Phone
Kodwise OÜ
Last Updated: 3 Jun 2026 · Version 1.1
1. INTRODUCTION AND SCOPE
1.1 This Privacy Policy explains how Kodwise OÜ (“Kodwise”, “we”, “us”, “our”) collects, uses, shares, retains, and protects personal data when you and your child use our websites, learning platform (Academy), live lessons, AI assistant (Kodmigo), community features, and related services (the “Services”).
1.2 We process personal data in accordance with the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus, “IKS”). UK GDPR applies additionally to users in the United Kingdom; the Turkish Personal Data Protection Law (KVKK, Law 6698) may also apply to certain processing activities for data subjects in Türkiye (see §15A); and, because we serve children under 13 in the United States, the Children’s Online Privacy Protection Act (COPPA) applies to those children. Region-specific rights are summarised in §15A.
1.3 Our customers are parents and guardians. They create the account, accept our Terms, and make payments. Children (ages 5–17) use the learning product under their parent’s account and consent. This Policy covers both. A short, plain-language summary for children is in §8A.
1.4 This Policy applies to all Kodwise OÜ properties. Not every technology described here operates on every property — for example, advertising-measurement tools run on our public marketing site, not inside the logged-in learning app. This Policy supplements our Cookie Policy and Terms of Service.
2. DATA CONTROLLER AND CONTACT
2.1 The data controller is Kodwise OÜ (registry code 17191501), Ahtri tn 12, Kesklinna linnaosa, 15551 Tallinn, Harju maakond, Estonia.
2.2 For all privacy and data-protection matters, including to exercise your rights, contact legal@kodwise.org. General enquiries: info@kodwise.org.
2.3 We have not appointed a Data Protection Officer, having assessed that we are not required to under GDPR Art. 37. We have documented this assessment and carried out a Data Protection Impact Assessment (DPIA) for our higher-risk processing (children’s data, the AI assistant, lesson recordings, and international transfers), and we reassess the DPO position periodically — in particular if our user base, monitoring, AI, recording, or school operations expand. Our privacy contact point is legal@kodwise.org.
2A. REPRESENTATIVES
2A.1 Kodwise is established in the EU (Estonia), so no EU representative under GDPR Art. 27 is required.
2A.2 United Kingdom. We currently handle UK users on a limited basis and have no UK establishment, and we keep our UK GDPR Art. 27 representative position under review. If our UK offering expands in a way that requires a representative, we will appoint one and publish its name, UK address, and contact details here. UK users may exercise their rights and contact us at legal@kodwise.org at any time.
2A.3 Türkiye. Where a KVKK data-controller representative or VERBİS (data controllers’ registry, “Veri Sorumluları Sicili”) registration obligation applies to us in respect of Turkish data subjects, we will fulfil it. We keep this position under review as our presence in the Turkish market develops.
3. THE PERSONAL DATA WE PROCESS
Depending on how you use the Services, we process the following categories:
• Identity data — parent/guardian name; a child’s first name and age (only as needed to deliver lessons); a public display handle for the child (not the real name).
• Contact data — email, phone, city, country.
• Account & education data — login credentials (stored hashed), course enrolment, lesson progress, projects and code created by the child, achievements, certificates, attendance (live lessons).
• AI assistant (Kodmigo) data — the questions and code a child submits to Kodmigo (with direct personal identifiers removed before processing) and the assistant’s responses, plus quota/usage counters and feedback.
• Billing data — subscription and payment status, billing region/country, invoices and add-on purchases. Full card details are processed by our payment provider (Stripe) and are not stored by us.
• Communications — support messages, emails, and — for live lessons and certain sales/support calls — lawful audio/video recordings.
• Usage & technical data — pages and features used, device/browser information, referrer and campaign (UTM) data, IP address, and events such as form submissions or trial bookings (our product analytics, PostHog, are consent-gated and configured not to store your IP address in analytics event profiles; our server and security logs may still process IP addresses where necessary for security and abuse prevention).
• Marketing data — email opt-in status, marketing preferences, and consent records.
• Consent records — the consents you give (terms, marketing, showcase publishing, verifiable parental consent) and acknowledgements (such as our sub-processor notice), with timestamp, version, and technical context.
We do not intentionally collect special-category data (Art. 9). Please do not submit it (for example, in projects, code, or Kodmigo chat). If such data is nonetheless submitted, we handle it only as necessary to provide, moderate, secure, or delete the content, and we do not use it for profiling or advertising.
4. WHOSE DATA WE PROCESS
Parents/guardians, children (under parental consent), teachers/tutors, school administrators (B2B), website visitors and leads, and people who contact us.
