Privacy Policy

Effective Date: June 13, 2026 Company Name: Educate Online Inc. Registered Address: 1207 Delaware Ave, Suite 249, Wilmington, DE 19806, USA UK Operations: Operating from the United Kingdom ICO Registration Number: Your ICO registration number — register at ico.org.uk Contact: hello@curio.to

Our Commitment to Privacy

Regardless of where you are located, we protect your data to the highest global standards.

We comply with:

• UK General Data Protection Regulation (UK GDPR)

• EU General Data Protection Regulation (EU GDPR)

• California Consumer Privacy Act (CCPA) and similar US state laws

• General consumer protection standards worldwide

This means all users receive the same strong privacy protections:

• Right to access your data

• Right to delete your data

• Right to correct your data

• Right to export your data

• Right to opt-out of marketing

• Transparent privacy practices

Your location determines which specific law applies to you and which regulator oversees our compliance, but your actual privacy protections remain consistently high regardless of where you live.

1. Who Can Use Curio

Curio is designed for high school students, university students, and adult learners.

Age Requirement: You must be at least 13 years old to create an account and use Curio.

If you are under 18, we recommend reviewing this Privacy Policy with a parent or guardian to ensure you understand how we handle your information.

2. Information We Collect

To provide personalized AI tutoring, we collect:

Account Information:

• Email address

• Password (encrypted)

• Education level (e.g., high school, university)

• Any other details you voluntarily provide

Learning Data:

• Questions you ask and topics you study

• Documents and files you upload (homework, notes, study materials)

• Your responses and interactions with Curio

• Learning progress and mastery levels over time

• Conversation history across study sessions

Usage Data:

• Device information (browser type, operating system)

• Log data (IP address, access times, pages viewed)

• How you interact with Curio’s features

• Session duration and frequency of use

We collect this data to provide continuous, personalized tutoring that builds on your prior learning.

3. Learning Memory and Personalization

What is Learning Memory?

Learning Memory is Curio’s core feature that enables us to provide continuous, personalized tutoring across study sessions. Think of it like a human tutor who remembers what you studied last week.

Learning Memory is ON by default because it’s essential to how Curio works—it’s not an optional enhancement.

What Memory Tracks

When Learning Memory is active, Curio stores:

• Topics you’ve studied and your progress on those topics

• Questions you’ve asked and areas where you’ve struggled

• Your learning patterns and preferences (e.g., whether you prefer visual explanations or step-by-step text)

• Conversation history from previous study sessions

• Documents you’ve uploaded and their context

• Quiz scores and practice test performance over time

Why Memory is ON by Default

Unlike services where personalization is optional, Curio’s purpose is to provide continuous, adapted tutoring. Memory is fundamental to this:

With memory ON:

• Curio remembers what you’ve already learned

• Builds on your prior understanding

• Identifies knowledge gaps from past sessions

• Adapts to your learning preferences

Without memory, Curio would re-explain concepts you’ve already mastered and wouldn’t build on your previous conversations—making it far less effective as a tutor.

This is similar to a human tutor who remembers your progress. We believe this continuity is in students’ best interests.

Your Control

You are always in control of your Learning Memory:

• View your full learning profile anytime (Settings → Data & Memory)

• See exactly what Curio remembers about your learning (knowledge gaps and mastered topics)

• Toggle memory OFF with one click (Settings → Data & Memory → Enable Memory & Learning)

• Delete specific memories or clear your entire learning profile

• Export your learning data in machine-readable format (JSON) via Settings → Data & Memory → Export

If you turn memory OFF:

• Your existing profile is paused (not deleted)

• Curio won’t remember new conversations

• You can turn it back ON anytime

Profiling

Under data protection law, Learning Memory constitutes “profiling”—analyzing your learning patterns over time to personalize education.

