Privacy Policy.

1. Introduction

GPTQuest, operated and owned by Kixmeta Labs, LLC ("we", "us", "our"), respects your privacy and is committed to protecting your personal information. GPTQuest is an AI Literacy and educational platform designed for students in grades 3-8. This Privacy Policy explains how we collect, use, share, and safeguard your information when you use the GPTQuest platform and services (the "Service"). We comply with the Children's Online Privacy Protection Act (COPPA) and the Family Educational Rights and Privacy Act (FERPA). By using this Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We may collect the following categories of information:

a. Account Information

When you create an account, we collect only essential information:

• Email address (Account Owners only, used for authentication and transactional communications; Student and Teacher accounts use a system-generated synthetic identifier instead, described below)
• Display name (a user-created pseudonym for in-app identification)

During the current launch period, GPTQuest accounts are registered by adults only. The adult who registers the account (the "Account Owner", typically a teacher or a school administrator) provides a real name and email address and agrees to this Privacy Policy and our Terms of Service, which govern their account and any content they create.

The Account Owner creates and manages all other accounts through the Control Panel. They may create Teacher accounts for the adults who run their classrooms and assign each Teacher to one or more classrooms; Teachers have access only to the classrooms assigned to them. Teacher accounts sign in with credentials issued by the Account Owner and, like Student accounts, use a system-generated synthetic email address (not a real mailbox) as their account identifier; we do not collect a real email address for them. Student accounts are likewise created by the Account Owner; for students under 13, accounts are created under the school's authority (see Section 11). Adults may also play Quests; when they do, they receive the same protections as students, and no name, email address, or account identifier is sent to our AI providers.

b. Usage and Interaction Data

We collect data about your use of the Service, including:

• Quest progress, completions, and game state
• Server-side request logs from our hosting provider, used for operational reliability and abuse prevention

We do not currently run dedicated user-behavior analytics (no Google Analytics, Mixpanel, or similar). If we add analytics tooling in the future, we will update this Policy and request consent through the cookie banner before activating any non-essential tracking.

c. Device and Technical Data

We collect:

• Browser type and version
• Operating system
• Device identifiers
• IP address

d. Gameplay Content

Narrative text and choices you create during gameplay. Chat between students is limited to a curated picker of emojis, stickers, and preset phrases (no free-text chat); these selections are relayed in real time within the classroom's private Instance and are not retained as chat logs.

e. Support and Communications

Messages you send us via the Contact Us page or email.

f. Cookies and Similar Technologies

We use only essential cookies needed for authentication, session continuity, and remembering your cookie preferences. We do not currently set analytics or marketing cookies.

3. How We Use Your Information

We use information to:

• Provide, maintain, and improve the Service
• Personalize your experience
• Track educational progression (XP, levels, achievements)
• Communicate updates and support messages
• Protect against fraud and enforce policies
• Comply with legal requirements

We do not sell your personal information.

4. Cookies and Tracking Technologies

What Are Cookies?

Cookies are small pieces of data stored on your device that let the Service recognize your sign-in session and remember your preferences.

Cookies We Currently Use

• Essential authentication cookies set by our auth provider (Supabase) to keep you signed in
• A cookie-consent preference cookie that records your choice on the cookie banner

We do not currently set analytics, advertising, or third-party tracking cookies. The cookie-consent banner you see on the site is forward-looking: if we ever add non-essential cookies, the banner will gate them behind your consent before they are set.

Managing Cookies

You can control cookie preferences through your browser settings. Disabling essential cookies will prevent you from staying signed in.

5. Your Rights (Global)

Access & Correction

You may request a copy of the personal data we hold about you and correct inaccuracies.

Deletion

You may request deletion of your personal data, subject to legal requirements.

Data Portability

You may request your data in a structured, machine-readable format.

Objection & Restriction

You have the right to object to or request restrictions on certain processing activities.

To exercise these rights, visit our Contact Us page.

