Privacy Policy
Charlie.AI

1. Introduction

This Privacy Policy ("Policy") explains how we collect, use, store, and protect personal data when you and your child use the Charlie.AI mobile application ("App").

The App is operated by Allright Limited, registered in Cyprus ("Company", "we", "us").

Charlie.AI is an educational application that helps children aged 4 to 12 learn English through interactive journey with an AI-powered animated character. To use the App, you need an active account on the allright.com platform ("Platform").

This Policy has been prepared in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the EU Artificial Intelligence Act (Regulation (EU) 2024/1689, "AI Act"), applicable national data protection laws, and the policies of the Apple App Store and Google Play for applications designed for children.

The key terms used in this Policy (such as "you", "Child", "App", and others) are explained in Section 3. If you do not agree with this Policy, please stop using the App.

2. Data controller

The organization responsible for your data is:

Allright Limited
Address: Florinis, 7 Greg Tower, 2nd floor 1065, Nicosia, Cyprus
Email for data protection enquiries: help@charlie.kids

3. Key definitions

Throughout this Policy we use certain terms. Here is what they mean:

• "We", "us", "our", or "Company" - Allright Limited, the company that operates the App and is responsible for processing your data (see Section 2).
• "You", "your", or "Parent" - the parent or legal guardian who has registered an account on the Platform and is responsible for managing the Child's access to the App. You are the person we enter into a contract with and who provides consent on behalf of the Child.
• "Child" - a minor aged 4 to 12 years who uses the App. Access to the App is linked to your account registered on the Platform.
• "App" - the Charlie.AI mobile application for iOS and Android.
• "Platform" - the allright.com website and online service, which has its own terms and conditions and privacy policy.
• "Account" - your personal account on the Platform, used to log in to the App.
• "Personal Data" - any information that can identify you or your child, directly or indirectly.
• "Processing" - anything we do with Personal Data: collecting, storing, using, sharing, or deleting it.
• "AI Features" - the artificial intelligence tools built into the App, including the AI-powered animated character, speech recognition and pronunciation evaluation. The animated character is not a human - it is powered by artificial intelligence.

4. What data we collect

We only collect the data that is necessary to provide your child with a safe and effective learning experience.

4.1. Data received from the Platform

The App does not have its own registration process. When you log in to the App using your Platform account, the following data is imported from the Platform:

• Your email address (used for login and communication);
• Your child's first name;
• Your child's age;
• Your child's English proficiency level (based on your child's learning history on the Platform).

This data was originally provided by you during registration on the Platform. For information about how the Platform collects and processes your data, please refer to the Platform's own privacy policy.

4.2. Data collected automatically

When your child uses the App, we automatically collect certain technical and usage information during the session:

• IP address and device identifier;
• Device type and operating system version;
• Which modules and content your child interacts with during a session;
• Learning progress: answers, scores, and rewards earned.

4.3. Voice data

The App includes pronunciation exercises and conversations with the AI character. For this, the App may ask to use the device's microphone. When your child speaks during these exercises, the audio is recorded and transmitted to Microsoft Corporation (Azure Speech Services), our speech recognition provider, for the purpose of converting speech to text. The audio is processed by Microsoft on servers located in the European Union. Voice recordings are not transmitted to any other third-party AI service. Before any voice data is transmitted, we ask for your explicit consent through an in-app consent screen, as described in Section 6.1.

4.4. What we do not collect

The App does not collect:

• Precise location data;
• Contact lists or address books;
• Photos, videos, or files from the device;
• Payment or financial information (payments are handled through the Platform);
• Cookies or similar tracking technologies.

5. Why and on what legal basis we process data

Because our App is designed for children, we apply strict standards when deciding why and how we process data. We distinguish between your data (as the parent and account holder) and your child's data (as the person using the App). This reflects the requirements of Articles 6 and 8 of the GDPR.