We use profiling solely for educational purposes:

• ✓ Personalizing your tutoring experience

• ✓ Understanding what concepts need review

• ✓ Adapting explanations to your learning style

We do NOT use profiling for:

• ✗ Advertising or marketing

• ✗ Selling to third parties

• ✗ Any commercial purpose beyond improving your learning

4. How We Use Your Data

We use your data to:

Educational Purposes:

• Provide personalized AI tutoring across sessions

• Remember your learning progress (Learning Memory)

• Understand which concepts you’ve mastered and which need review

• Adapt explanations to your learning style

• Analyze documents you upload to provide relevant help

• Track your improvement over time

Service Operations:

• Create and manage your account

• Send you important updates about your account or our service

• Respond to your questions and provide customer support

• Improve Curio’s educational effectiveness

Security and Compliance:

• Detect and prevent fraud, spam, or misuse of the platform

• Comply with legal obligations

• Enforce our Terms of Service

Optional Communications:

• Send occasional educational tips or feature updates (you can opt out anytime)

Legal Basis (UK GDPR):

We process your data based on:

• Your consent (by creating an account and using Curio)

• Our legitimate interests in providing effective educational services

• Performance of our contract with you (providing the tutoring service)

For users aged 13–17: You can consent to use Curio yourself under UK law. We process your data based on your consent and our legitimate interests in providing educational services.

5. Sharing Your Data

We do not sell your personal data or learning profiles to anyone.

For California Residents: We do not “sell” or “share” your personal information as those terms are defined under the California Consumer Privacy Act (CCPA). We have not sold or shared personal information in the past 12 months.

We share data only with:

Service Providers:

We use trusted third-party services to operate Curio:

• Amazon Web Services (AWS): Cloud hosting, database, and storage services (data stored in the UK/EU region)

• OpenAI, Anthropic, and Google: AI model providers that process your study content to generate tutoring responses on our behalf

• Sentry: Error monitoring and application diagnostics

• Mixpanel: Product analytics to understand feature usage and improve the service

• Customer.io: Email and customer engagement communications

• Google Tag Manager: Website analytics and measurement

• Paddle: Payment processing for subscriptions

These providers process data on our behalf under strict Data Processing Agreements that comply with UK GDPR, including Standard Contractual Clauses where applicable. These providers are not permitted to use your data for their own purposes. This does not constitute a “sale” or “sharing” under CCPA.

Legal Requirements:

We may disclose your information if required by law, court order, or government request, or if necessary to:

• Comply with legal obligations

• Protect our rights, property, or safety

• Protect the rights, property, or safety of our users or the public

• Detect, prevent, or address fraud or security issues

Business Transfers:

If Curio is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you via email and/or prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.

We never share your individual learning profiles, conversation history, or personal study data with third parties for their commercial purposes.

6. Your Rights

Your privacy rights depend on where you are located.

For UK/EEA Users

You have the following rights under UK GDPR:

Right of Access: Request a copy of all personal data we hold about you, including your learning profile. We will provide this within one month, free of charge.

Right to Rectification: Correct any inaccurate or incomplete personal data.

Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data, including your entire learning profile. We will delete your data within 30 days, including from backup systems.

Right to Restrict Processing: Ask us to stop processing your data temporarily while we investigate a concern you’ve raised.

Right to Data Portability: Request your data in a structured, commonly used, machine-readable format (JSON) to transfer it to another service.

Right to Object: Object to processing based on our legitimate interests. If you object, we will stop processing unless we have compelling grounds to continue.

Right to Withdraw Consent: If we process your data based on your consent (e.g., marketing emails), you can withdraw that consent at any time. This won’t affect processing that occurred before you withdrew consent.

Right to Lodge a Complaint: If you’re unhappy with how we handle your data, you have the right to lodge a complaint with the UK’s Information Commissioner’s Office (ICO):

• Website: ico.org.uk

• Phone: 0303 123 1113

• Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

For EU users, contact your local Data Protection Authority.

For US Users

Federal Rights: Under US federal law, you have the right to honest and transparent privacy practices, notification if our practices change, and opt-out of marketing communications.

