Polymath Privacy Policy (Adult Users)

Last Updated: 8 May 2025

1 Definitions & Scope

• "Polymath", "we", "us", "our" – Celadon AI Ltd., a company incorporated in New Zealand (NZBN 9429049431452) with its principal office at 9 Sunderland Ave, Auckland 0618, New Zealand.
• "Services" – The Polymath educational game, companion websites, mobile/desktop apps, and related features.
• "Personal Data" / "Personal Information" – Information that identifies or can reasonably be linked to an identified or identifiable natural person.
• "Users" – All individuals who interact with the Services, including Guardians, Educators, and Child Users.
• "Adult Users" – Guardians and Educators aged 16 or older.
• "Guardians" – Parents or legal guardians who create, supervise, or manage a child account.
• "Educators" – Teachers or school administrators who use Polymath in a classroom or other educational setting.
• "Child Users", "Children" – Individuals under 16 years of age who use the Services, typically under the supervision of a Guardian or Educator.

This notice explains how Polymath collects, uses, discloses, and protects Adult Users’ Personal Data when you use the Services worldwide. Additional jurisdiction‑specific disclosures appear in Section 6.

2 Types of Information We Collect

2.1 Information you provide to us

Data provided by all Adult Users

• Name, email address, password, and role.
• Any text, images, feedback, or in‑game messages you submit.

Additional data provided by Educators

• Classroom identifiers (e.g., class name, subject, grade).
• Rosters or other classroom data you import or enter, which may include each child’s first name, last name, and grade level.

Data Adult Users provide about Children

• Child first name, last name, grade level, and other classroom‑related details needed to set up a child profile.

2.2 Information we collect automatically

Like most online services, we and our service providers automatically collect certain technical details about your device and how you interact with the Services. This includes identifiers such as your IP address or device ID, browser and operating‑system type, the pages or screens you view (and the page visited just before), crash or diagnostics logs, and a general location inferred from your IP address. We gather this information over time and across different websites and apps using cookies, pixel tags, SDKs, and similar technologies. These tools help keep you signed in, measure traffic and usage trends, and improve performance. In the UK and EU we collect analytics cookies under our legitimate interest in product improvement and do not use cookies for targeted advertising. You can control cookies at any time through your browser settings.

2.3 Information from third‑party sources

We receive limited Personal Data from third parties where you initiate the transfer. These include, but are not limited to single sign‑on (SSO) providers, classroom platforms (such as Google Classroom or Clever). The information we obtain from third-party services depends on your account/privacy settings with those third parties and the third parties’ privacy policies. You are responsible for reviewing the privacy policies of these third parties and adjusting your settings to meet your preferences. When you access the Services through third-party platforms, you are authorizing us to collect, store, and use such information and content in accordance with this Privacy Policy. Please keep in mind that any information provided to us by a third party may also be subject to that third party’s privacy policy.

3 How We Use Your Information

We use Personal Data—alone or combined with other information—for the following business and operational purposes:

• Deliver and operate the Services (contractual necessity) – Create and manage accounts, authenticate log‑ins, maintain game progress, and provide customer support.
• Personalise learning and gameplay (legitimate interest) – Adapt difficulty, recommend content, and remember your preferences to make the experience engaging and relevant.
• Communicate with you (legitimate interest for service messages; consent for marketing) – Send service notifications, product updates, surveys, newsletters, and promotional offers you choose to receive.
• Understand and improve our products (legitimate interest) – Monitor usage trends, debug issues, conduct research, and develop new features using aggregated analytics.
• Measure the effectiveness of advertising (legitimate interest, or consent where required by law) – Evaluate which campaigns bring new Adult Users to Polymath, optimise future marketing, and compile statistics.
• Maintain safety and security (legitimate interest; legal obligation where applicable) – Detect, investigate, and prevent fraud, cheating, or unauthorised access, and enforce our Terms of Service.
• Meet legal and regulatory obligations (legal obligation).

4 How We Disclose Information

4.1 Service providers

We share Personal Data with trusted vendors who provide hosting, analytics, customer support, and related services for us. Data are stored in secure facilities located in either the United States or the European Union. Where service providers access data originating in the UK/EU, they must either (a) hold a current certification under the EU–US Data Privacy Framework or (b) have executed the EU/UK Standard Contractual Clauses—or another approved mechanism—and implement equivalent safeguards. See our subprocessors page for more information on which third parties we share with.

