← Back to Home

Privacy Policy

Last updated: June 23, 2026

Our Commitment

UrSetu ("we," "us," or "our") is built for families with children. Privacy is not a feature — it is the architecture. We comply with COPPA (Children's Online Privacy Protection Act), including the 2025 amendments effective April 22, 2026, and design every system to minimize data collection.

What We Collect

From Parents & Guardians

  • Account information: Name, email address, phone number, and school affiliation.
  • Early access registration: Name, email, phone, city/state, user type, and feature interests. We hash your IP for duplicate detection (we never store the raw IP).
  • Usage data: Anonymous pageview data (path, referrer). No cookies. No cross-site tracking. Session IDs are random and stored only in your browser's sessionStorage.

About Children

Child information is entered and managed exclusively by parents. We collect only:

  • First name (or nickname)
  • Age or grade level
  • School affiliation
  • Avatar selection (no photos required)

We do not collect child email addresses, phone numbers, social media handles, precise geolocation, photos (unless explicitly uploaded by a parent), or biometric data.

How We Use Your Data

  • To provide and improve the UrSetu platform
  • To verify school membership and connect families
  • To send notifications you have opted into (bus alerts, messages, events)
  • To personalize your demo experience during early access
  • To respond to your support requests

We never use child data for advertising, profiling, or marketing purposes.

Who We Share Data With

We do not sell, rent, or trade your personal information. We share data only with:

  • Your school community: Other verified parents and teachers at your school, subject to your visibility settings.
  • Service providers: Cloud hosting (AWS), email delivery, and error monitoring — under strict data processing agreements. These providers never receive child PII.
  • Legal requirements: Only when required by law, court order, or to protect safety.

We do not share data with advertisers, data brokers, or social media platforms.

What We Never Do

  • We never sell, share, or monetize your data
  • We never show ads to children
  • We never allow children to create accounts — parents control everything
  • We never send child PII to AI models, analytics, or error tracking
  • We never use algorithmic feeds designed to maximize screen time
  • We never collect biometric data (fingerprints, facial recognition, voiceprints)
  • We never bundle consent — each data use requires separate, informed consent

Data Retention

  • Location data near schools is auto-deleted within 24 hours.
  • Chat messages are retained for the duration of your account, unless you delete them.
  • Account data is retained while your account is active. Upon account deletion, all data is permanently removed within 72 hours.
  • Early access data is retained for up to 12 months after registration, then automatically purged.
  • Analytics data is anonymized and aggregated — no individual records are retained beyond 90 days.

Schools may configure custom data retention periods through their admin dashboard.

COPPA Compliance

UrSetu is fully compliant with COPPA, including the 2025 amendments (effective April 22, 2026). Our compliance measures include:

  • Verifiable parental consent: Required before any child data is entered. Parents must explicitly consent through a dedicated consent flow — not a buried checkbox.
  • Parent-managed accounts: Children never have their own login credentials. All child profiles are created and controlled by parents.
  • Data minimization: We collect only what is necessary for the service (name, age/grade, school, avatar).
  • No bundled consent: Each category of data use requires separate opt-in consent, in compliance with the 2025 amendments.
  • Mandatory retention limits: All child-related data has defined retention periods and is automatically purged when no longer needed.
  • Server-side moderation: All content is moderated before it is visible to children.
  • Third-party SDK controls: No third-party SDK in our application collects data from children. We audit all dependencies for COPPA compliance.

Your Rights as a Parent

Under COPPA, you have the right to:

  • Review all data we have collected about your child
  • Request deletion of your child's data at any time — we will complete deletion within 72 hours across all services
  • Withdraw consent for future data collection about your child
  • Refuse further data collection while still allowing your child to use the service (where possible)
  • Export your family's data in a portable format

To exercise any of these rights, use the "My Data" section in your account settings, or email privacy@ursetu.com.

Data Security

We protect your data with industry-standard measures including encryption in transit (TLS 1.3) and at rest (AES-256), hashed passwords (bcrypt), role-based access controls, and regular security audits. Our infrastructure is hosted on AWS with SOC 2 compliant data centers.

Changes to This Policy

We will notify you of material changes to this policy via email and an in-app notice at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.

COPPA Compliance Contact

Our designated COPPA Compliance Officer can be reached at:

UrSetu Privacy Team
Email: privacy@ursetu.com
Website: ursetu.com/privacy