Polymath Privacy Policy (Adult Users)

Last Updated: 27 March 2026

1 Definitions & Scope

• "Polymath", "we", "us", "our" – Celadon AI Ltd., a company incorporated in New Zealand (NZBN 9429049431452) with its principal office at 9 Sunderland Ave, Auckland 0618, New Zealand.
• "Services" – The Polymath educational game, companion websites, mobile/desktop apps, and related features.
• "Personal Data" / "Personal Information" – Information that identifies or can reasonably be linked to an identified or identifiable natural person.
• "Users" – All individuals who interact with the Services, including Guardians, Educators, and Child Users.
• "Adult Users" – Guardians and Educators aged 16 or older.
• "Guardians" – Parents or legal guardians who create, supervise, or manage a child account.
• "Educators" – Teachers or school administrators who use Polymath in a classroom or other educational setting.
• "Child Users", "Children" – Individuals under 16 years of age who use the Services, typically under the supervision of a Guardian or Educator.
• "Polymath Friends" – Features of the Services that enable Child Users to connect and interact with other Child Users within a controlled in-game environment.
• "Friend Code" – A unique, system-generated code that may be used by a Child User to request a connection with another Child User within the Services.
• "Connection" – A relationship established between two Child Users within the Services that enables limited in-game interaction and visibility between those users.
• "Shared Environment" – An in-game space in which multiple Child Users can interact, view, or contribute to gameplay activities.
• "Classroom Setting" – Polymath uses a combination of user behaviours, user role information, IP addresses and publicly available data to attempt to determine when a user is accessing Polymath from within a classroom setting. This data is used to determine whether the Educators or Guardians preferred play settings should take precedence. This is a best-effort estimation.
• "Play Location" – Refers to the location from which a Child User is accessing Polymath (this will be either from within a Classroom Setting, or from a location outside of the Classroom Setting).

This notice explains how Polymath collects, uses, discloses, and protects Adult Users’ Personal Data when you use the Services worldwide. Additional jurisdiction‑specific disclosures appear in Section 6.

2 Types of Information We Collect

2.1 Information you provide to us

Data provided by all Adult Users

• Name, email address, password, and role.
• Any text, images, feedback, or in‑game messages you submit.

Additional data provided by Educators

• Classroom identifiers (e.g., class name, subject, grade).
• Rosters or other classroom data you import or enter, which may include each child’s first name, last name, and grade level.

Data Adult Users provide about Children

• Child first name, last name, grade level, and other classroom‑related details needed to set up a child profile.

2.2 Information we collect automatically

Like most online services, we and our service providers automatically collect certain technical details about your device and how you interact with the Services. This includes identifiers such as your IP address or device ID, browser and operating‑system type, the pages or screens you view (and the page visited just before), crash or diagnostics logs, and a general location inferred from your IP address. We gather this information over time and across different websites and apps using cookies, pixel tags, SDKs, and similar technologies. These tools help keep you signed in, measure traffic and usage trends, and improve performance. In the UK and EU we collect analytics cookies under our legitimate interest in product improvement and do not use cookies for targeted advertising. You can control cookies at any time through your browser settings.

2.3 Information from third‑party sources

We receive limited Personal Data from third parties where you initiate the transfer. These include, but are not limited to single sign‑on (SSO) providers, classroom platforms (such as Google Classroom or Clever). The information we obtain from third-party services depends on your account/privacy settings with those third parties and the third parties’ privacy policies. You are responsible for reviewing the privacy policies of these third parties and adjusting your settings to meet your preferences. When you access the Services through third-party platforms, you are authorizing us to collect, store, and use such information and content in accordance with this Privacy Policy. Please keep in mind that any information provided to us by a third party may also be subject to that third party’s privacy policy.

