This Privacy Policy explains how Go Huge AB (“HeyKnowee”, “we”, “us”) collects and processes personal data when parents use our services and when children use child profiles under a parent’s account.
Controller: Go Huge AB (org. nr 559041-6243), Karin Boyes gata 7, 411 11 Göteborg, Sweden
VAT: SE559041624301
Contact: [email protected]
Supervisory authority: Integritetsskyddsmyndigheten (IMY), Sweden
No Data Protection Officer is currently appointed. You may contact us at the address above for privacy matters.
This Policy covers our websites, apps, and the HeyKnowee AI tutor service (the “Service”).
Only a parent or legal guardian aged 18+ may register and maintain the account and payment method. Children access the Service solely via child profiles created by their parent/guardian. We do not permit children to register their own accounts.
Parent account data: name, email, password, country/region, settings, customer support messages.
Payment and billing data: subscription status, receipts, billing address, and limited payment metadata. Card details are handled by payment processors (Stripe and/or Apple) as independent controllers; we do not store full card numbers.
Child profile data: profile name, age/date of birth (as provided by the parent), learning preferences, avatars.
Educational content and usage: prompts/messages to the AI tutor, study context provided by the parent/child, progress metrics, timestamps, app and feature usage, and in‑product feedback.
Device and technical data: IP address, device and browser identifiers, language, operating system, crash/diagnostic logs, and security signals.
Cookies and similar technologies: used for authentication, security, basic analytics, and service performance. See “Cookies” below.
Provide and operate the Service (accounts, profiles, content processing, support):
Legal bases: contract (parent); consent of the holder of parental responsibility for a child’s data; legitimate interests for security and service integrity.
Payments, accounting, and fraud prevention:
Legal bases: performance of a contract (parent); legal obligation (book‑keeping and tax); legitimate interests (fraud and abuse prevention).
Safety and abuse prevention (rate limiting, security monitoring, misuse detection):
Legal basis: legitimate interests; legal obligation where applicable.
Service improvement (non‑personal or aggregated insights, diagnostics, performance):
Legal basis: legitimate interests. We do not use user content (including children’s content) to train or improve our models.
Communications (transactional emails, account notices, service changes):
Legal bases: performance of a contract; legal obligation; legitimate interests.
Marketing to parents (where permitted):
Legal bases: consent where required; otherwise legitimate interests. We do not engage in direct marketing to children and we do not use children’s data for behavioral advertising.
Registration: Only a parent/guardian 18+ may create an account. Children use the Service through child profiles created by the parent.
Verifiable parental consent (VPC): We obtain VPC via a monetary transaction or equivalent strong verification (e.g., 3D Secure). We maintain consent logs.
Direct notice to parents: Before collecting a child’s personal data, we provide a clear notice describing what we collect, how we use and share it, and your rights. See the “Direct Notice to Parents”.
Data minimization: We minimize collection about children and ask parents not to include unnecessary personal data in messages. Where possible, we limit collection prior to consent to age‑band information for access gating.
Parental rights and controls: Parents can review, download, delete their child’s personal data, stop further collection, delete child profiles, and close the account. Requests can be made via account settings or by contacting [email protected]. We will verify identity and authority before acting.
No behavioral advertising to children: We do not show targeted advertising to children and do not sell or share children’s personal data for cross‑context behavioral advertising.
Educational purpose: Child data is used solely to provide the educational Service, personalize learning safely, ensure security, and comply with law.
Service providers (processors): hosting, infrastructure, email delivery, error monitoring, customer support. We require data processing agreements and instructions.
Key providers: Google Gemini (AI model provider for content processing; configured so your content is not used for model training), Stripe and/or Apple (payments; independent controllers for payment data they collect).
Legal and safety: we may disclose data to comply with applicable law, enforce terms, or protect rights, safety, and security.
No sale or sharing of personal data for behavioral advertising. We do not allow advertising networks to target children based on their data.
We may transfer personal data outside your country. For EEA/UK data, we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses and/or the UK IDTA, plus supplementary measures where needed. We assess the laws of destination countries and update our safeguards as required.
Parent account data: retained for the life of the account and deleted immediately upon account closure from active systems, except where retention is required by law or necessary to establish, exercise, or defend legal claims.
Child profile and learning data: retained while the parent’s account is active. When a parent deletes a child profile or closes the account, we delete associated child personal data from active systems immediately.
Payment, invoicing, and accounting records: retained for 7 years (or longer if required by applicable law).
Security and system logs: typically 90–365 days unless needed longer for investigations or legal purposes.
We employ technical and organizational measures appropriate to the risk, including encryption in transit and at rest, access controls, least‑privilege, monitoring, secure development practices, and incident response. No system is perfectly secure; we encourage strong parent account hygiene and PIN/access controls for child profiles.
EEA/UK residents: access, rectification, erasure, restriction, portability, and objection to processing based on legitimate interests; withdraw consent without affecting prior processing. Parents exercise rights on behalf of their children. We respond within one month unless extensions apply.
How to exercise: use in‑app tools (where available) or contact [email protected]. We will verify identity and authority.
Complaints: you may complain to your local data protection authority. Our lead authority in the EU is IMY (Sweden).
The Service uses AI to generate educational guidance and content. We do not use automated decision‑making that produces legal or similarly significant effects on individuals. We do not use children’s data for behavioral profiling.
Parents may receive service announcements and optional marketing. You can unsubscribe from marketing emails at any time.
Cookies: we use only strictly necessary cookies required to operate the Service (e.g., authentication/session and security). We do not use advertising or marketing cookies. See our Cookie Policy for details.
If you subscribe via Apple’s App Store, Apple is the merchant of record for payments and processes your payment data as an independent controller. Cancellations and refunds (including, where applicable, EEA/UK withdrawal) are managed under Apple’s terms.
We will post updates here and, for material changes, provide reasonable advance notice (e.g., email or in‑product notice). Your continued use after the effective date means you acknowledge the updated policy.
Email: [email protected]
Address: Go Huge AB, Karin Boyes gata 7, 411 11 Göteborg, Sweden
Effective: 2 September 2025
Version: 1.0