Your child's data is safe with us.

Effective Date: May 6, 2026 Last Updated: May 6, 2026 Operator: Balraj Singh, trading as Bamio

At a Glance — What BAMIO Does and Does Not Do

A parent or guardian creates the account. Children cannot create accounts on their own.
We collect only what we need to teach — account info, child profile basics, voice recordings, uploaded notes, and activity records.
We do not show advertising of any kind — not to children, not to parents.
We do not allow AI providers to train their models on your child's content.
We do not sell or share personal data with third parties for their own purposes.
We do not track your child across other apps or websites.
You can delete your child's profile at any time from inside the app.

Closed Beta Disclosure: BAMIO is currently in a closed beta with a small, invited group of parent testers. Several controls described in this Policy as "in development" are not yet active in the closed-beta build but are scheduled for completion before the public launch. We commit to the public-launch standard described in this Policy and will publish version 1.1 once those controls are live.

1.Introduction

This Privacy Policy describes how Balraj Singh, sole proprietor, trading as "Bamio", having an address at H No.11011, Shahid Bhagat Singh Nagar, Street no.1, Goniana Road, Sri Muktsar Sahib – PIN code-152026, Punjab, India (referred to as "Bamio", "we", "us", or "our"), collects, uses, discloses, stores, transfers, and protects information when you and your child use the BAMIO mobile and web application (the "App"), our website at bamio.in, and related services (together, the "Services").

BAMIO is an educational application designed to help school-age children develop spoken-English fluency, study habits, and self-reflection. Because BAMIO is intended for use by children with the involvement of a parent or legal guardian, this Privacy Policy gives special weight to children's privacy and the rights of parents and guardians. Please read it carefully.

If you do not agree with this Policy, please do not use the Services.

2.Who This Policy Applies To

Parents and legal guardians who create and manage a parent account and provide consent for their child's use of the App.
Children ("Child users" or "Students") who use the App under a parent or guardian's account. "Child" means anyone under 18, with additional protections for users under 13 (US) and under 16 (some EU member states).
Educators or administrators who are explicitly invited by us or by a Parent user.
Visitors to our website at bamio.in.

3.Parental Consent and How a Child Profile Becomes Active

A child cannot create a BAMIO account on their own. During the closed beta, access is by invitation. By registering, a parent confirms they are the parent or legal guardian of any child profile they create, and provides consent for the categories of data we will process.

Post-launch consent flow

The parent or legal guardian creates a parent account, providing a valid email address.
The parent verifies their email by clicking a one-time link or entering a one-time code. Until this verification is complete, no child data is processed.
The parent confirms by checkbox attestation that they are the parent or legal guardian of the child being added.
The parent provides explicit, separate consent for the categories of data we will process from the child.
Only after all four steps does the child profile become active.

This flow is designed to satisfy the requirements of COPPA, the GDPR provisions on children, and India's Digital Personal Data Protection Act 2023 ("DPDP Act"). The flow is in active development and will be live before any public-store submission.

4.Information We Collect

4.1 Information You Provide Directly

Category	Examples	Required?
Parent account information	Parent's name, email address, password (stored as a hash), country	Required
Parent contact	Phone number	Optional during closed beta
Child profile information	Child's first name or display name, age or date of birth, class/grade, school name, avatar selection	Required
Authentication & security	PIN (stored as a hash), session token, device session identifier	Required
Subscription & billing (when launched)	Subscription tier, transaction ID and renewal status from Apple App Store or Google Play	Required when subscribed
Communications & preferences	Messages sent to support, marketing opt-in/opt-out preference, feedback, survey responses	Optional

4.2 Content the Child Creates Inside the App

Voice recordings captured during SpeakUp sessions and Voice Diary entries (audio is discarded after transcription).
Photos and PDFs uploaded to My Bag (class notes, book pages, handwritten notes).
Text inputs such as task descriptions, journal entries, and chat messages.
Activity records such as task completion, drill attempts, scores, and session duration.
Reports generated by the App such as daily summaries, progress charts, and weekly parent reports.

4.3 Information We Do Not Collect From Children

Last name or full legal name.
Home address, phone number, or email address (we contact the parent, not the child).
Precise location (GPS), biometric identifiers, contact list, calendar, or browsing history.
Advertising identifiers (IDFA, GAID) or financial information.

5.How We Use Information

Create and manage parent and child accounts, authenticate users, and enforce subscription entitlements.
Provide the educational features of the App — transcription, vision/OCR, AI feedback, plan generation, drills.
Generate progress reports and weekly summaries for the child and the parent.
Send essential service emails such as account verification, password reset, OTP codes, daily and weekly reports.
Send push notifications (when enabled) for reminders, reports, and account-status messages.
Detect, investigate, and prevent fraud, abuse, and security incidents.
Comply with our legal obligations.
Improve the App using aggregated or de-identified data only.

We do not use children's content to train AI models. We do not authorise any of our AI service providers to use your child's content to train their models, and we use no-training mode with each provider.

7.Children's Privacy

This is the most important section of this Policy. BAMIO is designed for children, including children under 13 (US) and under 16 (some EU member states). We comply on a best-efforts basis with COPPA, GDPR-K, the UK Age Appropriate Design Code, and India's DPDP Act.

No Behavioural Advertising to Children

We do not show advertising of any kind inside BAMIO. We do not allow third-party advertising networks to collect data from child users for ad targeting. We do not profile child users for marketing purposes.