5. HOW WE COLLECT PERSONAL DATA
We obtain personal data:
• directly from you — registration, checkout, forms, support, lessons, and community activity;
• from your child’s use of the learning product, under your account and consent;
• from your device — cookies and similar technologies, where you consent (see the Cookie Policy);
• from live lessons — session recordings, where applicable;
• from third parties (see §5A).
5A. DATA WE RECEIVE FROM OTHERS (GDPR ART. 14)
Some data does not come directly from the data subject:
• Payment provider (Stripe) — payment and subscription status.
• OAuth providers (Google / Apple) — if you sign in with them, your email, name, and basic profile.
• Schools (B2B) — a parent’s or teacher’s name and email, provided by the school so we can send invitations.
These sources are not publicly accessible sources. Where we obtain personal data about you from another party, we provide this Policy as the required information within a reasonable period and at the latest within one month, or at the time of our first communication with you. The categories of such data are identity and contact data; the purpose and legal bases are in §6.
6. PURPOSES & LEGAL BASES (GDPR ART. 6)
• Create and manage accounts; deliver courses, lessons, projects, certificates, live lessons, and the AI assistant — performance of a contract (Art. 6(1)(b)).
• Obtain and record parental consent for a child’s account (incl. verifiable parental consent for under-13s) — consent (Art. 6(1)(a) + Art. 8).
• Process payments, invoicing, accounting and tax records — legal obligation (Art. 6(1)(c)) (and contract for the purchase itself).
• Operate community/showcase features (publishing is optional and parent-controlled) — consent (Art. 6(1)(a)) for publishing; contract (Art. 6(1)(b)) for core features.
• Content moderation, child-safety, fraud prevention, and security — legitimate interest (Art. 6(1)(f)): our interest in keeping children safe on the platform, preventing fraud and abuse, and keeping the Service secure and functioning.
• Keep the Service running, secure and reliable — essential telemetry, error/debug logs, security and abuse monitoring — legitimate interest (Art. 6(1)(f)): our interest in a secure, stable, working Service; and performance of a contract (Art. 6(1)(b)), where the processing is necessary to deliver the Service.
• Product analytics — understand and improve how the Service is used (non-essential) — consent (Art. 6(1)(a)).
• Review a limited sample of AI-assistant (Kodmigo) interactions for quality and child-safety (content is identifier-redacted before processing) — legitimate interest (Art. 6(1)(f)): our interest in a safe, accurate educational AI for children, balanced against the child’s rights, with identifier redaction and the parent’s ability to disable Kodmigo (§8.5).
• Record live lessons (and certain calls) for the purposes in §9A — consent (Art. 6(1)(a)) for the recording, together with performance of a contract (Art. 6(1)(b)) for delivering the live-lesson service.
• Marketing, remarketing and advertising to parents — consent (Art. 6(1)(a)).
• Respond to legal requests and establish/exercise/defend legal claims — legal obligation (Art. 6(1)(c)) / legitimate interest (Art. 6(1)(f)): our interest in complying with law and protecting our rights.
• Respond to a serious, imminent risk to a child’s safety — vital interests (Art. 6(1)(d)), in a genuine emergency only.
Where we rely on legitimate interests, we have balanced our interest against your rights; you may object (see §15). Where we rely on consent, you may withdraw it at any time, without affecting prior processing.
6A. IS PROVIDING DATA REQUIRED?
Providing account, contact, and (for under-13s) parental-consent data is necessary to create an account and deliver the Services; without it we cannot provide them. Billing data is necessary to take payment for a paid plan. Analytics and marketing data are optional, and declining them does not affect your access to the Services.
7. MARKETING AND ADVERTISING
7.1 Marketing and advertising are directed at parents/guardians (adults), not children. We send marketing emails only with consent and you can opt out at any time (every marketing email contains an unsubscribe link, and you can change preferences in your Account).
7.2 For advertising measurement we share only hashed parent identifiers and click identifiers with advertising partners — never a child’s name, age, or date of birth. We do not use children’s data for advertising or profiling, and we never sell personal data.
8. CHILDREN’S DATA
8.1 The Services are designed for children, but all contracts and payments are made with a parent or guardian, and a child uses the learning product only under the parent’s account and consent.
8.2 We collect a child’s first name and age only as needed to deliver lessons. In the child-facing product the child appears under a pseudonymous handle — the real name is never shown publicly, and there is no person-to-person messaging or following between children, by design.
