Topiti

Privacy Policy

Last updated: 2026-04-25 (v1.0)

1. Who we are

Topiti is operated by Daniel Alejandro Nader de León, a Mexican Persona Física con Actividad Empresarial (PFAE). For the purpose of this policy, that individual is the data controller responsible for personal information processed on the Topiti website and applications.

RFC: NALD900723M50.
Tax domicile: Via Borelli 400, Colonia Del Valle, San Pedro Garza García, Nuevo León.
Privacy contact: privacy@topiti.xyz.

2. Scope

This policy covers Topiti as offered to families in Mexico and the United States. Topiti is designed for children in early grades (PreK to 6th grade, approximately ages 3 to 12) and their parents.

We do not direct Topiti to children outside the parent-supervised flow. Children cannot create accounts on their own; only a verified parent can.

3. Information we collect

From the parent

  • Email address and a salted, hashed password.
  • Optional payment information processed by Stripe (we store a Stripe customer identifier, not the card number).
  • Optional OpenAI API key, if the parent chooses to bring their own. The key is encrypted at rest with AES-256-GCM.
  • Limited dashboard usage data (page views, feature toggles) used to operate the service.

From the child

  • First name (or chosen nickname) and age, supplied by the parent.
  • Voice recordings during conversational activities. Audio is transcribed by a speech-to-text provider and the transcript is retained; the raw audio is not persisted after transcription.
  • Drawings the child creates inside the app, plus the prompt that produced them.
  • Chat transcripts between the child and Topiti.
  • Mastery state: which curricular objectives have been exposed, practiced, and consolidated.

4. How we use information

  • To provide the tutoring service to the child.
  • To produce parent-facing reports in pedagogical language.
  • To process subscription payments through Stripe.
  • To respond to support requests sent to privacy@topiti.xyz.
  • To meet legal obligations (tax, regulatory requests, ARCO requests).

We do not sell personal information. We do not use child information to deliver behavioral advertising. We do not use child content to train external AI models without explicit, separate, opt-in consent from the parent.

5. Third parties we share with

We rely on the following service providers to operate Topiti. Each is bound by a written agreement and processes data only on our instructions.

Because all providers are based in the United States, your information is transferred to and processed in the United States. By using Topiti the parent acknowledges this transfer; for Mexican users a separate, explicit consent is requested in the Aviso de Privacidad.

6. Children under 13 in the United States (COPPA)

Topiti complies with the U.S. Children’s Online Privacy Protection Act (15 U.S.C. §§ 6501–6506; 16 C.F.R. Part 312, including the 2025 amendments effective 2025-06-23).

  • Verifiable parental consent. Before any personal information is collected from a child under 13, the parent creates the account, verifies the email address, and acknowledges this policy. A child cannot register without a verified parent.
  • Right to review and delete. The parent may, at any time, review the personal information collected from the child, request deletion, and refuse further collection. These actions are available from the parent dashboard.
  • No conditioning. A child’s participation in any activity is never conditioned on disclosing more information than is reasonably necessary.
  • No behavioral advertising. We do not deliver behavioral advertising to children and we do not enable third-party advertising in the child experience.
  • No in-app purchases visible to the child. All payment surfaces live in the parent dashboard. The child never sees pricing and cannot initiate a purchase.

7. Retention

  • Voice recordings: transcribed and discarded. Raw audio is not persisted to long-term storage.
  • Chat transcripts, drawings, mastery state: retained while the account is active so the tutor maintains context across sessions.
  • Account deletion: a parent may delete the account at any time from the dashboard. After deletion we keep data for a 30-day grace period in case the parent wants to undo, then perform a hard purge from PostgreSQL and MongoDB. We also request deletion from OpenAI logs through their data deletion endpoint.
  • Billing records: retained as required by Mexican and U.S. tax law (typically up to 5 years), even after account deletion.

8. Parental rights

The parent may at any time:

  • Review the information collected about the parent and child.
  • Request correction of inaccurate information.
  • Delete the child profile or the entire account; deletion cascades to all related data after the 30-day grace period.
  • Opt out of optional uses (for example, AI improvement opt-in).
  • Receive a portable export of the child’s data on request. We aim to fulfil data export requests within 30 days.

Requests can be sent to privacy@topiti.xyz from the email address registered on the account.

9. Security

  • Transport security: TLS 1.2+ for all traffic between the device and our servers.
  • At-rest encryption: managed encryption on PostgreSQL (Neon) and MongoDB Atlas. Sensitive parent-supplied secrets, such as an OpenAI key, are additionally encrypted with AES-256-GCM before storage.
  • Password storage: salted bcrypt hashes; plaintext passwords are never stored.
  • Access control: production database access is limited to authorized operators and audited.
  • Periodic review: we review our security posture at least annually and after any significant architectural change.

No system is perfectly secure. If we become aware of a breach affecting personal information, we will notify affected parents without undue delay and as required by applicable law.

10. California residents (CCPA / CPRA)

We do not sell or share personal information as those terms are defined under the California Consumer Privacy Act. Parents and children residing in California have the right to know, delete, correct, and limit the use of sensitive personal information. Requests may be submitted to privacy@topiti.xyz.

11. International users

Topiti is currently offered in Mexico and the United States only. We do not knowingly accept registrations from the European Economic Area, the United Kingdom, or other jurisdictions outside MX and US. When we expand to those markets, this policy will be updated to reflect GDPR and equivalent obligations.

12. Changes to this policy

When we make a material change, we will update the “last updated” date at the top, post a notice in the parent dashboard, and email registered parents. Continued use of the service after the change indicates acceptance of the updated policy. A parent who does not accept the change may delete the account.

13. Contact

Questions, requests, or complaints about this policy can be sent to privacy@topiti.xyz. Mexican users may also contact INAI (home.inai.org.mx) if they believe their rights have not been respected.