Privacy Policy
Effective Date: February 27, 2026
Summary for Families
- Parents create accounts. Kids never sign up directly.
- We collect only the data needed to run tutoring sessions.
- Parents can review, export, or delete their child's data at any time.
- We do not sell your data. We do not use it to train AI models.
- We use trusted service providers (hosting, database, AI) under strict data agreements.
1. Who We Are
Bachu (“we”, “our”, “us”) is an AI-powered educational tutor for children in Grades 2-8, operated by Bachu AI, based in Dubai, UAE.
We operate under a strict “Parent-First” philosophy: you own your data, and we do not sell it to anyone.
We comply with the Children's Online Privacy Protection Act (COPPA), the UAE Personal Data Protection Law (PDPL), the UAE Child Rights in Cyberspace Law, and other applicable data protection regulations.
Privacy contact: hello@heybachu.com
2. Who Can Use Bachu
- A parent or legal guardian must create the account.
- Parents add child profiles and manage access.
- Children cannot sign up directly. If we learn a child account was created without parent authorization, we will suspend or delete it.
3. Information We Collect
A. Information You Provide
- Parent Account: Name and email address to create your account and send important service updates.
- Child Profile: Your child's first name (or nickname) and grade level to personalize the tutoring experience.
- Chat Data: Text conversations between your child and the AI tutor, stored to maintain context and show history in the Parent Dashboard.
B. Voice & Worksheets
- Voice Input: When your child uses the microphone, audio is sent to our AI partner for transcription and immediately discarded. We do not store audio recordings.
- Worksheet Uploads: Images or PDFs uploaded for homework help are stored securely in encrypted storage. These files are accessible only to you and your child via the Parent Dashboard, and can be deleted upon request.
C. Technical Data
- Analytics: We use Umami Analytics (cookie-free, privacy-friendly) to track anonymous product usage data. This data is aggregated and does not identify individuals.
- Session Telemetry: Technical logs for troubleshooting and performance monitoring.
- Device Identifiers: Browser and device information used for account security and session management.
4. How We Use Your Information
- Provide and improve AI tutoring sessions
- Maintain account security and prevent abuse
- Detect and alert parents to potentially harmful content
- Troubleshoot service issues and monitor performance
- Respond to parent requests, including data deletion
- Comply with legal obligations
5. How We Use Artificial Intelligence
Bachu uses enterprise-grade AI to provide tutoring. We have strict data agreements with our providers:
- Google Gemini (Chat & Vision): Used for the main tutoring conversation and reading worksheets. We use a paid commercial license — your data is NOT used to train their public models.
- OpenAI (Voice): Used for text-to-speech and speech-to-text. We use a commercial license — your data is NOT used to train their public models.
We do not use your child's data to train our own AI models or any third-party AI models.
6. COPPA Compliance (US Children Under 13)
If your child is under 13 and located in the United States, COPPA applies. We comply by:
- Requiring parent/guardian account creation before any child data is collected
- Providing direct notice to parents about data practices
- Obtaining verifiable parental consent before collecting child data
- Allowing parents to review, delete, and control their child's data
- Limiting data collection to what is reasonably necessary for the tutoring service
7. How We Share Data
We do not sell, rent, or trade user data. We only share data with service providers necessary to run the app:
- Supabase: Secure database hosting (encrypted)
- Google Gemini API: AI tutoring response generation (data is transient)
- OpenAI: Voice processing (data is transient)
- Vercel: Website hosting and infrastructure
- Umami: Privacy-friendly analytics (cookie-free, no personal data)
We may also disclose information if required by law or to protect the safety of our users and the security of our platform.
8. International Data Transfers
Your data may be processed in multiple countries depending on our infrastructure and service provider locations. We apply contractual and technical safeguards appropriate for cross-border data processing.
9. Data Retention
- Parent account data: Retained while your account is active. Deleted within 30 days of an account deletion request.
- Child profile data: Retained while the linked parent account is active. Deleted upon parent request.
- Chat and session logs: Retained for service quality and safety. Deleted when the parent account is deleted or upon request.
- Technical logs: Retained for up to 90 days for troubleshooting, then automatically deleted.
- Backups: Retained for up to 30 days for disaster recovery, then purged.
10. Parental Rights & Control
As a parent or guardian, you have full control:
- View: Read every message your child sends and receives via the Parent Dashboard.
- Delete: Request complete deletion of your account and all associated child data.
- Export: Request an export of your child's data.
- Correct: Update your child's profile information at any time.
- Withdraw consent: Revoke consent for data processing where applicable.
To exercise any of these rights, contact us at hello@heybachu.com. We will verify your identity before fulfilling requests.
11. Data Security
We use industry-standard encryption (SSL/TLS) for data in transit and secure database encryption for data at rest. Access to user data is restricted by role-based access controls. While no service is 100% immune to attacks, we prioritize security at every layer.
12. Third-Party Links
If our service links to third-party resources, those services have their own privacy policies. We are not responsible for the practices of third-party websites or services.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated through the site or via email. Continued use after changes constitutes acceptance of the updated policy.
14. Contact Us
Privacy requests: hello@heybachu.com
General support: hello@heybachu.com