8.3 Under 13 (verifiable parental consent). For children under 13 we obtain verifiable parental consent before the child uses the Services — we verify parental authority, including, where applicable, via a payment-card verification step, and record it. The digital-consent age in Estonia under GDPR Art. 8 is 13. We grant the child access only after consent is captured.
8.4 COPPA (US children under 13). As a non-US operator that knowingly collects personal information from children under 13 in the United States, COPPA (16 CFR Part 312) applies to us (it reaches foreign operators), and we align our practices with the current Rule, including its 2025 amendments:
• Operator: Kodwise OÜ, Ahtri tn 12, 15551 Tallinn, Estonia; contact legal@kodwise.org for COPPA matters.
• We give parents direct notice of what we collect from a child, how we use it, and to whom we disclose it.
• We obtain verifiable parental consent before collecting personal information from a child, and collect only what is reasonably necessary to participate.
• We obtain a separate verifiable parental consent before disclosing a child’s personal information to any third party for that third party’s own purposes (for example, targeted advertising, which we do not do for children). This is distinct from service providers/processors that handle children’s data only on our behalf and on our instructions (such as our hosting, live-lesson, lesson-summary, and AI-moderation providers, listed at /en/subprocessors), to whom this separate-consent requirement for third-party disclosure does not apply.
• We do not condition a child’s participation on disclosing more data than necessary, and we do not use children’s data for behavioural advertising or profiling.
• We do not retain children’s personal information indefinitely: we keep it only as long as reasonably necessary for the purpose collected, per our retention policy (§13), and then delete it.
• “Personal information” includes biometric identifiers and government-issued identifiers; we do not collect biometric identifiers or government-issued identifiers from children. (If we ever introduce identity-based age verification, we will address it in a separate, updated notice before doing so.)
• We maintain a written information-security programme appropriate to the sensitivity of children’s data.
• A parent may, at any time: review the child’s personal information; refuse to permit further collection or use; and direct us to delete it — by contacting legal@kodwise.org (we verify parental authority first).
8.5 Parental controls. A parent/guardian can, at any time: review the child’s projects, lessons, and Kodmigo history; correct or delete the child’s data; disable the AI assistant for the child; control whether projects are published; and exercise the rights in §15 — via legal@kodwise.org and, where available, in the parent dashboard.
8A. FOR KIDS — YOUR PRIVACY IN PLAIN WORDS
If you’re a young coder using Kodwise, here’s what you should know:
• We keep your real name private. Other people only see your handle (a nickname), not your real name.
• Kodmigo is a friendly AI helper, not a real person. It helps you with code. Don’t type private things (like your real full name, address, school, or phone) into your projects or to Kodmigo.
• Your parent can see your projects, lessons, and Kodmigo chats, and can delete them.
• You choose (with your parent) whether to share a project. You can unshare it any time.
• If something online feels wrong or scary, tell a grown-up and use the Report button.
9. AI ASSISTANT (KODMIGO)
9.1 Kodmigo provides coding hints and educational chat using third-party AI providers (currently Anthropic for the assistant and OpenAI for content moderation).
9.2 Data minimisation. We remove direct personal identifiers before sending content to the AI provider, limit the size of prompts and outputs, and apply moderation to both input and output. (Removing direct identifiers is best-effort; we ask users not to submit personal data — see §3 — but we do not claim the data is fully anonymised.)
9.3 Training and retention. Our AI providers do not use the data we send them to train their general models — this is the default and contractual position for our commercial/API use — and they apply limited retention as described in our contracts and the sub-processor list (/en/subprocessors). Our Data Processing Agreements with these providers (including EU Standard Contractual Clauses for any transfer) are on file.
9.4 No solely-automated decisions with legal/significant effect. Kodmigo gives educational suggestions; it does not make decisions producing legal or similarly significant effects about you or your child (see §16).
9.5 Parents can disable Kodmigo per child (see §8.5).
9.6 AI transparency (EU AI Act). We tell users, in age-appropriate plain language, that Kodmigo is an AI system and not a person (Regulation (EU) 2024/1689, Art. 50; transparency obligations apply from 2 August 2026). In its current configuration, Kodmigo provides hints and educational chat only: we do not use Kodmigo to make, or materially influence, any assessment, admission, progression, or grading decision about a child, and it does not determine access to education or steer a child’s learning path. On that basis we treat it as a limited-risk (transparency) AI system rather than a high-risk education system under Annex III. If a feature were ever to assess a child and adapt their learning path on that basis, we would reassess this classification before deploying it.
