Privacy Policy

CurioPilot is a K-12 AI learning platform operated by MoizLabs LLC. Where this policy refers to “we” or “CurioPilot”, it means MoizLabs LLC acting as the controller (for the public marketing site and family accounts) and as a processor (for school tenants, on behalf of the school as the controller).

Questions about this document should go to our DPO at compliance@moizlabs.com.

We collect different data depending on who you are and what surface of CurioPilot you’re using.

Website visitors

• Cookies + analytics — only after explicit consent. See cookie policy.
• Form submissions — what you type when you request a demo or contact us (name, email, school, message).

School admins, IT directors, DPOs

• Account information (name, email, role, school name).
• Procurement metadata (DPA jurisdiction, region, plan tier).
• TraceLayer audit log activity attributable to your account.

Teachers

• Account information (name, email, school assignment).
• Class roster you create or import via SIS (OneRoster) — pseudonymised in any AI prompt.
• Activities, assignments, and grading actions you author.

Parents (family-tenant)

• Account information (name, email, billing details if Premium).
• Children you add (first name, age band, accommodations).
• Consent decisions per child (COPPA + AI consent).

Students

• First name only by default; full name if explicitly added by the school. Never sent in an AI prompt unredacted.
• Activity attempts, hints requested, time-on-task.
• Mastery state per topic, by Bloom’s level.

We use what we collect to:

• Provide the service you signed up for.
• Generate personalised activities and reading levels via AI — only on redacted, pseudonymised payloads.
• Send transactional email (sign-in links, invoices, account notifications). These are not opt-out — they’re part of the service.
• Maintain the TraceLayer audit log so any AI decision can be reviewed later.
• Detect abuse + bill fairly (per-tenant token meters).

We do nottrain AI models on your students’ data. We do not share data with advertisers. We do not sell your data to anyone, ever.

We use a small set of vetted sub-processors to operate the service. The full list — with what each one does, where it’s hosted, and a link to its DPA — lives at /compliance#sub-processors.

When we add or change a sub-processor that touches student data, we notify school admins at least 30 days in advancevia email. Customers may object; if we can’t mitigate, the school may terminate without penalty.

You have the right to:

• Access a copy of everything we hold on you (or your child) — one click in the parent dashboard, or via compliance@moizlabs.com.
• Correctdata that’s wrong.
• Delete everything we hold (Article 17 / right to be forgotten). One click in the parent dashboard.
• Restrict processing (e.g. pause AI features without deleting the account).
• Object to processing on legitimate-interest grounds.
• Port your data to another service in a structured, machine-readable format.
• Lodge a complaint with your supervisory authority (e.g. ICO in the UK, your state DPA in the EU).

For school-tenant data, the school is the controller — your rights are exercised through the school’s admin contact, with us assisting as the processor.

For children under 13 in the United States, COPPA applies. For family accounts, we collect verifiable parental consent before any AI feature runs. For school accounts, the school provides school-authorised consent under the COPPA school exception.

Detail on what we collect from under-13 students, how consent is gathered + revoked, and how data flows is at /compliance#coppa.

Our primary infrastructure is in the EU. For schools that select UAE residency, primary infrastructure is in the UAE. US/global schools may opt for US residency.

When data leaves the country where it was collected (e.g. EU → US for sub-processor support), we use Standard Contractual Clauses (SCCs) + (where applicable) the UK addendum, the Swiss addendum, or a country- specific equivalent.

Schools can request a Transfer Impact Assessment (TIA) at any time via compliance@moizlabs.com.

We use a small number of essential cookies (auth, CSRF, locale, theme, your consent decision). These are always on — without them the site doesn’t function.

Analytics + marketing cookies are off by default and only load if you explicitly opt in via the cookie banner. The full list and how to opt out is at /legal/cookie-policy.

• Active account data — for as long as the account is active.
• After cancellation — 30 days grace, then hard-deleted. Backups purged within 90 days from cancellation.
• TraceLayer audit log — retention varies by plan (90 days Free, 1 year Premium, 3 years Starter, 7 years Standard and above). Audit logs may persist beyond account deletion if legally required (anti-fraud, regulatory).
• Form submissions / sales correspondence — kept for up to 24 months unless you ask us to delete sooner.

When we make material changes (e.g. a new sub-processor that touches student data, or a change in retention), we’ll:

• Post the new version here with a new version number.
• Notify school admins by email at least 30 days in advance.
• Require parents to re-accept on next sign-in (in-app version-gated re-acceptance).

Older versions remain available — see the changelog.

DPO + privacy questions: compliance@moizlabs.com.

General questions: hello@moizlabs.com.

Postal: MoizLabs LLC, c/o registered agent — full mailing address on the /about page.