5.1. Your data (Parent)

As the account holder and our contracting partner, we process your data on the following bases:

5.2. Your child's data

Under Article 8 of the GDPR, we can only process a child's data when a parent has given consent. This is why almost all processing of your child's data is based on your parental consent (Article 6(1)(a), together with Article 8 GDPR).

5.3. Important clarifications

About your consent. You provide consent in two stages. First, when you register your account on the Platform, you consent to the general processing of your child's data necessary for the educational use (such as access to learning content and progress tracking). Second, before any AI-powered feature is used for the first time, the App displays a dedicated in-app consent screen explaining what data will be sent and to which AI service providers, and asks for your explicit permission before any data is transmitted. The AI features (speech recognition and conversation with the AI character) are activated only after you grant your explicit consent through this screen. You can withdraw either consent at any time (see Section 6.3). Withdrawing consent does not affect anything we did with the data before you withdrew it.

About security processing. We use your child's limited technical data (IP address, device ID) to keep the App safe and prevent unauthorized access. We rely on our legitimate interest for this purpose because security measures are essential to protect your child. We only use the minimum data needed, keep it for a short period, and restrict who can access it. We have assessed that this processing does not override your child's rights.

No profiling or automated decisions with legal effects. The App does not perform profiling of children as defined in Article 4(4) of the GDPR. The learning content follows a fixed, sequential structure and is not adapted based on an automated evaluation of the child's individual characteristics, behavior, or performance. The automated features within the App (such as checking answers and awarding stars) do not produce legal effects on your child and do not significantly affect your child in any way comparable to legal effects within the meaning of Article 22 of the GDPR.

6. Parental consent

Because the App is designed for children, parental consent is central to how we handle your child's data.

6.1. How we obtain consent

We obtain your consent in two distinct steps.

(a) General consent. When you register your account on the Platform, you consent to the processing of your child's data necessary to provide access, including educational content, learning progress, and basic technical operation.

(b) Specific consent for AI features. Before your child uses any AI-powered feature of the App (speech recognition and conversation with the AI character) for the first time, the App displays an in-app consent screen that informs you about the use of third-party AI service providers, refers you to this Policy for details, and asks for your explicit permission before any data is transmitted.

Voice recordings and other personal data are transmitted to our AI service providers only after you grant your explicit consent through this screen. If you decline, the App's core learning features will not be available, as Charlie is built around AI-powered interaction with your child. You can revoke this consent at any time in the App settings; if you do, non-interactive features such as viewing settings and any previously recorded progress will remain available.

6.2. How we verify parental involvement

Access to the App requires login through a parent's account on the Platform. The App uses age-gating mechanisms that prevent children from independently accessing account settings, contacting support, or modifying account information. We take reasonable steps, considering available technology, to verify that consent is provided by the person holding parental responsibility (Article 8(2) GDPR).

6.3. Withdrawing consent

You can withdraw your consent at any time by contacting us at help@charlie.kids or by removing your child's access through the Platform. After withdrawal, we will stop processing your child's data and take steps to delete or anonymize it (see Section 12).

7. Your rights and your child's rights

You have important rights over your data and your child's data. You can exercise any of these rights by contacting us at help@charlie.kids. We will respond within one month (or up to three months for complex requests, as permitted by the GDPR).

• Access: You can ask us what data we hold about you or your child, and receive a copy of it.
• Correction: If any data is inaccurate or incomplete, you can ask us to correct it.
• Deletion: You can ask us to delete your or your child's data. We will do so unless we are legally required to keep it.
• Restriction: You can ask us to limit how we use the data in certain situations.
• Portability: You can ask to receive your data in a common digital format so you can transfer it.
• Objection: Where we process data based on our legitimate interests, you can object and we will review the situation.
• Withdraw consent: You can withdraw your consent at any time. This will not affect processing that took place before the withdrawal.