9A. LIVE-LESSON AND CALL RECORDINGS
9A.1 What may be recorded. Where we provide instructor-led live lessons, a session may be recorded (video, audio, the child’s display name, and attendance). Certain sales or support calls with a parent/guardian (an adult) may also be recorded. We make clear, before or at the start of a session, when it is being recorded.
9A.2 Purpose. Recordings are used only to: allow a participant who missed or wishes to revisit a lesson to review it; support teaching quality and tutor coaching; resolve a dispute, safety, or conduct concern; and meet legal obligations. We do not use recordings to train AI models, we do not use them for advertising, and we do not sell them.
9A.3 Legal basis. For a child’s live-lesson recording we rely on parental consent (Art. 6(1)(a)) together with performance of the live-lesson contract (Art. 6(1)(b)). For adult sales/support call recordings we rely on consent and/or our legitimate interest in quality assurance and record-keeping (Art. 6(1)(f)). Declining a recording does not affect a child’s access to the underlying lesson content.
9A.4 Who can access. Access is limited to the staff and tutors who need it for the purposes above, under confidentiality obligations. Recordings are not published and are not shared with advertising partners.
9A.5 Where recordings are stored and for how long. We do not keep our own copy of live-lesson video on our servers. Recordings live with the providers that capture them:
• Live lessons are recorded by Zoom (cloud) and auto-deleted by Zoom after roughly 30 days (then a further ~14 days in trash) — about 44 days in total.
• Trial (demo) lessons are recorded by the instructor running the session and stored in our Google Workspace (Google Drive); access is limited to the staff who need it, and they are deleted within 12 months unless a specific recording is needed for an ongoing or anticipated legal claim.
• An AI lesson-summary assistant (“Spiky”, operated by Spiky.AI Inc.) joins each live lesson and produces a summary for parents after the lesson (what was covered, how the child did, and any homework). It therefore processes the child’s lesson audio/video and a transcript. Spiky processes this data only on our instructions under a Data Processing Agreement with EU Standard Contractual Clauses, does not use it to train AI models, and its sub-processors are Amazon Web Services, OpenAI and Recall (Hyperdoc Inc.). Data is hosted in the United States under those safeguards.
• Sales/support call recordings (adults) are kept on our systems for up to 24 months and then automatically deleted (see §13); a specific recording may be kept longer where it relates to an ongoing or anticipated legal claim.
9A.6 Your controls. A parent/guardian may ask whether a recording exists, request a copy, ask us not to record their child, or request deletion, by emailing legal@kodwise.org; we verify parental authority first.
10. COMMUNITY AND SHOWCASE
Publishing a child’s project to the community/showcase is optional and parent-controlled, and published content appears under a pseudonymous handle. Community content is moderated. See our Community Guidelines.
11. SHARING AND SUB-PROCESSORS
11.1 We share personal data only with service providers (“sub-processors”) that process it on our behalf under written data processing terms and confidentiality obligations, in these categories: hosting and infrastructure; payments; AI processing; email/SMS/voice communications; live-lesson video; analytics and monitoring; advertising measurement (to parents); CRM and lead handling; and authentication.
11.2 A current, itemised list of sub-processors (name, purpose, data, location, transfer mechanism) is published at /en/subprocessors and kept in sync with our systems.
11.3 We may also disclose personal data: to public authorities or courts where legally required; to protect the safety of a child or any person; to enforce our terms or defend legal claims; and to a successor in a merger, acquisition, or reorganisation (with your rights preserved).
11.4 We do not sell personal data.
12. INTERNATIONAL TRANSFERS
12.1 Our primary systems (database, application servers, object storage, transactional email, and product analytics) are located in the EU/EEA.
12.2 Some sub-processors are located outside the EEA (primarily the United States). Our primary transfer mechanism is the European Commission’s Standard Contractual Clauses (SCCs — Implementing Decision (EU) 2021/914), together with supplementary measures and a Transfer Impact Assessment (following the Schrems II judgment and EDPB Recommendations 01/2020). Where a US recipient is certified under the EU–US Data Privacy Framework (DPF), we may additionally rely on that adequacy decision; because the DPF is the subject of a pending legal challenge before the EU courts, we maintain SCCs as the fallback safeguard for those transfers. The specific mechanism for each recipient is shown in the sub-processor list (§11.2). After the removal of TikTok and X, we make no transfers to a country without an EU adequacy decision (such as China).
12.3 You can request a copy of the relevant safeguards (for example, the SCCs) by emailing legal@kodwise.org.
13. DATA RETENTION
We keep personal data only as long as necessary for the purpose for which it was collected, and then delete or anonymise it:
• Account & education data — for the life of the account; on closure, deleted or anonymised after a short restore window (around 30 days).
