Privacy Policy
Last updated: June 2026
1. Controller
The controller responsible for data processing at Kavelu is:
Milad Heidari / Kavelu
c/o IP-Management #10534
Ludwig-Erhard-Strasse 18
20459 Hamburg
Germany
Email: support@kavelu.app
2. General Information
Kavelu is a learning app for primary school children. Parents or legal guardians create the account and set up child profiles. Children should not enter full names, addresses, or other sensitive information in Kavelu. Kavelu does not use ads in the child app, does not sell learning currencies, and does not build advertising profiles for children.
3. Data We Process
- Parent account: email address, authentication data, technical account IDs, consent timestamps, optional parent PIN hash, support information, and security information.
- Child profiles: nickname or display name, grade, avatar and skin settings, learning preferences, XP, Gold, streaks, and achievements.
- Learning data: completed tasks, answers, correct/incorrect signals, time spent, error types, learning level, topic progress, recommendations, and review logic.
- Technical data: IP address, request timestamp, browser and device information, visited pages, server logs, security signals, and rate-limit signals.
- Support and admin data: support requests, manual email confirmations, password reset processes, account unlocks, bug reports, and necessary processing notes.
- Payment data: for paid offers, Stripe processes payment status, subscription data, and invoice data. Kavelu does not store full credit card, bank, or PayPal payment details.
4. Purposes and Legal Bases
- Account, login, learning progress, child profiles, parent features, subscription management, and support: performance of a contract or pre-contractual steps, Art. 6(1)(b) GDPR.
- Consents, optional notifications, and optional AI features: consent, Art. 6(1)(a) GDPR.
- Security, abuse prevention, rate limits, error analysis, and product improvement: legitimate interests, Art. 6(1)(f) GDPR.
- Retention of tax or commercial-law relevant data: legal obligation, Art. 6(1)(c) GDPR.
5. Child and Family Protection
In the current product phase, Kavelu is intended for children in grades 1 to 4 and is set up by parents or legal guardians. Parents are responsible for ensuring that children use Kavelu only with their permission. We ask parents to use nicknames only and not to enter sensitive child data in free text fields, support requests, or AI features.
6. AI Features
Kavelu may use optional AI features, for example for explanations, error analysis, task help, or parent insights. Only the content required for the respective feature is transmitted, such as the task prompt, answer context, and error type. Children's names or other sensitive data should not be sent to AI providers. AI outputs can be incorrect and do not replace a teacher, school, or individual educational advice.
7. Cookies, Local Storage, and Tracking
Kavelu uses technically necessary cookies and local storage for login, security, language settings, and app functionality. These are required for operation (Section 25(2) TDDDG) and do not require consent.
For campaign reach and advertising measurement, and only after your active consent through the cookie banner (Art. 6(1)(a) GDPR, Section 25(1) TDDDG), we use the Meta Pixel and Meta Conversions API. This helps us measure which steps (for example visiting the start page, registering, or starting a trial) happen after someone clicks one of our ads. Only after consent are the related cookies (including _fbp and _fbc) set and event data transmitted to Meta, where applicable in pseudonymized hashed form on the server side. Without consent, this transmission does not take place. You can withdraw your consent at any time for the future, for example by deleting cookies. This marketing tracking is not used in the native iOS or Android app versions.
8. Service Providers and Recipients
Kavelu uses technical service providers that should process personal data only for providing the product, security, communication, payments, or support.
- Supabase: database, authentication, storage, realtime features, and account management.
- Vercel: hosting, serverless functions, CDN, technical logs, and website delivery.
- Resend: registration, confirmation, password reset, system, and support emails.
- Anthropic: optional AI explanations, error analysis, and task help where an AI feature is used.
- Upstash: rate limiting, abuse prevention, and technical security controls where active.
- Stripe: payment processing, subscriptions, invoices, payment status, fraud prevention, and refunds where paid offers are used.
- Meta (Meta Platforms Ireland Ltd.): reach and advertising measurement through Meta Pixel and Conversions API, but only after your consent (see Section 7). For collection and transmission of this data, we and Meta may be joint controllers under Art. 26 GDPR. Data may be transferred to the United States; according to Meta, this may rely on the EU-US Data Privacy Framework and Standard Contractual Clauses.
- Impressum-Privatschutz / IP-Management: management of the serviceable postal address and forwarding of postal inquiries.
Where service providers process data outside the EU or EEA, or use subprocessors outside the EU or EEA, this is, to our current knowledge, based on appropriate safeguards such as Standard Contractual Clauses, data processing agreements, or adequacy decisions.
9. Social Media
If Kavelu operates official profiles on social networks such as Instagram, TikTok, YouTube, LinkedIn, Facebook, or X and you visit those profiles, the privacy notices of the respective platform also apply. We usually receive aggregated statistics there and process messages or comments where this is necessary to communicate with you.
10. Communication and Support
If you contact us by email, social media, or support features, we process your information to handle the request. We may send product and security information to account holders where this is necessary for operation, security, or contract performance. We send advertising or newsletters only where there is a legal basis.
11. Retention and Deletion
Account and learning data are stored while the account is active or while the data is needed to provide Kavelu. Parents can request deletion of their account or individual child profiles. After deletion, personal data is generally deleted or anonymized within reasonable timeframes unless statutory retention duties apply. Payment and booking data may be subject to statutory retention periods. Technical security logs are stored only as long as necessary for operation, security, and error analysis.
12. Data Security
We use technical and organizational measures to protect personal data against unauthorized access, loss, misuse, and alteration. These include access controls, role-based admin features, rate limits, server-side handling of sensitive keys, encrypted transmission, and regular security checks.
13. Data Subject Rights
Data subjects have rights under the GDPR, including access, rectification, deletion, restriction of processing, data portability, objection, and withdrawal of consent. There is also a right to lodge a complaint with a competent data protection supervisory authority.
14. Privacy Contact
Privacy requests can be sent by email to: support@kavelu.app
Source and Adaptation
This English version is a translation of Kavelu's German privacy policy. The policy is based on a template by Impressum-Privatschutz and was adapted with Kavelu-specific information about children, learning data, app features, AI, payment processing, and technical service providers.