COPPA & FERPA

This page describes how CurioPilot complies with the Children’s Online Privacy Protection Act (COPPA) for students under 13 in the United States, and the Family Educational Rights and Privacy Act (FERPA) for education records held by schools and districts.

For non-US jurisdictions, separate frameworks apply (UK GDPR children’s code, EU GDPR Article 8, UAE Wadeema, etc.) — see /legal/gdpr and the order form for country specifics.

We collect the minimum necessary to deliver the service:

• First name (full name only when explicitly added by the school).
• School-assigned identifier (when applicable).
• Activity attempts, hint requests, and time-on-task.
• Mastery state per topic, mapped to Bloom’s level.
• Avatar / nickname (parent-controlled).

We never collect:

• Precise geolocation.
• Persistent identifiers used for behavioural advertising.
• Photos, voice recordings, or videos of the child without explicit, separate consent per upload.

Family tenants

Before any AI feature runs for a child under 13, we collect verifiable parental consent (credit-card-on-file or signed consent form). The consent decision and timestamp are stored in the audit log and shown on the parent dashboard.

School tenants

Schools provide consent under the COPPA school exception: the school acts in loco parentis for educational use of the service. The school confirms in the DPA that it has notified parents and obtained any jurisdiction-specific consent required.

In both cases, consent is revocable. Revocation is one click in the parent or admin dashboard.

• We don’t serve advertising to students.
• We don’t share student data with third parties for marketing.
• We don’t train AI models on student data.
• We don’t use student data to build behavioural profiles for any commercial purpose.
• We don’t track students across third-party sites.

When CurioPilot processes student data on behalf of a school or district, we operate as a school official with a legitimate educational interest under FERPA. The school remains the controller of education records; we are the processor.

This means:

• We only use student PII for the educational purposes the school authorises.
• We don’t re-disclose education records without the school’s instruction.
• The school controls access — adding / removing teachers, parents, and students.
• Parents and eligible students exercise their FERPA rights through the school; we assist on request.

Under FERPA, parents (and eligible students aged 18+) have the right to:

• Inspect their education records held in CurioPilot.
• Request amendment of records they believe are inaccurate.
• Consent to disclosures of personally identifiable information from those records (with statutory exceptions).
• File a complaintwith the US Department of Education’s Family Policy Compliance Office.

Schools direct these requests to us via their admin contact; we fulfil within 45 days as required by FERPA.

Schools may designate certain data as “directory information” (name, grade level, achievements). Schools control which categories are designated and which audiences can see them. Parents can opt out of directory disclosure via the school.

Student data is protected by the same controls described in our security overview: TLS 1.3, AES-256 at rest, field-level encryption for PII, multi-tenant isolation, annual penetration testing.

School agreements include:

• Data Processing Agreement
• FERPA school-official designation
• State-specific student-privacy addenda where applicable (CA AB 1584, NY Ed Law 2-d, IL SOPPA, etc.)

Compliance questions: compliance@moizlabs.com. For school-specific student-data inquiries, contact your school’s admin who will route through us.