Your child's rights. All of the above rights apply equally to your child's personal data. As a parent, you exercise these rights on your child's behalf. We are committed to responding to such requests promptly and in accordance with applicable law.

8. Voice data

We understand that voice recordings of children require special care. This section explains in detail how we handle them.

8.1. Why we collect voice data

The App collects voice data only for educational purposes: pronunciation exercises and conversational practice with the AI character. The microphone is activated only during specific exercises and only when your child starts speaking.

8.2. How voice data is processed

Voice data is not processed on your child's device. When your child speaks during an exercise, the audio recording is transmitted to Microsoft Corporation (Azure Speech Services), our speech recognition provider, where it is converted to text. Microsoft processes the audio on servers located in the European Union, so no transfer of voice data outside the European Economic Area takes place in the course of providing this service. Specifically:

• Microsoft is bound by the Microsoft Products and Services Data Protection Addendum, which incorporates the processor obligations under Article 28 of the GDPR;
• Microsoft processes the voice data only for the purpose of providing the speech-to-text service to us;
• Microsoft does not use the voice data for training or improving its models, for advertising, or for profiling;
• According to Microsoft's published data privacy documentation for Azure AI Speech, the real-time speech-to-text service processes audio only in server memory and does not store audio data at rest. We do not enable any optional logging features that would cause Microsoft to retain audio recordings.

8.3. Retention of voice recordings

We do not retain voice recordings on our own servers at any point. The audio is streamed directly to Microsoft's Azure AI Speech service for real-time transcription. According to Microsoft's published data privacy documentation for Azure AI Speech, real-time speech-to-text audio is processed only in server memory and is not stored at rest, and we have not enabled any optional audio logging features.

8.4. Security of voice data

Voice data is encrypted in transit between the App and Microsoft's servers. Access to the speech recognition service is limited to authenticated requests from the App. For information on the security measures we apply to all personal data, see Section 11.

8.5. Microphone permissions

Before the App can use the microphone, it will ask for your permission through the standard device permission dialogue. If you deny microphone access, Charlie will not be able to hear your child, and the voice-based learning exercises (which form the core of the App) will not be available. You can change microphone permission at any time in your device's settings.

9. Artificial intelligence features

9.1. How AI works in the App

The App uses artificial intelligence to deliver an interactive learning experience. The animated character is powered by AI - it is not human. The character talks with your child, checks pronunciation, gives rewards (stars), and guides the child through a structured sequence of levels and modules. The learning content follows a fixed progression: each module must be completed before the next one becomes available.

9.2. What data is shared with AI service providers

The App's AI features rely on two third-party AI service providers, each with a distinct role and a distinct set of data. We have entered into data processing agreements with both providers in accordance with Article 28 of the GDPR, and both are required to provide protections for personal data equivalent to those described in this Policy. The two providers are:

• Microsoft Corporation (Azure Speech Services) - speech recognition provider. Legal entity: Microsoft Corporation, with European operations through Microsoft Ireland Operations Limited. Data processed: voice recordings of your child made during pronunciation and conversation exercises. Purpose: converting your child's speech into text so the App can understand what your child says. Processing location: European Union. Data retention by Microsoft: according to Microsoft's published data privacy documentation for Azure AI Speech, real-time speech-to-text audio is processed only in server memory and is not stored at rest; we have not enabled any optional audio logging features. Use for model training: not used for training or improvement of Microsoft's models. Legal framework: Microsoft Products and Services Data Protection Addendum (DPSA), which incorporates processor obligations under Article 28 of the GDPR and applies automatically to Microsoft online services including Azure AI Speech.
• Groq, Inc. - language model inference provider for the AI character's text responses. Legal entity: Groq, Inc., Mountain View, California, United States. Data processed: your child's first name, age, English proficiency level, the standard set of vocabulary words associated with that proficiency level, and, where applicable, the text of the current in-session dialogue (so that the AI character can respond coherently within a single conversation). The vocabulary list is the same for all children at the same level - it is not individually tailored to your child. Important: voice recordings of your child are NOT transmitted to Groq; Groq receives only text-based information. Purpose: enabling the AI character to address your child by their first name and to conduct dialogue using the standard educational content corresponding to your child's proficiency level. Processing location: United States. Data retention by Groq: by default, Groq does not retain inference inputs or outputs. Use for model training: data submitted via the Groq API is not used by Groq to train or improve its models. Legal framework: Groq Customer Data Processing Addendum, incorporating GDPR Article 28 processor obligations. International transfer to the United States is governed by EU Standard Contractual Clauses (Module 2, Controller to Processor) included in the Groq DPA.