State-Specific Rights (California, Virginia, Colorado, Connecticut, Utah): If you reside in one of these states, you have the right to know/access, delete, correct, opt-out of sale/sharing (we do not sell or share), non-discrimination, and data portability (California).

How to Exercise Your Rights: Email us at hello@curio.to with your request, location/state of residence (if applicable), and information to help us verify your identity (e.g., email address associated with your account).

We will respond within:

• 45 days for most US state requests

• 30 days for UK/EU requests

• We may extend this by 30 days if needed for complex requests

For All Users (Regardless of Location)

Even if your country or state doesn’t have specific privacy laws, we commit to providing access to your data, deleting your data upon request, correcting inaccurate information, and responding to privacy inquiries within 30 days. Contact hello@curio.to to exercise any rights.

7. Children’s Privacy

Age Requirement: Curio is designed for high school students, university students, and adult learners. You must be at least 13 years old to create an account and use our service.

Children Under 13: We do not knowingly collect personal information from children under 13. Our service is not directed at children under 13. If we discover that a user is under 13, we will delete their account and all associated data promptly.

Parental Rights: If you are a parent or guardian and believe your child under 13 has created an account, please contact us immediately at hello@curio.to. We will verify your relationship to the child, delete the account and all associated data within 7 days, and provide you with confirmation of deletion.

Young People (13–17): If you are between 13 and 17 years old, we recommend reviewing this Privacy Policy with a parent or guardian. Under UK GDPR, you can consent to use Curio yourself at age 13. However, your parent or guardian can contact us at hello@curio.to to request information about your data, request deletion of your account, disable Learning Memory, or ask questions about our practices. We will verify their identity and relationship to you before responding to their request.

8. Data Security

We take the security of your data seriously and implement appropriate technical and organizational measures:

Security Measures:

• Encryption in transit: All data transmitted between your device and our servers uses HTTPS/TLS encryption

• Encryption at rest: Your learning profile and personal data are encrypted when stored in our database

• Access controls: Only authorized personnel can access personal data, limited to what’s necessary for their role

• Secure infrastructure: We use Amazon Web Services (AWS) with data hosted in the United Kingdom/European Union region

• Regular security updates: We keep our systems patched and up to date

• Monitoring and logging: We monitor for unauthorized access and security incidents

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data using commercially acceptable means, we cannot guarantee absolute security.

Data Breach Notification: In the event of a data breach that poses a risk to your rights and freedoms, we will notify you without undue delay, notify the Information Commissioner’s Office (ICO) within 72 hours as required by UK GDPR (for UK users), notify relevant authorities as required by applicable law, and provide information about the nature of the breach and steps you can take to protect yourself.

9. Data Retention

Active Accounts: Your learning profile and data are retained while your account is active and Learning Memory is enabled.

Inactive Accounts: If you don’t log in for 12 consecutive months, we will send you an email before archiving or deleting your data. If you don’t respond within 30 days, we may delete your learning profile to minimize data storage.

Deleted Accounts: When you delete your account, we permanently erase all your data within 30 days, including from backup systems.

Legal Retention: In some cases, we may be required to retain certain data for longer periods to comply with legal obligations (e.g., financial records for tax purposes).

10. International Data Transfers

Your data is stored and processed in the United Kingdom and/or European Economic Area using Amazon Web Services (AWS) infrastructure.

Company Structure: Educate Online Inc. is a company incorporated in Delaware, USA, but operates from the United Kingdom. Your data protection rights are governed by UK GDPR (for UK users) or other applicable laws based on your location, regardless of our corporate structure.

Transfers Outside UK/EEA: If we ever transfer data outside the UK or European Economic Area, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office, adequacy decisions, or other approved transfer mechanisms. We will notify you of such transfers in this Privacy Policy.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to improve your browsing experience, analyze site traffic, and personalize content.