6. GDPR — European Union / EEA Residents

If you are located in the EU/EEA, you have the following rights under the General Data Protection Regulation (GDPR):

• Right to Access: Obtain confirmation whether your data is processed
• Right to Rectification: Correct inaccurate personal data
• Right to Erasure: Delete personal data (subject to limitations)
• Right to Restrict Processing: Limit how your data is used
• Right to Data Portability: Receive your data in a common format
• Right to Object: Object to processing based on legitimate interest
• Right to Withdraw Consent: When processing is based on consent

To exercise GDPR rights, visit our Contact Us page.

7. CCPA / CPRA — California Residents

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Your Rights

• Right to Know: What personal data we collect and how we use it
• Right to Delete: Request deletion of personal data
• Right to Opt-Out: Opt out of "sale" of personal data (we do not sell personal data)
• Right to Non-Discrimination: We will not discriminate for exercising your rights

Shine the Light

You may request details about shared personal data with third parties for marketing.

To exercise California privacy rights, visit our Contact Us page.

8. Data Sharing and Disclosure

We may share your information with:

a. Service Providers (Subprocessors)

The vendors below process data on our behalf to operate the Service. Each is bound by their own terms and security commitments and processes data only for the purposes described. Student account and progress data are stored in the United States (Supabase, hosted on Amazon Web Services, US-East region). Some services run on global edge networks or process data outside the United States as noted below and in Section 13.

• Supabase: Postgres database and authentication; stores Student account records, progress, and game state. Hosted in the United States (AWS US-East). supabase.com/privacy
• Vercel: application hosting, edge compute, and platform logs; operational request logs, no student profiles. vercel.com/legal/privacy-policy
• Vercel Blob: storage for user-generated audio and images (e.g., songs from the Songweaver Quest and pictures generated during Quests). vercel.com/legal/privacy-policy
• Cloudflare R2: storage of game assets and player-created avatar images; contains no names, emails, or other personal identifiers. Runs on a global edge network. cloudflare.com/privacypolicy
• Cloudflare / PartyKit: real-time multiplayer presence within a Teacher Instance; transient nickname and position, no stored student records. Runs on a global edge network. cloudflare.com/privacypolicy
• Stripe: payment processing for School Pro subscriptions; teacher/school billing only, no student data. stripe.com/privacy
• Resend: transactional email delivery; teacher and administrator email only, no student email. resend.com/legal/privacy-policy

b. AI and Content Partners

Text, image, and music inputs you submit during gameplay may be processed by third-party AI providers to generate Quest content:

• OpenAI: text and dialogue generation. openai.com/policies/privacy-policy
• Runware: image generation (FLUX-based models). runware.ai/privacy-policy
• Sonauto: music generation (primary). sonauto.ai/privacy
• MusicGPT: music generation (fallback). musicgpt.com/privacy

We do not train any AI models on your inputs. We do not send any user's name, email address, or account identifier to these providers, whether the user is a student or a teacher; only the content needed to generate a result (such as a prompt or song lyrics) is transmitted, and it is not linked to anyone. Our text provider, OpenAI, does not use API submissions to train its models. Our image and music providers may use the content we send, or the result it generates, to improve or train their own AI; because that content carries no user identity, it cannot be used to identify, contact, or profile a child or adult. Prompts and lyrics are free-form text typed by the user, so if someone includes personal information in what they type, that text is transmitted to the provider with the request; we encourage teachers to review gameplay with students to help them avoid entering real names or sensitive details. We continue to review each provider's data-use terms. See our Responsible AI page for more on how AI is used in the Service.

c. Legal Authorities

When required by law or to protect our rights.

d. Affiliates and Business Transactions

In connection with mergers, acquisitions, or asset sales.

e. With Your Consent

When you explicitly agree to share data.

We do not sell your personal information.

9. Data Security

We maintain a written Information Security Program appropriate to the sensitivity of the data we handle. The program includes:

• Encryption of personal data in transit (TLS) and at rest
• Role-based access controls and least-privilege permissions for our team
• Regular vendor risk reviews of all subprocessors listed in Section 8
• Employee training on privacy and data handling
• An incident response process for suspected security events
• Annual review and update of the program

In the event of a confirmed data breach involving student personal information, we will notify affected schools without undue delay and in any case within 72 hours of confirming the breach, and, where required by law, parents and regulators within the timeframes required by applicable law.

No method of transmission over the Internet is 100% secure, but we work continuously to protect your data.

