Privacy Policy

1. Who's in charge of your data

Nichy AI is the data controller for the personal data we hold about you and your child. You can reach our data team at info@nichy.ai.

2. What we collect, and why

When you create a parent account, we collect your name, email address, the school year your child is preparing for, and your child's first name. We use this to create your account, save your child's progress and send you product emails (when you've opted in).

When your child uses Nichy AI we collect their answers, scores, time spent, and any handwritten work they upload to the AI Marker. We use this only to mark their work, build their progress dashboard for you, and improve our question banks.

We collect a small amount of technical data automatically: device type, browser, IP address, approximate location (city level), and basic crash/error logs. We use this to keep the service secure and to debug bugs.

If you sign in via Google, we receive your name, email and Google profile picture. We never receive your Google password or your Google contacts.

3. Lawful bases we rely on (UK GDPR)

• Contract — we need your data to provide the learning service you've signed up for.

• Legal obligation — to comply with safeguarding, tax and accounting rules.

• Legitimate interest — to keep Nichy AI safe, improve the platform, prevent fraud, and tell you about important account or service changes.

• Consent — for product marketing emails, the weekly word quiz broadcast and the free Vocabulary Pack lead magnet. You can withdraw consent any time via the one-click unsubscribe link in any email.

4. Who we share it with

We share data only with the suppliers we need to run Nichy AI. These include: our cloud-hosting provider (data stored in the UK / EU); our AI provider (OpenAI, for the AI Marker and AI Tutor — they don't use your child's data to train their public models); our email provider (Microsoft 365); and our payment provider (Stripe, only when you subscribe). Each provider has its own GDPR-compliant data-processing agreement.

We don't sell your data. We don't run third-party advertising on the platform. We don't share your data with data brokers.

5. International transfers

Some of our suppliers (notably OpenAI) are based in the United States. Where data travels outside the UK / EEA we rely on the UK International Data Transfer Addendum, EU Standard Contractual Clauses, or the UK-US Data Bridge — whichever applies — to ensure equivalent protection.

6. How long we keep it

Account data is kept for as long as your account is open. If you close your account we delete the account record within 30 days; aggregated, anonymised statistics (e.g. "this question is tricky for Year 5s") may be kept indefinitely.

Child practice answers are kept for the duration of the account so you can see your child's progress over time. You can request earlier deletion at any time via info@nichy.ai.

Email opt-in records and unsubscribe records are kept for up to 3 years so we can prove compliance with UK GDPR if asked.

7. Your rights

Under UK GDPR you (and your child, with you acting on their behalf) have the right to:

• access the data we hold;

• correct anything that's wrong;

• ask us to delete data we no longer need;

• restrict or object to certain types of processing;

• receive your data in a portable form;

• complain to the UK Information Commissioner's Office (ico.org.uk) if you think we've got something wrong.

Email info@nichy.ai and we'll respond within 30 days.

8. Cookies and tracking

We use the minimum cookies needed to keep you signed in ("strictly necessary"). We don't run advertising trackers and we don't track children across the web. We use a privacy-friendly analytics tool to count page views (no personal data) so we know which pages are popular.

9. Children's data, specifically

Children's accounts are created and managed by a parent or guardian — we never collect data directly from a child without parental consent. Nichy AI follows the principles of the UK Age-Appropriate Design Code (Children's Code): default to high privacy, no behavioural advertising, no profiling that could harm a child, and clear plain-English explanations.

If you're concerned about your child's data, contact info@nichy.ai and we'll help straight away.

10. Security

We protect your data with bcrypt password hashing, encrypted-in-transit traffic (HTTPS), encrypted backups, access controls inside our team, and rate-limiting on sensitive endpoints. No system is bullet-proof — if we ever discover a personal-data breach affecting you we'll notify the ICO within 72 hours and inform affected users without delay.

11. Changes to this Policy

We'll update this Policy as the service evolves. Material changes will be emailed to you at least 14 days before they take effect.