Types of Cookies:

• Essential Cookies (Always Active): Required for our website to function properly — authentication cookies (keep you logged in), security cookies (protect against fraud), and session cookies (maintain your session)

• Analytics Cookies (Optional): Help us understand how visitors use Curio — page views and navigation patterns, feature usage statistics, error tracking and debugging

• Marketing Cookies (Optional): Used with your consent for remembering your preferences, personalizing content, and measuring effectiveness of communications

Your Cookie Choices: You can manage your cookie preferences through our cookie banner when you first visit, in your browser settings at any time, or by contacting us at hello@curio.to.

Note: Learning Memory is stored in our secure database, not in browser cookies. Your learning profile persists across devices when you log in. Disabling cookies will not delete your learning profile — use the Clear all option in Settings → Data & Memory to delete your profile.

12. Do Not Sell My Personal Information (California)

California residents: We do not sell your personal information.

Under the California Consumer Privacy Act (CCPA), you have the right to opt-out of the “sale” of your personal information. We do not sell personal information as defined by CCPA — we do not share your data with third parties for monetary compensation, for cross-context behavioral advertising, or with data brokers. We only share data with service providers (like AWS for hosting) who are contractually prohibited from using your data for their own purposes.

If our practices change in the future, we will update this Privacy Policy, provide a “Do Not Sell My Personal Information” link on our website, and notify California residents via email.

If you have questions about how we handle your data, contact hello@curio.to.

13. Jurisdiction and Applicable Privacy Laws

The privacy laws that protect you depend on where you are located.

For Users in the United Kingdom: Your data is protected by UK GDPR, the Data Protection Act 2018, and the Age Appropriate Design Code (for users under 18). Your supervisory authority is the Information Commissioner’s Office (ICO) — ico.org.uk, phone 0303 123 1113.

For Users in the European Union/EEA: Your data is protected by EU GDPR. Contact your local Data Protection Authority in your EU member state.

For Users in the United States: Your data is protected by general consumer protection laws enforced by the Federal Trade Commission (FTC). COPPA: Curio is not directed at children under 13. Our Terms of Service require users to be at least 13 years old. State privacy laws (California CCPA/CPRA, Virginia, Colorado, Connecticut, Utah, etc.) may provide additional rights — contact hello@curio.to to exercise them.

For Users in Other Countries: We treat all users with the same high standards of data protection, regardless of location.

Our Commitment: Regardless of where you are located, we collect only data necessary for our educational service, do not sell your data to third parties, use your data solely for educational purposes, provide transparency about our practices, and respond to your privacy requests promptly.

Company Structure and Data Location: Educate Online Inc. is incorporated in Delaware, USA, but operates from the United Kingdom. Your data is stored in the UK/EU region using secure cloud infrastructure (Amazon Web Services). Regardless of our company structure, we comply with the privacy laws applicable to you based on your location.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When We Update:

• We will update the “Effective Date” at the top of this policy

• For significant changes, we will notify you via email to your registered email address, prominent notice on our website or in the application, and in-app notification when you next log in

Your Rights: If you disagree with changes to this policy, you can stop using Curio, delete your account and all data, or contact us with questions or concerns. Continued use of Curio after changes indicates your acceptance of the updated policy.

15. Contact Us

Questions or Concerns: If you have any questions about this Privacy Policy, how we handle your data, or want to exercise your rights, please contact us:

• Email: hello@curio.to

• Postal Address: Educate Online Inc., 1207 Delaware Ave, Suite 249, Wilmington, DE 19806, USA

• UK Contact: Operating from the United Kingdom

Data Protection Authority: For UK users, you can also contact the Information Commissioner’s Office — ico.org.uk, phone 0303 123 1113, address Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. For EU users, contact your local Data Protection Authority. For US users, contact the Federal Trade Commission (FTC) or your state’s Attorney General.

We aim to respond to all inquiries within 7 days, and formal data subject rights requests within one month (UK/EU) or 45 days (US states) as required by applicable law.

Last Updated: June 13, 2026

© 2025 Educate Online Inc. All rights reserved.