GDPR
How CurioPilot complies with the EU + UK General Data Protection Regulation — lawful bases, data subject rights, sub-processors, and international transfers.
- Version: v1.0
- Effective: 2026-04-29
- Read time: 7 min read
- Jurisdiction: Global
1. Scope
The General Data Protection Regulation (GDPR — EU 2016/679 and the UK GDPR / Data Protection Act 2018) applies to personal data of people in the European Economic Area, the United Kingdom, and Switzerland.
This page describes how CurioPilot meets it. For the underlying policy, see /legal/privacy.
2. Controller / processor roles
For school tenants, the school is the controller and MoizLabs LLC is the processor. The DPA at /legal/dpa sets out the Article 28 relationship.
For family tenants and the public marketing site, MoizLabs LLC is the controller for the data we collect directly from you.
3. Lawful bases for processing
- Contract (Art. 6(1)(b)) — to provide the service to our customers (schools, parents).
- Consent (Art. 6(1)(a)) — for analytics + marketing cookies, and for AI features when used with under-13 children on family tenants.
- Legitimate interest (Art. 6(1)(f)) — for security monitoring, fraud detection, and service improvement (balanced against user rights via DPIA).
- Legal obligation (Art. 6(1)(c)) — for tax records, regulatory disclosures, and law-enforcement responses.
4. Data subject rights
You have the right to:
- Access (Art. 15) — request a copy of all personal data we hold on you.
- Rectification (Art. 16) — request correction of inaccurate data.
- Erasure (Art. 17) — request deletion (subject to legal-retention exceptions).
- Restriction (Art. 18) — limit processing while a dispute is resolved.
- Portability (Art. 20) — receive your data in a structured, machine-readable format.
- Object (Art. 21) — object to processing on legitimate-interest grounds.
- Withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Complain to your supervisory authority (e.g. ICO in the UK, CNIL in France, BfDI in Germany).
We action access + erasure requests within 30 days. Most are self-service in the parent dashboard; for complex requests email dpo@moizlabs.com.
5. Data Protection Officer
Our DPO can be reached at dpo@moizlabs.com. For UK-specific inquiries, the contact details of our UK representative under Article 27 UK GDPR are provided on request.
6. Sub-processors
The full list with locations and DPA links is at /compliance#sub-processors. We notify school admins at least 30 days in advance of changes that touch student data; the school may object and (if we can’t mitigate) terminate without penalty.
7. International transfers
Primary infrastructure for EU customers stays in the EU. When data must leave the EEA / UK (typically for sub-processor support), we rely on:
- Standard Contractual Clauses (2021 SCCs, with the UK addendum where applicable).
- Adequacy decisions where they exist (UK adequacy, Swiss adequacy).
- Transfer Impact Assessments documenting risk and mitigations — available to school admins on request.
8. Retention
See /legal/privacy#retention for the per-data-category schedule.
9. Breach notification
Per Article 33, we notify our supervisory authority within 72 hours of detection where a personal-data breach is likely to result in risk to rights and freedoms. Per Article 34 we notify affected individuals without undue delay where the risk is high. School-tenant notifications are governed by the DPA.
10. Contact
DPO + GDPR inquiries: dpo@moizlabs.com. For school-specific data subject requests, route through your school’s admin.
Changelog
- 2026-04-29 — v1.0 — Initial public version.