Last Updated: March 2026 | Effective Date: March 2026
1. Introduction
Zeluu is committed to protecting your personal data in compliance with the General Data Protection Regulation (EU GDPR 2016/679) and the UK General Data Protection Regulation (UK GDPR). This policy explains how we collect, process, store, and protect personal data.
Data Controller: Zeluu (operated by Zeal Technologies)
Email: support@zeluu.com
Website: https://zeluu.com
2. Data We Collect
Parent/Guardian Data
- Full name and email address (account registration)
- Payment information (processed by LemonSqueezy; we do not store card numbers)
- Account preferences and settings
- IP address and device information (for security)
Child Data (Special Category - Article 8)
- First name (no surname required)
- Grade/year level and studying country
- Learning session data (questions, answers, topics)
- Performance metrics (accuracy, strengths, areas for improvement)
Children's Data (Article 8): We require verifiable parental/guardian consent before processing any child's data. Children cannot create accounts independently.
3. Legal Basis for Processing (Article 6)
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation | Performance of contract | Art. 6(1)(b) |
| AI tutoring delivery | Performance of contract | Art. 6(1)(b) |
| Child learning data | Parental consent | Art. 6(1)(a) + Art. 8 |
| Payment processing | Performance of contract | Art. 6(1)(b) |
| Service emails | Legitimate interest | Art. 6(1)(f) |
| Weekly reports | Performance of contract | Art. 6(1)(b) |
| Security/fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Legal compliance | Legal obligation | Art. 6(1)(c) |
4. Your Rights (Articles 12-22)
Under GDPR, you have the following rights:
Right of Access (Art. 15)
Request a copy of all personal data we hold about you and your child. Response within 30 days.
Right to Rectification (Art. 16)
Request correction of inaccurate data. You can also update most data in account settings.
Right to Erasure (Art. 17)
Request deletion of your data. We erase all data unless legal retention obligations apply.
Right to Restrict (Art. 18)
Request we limit how we use your data while a dispute is being resolved.
Data Portability (Art. 20)
Receive your data in JSON/CSV format and transfer it to another service.
Right to Object (Art. 21)
Object to processing based on legitimate interests. We stop unless compelling grounds exist.
Withdraw Consent (Art. 7)
Withdraw consent at any time without affecting prior lawful processing.
Automated Decisions (Art. 22)
Our AI provides educational guidance only, not decisions with legal/significant effects.
Exercise Your Rights: Email privacy@zeluu.com with "GDPR Request" in the subject. We respond within 30 days.
5. Children's Data Protection
- Parental Consent Required: Only parents/guardians can create accounts and add children.
- Minimal Data: We collect only first name, grade, country, and learning data necessary for tutoring.
- No Marketing to Children: Children's data is never used for marketing or advertising.
- No Social Features: Children cannot communicate with other users.
- Parent Visibility: Parents have full visibility into their child's data and can request deletion anytime.
- Data Minimization: Upon account deletion, all child data is permanently erased within 30 days.
6. Data Processors (Article 28)
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database, auth | Account + learning data | US (SCCs) |
| Vercel | Web hosting | IP addresses, logs | Global CDN |
| LemonSqueezy | Payments & subscriptions | Payment details (PCI DSS) | US (SCCs) |
| OpenAI | AI tutoring | Learning interactions | US (SCCs) |
| Cloudflare | DNS, security | Domain traffic | Global |
7. International Transfers (Articles 44-49)
- Standard Contractual Clauses (SCCs): Used with all US-based processors.
- UK IDTA: UK Addendum to SCCs for UK GDPR compliance.
- Adequacy Decisions: Relied upon where available.
- Transfer Impact Assessments: Conducted for all international transfers.
8. Data Security (Article 32)
- Encryption: TLS 1.3 in transit, AES-256 at rest.
- Access Controls: Row-Level Security ensures users access only their own data.
- Authentication: JWT-based with bcrypt password hashing.
- Breach Response: Detection and reporting within 72 hours (Article 33).
- Regular Reviews: Security measures reviewed and updated regularly.
9. Data Retention
- Active Accounts: Data retained for account duration + 30 days after deletion.
- Inactive Accounts: Notification after 24 months; deletion if no response within 30 days.
- Payment Records: 7 years (financial regulations).
- Security Logs: 12 months.
10. Data Breach (Articles 33-34)
- Supervisory authority notified within 72 hours (Article 33).
- Affected individuals notified if high risk to rights and freedoms (Article 34).
- Breach register maintained for all incidents.
11. Privacy by Design (Article 25)
- Data Minimization: Only data necessary for tutoring is collected.
- Purpose Limitation: Data used solely for education, never advertising.
- Default Privacy: Strictest settings applied by default.
12. Cookies
- Essential Only: Authentication tokens and session management.
- No Third-Party Tracking: No Google Analytics, Facebook Pixel, or ad cookies.
- No Advertising Cookies.
13. AI Transparency
- AI provides educational guidance only, no automated decisions with legal effects (Art. 22).
- Parents can review all AI interactions via the dashboard.
- Learning data is not used to train AI models.
14. UK-Specific Provisions
- Compliant with UK GDPR (Data Protection Act 2018).
- Supervisory Authority: ICO (ico.org.uk).
- Designed per ICO Children's Code (Age Appropriate Design Code).
15. GCC Data Protection
- UAE: Compliant with Federal Decree-Law No. 45 of 2021.
- Saudi Arabia: Adherent to PDPL.
- Other GCC: Applicable local regulations followed.
16. Complaints
Lodge complaints with your local supervisory authority. EU: local DPA. UK: ICO. UAE: UAE Data Office. Contact us first at support@zeluu.com.
17. Policy Changes
Material changes notified by email at least 30 days before taking effect.