10. Data Retention

We retain personal data for as long as your account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.

When you close your account, your authentication record is deleted immediately and the deletion cascades through every per-user table in our database (profile, gem balance, gem transaction history, friendships, Quest sessions, World position, notifications, and similar). Stripe payment records persist independently per Stripe's own retention policy. Platform-level server logs (Vercel, Cloudflare) persist according to those providers' retention windows and are not tied to individual user accounts. Copies of personal data in encrypted backups are removed as backups rotate on our regular schedule, which does not exceed 90 days.

11. Children's Privacy & COPPA Compliance

GPTQuest is designed for students in grades 3-8 (approximately ages 8-14). We are committed to complying with the Children's Online Privacy Protection Act (COPPA) and take special care to protect the privacy of children under 13.

a. School-Authorized Access (Under 13)

GPTQuest operates under the COPPA "school authorization" exception. Under this exception, schools may consent to the collection of personal information from students under 13 on behalf of parents, provided the data is used for an educational purpose authorized by the school and not for any commercial purpose.

By creating Student accounts, the Account Owner confirms that they are authorized by their school or district to do so for educational purposes, and that the school has provided (or will provide) any required notice to parents.

Schools and districts that wish to enter into a formal Data Privacy Agreement (DPA) with us may request one by emailing connect@gptquest.ai. A summary of our data practices for school administrators is available at /for-schools.

GPTQuest collects only the minimum data necessary to provide the Service to young learners.

b. Data We Collect from Students

We collect only the minimum data necessary to provide educational services:

• A system-generated synthetic email address (not a real mailbox) used solely as a unique account identifier; students do not provide a real email and we do not contact students at this address
• Display name (a pseudonym chosen by the Teacher or student for in-app identification)
• Educational progress and gameplay data
• Device and connection data collected automatically from all users (browser type, operating system, device identifiers, IP address, and server-side request logs), used for security, operational reliability, and abuse prevention, as described in Sections 2b and 2c

We encourage Teachers to use pseudonyms rather than real names for student display names.

c. How We Use Student Data

Student data is used exclusively for educational purposes:

• Providing access to educational Quests and content
• Tracking learning progress and achievements
• Enabling collaborative multiplayer features within the student's Teacher Instance

We do not send emails to students. We do not use student data for advertising, marketing, or behavioral profiling. We do not run third-party analytics or behavioral tracking on Student accounts. We do not sell student data.

d. Parental Rights

Parents and legal guardians have the right to:

• Review the personal information we have collected from their child
• Request correction of inaccurate information about their child
• Request deletion of their child's personal information
• Refuse further collection or use of their child's information
• Request that we stop sharing their child's information with third parties

To exercise these rights, contact us through our Contact Us page or contact your child's school.

If a parent's request relates to a Student account managed under the school authorization exception, we may direct the parent to the school or district that authorized the account, in line with FTC guidance. We will respond to verifiable parent requests within 30 days.

e. Account Registration

During the current launch period, only adult Account Owners may register directly through the Service. Student and Teacher accounts (including students aged 13 and older, and students under 13) are created by the school's Account Owner through the Control Panel, subject to the terms of this Privacy Policy.

12. Third-Party Services

We use third-party services that process data on our behalf, including AI providers, hosting, authentication, and storage. The current list is detailed in Section 8. If we add other categories of providers in the future (such as analytics tooling), we will update this Policy. All providers we work with are contractually bound to protect your data and use it only for the purposes described.

13. International Transfers

Your data may be transferred to and processed in countries with different data protection laws, including the United States. By using GPTQuest, you consent to these transfers. We implement appropriate safeguards where required.

Where data is transferred from the EU/EEA, the United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (and the UK International Data Transfer Addendum where applicable), which are incorporated into our agreements with our subprocessors.

14. Changes to This Policy

We may update this Privacy Policy. We will post the updated version with a new "Last Updated" date at the top and may notify you via the Service. Continued use of the Service constitutes acceptance.

15. Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights, contact us:

Kixmeta Labs, LLC
848 E Main Street, Suite 800 #1002
Ephrata, PA 17522, United States
Email: connect@gptquest.ai

You can also reach us through our Contact Us page.