Privacy Policy
Effective date: April 28, 2026
1. Who We Are
Klio is operated by MONTESSORI RAY OF LIGHT S.R.L., a company registered in Romania, with its registered office in Bucharest, Sector 3, Str. Fizicienilor no. 1, sc. B (Corp B), fl. 8, ap. B810, Tax ID (CUI) 42902580, registered with the Trade Registry under number J40/9665/2020 (hereinafter “Klio”, “we” or the “Controller”).
As a controller of personal data within the meaning of Regulation (EU) 2016/679 (GDPR), we are responsible for the processing of your data and your children's data within the Klio platform.
Data protection contact: privacy@klio.chat
2. What Data We Collect
2.1 Parent data (adult account)
- Full name, email address, and password (encrypted)
- Language preference (Romanian or English)
- Billing data (processed exclusively by Stripe — we do not store card numbers)
2.2 Child data (parent-managed profile)
- Display name (can be a first name or pseudonym — we do not ask for a full real name)
- Birth year (for adapting content to age)
- Access PIN (stored encrypted, managed by the parent)
- Content of conversations with Klio (text messages), including topic classifications and safety indicators
2.3 Automatically generated data
- Safety alerts (incident type, escalation level)
- Topic classifications on conversations
- Number of messages sent (for usage limits)
2.4 Data we actively protect
Klio automatically detects and redacts personally identifiable information (PII) from children's messages: email addresses, phone numbers, and personal numeric codes (CNP). This information is replaced with “[redacted]” before being stored or sent to the AI model.
3. Legal Basis for Processing
- Parental consent (Art. 6(1)(a) and Art. 8 GDPR) — for processing children's data. The account is created exclusively by an adult who confirms that they are the child's parent or legal guardian.
- Performance of the contract (Art. 6(1)(b) GDPR) — for providing the service to adults (account management, billing).
- Legitimate interest (Art. 6(1)(f) GDPR) — for safety monitoring and abuse prevention (content filtering, safety alerts).
4. How We Use the Data
- Providing the AI chat service (generating age-appropriate responses)
- Safety checks on incoming and outgoing messages, including signals such as self-harm, manipulation, or inappropriate content
- Sending safety alerts to parents (email)
- Sending the weekly topic summary (digest email)
- Processing payments and managing subscriptions
- Enforcing monthly message limits per subscription plan
We do not use children's data for: marketing, advertising, behavioral profiling, AI model training, or sale to third parties.
5. Our Providers (Processors)
We share data exclusively with the technical providers necessary for the service to function. We have data processing agreements (DPA) or applicable contractual terms in place, as appropriate:
| Provider | Purpose | Data Location |
|---|---|---|
| Google Ireland Ltd. (Gemini) | Gemini models process most conversations and run the safety checks. Processing in the EU region (Frankfurt/Belgium). GDPR-compliant data processing agreement. | EU (Frankfurt/Belgium) |
| Anthropic Ireland Ltd. (Claude) | The Claude model is used for sensitive conversations, meaning situations that require extra tact and attention. GDPR-compliant data processing agreement. | EU / US |
| Supabase | Database storage (accounts, child profiles, conversations, alerts) and authentication | EU (Frankfurt, Germany) |
| Stripe | Payment processing, subscription management, invoicing, and tax/VAT collection. Stripe receives only adult data (email, billing data), not children's data. | EU / US |
| Resend | Sending transactional emails (welcome, safety alerts, weekly summary) | US |
| Vercel | Web application hosting (Frankfurt region) | EU (Frankfurt, Germany) |
We do not sell, rent, or share data with third parties for marketing or advertising purposes. Message content is not used to train AI models. Both AI providers have contractual agreements that prohibit this.
6. International Data Transfers
The primary database is stored exclusively in the EU (Frankfurt, Germany). AI providers process data primarily in the EU region where available; some providers (Anthropic, Stripe, Resend) may process data in the US. In these cases, the transfer is protected by the European Commission's Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework, in accordance with Art. 46 and Art. 49 GDPR.
7. Data Retention
- Conversations and messages: automatically deleted after 90 days (default). The period can be adjusted by the administrator per organization.
- Adult accounts: retained for the duration of the subscription and 30 days after termination, then deleted.
- Child profiles: deleted at the parent's request or when the adult account is deleted.
- Safety alerts: retained for the duration of the subscription for parental transparency.
- Billing data: in accordance with legal tax obligations (minimum 10 years for accounting documents).