• Contractual & financial records (invoices, accounting) — as required by Estonian accounting/tax law (around 7 years).
• Live-lesson recordings (Zoom) — not stored on our servers; Zoom auto-deletes after ~30 days (+~14 days trash).
• Trial-lesson recordings (Google Drive) — stored in our Google Workspace and deleted within 12 months (longer only where needed for an ongoing/anticipated legal claim); see §9A.5.
• Sales/support call recordings (where applicable) — up to 24 months, then automatically deleted; a specific recording may be kept longer where it relates to an ongoing or anticipated legal claim.
• Communications content & attachments (chat/email messages, files) — up to 24 months, then deleted (a specific thread may be kept longer for an ongoing/anticipated claim).
• AI assistant (Kodmigo) interaction data — minimised; on our systems, AI-assistant cache is deleted within 30 days and usage records within ~60 days; provider-side retention is limited as described in our contracts and the sub-processor list (§9.3).
• Marketing data & consents — until you withdraw consent/object; consent records kept as evidence for the period needed to demonstrate compliance (and no longer than is necessary for that purpose).
• Analytics data — up to 14 months, then deleted or aggregated (not left at provider defaults).
• Support communications — as long as needed to handle the matter, and then up to 24 months.
We do not retain children’s personal information indefinitely; we keep it only as long as reasonably necessary for the purpose for which it was collected and then delete or anonymise it (consistent with COPPA’s data-retention requirement for US children).
14. SECURITY
We apply technical and organisational measures appropriate to the risk, including: encryption in transit and at rest; access controls and per-account isolation; pseudonymisation of children in public features; removal of direct personal identifiers before AI processing; hashed credential storage; logging and monitoring with personal data redacted in error logs; rate-limiting and bot protection; staff/contractor access discipline and confidentiality obligations. Our product analytics do not use session recording. Where any session-analytics tool is used on a public marketing page, it is consent-gated and configured to mask inputs. We maintain an incident-response process: we notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal-data breach, and we notify affected individuals where the breach is likely to result in a high risk to their rights (GDPR Arts. 33–34).
15. YOUR RIGHTS UNDER GDPR
15.1 You have the right to: access your data and receive a copy; rectify inaccurate or incomplete data; erase data (“right to be forgotten”); restrict or object to processing (including objecting to direct marketing at any time); data portability; and withdraw consent at any time (without affecting prior processing). For a child’s data, the parent/guardian exercises these rights.
15.2 How to exercise. Email legal@kodwise.org. We may ask for information to verify your identity and, for a child’s data, your parental authority. We respond within one month, extendable by up to two further months for complex or numerous requests, with notice and reasons.
15.3 You may exercise rights free of charge; we may charge a reasonable fee or refuse manifestly unfounded or excessive requests, as the law allows.
15.4 Complaints. You may lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) — https://www.aki.ee/en — or with your local supervisory authority (UK: Information Commissioner’s Office, ico.org.uk; Türkiye: KVKK, kvkk.gov.tr). We would appreciate the chance to address your concern first at legal@kodwise.org.
15A. REGION-SPECIFIC RIGHTS
• EU/EEA & Estonia (primary): the rights in §15; supervisory authority = Estonian AKI.
• United Kingdom (UK GDPR): the same rights; supervisory authority = ICO (ico.org.uk); a UK Art. 27 representative will be appointed if/when required (§2A.2).
• Türkiye (KVKK): rights under KVKK Art. 11 (including to learn whether your data is processed, request correction/deletion, and object to solely-automated adverse decisions); authority = KVKK.
• United States (COPPA): parental rights over a child’s data in §8.4. We do not sell personal data.
16. AUTOMATED DECISION-MAKING AND PROFILING
We do not make decisions that produce legal or similarly significant effects about you or your child based solely on automated processing within the meaning of GDPR Art. 22. We do not profile children for advertising. Analytics and moderation are used to operate and protect the Services, not to make significant automated decisions about individuals.
17. CHANGES TO THIS POLICY
We may update this Policy to reflect legal, technical, or operational changes. We will post the updated Policy here with a new “last updated” date and, for significant changes, give additional notice; where the law requires, we will ask for fresh consent.
18. CONTACT
Kodwise OÜ
Ahtri tn 12, Kesklinna linnaosa, 15551 Tallinn, Harju maakond, Estonia
Privacy / data protection: legal@kodwise.org · General: info@kodwise.org
Supervisory authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), https://www.aki.ee/en