No Public Profiles or Open Communication

BAMIO does not have a public profile surface. A child cannot be searched, friended, followed, or messaged by strangers. There is no community feed, no public leaderboard, and no open chat.

Parental Rights

Parents and legal guardians have the right at any time to review, correct, delete, or refuse further collection of their child's personal information. During the closed beta, these rights are exercised by emailing info@bamio.in. Self-service tools are in development for public launch.

8.Service Providers and Sub-Processors

We do not sell or share personal data with third parties for their own purposes. The following third parties process personal data on our behalf, strictly under our instructions:

Provider	Purpose	Data Shared	Region
Groq, Inc.	LLM inference & speech-to-text (AI training disabled)	Voice recordings (transient), image/PDF content (transient), text prompts	USA
Google LLC (Gemini API)	Fallback LLM inference (no-training enforced)	Text prompts, transcribed text, child display name & age/grade	USA
MongoDB, Inc. (Atlas)	Primary application database (encrypted at rest)	All persistent application data	USA / Region of cluster
Expo (650 Industries)	Push notification delivery	Device push token, push payload	USA
Resend Inc.	Transactional email delivery	Parent email address, child display name, report content	USA
Render, Inc.	Application hosting and compute	All data passing through application servers	USA
Apple Inc. / Google LLC	App Store distribution & in-app purchase processing (when subscriptions launch)	Subscription transaction data	USA

9.Data Retention

Category	Retention Period
Parent and child account profile	Until the parent deletes the account, or 24 months of full inactivity
Voice recordings (audio file)	Discarded by Groq after transcription; deleted from our servers immediately after upload
Voice transcripts and analysis results	Stored while the account is active; deleted within 30 days of account deletion
Uploaded photos and PDFs (My Bag)	Retained while the account is active and for 30 days after a child profile is deactivated, then deleted
Coaching data files (per-child)	Retained while the child profile exists; deleted with the profile
Activity records, reports, plans, voice diary entries	Retained while the account is active. Aggregated, de-identified statistics may be retained indefinitely.
OTP codes	1-hour TTL via database TTL
Backups	Up to 35 days
Legal / financial records	As required by applicable law (typically 7 years in India)

10.Data Security

Encryption in transit: All traffic is protected by TLS 1.2 or higher.
Encryption at rest: Account data is encrypted at rest in MongoDB Atlas.
Authentication: Passwords and PINs are never stored in plain text. They are stored as a one-way hash using HMAC-SHA256 with a server-side secret key. We are evaluating a migration to bcrypt before public launch.
Session tokens: Short-lived opaque bearer tokens with a 7-day expiry enforced server-side.
Access controls: Production access is limited to authorised personnel under the principle of least privilege.
Backups: Encrypted backups, retained for up to 35 days.

12.Your Rights

Rights Available to All Users

Access — request a copy of the personal data we hold about you or your child.
Correction — ask us to correct inaccurate or incomplete data.
Deletion — ask us to delete personal data, subject to legal retention requirements.
Withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal.
Portability — receive your data in a structured, machine-readable format.

Additional Rights for Indian Residents (DPDP Act 2023)

Right to a summary of personal data processed.
Right to correction, completion, updating, and erasure of personal data.
Right to nominate another individual to exercise rights in the event of death or incapacity.
Right of grievance redressal — see Section 18.

How to Exercise Your Rights

In-App where available (delete child, update child profile).
Email info@bamio.in with the subject line "Privacy Request".
Public form at bamio.in/delete-account once launched.

We will verify your identity (typically by confirming control of the parent email on file) and respond within 30 days.

17.How to Delete Your Account or Data

During the closed beta

Delete a child profile in-App: Open the App → Parent Dashboard → child → "Delete child". Personal data is permanently removed within 30 days.
Delete the parent account: Email info@bamio.in with the subject line "Delete my account" from the email address registered to the account. We will confirm and complete deletion within 30 days.

At public launch

In-App "Delete Account" button for both deactivate (recoverable for 30 days) and permanently delete.
Public form at bamio.in/delete-account — no login required.
Email path remains available.

16.Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify the Parent user via email and via an in-App banner at least 14 days before the change takes effect. For changes that expand how children's personal data is processed, we will request fresh parental consent before the new processing begins. A public archive of past versions is maintained at bamio.in/privacy/archive.

18.Contact Us

Data Controller

Balraj Singh, sole proprietor, trading as "Bamio"

H No.11011, Shahid Bhagat Singh Nagar, Street no.1, Goniana Road, Sri Muktsar Sahib – PIN code-152026, Punjab, India

Email: info@bamio.in · Subject line: "Privacy Request"

Grievance Officer (India – DPDP Act 2023 & IT Rules 2021)

Name: Balraj Singh · Designation: Grievance Officer

Email: admin@bamio.in

Acknowledges within 24 hours · Resolves within 15 days

19.Glossary

"Child" — any user under 18, with additional protections for users under 13 (US – COPPA) and under 16 (some EU member states – GDPR-K).
"Parent" — a parent or legal guardian who has created a Bamio parent account on behalf of a child.
"Personal data" — any information that identifies or could reasonably be linked to a particular individual.
"Service provider" — a third party engaged to perform a specific function on our behalf under written instructions.
"Verifiable parental consent" — consent obtained through a method reasonably designed to ensure the person providing consent is the child's parent or legal guardian.

A parent-friendly one-page summary is at bamio.in/privacy-summary. This full Policy is the legally binding version.