8. Your Rights
As a data subject, you have the following rights under GDPR:
- Right of access (Art. 15) — you can request a copy of the data processed
- Right to rectification (Art. 16) — you can correct inaccurate data from the account settings
- Right to erasure (Art. 17) — you can request deletion of the account and all associated data
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20) — you can request an export of the data in a structured format
- Right to object (Art. 21)
- Right to withdraw consent at any time, without affecting the lawfulness of prior processing
To exercise these rights, write to privacy@klio.chat. We will respond within 30 days.
You also have the right to file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP): www.dataprotection.ro
9. Children's Protection (Art. 8 GDPR)
- Children do not have their own accounts. Access is fully controlled by the parent via PIN.
- We do not request or store children's personal information (address, school, phone number). If a child enters such information in the chat, it is automatically redacted.
- Every message is checked before it reaches the conversation AI, and the reply is checked before it is shown to the child.
- Parents receive immediate alerts for serious safety incidents and weekly summaries of the topics discussed.
- The parent can delete the child's profile and all associated data at any time.
10. How Safety Checks Work
Every message the child sends passes through a separate safety AI before it reaches the main conversation model. The AI's reply is checked in turn before it reaches the child. This double check runs in the background on every message and does not keep the content — only the classification result (safe / needs attention) and a category label are saved for reporting to the parent.
11. Use of Artificial Intelligence
Klio uses different AI models depending on the type of conversation: fast models for most questions, more capable models for complex homework, and a separate model for sensitive conversations. The AI providers used are listed in the section on processors.
- The AI providers do not train models on data sent through the API
- We do not use children's conversations to train AI models
- No automated decisions with legal effects are made based on AI responses.
12. Data Security
We implement appropriate technical and organizational measures: encryption of data in transit (TLS) and at rest, PIN hashing with timing-safe comparison, Row Level Security (RLS) on all database tables, strict API-level data validation, and automatic data deletion according to the retention periods.
13. Cookies
Klio uses exclusively cookies that are strictly necessary for the service to function (session authentication, language preferences). We do not use advertising, marketing, or tracking cookies. We do not use Google Analytics or other behavioral analytics tools.
The full list is available in the cookie policy.
14. Changes to the Policy
You may be notified by email in the event of significant changes to this policy. The updated version will always be available on this page.
For any questions: privacy@klio.chat
Privacy Policy
Effective date: April 28, 2026
1. Who We Are
Klio is operated by MONTESSORI RAY OF LIGHT S.R.L., a company registered in Romania, with its registered office at Bucharest, Sector 3, Str. Fizicienilor no. 1, sc. B (Corp B), fl. 8, ap. B810, Tax ID (CUI) 42902580, Trade Registry no. J40/9665/2020 (referred to as “Klio”, “we”, or the “Controller”).
As the data controller under Regulation (EU) 2016/679 (GDPR), we are responsible for the processing of your data and your children's data within the Klio platform.
Data protection contact: privacy@klio.chat
2. What Data We Collect
2.1 Parent data (adult account)
- Full name, email address, and password (encrypted)
- Language preference (Romanian or English)
- Billing data (processed exclusively by Stripe — we do not store card numbers)
2.2 Child data (parent-managed profile)
- Display name (can be a first name or nickname — we do not require a full real name)
- Birth year (for age-appropriate content adaptation)
- Access PIN (stored encrypted, managed by parent)
- Conversation content with Klio (text messages), including topic classifications and safety flags
2.3 Automatically generated data
- Safety alerts (incident type, escalation level)
- Topic classifications on conversations
- Message count (for usage limits)
2.4 Data we actively protect
Klio automatically detects and redacts personally identifiable information (PII) from children's messages: email addresses, phone numbers, and Romanian personal numeric codes (CNP). This information is replaced with “[redacted]” before being stored or sent to the AI model.
3. Legal Basis for Processing
- Parental consent (Art. 6(1)(a) and Art. 8 GDPR) — for processing children's data. The account is created exclusively by an adult who confirms they are the child's parent or legal guardian.
- Contract performance (Art. 6(1)(b) GDPR) — for providing the service to adults (account management, billing).
- Legitimate interest (Art. 6(1)(f) GDPR) — for safety monitoring and abuse prevention (content filtering, safety alerts).