We do not share your child's surname, contact details, or any data beyond what is described above. Neither provider may use your child's data for advertising, profiling, or any purpose other than providing the contracted service to us. Both providers offer protections for personal data equivalent to those described in this Policy and required by applicable data protection law.

If we change our AI service providers or add new ones, we will update this Policy with the new provider's name and details before any data is transmitted to that new provider, and where required, we will request your renewed consent through the in-app consent screen.

9.3. Automated processing

The AI evaluates whether pronunciation is correct and awards in-app rewards (stars). The learning content follows a fixed sequence and does not adapt based on an automated assessment of the child's individual abilities. These automated features are used only within the educational context of the App. They do not produce legal effects on your child and do not significantly affect your child in any way comparable to legal effects.

You can contact us at any time at help@charlie.kids to ask about the logic behind the automated processing. If you believe that any automated feature has negatively affected your child's experience, we will provide an explanation and, where appropriate, arrange for a human review of the situation.

10. Who we share data with

We do not sell, rent, or trade your or your child's personal data.

10.1. Service providers

We work with trusted third-party service providers who help us operate the App. These include providers of cloud hosting, AI and speech processing, and analytics infrastructure. All service providers are bound by data processing agreements in accordance with Article 28 of the GDPR, which require them to protect data, keep it confidential, and process it only as we instruct.

10.2. Access within our Company

Within our Company, personal data is accessible to personnel in accordance with their professional duties. Analytics data is primarily used in aggregated form for reporting and service improvement. We maintain internal data handling procedures and require all personnel with access to personal data to comply with confidentiality obligations.

10.3. Legal disclosures

We may disclose personal data where required by law, a court order, or a governmental authority, or where necessary to protect the rights, safety, or property of our users or third parties.

10.4. Business transfers

If our Company is involved in a merger, acquisition, or sale of assets, personal data may be transferred to the successor. We will ensure that the receiving party is bound by obligations consistent with this Policy.

11. Data security

We implement appropriate technical and organizational measures to protect personal data, including:

• Encryption of data in transit between the App and our servers;
• Appropriate technical measures for the transmission of voice data;
• Access controls that limit who within our organization can access personal data;
• Regular review and improvement of our security practices.

No system is completely secure. If a data breach occurs that poses a risk to your rights, we will notify the relevant supervisory authority and, where required, inform you in accordance with the GDPR.

12. How long we keep data

12.1. How long we keep your data

We keep data only for as long as needed. Here is an overview:

• Account and profile data: kept while your account on the Platform is active. If you delete the App account, your child's App data will be removed. Deleting the App account does not automatically delete your Platform account.
• Voice data: not retained on our servers. The audio is streamed to Microsoft's Azure AI Speech service for real-time transcription and, according to Microsoft's documentation, is processed only in server memory.
• Usage and analytics data: kept in aggregated or pseudonymized form for service improvement.
• Security logs (IP, device ID): kept for a limited period for security and troubleshooting, then deleted.

When data is no longer needed, we securely delete or anonymize it.

12.2. How to delete data

If you delete the App from your child's device, any data stored locally on the device will be removed. However, deleting the App does not delete your account or any data stored on our servers.