3 How We Use Your Information

We use Personal Data—alone or combined with other information—for the following business and operational purposes:

• Deliver and operate the Services (contractual necessity) – Create and manage accounts, authenticate log‑ins, maintain game progress, and provide customer support.
• Personalise learning and gameplay (legitimate interest) – Adapt difficulty, recommend content, and remember your preferences to make the experience engaging and relevant.
• Communicate with you (legitimate interest for service messages; consent for marketing) – Send service notifications, product updates, surveys, newsletters, and promotional offers you choose to receive.
• Understand and improve our products (legitimate interest) – Monitor usage trends, debug issues, conduct research, and develop new features using aggregated analytics.
• Measure the effectiveness of advertising (legitimate interest, or consent where required by law) – Evaluate which campaigns bring new Adult Users to Polymath, optimise future marketing, and compile statistics.
• Maintain safety and security (legitimate interest; legal obligation where applicable) – Detect, investigate, and prevent fraud, cheating, or unauthorised access, and enforce our Terms of Service.
• Meet legal and regulatory obligations (legal obligation).

4 How We Disclose Information

4.1 Service providers

We share Personal Data with trusted vendors who provide hosting, analytics, customer support, and related services for us. Data are stored in secure facilities located in either the United States or the European Union. Where service providers access data originating in the UK/EU, they must either (a) hold a current certification under the EU–US Data Privacy Framework or (b) have executed the EU/UK Standard Contractual Clauses—or another approved mechanism—and implement equivalent safeguards. See our subprocessors page for more information on which third parties we share with.

4.2 Business transfers

If Polymath is ever involved in a merger, acquisition, reorganisation, or sale of assets, Personal Data may be transferred as part of that transaction. We will use commercially reasonable efforts to ensure that any successor or assign continues to handle Personal Data in a manner that is materially consistent with this Privacy Notice and with all applicable privacy laws and safeguards before the transfer takes place, and we will provide advance notice to affected users.

4.3 Disclosures to other users

4.3.1 Sharing among authorised users

• Guardians & Educators – Child profile information (name, grade, classroom membership) is visible to the guardian(s) and educator(s) responsible for that child. Adult Users may also see Personal Data about other Adult Users responsible for that child.
• Classroom peers – Child Users in the same classroom may see each other’s chosen in‑game name, full name, or avatar and aggregate classroom progress. Child Users using Polymath Friends may see additional information - see section 4.3.2 Sharing through multiplayer (Polymath Friends).
• Non-classroom peers – Child Users that are not classroom peers can connect to one another using Polymath Friends and share limited information with one another - see section 4.3.2 Sharing through multiplayer (Polymath Friends).
• Cross‑guardian visibility – Guardians can view the classrooms and educators associated with their own child. Adult Users may also see the chosen in‑game name of a child user they are not responsible for if they are connected as a friend to a Child User account that they are associated with - see section 4.3.2 Sharing through multiplayer (Polymath Friends).
• Public areas – Adult Users who voluntarily join areas such as leaderboards may have minimal information (e.g., classroom name, country or state) shown to other participants. No child Personal Data is displayed in public areas.

4.3.2 Sharing through multiplayer (Polymath Friends)

What is shared

A Child User may exchange a friend code to connect with other Child Users. These connections enable Child Users to interact with one another within the Services in a controlled and limited environment designed for collaborative gameplay and require consent from either an Educator or Guardian.

When connected, Child Users may:

• access shared in-game environments;
• participate in collaborative in-game activities (such as building);
• transfer or share in-game resources; and
• view aspects of each other’s in-game activity within those shared environments.

Connections allow limited in-game visibility, including a Child User’s nickname and avatar, as well as in-game actions and creations within shared gameplay contexts.

Where an Adult User (Guardian or Educator) has enabled Polymath Friends for a Child User, the Guardian can view information about that Child Users connections. This information is limited to information that is visible by the Child User under their guardianship and includes

• the users chosen in-game name and avatar;
• shared in-game environments;
• view aspects of the Child Users in-game activity within those shared environments

For Child Users connected to one another with permission from an Educator, names as entered by the Educator are also shared between connected users and can be visible to their Guardians.

Polymath Friends doesn’t allow for free-text messaging, chat or voice communication. Child Users cannot use Polymath Friends to communicate personal contact information, and Polymath Friends does not enable Child Users to contact one another outside of the Services.

