Skip to main content
← Back to WizKid

WizKid Privacy Policy

Version 1.0.0-beta

Effective: 24 February 2026

1. Overview

This policy explains what data we collect, why, and how we protect it. It applies under the Australian Privacy Principles (APPs), Privacy Act 1988 (Cth).

Audience: parents, guardians, teachers, and children aged 8+.

2. What We Collect

2.1 Parent/Teacher Accounts

  • Display name
  • Authentication data (managed by Clerk; email not stored in our database)
  • Account timestamps

2.2 Child Profiles (set by parent)

  • First name and age
  • Avatar choice
  • Learning preferences: jurisdiction, year level, language, strengths, challenges, interests, learning style, stay-on-task setting

2.3 Chat Data (generated through use)

  • Child messages and AI responses
  • Image attachments (processed in memory only — not stored)
  • Session metadata: subject, mode, timestamps, message count
  • Safety alerts from content moderation

2.4 Technical Data (automatic)

  • Session duration and timing
  • Device/browser info (from HTTP headers)
  • Engagement stats: message counts, streaks, sessions
  • Error logs

2.5 What We Don't Collect

  • No ad or tracking cookies
  • No precise geolocation
  • No cross-site tracking
  • No biometric data

3. How We Use It

PurposeLegal BasisData Used
AI tutoringPrimary purpose (APP 6)Chat messages, child profile
Personalise responsesPrimary purpose (APP 6)Learning preferences, age, interests
Content safetyPrimary purpose / Legal obligationChat messages, safety alerts
PII detection & redactionPrimary purpose / Legal obligationChat messages
Parent oversightPrimary purpose (APP 6)Chat history, alerts, engagement stats
AchievementsPrimary purpose (APP 6)Message counts, streaks, badges
System improvement BetaConsent required (APP 6)Anonymised transcripts
Research BetaConsent required (APP 6)De-identified usage patterns
Account managementPrimary purpose (APP 6)Parent credentials, child profiles
SecurityPrimary purpose (APP 6)Session data, safety alerts

4. Who We Share With

We use a small number of service providers. Each only receives the data it needs.

ProviderLocationPurposeNotes
OpenRouterUSAI model routingPrompts transmitted, not stored
Google GeminiUSAI language model (via OpenRouter)Processes chat content
ClerkUSParent authenticationDPA with SCCs
NeonAustraliaDatabaseDPA in place
VercelFunctions hosted in AustraliaHosting & deliveryDPA in place; transit only

We do not: sell data, share with advertisers, let third parties use children's data for unrelated purposes, or share identifiable data.

5. Cross-Border Transfers (APP 8)

Some providers process data in the US and other countries. We maintain Data Processing Agreements (DPAs) with all providers, including Standard Contractual Clauses where applicable, to ensure APP compliance.

6. Security (APP 11)

  • HTTPS/TLS encryption in transit
  • Neon native encryption at rest
  • Clerk-managed auth for parents
  • Security headers: CSP, HSTS (2-year), X-Frame-Options DENY, MIME sniffing prevention
  • Rate limiting on auth endpoints
  • Regular security reviews
  • Role-based access: parents see only their own children's data

7. Retention

DataKept For
Active accountsLife of the beta release
Chat messagesWhile account is active (for parent audit)
Redacted PIIUntil parent reviews it
Safety alertsUntil parent reviews the alert
Deleted accountsRemoved within 1 day of request
Anonymised dataIndefinitely (cannot be re-identified)

Data may be kept longer if required by law or legal hold.

8. Children's Protections

  • Parent-activated sessions required — children can't access the platform alone
  • Real-time AI safety filtering on all conversations
  • Automatic PII detection and redaction
  • Age-appropriate content tailored to configured subjects
  • No independent account creation by children
  • No advertising or marketing use of children's data

9. PII Detection Limits

We use pattern matching and AI to detect personal info shared by children in chat. Detection is not perfect. It may miss:

  • Unusual formats of personal info
  • Context-dependent info (e.g. a street name alone)
  • Info spread across multiple messages
  • Info inside images

Tell your children not to share personal information online. If you spot something we missed, contact us for manual review and deletion.

10. Parent Rights & Controls

What you can see

  • Full chat history per child
  • Safety alerts and flagged content
  • Engagement stats and usage patterns

What you can manage

  • Permitted topics and subjects
  • Child age and learning preferences
  • Device session activation and duration

Your data rights (APPs 12–13)

  • Access: get a copy of all data held about you or your child
  • Correction: fix inaccurate or outdated info
  • Deletion: request removal (subject to legal requirements)
  • Withdraw consent: opt out of secondary uses like research, any time
  • Portability: request data in a standard format

11. Cookies

We use only essential cookies:

  • Clerk session cookie — keeps you signed in
  • wizkid_session — httpOnly cookie for child sessions (not readable by JavaScript)

No ad cookies. No third-party tracking. Vercel Speed Insights collects anonymous performance data only.

12. Changes to This Policy

We may update this policy. Material changes will be emailed to you and require renewed consent before taking effect. Check the effective date at the top for the last update.

© 2026 WizKid. All rights reserved.