

• English (Indian English)

Planned:

• Hindi (in development)
• Additional Indian languages (future)

Report Inappropriate Content:

If you encounter any content that you believe is inappropriate, culturally insensitive, or concerning:

• Email: info@aiino.ai
• Subject: "Content Report - India"
• Include: Screenshot or description of concerning content, why it's inappropriate

We will review all reports within 48 hours and take appropriate action.

13.9 Parental Verification for Indian Users

For Indian users, we offer One-Time Password (OTP) verification as a free, convenient parental consent method.

Why OTP for India:

• No credit card required (many Indians don't use credit cards regularly)
• Free verification (no charges)
• Instant verification
• Widely trusted method in India
• Complies with Indian regulations

How It Works: See Section 7.2 for detailed OTP verification process.

OTP Privacy:

• Your mobile number is used only for verification
• Stored securely with encryption
• Never shared with third parties
• Can be updated in Settings anytime
• Not used for marketing or other purposes

13.10 Subscription Pricing for Indian Users

Pricing in Indian Rupees:

All prices displayed to Indian users are in INR (Indian Rupees) and include all applicable taxes.

Subscription Plans:

• Free Plan: $0 USD
• Explorer Plan: $9.99 USD
• Pro Explorer Plan: $19.99 USD
• Master Explorer Plan: $29.99 USD

GST (Goods and Services Tax):

• 18% GST is included in all displayed prices
• GST details shown on your receipt/invoice
• For business users: GST-compliant invoices provided

Payment Methods:

• Google Play billing (UPI, Paytm, PhonePe, Credit/Debit cards)
• All payment processing handled securely by Google

Refunds:

• Processed through Google Play
• Follow Google Play's refund policy
• Typically processed within 5-7 business days to original payment method

14. Do Not Track Policy

Some web browsers and mobile operating systems transmit "Do Not Track" (DNT) signals to websites and online services to indicate that users don't want their online activity tracked.

Our DNT Policy:

We currently do not respond to DNT signals because:

• There is no industry consensus on how to interpret DNT signals
• Different browsers implement DNT differently
• There is no standardized framework for what websites should do when receiving DNT signals

But Here's What We Do Anyway:

Even though we don't respond to DNT signals specifically, our practices are already privacy-protective:

• We do not track users across websites or apps
• We do not use children's data for advertising or marketing
• We do not sell personal information
• We do not share data for cross-context behavioral advertising
• We do not build advertising profiles
• We do not use tracking cookies

If a DNT standard is established in the future:

If an industry standard for DNT emerges that provides clear, consistent guidance, we will:

• Review the standard
• Update our practices if necessary
• Update this Privacy Policy to reflect our DNT response
• Notify users of any changes

Your Privacy Controls:

Instead of relying on DNT, you can control your privacy directly:

• Delete your data: See Section 10 (Your Privacy Rights)
• Control permissions: Device settings > Aiino > Permissions

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us. We're here to help!

15.1 General Contact Information

Nomisma LLC

Email: info@aiino.ai

Phone: +1 510 565 0510 (Available 24/7)

Mailing Address:

Nomisma LLC

33438 13th St

Union City, California 94587

United States

Business Hours: We provide support 24/7 via email and phone

Website: aiino.ai

15.2 Specific Inquiry Types

To help us route your inquiry to the right person and respond more quickly, please use these specific email subjects:

For Privacy Questions:

• Email: info@aiino.ai
• Subject: "Privacy Question"

For Data Requests (Access, Deletion, Correction):

• Email: info@aiino.ai
• Subject: "Data Access Request" (or "Data Deletion Request", "Data Correction Request", etc.)

For Security Issues or Vulnerabilities:

• Email: info@aiino.ai
• Subject: "Security Issue - URGENT"
• We will respond within 24 hours

For COPPA-Related Questions:

• Email: info@aiino.ai
• Subject: "COPPA Question"

For Indian Users (Grievances):

• Email: info@aiino.ai
• Subject: "Grievance - India"
• See Section 13.5 for Grievance Officer details

For State Privacy Rights (California, Virginia, etc.):

• Email: info@aiino.ai
• Subject: "[State] Privacy Request - [Type]"
• Example: "California Privacy Request - Data Access"

For Legal Notices:

• Email: info@aiino.ai
• Subject: "Legal Notice"
• Also send via certified mail to our physical address above for important legal matters

For DMCA Copyright Notices:

• Email: info@aiino.ai
• Subject: "DMCA Notice"
• See our Terms of Use for DMCA requirements

For Feedback or Suggestions:

• Email: info@aiino.ai
• Subject: "Feedback"

For Account Support or Technical Issues:

• Email: info@aiino.ai
• Subject: "Account Support" or "Technical Issue"

15.3 Response Time

How quickly we respond:

• General inquiries: Within 48 hours (business days)
• Privacy rights requests: Within 30 days (may extend to 60 days for complex requests)
• Security issues: Within 24 hours
• Grievances (India): Acknowledgment within 48 hours, resolution within 30 days
• Urgent safety concerns: Immediate response

We prioritize:

• Child safety concerns (immediate response)
• Security issues (24-hour response)
• Privacy rights requests (legally required timelines)

15.4 Language Support

Primary Support Language: English

Additional Languages (Planned):

• Hindi (in development for Indian users)
• Other languages as we expand

If you need assistance in a language other than English:

• Indicate this in your email
• We will do our best to accommodate
• We may use translation services to assist

15.5 Support

Please use email for:

• Privacy rights requests (we need written documentation)
• Detailed questions
• Non-urgent matters
• Requests requiring research or review

15.6 In-App Support

In-App Support:

• Settings > Help & Support > Contact Us
• Submit support tickets directly from mobile app
• Parent email automatically pre-filled
• Track ticket status
• Browse FAQs

15.7 Social Media

We may provide support through social media channels in the future. Current official channels:

• Website: aiino.ai
• Email: info@aiino.ai (most reliable contact method)

Be careful of impersonators: Always verify you're contacting official Aiino channels. We will never ask for your password or payment information via social media.