How connections are enabled

• Where access to the Services is provided for a Child through an Educator in a Classroom Setting, an Educator must grant the Child User permission to use Polymath Friends. Child Users granted permission in this manner can only connect to other Child Users within the same classroom.
• Where access to the Services is provided for a Child through a Guardian not in a Classroom Setting, a Guardian must grant the Child User permission to use Polymath Friends. Guardians are notified as connections are made, and can manage and remove these at https://relate.polymath.how/parent at any time.

These controls are intended to ensure that interactions occur only between known peers and within appropriate contexts.

How users connect

Friend codes are used to facilitate connections between Child Users. A connection requires action by both Child Users (one must initiate the request, the other must accept).

Child Users may control certain permissions within shared environments (for example, whether another Child User may view or modify in-game content), and may remove connections at any time.

These features are designed to support collaborative learning while limiting the sharing of Personal Data and reducing the risk of misuse or harmful behaviour.

4.4 Anonymisation of data

When an Adult User deletes their connection to a child, that link is removed; if no other Adult User remains, we anonymise the child’s data within 30 days. When Anonymisation occurs the Child User loses the ability to have an active connection to another Child Users account and both Child Users lose visibility of any data otherwise shared with eachother through Polymath Friends (see section 4.3).

4.5 Legal requirements

We may disclose Personal Data when we believe in good faith that doing so is necessary to comply with applicable laws or regulations—such as COPPA, FERPA, GDPR, or valid law‑enforcement requests—or to protect the rights, safety, or property of Polymath, our Users, or the public, or to enforce our Terms of Service.

4.6 No selling of data

Polymath does not “sell” Personal Information as defined by the California Consumer Privacy Act (CCPA), nor do we share it for cross‑context behavioural advertising without your consent.

5 How We Protect Your Information

We employ a layered security programme built on recognised industry best practices:

• Encryption. All traffic between your device and our servers travels over encrypted connections (TLS). Where technically feasible, data are also encrypted while stored in our databases and backups.
• Access controls. Role‑based permissions ensure that only authenticated users can view their own data. Internally, employees must use strong credentials and multi‑factor authentication, and all access is logged and periodically reviewed.
• Limited employee access. Polymath staff may access Personal Data only when necessary to operate, maintain, or improve the Services, or to meet legal obligations.
• Secure development & internal policies. We follow a secure software‑development life cycle that includes peer code reviews, dependency management, and regular security training for engineers and support staff.
• Data retention. We delete or anonymise Personal Data within 30 days of account deletion and remove encrypted backups within 90 days.

For your data to be safe, you must do your part to keep it secure. Choose a strong, unique password, keep it confidential, sign out of shared devices, and maintain the security of your own hardware and software.

6 Your Rights & Choices

You can ask us to access, correct, or delete the Personal Data we hold about you. To make a request, email help@polymath.how. Before we act, we may ask you to verify your identity (and, if you are acting on behalf of someone else, your authority to do so). We may retain certain information where required by law, to prevent fraud, or to enforce our Terms of Use.

6.1 Marketing preferences

Adult Users can opt‑out of marketing emails at any time by clicking the “unsubscribe” link included in each message or by emailing help@polymath.how.

6.2 UK/EU GDPR rights

We process personal information on the following legal bases:

• With your consent;
• As necessary to Polymath to perform its obligations under any agreement with you;
• As necessary for our legitimate business interests to provide the Services where those interests do not override your fundamental rights and freedoms related to data privacy.

If you are located in the United Kingdom or European Union, you also have the right to:

• Access the Personal Data we hold about you;
• Correct inaccurate or incomplete data;
• Request deletion or anonymisation;
• Restrict or object to specific processing;
• Receive a portable copy of your data; and
• Withdraw consent at any time (this will not affect prior processing).

You also have the right to lodge a complaint with your local data‑protection authority.

6.3 Deleting your account

You can permanently delete your Polymath account by emailing help@polymath.how. Once deletion is complete, we will remove or anonymise your Personal Data within 30 days, except for information we are required to keep to comply with legal obligations or resolve disputes.

7 Updates to this Policy

We may update this notice from time to time. We will post the revised version and, where material changes occur, notify you via email or in‑app banner.

8 Contact Us

If you have questions or comments about this Privacy Policy, please contact us at help@polymath.how.