You may request the deletion of your child's data associated with the App by contacting us at help@charlie.kids. Upon receiving your request, we will delete or anonymize the child's data held on our servers, including voice recordings and usage data, within a reasonable timeframe.

Please note that your account on the Platform and your child's data within the App are managed separately. Deleting your child's data from the App does not affect your account on the Platform, and vice versa.

Following a deletion request, your child's personal data will no longer be actively processed or accessible. Certain data may be retained in anonymized or aggregated form where it can no longer be linked to your child. We may also retain limited data where required by applicable law.

13. International data transfers

Where personal data is transferred outside the European Economic Area, we ensure that appropriate safeguards are in place as required by Articles 44 - 49 of the GDPR. The transfer arrangements for each of our AI service providers are as follows:

• Microsoft Corporation (Azure Speech Services): voice recordings are processed within the European Union and are not transferred outside the European Economic Area in the course of providing the speech recognition service to us. No transfer mechanism is therefore required for this processing.
• Groq, Inc.: text-based data (your child's first name, age, English proficiency level, standard vocabulary list for the level, and where applicable the text of the current in-session dialogue) is transferred to the United States. This transfer is governed by the EU Standard Contractual Clauses (Module 2, Controller to Processor) incorporated into the Groq Customer Data Processing Addendum, in accordance with Article 46(2)(c) of the GDPR.
• Voice recordings of your child are not transferred outside the European Economic Area at any point.

All international transfers of personal data are covered by at least one of the safeguards described above. You can contact us at help@charlie.kids for more information about the specific safeguards we apply.

14. Children's privacy and protection

Protecting your child's privacy is a core priority for us. We have designed the App with the following safeguards:

14.1. Parental control

• Only a parent can own the account. Children cannot create accounts, change settings, or contact support without passing through age-gating verification.
• You can review your child's learning activity by opening the App and viewing the modules your child has studied.
• You can withdraw consent and request deletion of your child's data at any time.

14.2. Safe environment

• The App contains no advertising.
• There are no in-app purchases (payments are managed through the Platform).
• Children cannot publicly share personal information or communicate with other users.
• The App does not use cookies or third-party tracking.
• We follow the data minimization principle: we collect only what is necessary for the educational purpose.

14.3. Regulatory compliance

We comply with the GDPR provisions on children's data (Article 8), the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), applicable national laws of EU Member States, and the requirements of the Apple App Store and Google Play for applications designed for children. We also take into account the guidance issued by data protection authorities and the European Commission regarding children's privacy and the responsible use of AI.

15. Push notifications

The App may send push notifications to your device, such as learning reminders, new lesson announcements, or achievement updates. When you first use the App, you will be asked to allow or decline notifications. You can change this at any time in your device's settings. Turning off notifications does not affect the App's educational features.

16. App stores and third-party platforms

The App is available through the Apple App Store and Google Play. These platforms may collect certain data in accordance with their own privacy policies. We encourage you to review:

• App Store: https://www.apple.com/legal/privacy/data/en/app-store/
• Google Play: https://play.google.com/about/privacy-security-deception/

This Policy covers only the data that we process in connection with the App. Data processing related to the Platform is governed by the Platform's own privacy policy. For information about how Apple and Google handle your data, please refer to the links above.

17. Changes to this Policy

We may update this Policy from time to time. The updated version will be published within the App and/or on the Platform with a new "Last updated" date.

Material changes take effect no earlier than 30 days after publication. Where a change significantly affects how we process your child's data, we will seek your renewed consent where required by law.

18. Contact us and complaints

18.1. Contact us

If you have questions about this Policy or want to exercise your rights:

Email: help@charlie.kids
Address: Florinis, 7 Greg Tower, 2nd floor 1065, Nicosia, Cyprus

18.2. Complaints

If you have any concerns about how we handle your or your child's personal data, we encourage you to contact us first at help@charlie.kids. We will do our best to address your concern promptly and find a resolution.

If you are not satisfied with our response, or if you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority.