Charlie.AI

Privacy Policy

Last updated: 24/06/2026

1. Introduction

This Privacy Policy (“Policy”) explains how we collect, use, store, and protect personal data when you and your child use the Charlie.AI mobile application (“App”).

The App is operated by Allright Limited, registered in Cyprus (“Company”, “we”, “us”). Charlie.AI is an educational application that helps children aged 4 to 12 learn English through interactive journey with an AI-powered animated character. You can use the App either through an active account on the allright.com platform (“Platform”) if you hold an All Right Plus subscription, or by registering a separate account directly within the App or via the Company’s advertising page (the “Landing Page”).

This Policy has been prepared in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the EU Artificial Intelligence Act (Regulation (EU) 2024/1689, "AI Act"), applicable national data protection laws, and the policies of the Apple App Store and Google Play for applications designed for children.

The key terms used in this Policy (such as “you”, “Child”, “App”, and others) are explained in Section 3. If you do not agree with this Policy, please stop using the App.

2. Data controller

The organization responsible for your data is:

Allright Limited

Address: Florinis, 7 Greg Tower, 2nd floor 1065, Nicosia, Cyprus

Email for data protection enquiries: [email protected]

3. Key definitions

Throughout this Policy we use certain terms. Here is what they mean:

4. What data we collect

We only collect the data that is necessary to provide your child with a safe and effective learning experience.

4.1. Data received from the Platform or provided at registration

If you are a Platform User, the App does not have a separate registration process; when you log in to the App using your Platform account, the following data is imported from the Platform:

If you are an App User, the following data is collected directly when you register an account within the App or via the Landing Page:

If you are a Platform User, this data was originally provided by you during registration on the Platform; for information about how the Platform collects and processes your data, please refer to the Platform's own privacy policy. If you are an App User, this data is provided directly by you and is used to create your child's profile, determine an appropriate starting point in the learning journey and your child's experience within the App.

4.2. Data collected automatically

When your child uses the App, we automatically collect certain technical and usage information during the session:

4.3. Voice data

The App includes pronunciation exercises and conversations with the AI character. For this, the App may ask to use the device’s microphone. When your child speaks during these exercises, the audio is recorded and transmitted to Microsoft Corporation (Azure Speech Services), our speech recognition provider, for the purpose of converting speech to text. The audio is processed by Microsoft on servers located in the European Union. Voice recordings are not transmitted to any other third-party AI service. Before any voice data is transmitted, we ask for your explicit consent through an in-app consent screen, as described in Section 6.1.

4.4. What we do not collect

The App does not collect:

5. Why and on what legal basis we process data

Because our App is designed for children, we apply strict standards when deciding why and how we process data. We distinguish between your data (as the parent and account holder) and your child’s data (as the person using the App). This reflects the requirements of Articles 6 and 8 of the GDPR.

5.1. Your data (Parent)

As the account holder and our contracting partner, we process your data on the following bases:

Purposes and legal bases for processing parent data
PurposeLegal basisData
Account registration, login, and access managementContract performance (Art. 6(1)(b) GDPR)Email, password
Subscription management and billing notificationsContract performance (Art. 6(1)(b) GDPR)Email, subscription status
Push notifications (reminders, achievements, new content)Your consent (Art. 6(1)(a) GDPR)Device push token
Responding to your enquiriesContract performance; legitimate interests (Art. 6(1)(b), (f) GDPR)Email, enquiry content
Legal complianceLegal obligation (Art. 6(1)(c) GDPR)As required by law

5.2. Your child’s data

Under Article 8 of the GDPR, we can only process a child’s data when a parent has given consent. This is why almost all processing of your child’s data is based on your parental consent (Article 6(1)(a), together with Article 8 GDPR).

Purposes and legal bases for processing the child's data
PurposeLegal basisData
Providing access to educational content, structured levels, and progress trackingParental consent (Art. 6(1)(a), Art. 8 GDPR)First name, age (or approximate age range and gender for App Users), proficiency level, learning progress, answers, scores
Processing voice data for pronunciation exercises, conversation with the AI character, and quality assurance of speech recognition featuresParental consent (Art. 6(1)(a), Art. 8 GDPR)Audio recordings of the child’s voice
Sharing voice recordings with Microsoft (Azure Speech Services) for speech-to-text conversion, and sharing text data with Groq, Inc. for AI character response generation (see Section 9.2 for details)Parental consent (Art. 6(1)(a), Art. 8 GDPR)Voice recordings (to Microsoft only); first name, age, proficiency level, standard vocabulary list, and current dialogue text where applicable (to Groq only)
Analytics to understand how the App is used and to improve the educational experienceParental consent (Art. 6(1)(a), Art. 8 GDPR)IP address, device ID, usage data (modules accessed, session activity)
Protecting the security and integrity of the AppLegitimate interests (Art. 6(1)(f) GDPR)IP address, device ID, device type, OS version
Legal complianceLegal obligation (Art. 6(1)(c) GDPR)As required by law

5.3. Important clarifications

About your consent. You provide consent in two stages.

