Kaboosh!

Privacy Policy

Last updated: May 30, 2026

Important note: This policy is written to be easy to read. The bold In short line summarizes each section, but the full text controls.

1. Who We Are And Our Role

In short: Kaboosh is generally the controller for direct accounts and acts as a service provider, processor, or FERPA school official for institution-managed accounts as applicable.

Kaboosh Education Ltd. ("Kaboosh", "we", "us") provides educational websites, apps, APIs, games, and related services (the "Service").

For direct accounts, Kaboosh is generally the controller of account, profile, billing, learning, and support data. For school or institution-managed accounts, Kaboosh processes student data only to provide the Service, support the institution, and meet contractual or legal requirements.

If a signed school, district, data processing, or enterprise agreement conflicts with this policy, the signed agreement controls for that customer.

2. Information We Collect

In short: We collect account, learning, content, technical, payment, referral, and optional AI or speech data needed to provide and protect the Service.
  • Account details: name, email, role, language, timezone, username, password hash, profile settings, avatar, and parent or guardian contact details where needed.
  • Learning data: decks, flashcards, assignments, classes, review history, progress, scores, streaks, achievements, teacher feedback, and reports.
  • User content: text, images, audio, video, deck metadata, notes, public deck listings, ratings, reviews, and support submissions.
  • Speech and AI inputs: audio snippets, transcripts, prompts, OCR text, generated suggestions, pronunciation scores, grading feedback, and related metadata when those features are used.
  • Technical data: device and browser type, app version, IP address, approximate location, logs, crash reports, abuse-prevention signals, Turnstile challenge data where enabled, and security events.
  • Payment data: billing name, email, plan, invoices, and subscription status processed through Stripe. We do not store full card numbers.
  • Referral and affiliate attribution: referral codes, affiliate codes, landing URLs, timestamps, and browser user agent where needed to operate credits or commissions.

We do not require precise location, government identifiers, biometric identifiers, health data, or similar sensitive categories unless a feature, law, or verified support process specifically requires it.

3. How We Use Information

In short: We use data to run accounts, deliver learning features, personalize study, support users, process billing, secure the Service, and comply with legal obligations.
  • create and secure accounts;
  • deliver lessons, decks, assignments, games, reports, classroom workflows, and offline or cached learning experiences;
  • personalize learning and schedule reviews;
  • provide speech, OCR, translation, text-to-speech, image search, writing feedback, and AI-assisted features;
  • process subscriptions, trials, credits, referrals, and affiliate programs;
  • respond to support, safety, and privacy requests;
  • detect spam, fraud, abuse, unsafe content, and security incidents;
  • maintain, debug, and improve the Service; and
  • comply with contracts, school instructions, and legal obligations.

We do not use student or child data for targeted advertising or to build commercial profiles unrelated to education.

4. Legal Bases For EEA/UK Users

In short: Where GDPR or UK GDPR applies, we rely on contract, legitimate interests, consent, legal obligation, and institution instructions as applicable.
  • Contract: to provide the Service requested by a user, parent, teacher, school, or institution.
  • Legitimate interests: for security, fraud prevention, service diagnostics, basic product improvement, and support.
  • Consent: for optional features or non-essential cookies where consent is required.
  • Legal obligation: where laws require retention, disclosure, or compliance action.

For institution-managed accounts, the institution may determine the legal basis for processing student data.

5. Children And Students

In short: Kaboosh is designed for education and may be used by children. We apply child and student privacy protections, including COPPA and FERPA controls where they apply.
  • Direct child accounts: for children under 13 in the United States, or under the local age of digital consent elsewhere, we require verifiable consent from a parent or guardian before collecting personal information unless an exception applies.
  • School use: where a school directs use of the Service for an educational purpose and the arrangement qualifies, the school may consent on behalf of parents under COPPA. Kaboosh remains responsible for applicable operator obligations and provides the required information to the school.
  • Parent rights: parents or guardians may review, correct, or request deletion of child personal information and may refuse further collection, subject to school account rules.
  • Data minimization: we collect and retain child data only as reasonably necessary for the educational purpose, security, and legal obligations.
  • Third-party disclosures: we do not disclose child personal information for targeted advertising. If a future feature requires separate verifiable parental consent for disclosure to a third party for non-service purposes, we will obtain that consent first.

For services likely to be accessed by children in the UK, we aim to use high-privacy defaults, clear age-appropriate language, and proportionate safeguards.

6. Sharing Information

In short: We do not sell personal data. We share data only with the people and providers needed to run, secure, support, and legally protect the Service.
  • with teachers, parents, guardians, and institutions to support learning and account administration;
  • with service providers that host infrastructure, process payments, send email, provide security checks, provide analytics or diagnostics, support speech, AI, translation, OCR, moderation, media search, or secure the Service;
  • with public viewers when a user chooses to publish a public deck, profile element, review, rating, leaderboard entry, or similar content;
  • with law enforcement, regulators, courts, or safety responders when legally required or necessary to protect people, rights, property, or the Service; and
  • in a merger, acquisition, financing, or asset transfer, subject to this policy and applicable law.

