Aprendi — Privacy Policy

Aprendi is developed and operated by: TwoBrains Technology (Silva e Costa Tecnologia LTDA) Goiânia/GO, Brazil Website: https://twobrainstechnology.com Data Protection Officer (DPO): [email protected] App support: [email protected]

Aprendi has two profile types within the same app: • Guardian (parent or legal guardian): creates the account, registers the children, and accesses the progress dashboard. • Child (student): accesses the app through the profile created by the guardian, secured by a 4-digit PIN. The child does not create an account, provide an email, log in via social networks, or leave child mode without the guardian's PIN. All personal data collection happens under the guardian account, who is the legal data subject and provides parental consent under LGPD art. 14 and COPPA.

(a) Guardian account: name, email, password (stored as hash), and — optionally — phone number for support. (b) Child profile: nickname, age, avatar (chosen from in-app options, no photo upload), and 4-digit PIN set by the guardian. (c) Book page photos: images sent from the device camera or gallery. These photos are processed so the AI can read the text and generate exercises. They are stored temporarily on AWS S3 (sa-east-1) and discarded within 24 hours of exercise generation. (d) Usage data: exercise answers, response time, hits, misses, achievements, current level, and exercise history — used only for the guardian dashboard and to personalize the next study session. (e) Technical data: anonymous device identifier, model, OS, app version, language, time zone, crash logs, and performance metrics. (f) In-app purchases (IAP): Aprendi Premium subscriptions are processed by Apple App Store or Google Play. We only receive status (active/cancelled) and transaction identifier. We do not receive card numbers. We DO NOT collect: precise location (GPS), device contacts, calendar, microphone, biometric data, browsing history, social posts, or any sensitive data per LGPD art. 5(II).

• Generate personalized exercises from submitted photos; • Show progress, achievements, and reports to the guardian; • Adapt exercise difficulty to the child's age and performance; • Allow multiple children per account; • Validate Premium subscription and unlock features; • Handle support requests from the guardian; • Identify and fix app errors (crash logs); • Comply with legal obligations. We do NOT use data for ad profiling, third-party content recommendations, or selling to partners.

Aprendi uses Google Gemini as the AI provider to read text from photos and generate exercises. Calls to the Gemini API are made from our server (not from the child's device), so credentials and prompts are never exposed to the client. Important guarantees: • Book page photos are NOT used to train public AI models. The contract with Google explicitly states this restricted use. • No photo containing a child's face, voice, or image is requested or used by the app. We only ask for book pages. • Content generated by AI is a textual derivation of the page. We keep only the generated exercise (structured JSON) — the original photo is discarded within 24 hours. • Upon guardian request, we immediately remove any residual photo via the DPO.

Aprendi is intended for children ages 6 to 12. We process child data under the following terms: • Child accounts are only created by a legally authenticated guardian; • The child does not provide email, phone, personal photo, or external identifier; • The child cannot communicate with third parties inside the app — the only interlocutor is Tuca, an AI assistant controlled by TwoBrains, with no open chat; • We do not show third-party ads on child profiles; • We do not allow purchases from the child profile — only the guardian authorizes subscription; • Child mode is locked behind the guardian's PIN; • We comply with Apple App Store's "Made for Kids" requirements and Google Play's "Designed for Families" section.

We share personal data only with processors strictly necessary to operate the app, under data processing agreements: • Apple App Store / Google Play — subscriptions and app delivery; • Amazon Web Services (AWS) — server hosting and temporary photo storage (sa-east-1, São Paulo); • Google Gemini — AI processing of pages (no training and no retention beyond what's needed for response); • Transactional email providers for password reset. We do not sell data to advertisers. We do not share with data brokers.

• Page photos: up to 24 hours after generating the exercise, then automatically discarded; • Generated exercises (structured text): retained while the account is active, for the progress dashboard; • Guardian account and child profiles: retained while the account is active. Deleted within 30 days of deletion request; • Error logs and technical metrics: up to 90 days.

The guardian may, at any time, exercise the following rights over the family's personal data, by writing to [email protected]: • Confirm the existence of processing; • Access the data; • Correct incomplete or outdated data; • Request anonymization, blocking, or deletion; • Request portability; • Revoke consent; • Request full deletion of the family account. We respond to these requests within 15 days.

• Traffic always over HTTPS / TLS 1.2+; • Passwords stored as bcrypt hash; • Short-expiry session tokens; • Administrative server access is limited, with multi-factor authentication; • Encrypted backups; • Continuous incident monitoring; in case of breach, notification to ANPD and data subjects under LGPD art. 48.

We may update this policy to reflect changes in the app, partners, or legal obligations. Whenever there is a relevant change, we will communicate by email and in-app notice before the new version takes effect.

For any question about this policy or how we handle your data: TwoBrains Technology Email (DPO): [email protected] App support: [email protected] Website: https://twobrainstechnology.com