First, if you are a Platform User, you consent to the general processing of your child’s data necessary for the educational use (such as access to learning content and progress tracking) when you register your account on the Platform; if you are an App User, you provide this same general consent when you register your account directly within the App or via the Landing Page.

Second, before any AI-powered feature is used for the first time, the App displays a dedicated in-app consent screen explaining what data will be sent and to which AI service providers, and asks for your explicit permission before any data is transmitted. The AI features (speech recognition and conversation with the AI character) are activated only after you grant your explicit consent through this screen.

You can withdraw either consent at any time (see Section 6.3). Withdrawing consent does not affect anything we did with the data before you withdrew it.

About security processing. We use your child’s limited technical data (IP address, device ID) to keep the App safe and prevent unauthorized access. We rely on our legitimate interest for this purpose because security measures are essential to protect your child. We only use the minimum data needed, keep it for a short period, and restrict who can access it. We have assessed that this processing does not override your child’s rights.

No profiling or automated decisions with legal effects. The App does not perform profiling of children as defined in Article 4(4) of the GDPR. The learning content follows a fixed, sequential structure and is not adapted based on an automated evaluation of the child's individual characteristics, behavior, or performance. The automated features within the App (such as checking answers and awarding stars) do not produce legal effects on your child and do not significantly affect your child in any way comparable to legal effects within the meaning of Article 22 of the GDPR.

6. Parental consent

Because the App is designed for children, parental consent is central to how we handle your child’s data.

6.1. How we obtain consent

We obtain your consent in two distinct steps.

(a) General consent. If you are a Platform User, you consent to the processing of your child’s data necessary to provide access, including educational content, learning progress, and basic technical operation, when you register your account on the Platform. If you are an App User, you provide this same consent when you register your account directly within the App or via the Landing Page.

(b) Specific consent for AI features. Before your child uses any AI-powered feature of the App (speech recognition and conversation with the AI character) for the first time, the App displays an in-app consent screen that informs you about the use of third-party AI service providers, refers you to this Policy for details, and asks for your explicit permission before any data is transmitted. Voice recordings and other personal data are transmitted to our AI service providers only after you grant your explicit consent through this screen. If you decline, the App's core learning features will not be available, as Charlie is built around AI-powered interaction with your child. You can revoke this consent at any time in the App settings; if you do, non-interactive features such as viewing settings and any previously recorded progress will remain available.

Access to the App requires login through a parent’s Account, whether registered on the Platform or created directly within the App or via the Landing Page. The App uses age-gating mechanisms that prevent children from independently accessing account settings, contacting support, or modifying account information. We take reasonable steps, considering available technology, to verify that consent is provided by the person holding parental responsibility (Article 8(2) GDPR).

6.3. Withdrawing consent

You can withdraw your consent at any time. If you are a Platform User, you may do so by removing your child's access through the Platform. If you are an App User, you may withdraw consent by deleting your App Account directly within the App settings or by contacting us at [email protected]. After withdrawal, we will stop processing your child's data and take steps to delete or anonymize it (see Section 12).

7. Your rights and your child’s rights

You have important rights over your data and your child’s data. You can exercise any of these rights by contacting us at [email protected]. We will respond within one month (or up to three months for complex requests, as permitted by the GDPR).

Your child’s rights. All of the above rights apply equally to your child’s personal data. As a parent, you exercise these rights on your child’s behalf. We are committed to responding to such requests promptly and in accordance with applicable law.

8. Voice data

We understand that voice recordings of children require special care. This section explains in detail how we handle them.

8.1. Why we collect voice data

The App collects voice data only for educational purposes: pronunciation exercises and conversational practice with the AI character. The microphone is activated only during specific exercises and only when your child starts speaking.

8.2. How voice data is processed

Voice data is not processed on your child’s device. When your child speaks during an exercise, the audio recording is transmitted to Microsoft Corporation (Azure Speech Services), our speech recognition provider, where it is converted to text. Microsoft processes the audio on servers located in the European Union, so no transfer of voice data outside the European Economic Area takes place in the course of providing this service. Specifically:

8.3. Retention of voice recordings

We do not retain voice recordings on our own servers at any point. The audio is streamed directly to Microsoft's Azure AI Speech service for real-time transcription. According to Microsoft's published data privacy documentation for Azure AI Speech, real-time speech-to-text audio is processed only in server memory and is not stored at rest, and we have not enabled any optional audio logging features.