4.2 Business transfers

If Polymath is ever involved in a merger, acquisition, reorganisation, or sale of assets, Personal Data may be transferred as part of that transaction. We will use commercially reasonable efforts to ensure that any successor or assign continues to handle Personal Data in a manner that is materially consistent with this Privacy Notice and with all applicable privacy laws and safeguards before the transfer takes place, and we will provide advance notice to affected users.

4.3 Disclosures to other users

Some features of the Services enable limited sharing among authorised users:

• Guardians & Educators – Child profile information (name, grade, classroom membership) is visible to the guardian(s) and educator(s) responsible for that child. Adult Users may also see Personal Data about other Adult Users responsible for that child.
• Classroom peers – Child Users in the same classroom may see each other’s chosen in‑game name or avatar and aggregate classroom progress.
• Cross‑guardian visibility – Guardians can view the classrooms and educators associated with their own child.
• Public spaces – Adult Users who voluntarily join areas such as leaderboards may have minimal information (e.g., classroom name, country or state) shown to other participants. No child Personal Data is displayed in public areas.

4.4 Legal requirements

We may disclose Personal Data when we believe in good faith that doing so is necessary to comply with applicable laws or regulations—such as COPPA, FERPA, GDPR, or valid law‑enforcement requests—or to protect the rights, safety, or property of Polymath, our Users, or the public, or to enforce our Terms of Service.

4.5 No selling of data

Polymath does not “sell” Personal Information as defined by the California Consumer Privacy Act (CCPA), nor do we share it for cross‑context behavioural advertising without your consent.

5 How We Protect Your Information

We employ a layered security programme built on recognised industry best practices:

• Encryption. All traffic between your device and our servers travels over encrypted connections (TLS). Where technically feasible, data are also encrypted while stored in our databases and backups.
• Access controls. Role‑based permissions ensure that only authenticated users can view their own data. Internally, employees must use strong credentials and multi‑factor authentication, and all access is logged and periodically reviewed.
• Limited employee access. Polymath staff may access Personal Data only when necessary to operate, maintain, or improve the Services, or to meet legal obligations.
• Secure development & internal policies. We follow a secure software‑development life cycle that includes peer code reviews, dependency management, and regular security training for engineers and support staff.
• Data retention. We delete or anonymise Personal Data within 30 days of account deletion and remove encrypted backups within 90 days.

For your data to be safe, you must do your part to keep it secure. Choose a strong, unique password, keep it confidential, sign out of shared devices, and maintain the security of your own hardware and software.

6 Your Rights & Choices

You can ask us to access, correct, or delete the Personal Data we hold about you. To make a request, email help@polymath.how. Before we act, we may ask you to verify your identity (and, if you are acting on behalf of someone else, your authority to do so). We may retain certain information where required by law, to prevent fraud, or to enforce our Terms of Use.

6.1 Marketing preferences

Adult Users can opt‑out of marketing emails at any time by clicking the “unsubscribe” link included in each message or by emailing help@polymath.how.

6.2 UK/EU GDPR rights

We process personal information on the following legal bases:

• With your consent;
• As necessary to Polymath to perform its obligations under any agreement with you;
• As necessary for our legitimate business interests to provide the Services where those interests do not override your fundamental rights and freedoms related to data privacy.

If you are located in the United Kingdom or European Union, you also have the right to:

• Access the Personal Data we hold about you;
• Correct inaccurate or incomplete data;
• Request deletion or anonymisation;
• Restrict or object to specific processing;
• Receive a portable copy of your data; and
• Withdraw consent at any time (this will not affect prior processing).

You also have the right to lodge a complaint with your local data‑protection authority.

6.3 Deleting your account

You can permanently delete your Polymath account by emailing help@polymath.how. Once deletion is complete, we will remove or anonymise your Personal Data within 30 days, except for information we are required to keep to comply with legal obligations or resolve disputes.

7 Updates to this Policy

We may update this notice from time to time. We will post the revised version and, where material changes occur, notify you via email or in‑app banner.

8 Contact Us

If you have questions or comments about this Privacy Policy, please contact us at help@polymath.how.