4. How We Use Your Data
- Providing the AI chat service (generating age-appropriate responses)
- Safety checks on incoming and outgoing messages, including signals such as self-harm, grooming, or unsafe content
- Sending safety alerts to parents (email)
- Sending the weekly topic summary (digest email)
- Payment processing and subscription management
- Enforcing monthly message limits per subscription plan
We do not use children's data for: marketing, advertising, behavioral profiling, AI model training, or sale to third parties.
5. Our Providers (Sub-Processors)
We share data only with the technical providers necessary for the service to function. We have Data Processing Agreements (DPA) or applicable contractual terms in place, as appropriate:
| Provider | Purpose | Data Location |
|---|---|---|
| Google Ireland Ltd. (Gemini) | Gemini models process most conversations and run safety checks. Processing is in the EU region where available (Frankfurt/Belgium). A GDPR Data Processing Agreement is in place. | EU (Frankfurt/Belgium) |
| Anthropic Ireland Ltd. (Claude) | Claude is used for sensitive conversations, meaning situations that require extra tact and care. A GDPR Data Processing Agreement is in place. | EU / US |
| Supabase | Database storage (accounts, child profiles, conversations, alerts) and authentication | EU (Frankfurt, Germany) |
| Stripe | Payment processing, subscription management, invoicing, and tax/VAT collection. Stripe receives only adult data (email, billing details), not children's data. | EU / US |
| Resend | Sending transactional emails (welcome, safety alerts, weekly digest) | US |
| Vercel | Web application hosting (Frankfurt region) | EU (Frankfurt, Germany) |
We do not sell, rent, or share data with third parties for marketing or advertising purposes. Message content is not used to train AI models. Both AI processors have contractual agreements that prohibit this.
6. International Data Transfers
Our primary database is stored exclusively in the EU (Frankfurt, Germany). AI providers process data primarily in the EU region where available; some providers (Anthropic, Stripe, Resend) may process data in the US. In such cases, the transfer is protected by the European Commission's Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework, in accordance with Art. 46 and Art. 49 GDPR.
7. Data Retention
- Conversations and messages: automatically deleted after 90 days (default). The period can be adjusted by the administrator per organization.
- Adult accounts: retained for the duration of the subscription and 30 days after termination, then deleted.
- Child profiles: deleted at the parent's request or when the adult account is deleted.
- Safety alerts: retained for the duration of the subscription for parental transparency.
- Billing data: retained as required by Romanian tax law (minimum 10 years for accounting documents).
8. Your Rights
As a data subject, you have the following rights under GDPR: right of access (Art. 15), right to rectification (Art. 16), right to erasure (Art. 17), right to restriction of processing (Art. 18), right to data portability (Art. 20), right to object (Art. 21), and the right to withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise these rights, email privacy@klio.chat. We will respond within 30 days.
You also have the right to file a complaint with Romania's National Supervisory Authority for Personal Data Processing (ANSPDCP): www.dataprotection.ro
9. Children's Protection (Art. 8 GDPR)
- Children do not have their own accounts. Access is fully controlled by the parent via PIN.
- We do not request or store children's personal information (address, school, phone number). If a child enters such information in chat, it is automatically redacted.
- Every message is checked before it reaches the conversation AI, and every reply is checked before your child sees it.
- Parents receive immediate alerts for serious safety incidents and weekly topic summaries.
- Parents can delete a child's profile and all associated data at any time.
10. How Safety Checks Work
Every message your child sends passes through a separate safety AI before it reaches the main conversation model. The AI reply is checked too before your child sees it. This double check runs in the background on every message and does not keep the content — only the classification result (safe / needs attention) and a category label are saved for parent reporting.
11. Use of Artificial Intelligence
Klio uses different AI models depending on the conversation: fast models for most questions, more capable models for complex homework, and a separate model for sensitive conversations. The AI providers we use are listed in the sub-processors section. They do not train models on API data, and we do not use children's conversations to train AI models. No automated decisions with legal effects are made based on AI responses.
12. Data Security
We implement appropriate technical and organizational measures: encryption of data in transit (TLS) and at rest, PIN hashing with timing-safe comparison, Row Level Security (RLS) on all database tables, strict API-level data validation, and automatic data deletion according to retention periods.
13. Cookies
Klio uses only strictly necessary cookies for service operation (session authentication, language preferences). We do not use advertising, marketing, or tracking cookies. We do not use Google Analytics or other behavioral analytics tools.
The full list is available in the cookie policy.
14. Changes to This Policy
You will be notified by email of significant changes to this policy. The updated version will always be available on this page.
Questions: privacy@klio.chat