8.4. Security of voice data

Voice data is encrypted in transit between the App and Microsoft's servers. Access to the speech recognition service is limited to authenticated requests from the App. For information on the security measures we apply to all personal data, see Section 11.

8.5. Microphone permissions

Before the App can use the microphone, it will ask for your permission through the standard device permission dialogue. If you deny microphone access, Charlie will not be able to hear your child, and the voice-based learning exercises (which form the core of the App) will not be available. You can change microphone permission at any time in your device's settings.

9. Artificial intelligence features

9.1. How AI works in the App

The App uses artificial intelligence to deliver an interactive learning experience. The animated character is powered by AI - it is not human. The character talks with your child, checks pronunciation, gives rewards (stars), and guides the child through a structured sequence of levels and modules. The learning content follows a fixed progression: each module must be completed before the next one becomes available.

9.2. What data is shared with AI service providers

The App’s AI features rely on two third-party AI service providers, each with a distinct role and a distinct set of data. We have entered into data processing agreements with both providers in accordance with Article 28 of the GDPR, and both are required to provide protections for personal data equivalent to those described in this Policy. The two providers are:

Microsoft Corporation (Azure Speech Services) — processing details
Data processedvoice recordings of your child made during pronunciation and conversation exercises.
Purposeconverting your child’s speech into text so the App can understand what your child says.
Processing locationEuropean Union.
Data retention by Microsoftaccording to Microsoft's published data privacy documentation for Azure AI Speech, real-time speech-to-text audio is processed only in server memory and is not stored at rest; we have not enabled any optional audio logging features.
Use for model trainingnot used for training or improvement of Microsoft’s models
Legal frameworkMicrosoft Products and Services Data Protection Addendum (DPSA), which incorporates processor obligations under Article 28 of the GDPR and applies automatically to Microsoft online services including Azure AI Speech.
Groq, Inc. — processing details
Data processedyour child’s first name, age, English proficiency level, the standard set of vocabulary words associated with that proficiency level, and, where applicable, the text of the current in-session dialogue (so that the AI character can respond coherently within a single conversation). The vocabulary list is the same for all children at the same level - it is not individually tailored to your child. Important: voice recordings of your child are NOT transmitted to Groq; Groq receives only text-based information.
Purposeenabling the AI character to address your child by their first name and to conduct dialogue using the standard educational content corresponding to your child’s proficiency level.
Processing locationUnited States.
Data retention by Groqby default, Groq does not retain inference inputs or outputs.
Use for model trainingdata submitted via the Groq API is not used by Groq to train or improve its models
Legal frameworkGroq Customer Data Processing Addendum, incorporating GDPR Article 28 processor obligations. International transfer to the United States is governed by EU Standard Contractual Clauses (Module 2, Controller to Processor) included in the Groq DPA.

We do not share your child’s surname, contact details, or any data beyond what is described above. Neither provider may use your child’s data for advertising, profiling, or any purpose other than providing the contracted service to us. Both providers offer protections for personal data equivalent to those described in this Policy and required by applicable data protection law.

If we change our AI service providers or add new ones, we will update this Policy with the new provider’s name and details before any data is transmitted to that new provider, and where required, we will request your renewed consent through the in-app consent screen.

9.3. Automated processing

The AI evaluates whether pronunciation is correct and awards in-app rewards (stars). The learning content follows a fixed sequence and does not adapt based on an automated assessment of the child's individual abilities. These automated features are used only within the educational context of the App. They do not produce legal effects on your child and do not significantly affect your child in any way comparable to legal effects.

You can contact us at any time at [email protected] to ask about the logic behind the automated processing. If you believe that any automated feature has negatively affected your child's experience, we will provide an explanation and, where appropriate, arrange for a human review of the situation.

10. Who we share data with

We do not sell, rent, or trade your or your child’s personal data.

10.1. Service providers

We work with trusted third-party service providers who help us operate the App. These include providers of cloud hosting, AI and speech processing, and analytics infrastructure. All service providers are bound by data processing agreements in accordance with Article 28 of the GDPR, which require them to protect data, keep it confidential, and process it only as we instruct.

We also work with RevenueCat, Inc. and, where applicable, Stripe, Inc., Apple Inc., or Google LLC, to manage Subscriptions purchased directly through the App or the Landing Page. These providers process your email address and Subscription status only; they do not receive your child's personal data for this purpose.

10.2. Access within our Company

Within our Company, personal data is accessible to personnel in accordance with their professional duties. Analytics data is primarily used in aggregated form for reporting and service improvement. We maintain internal data handling procedures and require all personnel with access to personal data to comply with confidentiality obligations.

10.3. Legal disclosures

We may disclose personal data where required by law, a court order, or a governmental authority, or where necessary to protect the rights, safety, or property of our users or third parties.