Service providers may process data only for our instructed purposes and must protect it under appropriate contractual, confidentiality, and security obligations.

7. Cookies And Similar Technologies

In short: We use storage required for login, security, preferences, checkout, media caching, and offline learning. Optional analytics or advertising storage is not initialized by default.

Kaboosh uses cookies, local storage, IndexedDB, and similar technologies for authentication, security, preferences, core app functionality, offline learning, and media performance.

The codebase includes consent controls for future optional analytics or functional cookies. If non-essential analytics, advertising, or tracking technologies are enabled later, we will provide notice and consent controls where required.

See the Cookie Policy for more detail.

8. AI, Speech, Translation, OCR, And Moderation

In short: Optional AI and speech features may send limited inputs to providers to generate the requested output. Important outputs should be reviewed by a human.

Optional features may send limited inputs to service providers to generate transcripts, translations, text-to-speech audio, pronunciation scores, writing feedback, deck suggestions, OCR text, or moderation decisions.

Providers may include services such as Supabase, Cloudflare, Stripe, Sentry, OpenAI, Google, Google Vertex/Gemini, Azure, Deepgram, iFlytek, Hugging Face, Pixabay, Openverse, Pexels, Klipy, Serper, and similar providers depending on which feature is used and how the Service is configured.

We do not permit third-party AI providers to train their general models on identifiable student or child content unless the relevant parent, user, or institution explicitly authorizes it and applicable law allows it. We may use de-identified or aggregated diagnostics to improve safety, reliability, and learning quality.

AI outputs may be wrong, incomplete, biased, or inappropriate. Teachers, parents, and users should review important outputs before relying on them.

9. Retention And Deletion

In short: We retain data only as long as reasonably needed for education, account operation, security, legal compliance, audits, or school instructions.
  • active account and learning data: while the account is active or as instructed by the institution;
  • inactive direct accounts: may be deleted or de-identified after a reasonable inactivity period with notice where practical;
  • logs and telemetry: usually 12-18 months unless needed for security or investigations;
  • support records: usually up to 24 months;
  • backups: kept on a rolling, time-limited basis; and
  • billing, tax, affiliate, and audit records: retained as required for financial, legal, and fraud-prevention purposes.

Deletion requests can be made using the contact details below. For school accounts, we may route the request to the institution.

10. Security

In short: We use technical and organizational safeguards, but no online service can be guaranteed completely secure.

We use safeguards designed to protect personal data, including TLS in transit, encryption at rest for primary stores, role-based access, staff access controls, MFA for sensitive systems, monitoring, code review, dependency management, backups, and incident response procedures.

Users should use strong passwords and protect their login credentials.

11. International Transfers

In short: We may process data in the UK, EEA, United States, and other provider locations using appropriate safeguards where required.

Where required, we use safeguards such as adequacy decisions, EU Standard Contractual Clauses, the UK International Data Transfer Agreement or UK Addendum, and related technical and organizational measures.

12. Your Rights And Choices

In short: Depending on your location and account type, you may be able to access, correct, delete, export, object to, restrict, or opt out of certain processing.
  • access, correct, or delete personal data;
  • export data;
  • object to or restrict certain processing;
  • withdraw consent where processing is based on consent;
  • opt out of sale or sharing where applicable;
  • limit use of sensitive personal information where applicable; and
  • lodge a complaint with a privacy regulator.

California residents may exercise CCPA/CPRA rights, including rights to know, delete, correct, opt out of sale/share, limit certain sensitive personal information use, and avoid discrimination for exercising rights. We honor Global Privacy Control signals where applicable.

For school accounts, contact the school or institution first. We will assist them in responding to requests.

13. Public Content And Third-Party Links

In short: Public decks, ratings, reviews, profiles, and leaderboard entries may be visible to other people.

If you publish content publicly, such as a public deck, rating, review, profile element, or leaderboard entry, other people may see it. Do not publish personal data that you do not want shared.

The Service may link to third-party websites, media sources, or integrations. Their privacy practices are governed by their own policies.

14. Changes To This Policy

In short: We may update this policy as law, product features, technology, or business practices change.

We will provide prominent notice or seek consent where required for material changes, especially changes affecting children, students, or school data.

15. Contact

In short: Contact us for privacy requests, safety concerns, or general support.

Privacy requests and questions:

General support:

For institution-managed accounts, also contact your school or institution administrator.

16. Regulatory Contacts

In short: You may contact the privacy regulator that applies to your location or account type.
  • United States: Federal Trade Commission for COPPA issues; U.S. Department of Education Student Privacy Policy Office for FERPA issues.
  • United Kingdom: Information Commissioner's Office.
  • European Union/EEA: your local Data Protection Authority.
  • California: California Privacy Protection Agency and California Department of Justice.

17. Key References

In short: This policy is intended to align with applicable student, child, and privacy laws where they apply.

Applicable frameworks may include FERPA, COPPA, GDPR, UK GDPR, PECR, CCPA/CPRA, and similar student privacy laws depending on the user, school, location, feature, and data involved.