10.4. Business transfers

If our Company is involved in a merger, acquisition, or sale of assets, personal data may be transferred to the successor. We will ensure that the receiving party is bound by obligations consistent with this Policy.

11. Data security

We implement appropriate technical and organizational measures to protect personal data, including:

No system is completely secure. If a data breach occurs that poses a risk to your rights, we will notify the relevant supervisory authority and, where required, inform you in accordance with the GDPR.

12. How long we keep data

12.1. How long we keep your data

We keep data only for as long as needed. Here is an overview:

When data is no longer needed, we securely delete or anonymize it.

12.2. How to delete data

If you delete the App from your child's device, any data stored locally on the device will be removed. However, deleting the App does not delete your account or any data stored on our servers.

If you are an App User, you may delete your App Account directly within the App settings. Account deletion will result in the permanent removal of your App Account and your child's associated data held in connection with the App, subject to the exceptions set out at the end of this section.

You may also request the deletion of your child's data associated with the App by contacting us at [email protected]. Upon receiving your request, we will delete or anonymize the child's data held on our servers, including voice recordings and usage data, within a reasonable timeframe.

Please note that, if you are a Platform User, your account on the Platform and your child's data within the App are managed separately; deleting your child's data from the App does not affect your account on the Platform, and vice versa. If you are an App User, your App Account and your child's data within the App are managed together; submitting a deletion request to [email protected] will also result in the deletion of your App Account.

Following a deletion request, your child's personal data will no longer be actively processed or accessible. Certain data may be retained in anonymized or aggregated form where it can no longer be linked to your child. We may also retain limited data where required by applicable law.

13. International data transfers

Where personal data is transferred outside the European Economic Area, we ensure that appropriate safeguards are in place as required by Articles 44 – 49 of the GDPR. The transfer arrangements for our AI and subscription/payment service providers are as follows:

All international transfers of personal data are covered by at least one of the safeguards described above. You can contact us at [email protected] for more information about the specific safeguards we apply.

14. Children’s privacy and protection

Protecting your child’s privacy is a core priority for us. We have designed the App with the following safeguards:

14.1. Parental control

14.2. Safe environment

14.3. Regulatory compliance

We comply with the GDPR provisions on children's data (Article 8), the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), applicable national laws of EU Member States, and the requirements of the Apple App Store and Google Play for applications designed for children. We also take into account the guidance issued by data protection authorities and the European Commission regarding children's privacy and the responsible use of AI.

15. Push notifications

The App may send push notifications to your device, such as learning reminders, new lesson announcements, or achievement updates. When you first use the App, you will be asked to allow or decline notifications. You can change this at any time in your device’s settings. Turning off notifications does not affect the App’s educational features.

16. App stores and third-party platforms

The App is available through the Apple App Store and Google Play. These platforms may collect certain data in accordance with their own privacy policies. We encourage you to review:

This Policy covers only the data that we process in connection with the App. Data processing related to the Platform is governed by the Platform's own privacy policy. For information about how Apple and Google handle your data, please refer to the links above.

17. Changes to this Policy

We may update this Policy from time to time. The updated version will be published within the App and/or on the Platform with a new “Last updated” date.

Material changes take effect no earlier than 30 days after publication. Where a change significantly affects how we process your child’s data, we will seek your renewed consent where required by law.

18. Contact us and complaints

18.1. Contact us

If you have questions about this Policy or want to exercise your rights:

Email: [email protected]

Address: Florinis, 7 Greg Tower, 2nd floor 1065, Nicosia, Cyprus

18.2. Complaints

If you have any concerns about how we handle your or your child's personal data, we encourage you to contact us first at [email protected]. We will do our best to address your concern promptly and find a resolution.

If you are not satisfied with our response, or if you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority.

For users in the European Union:

You may lodge a complaint with the data protection authority in your country. A list of all EU/EEA authorities is available at:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

As our Company is registered in Cyprus, the lead supervisory authority is:

Office of the Commissioner for the Protection of Personal Data (Cyprus)

Website: http://www.dataprotection.gov.cy

Email: [email protected]

For users in Ukraine:

You may lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights (Ombudsman):

Website: https://www.ombudsman.gov.ua

Address: 01008, Kyiv, 21/8 Instytutska Street

Hotline: 0 800 501 720 (free within Ukraine)

For users in other countries:

If you are located outside the European Union and Ukraine, you may contact us directly at [email protected] with any concerns about how we handle your or your child's personal data. We will respond to your enquiry in accordance with this Policy and applicable data protection laws in your jurisdiction.

You may also have the right to lodge a complaint with your local data protection authority. We will cooperate with the relevant authorities to resolve any concerns.