Privacy Policy

Last updated: March 2026

AARO ("we", "our", "us") is committed to protecting the privacy of our users, especially children. This Privacy Policy describes how we collect, use and share information when you use our platform.

1. Information We Collect

We collect information that you provide directly to us, including:

  • Account information (name, email, phone, location)
  • Child profile information (name, date of birth, school)
  • Achievement records and supporting documents
  • Communications with us or other users
  • Usage data collected automatically (device info, log data, cookies)

2. Children's Data

We take children's privacy seriously and comply with applicable laws including COPPA and GDPR provisions for minors.

  • Children's accounts are always created and managed by a parent or guardian
  • We do not knowingly collect personal information from children without parental consent
  • Children's profiles are never publicly visible without explicit parent approval
  • Parents can review, modify or delete their child's data at any time

3. How We Share Information

We do not sell your personal information. We may share information in the following circumstances:

  • With institutions you explicitly authorise to verify achievements
  • With service providers who assist in operating our platform
  • When required by law or to protect our rights
  • In aggregated, anonymised form for analytics and improvement

4. Data Security

We implement industry-standard security measures to protect your information. Specific safeguards include:

  • Encryption in transit: all traffic between your browser and our servers is protected with TLS 1.2+ (HTTPS).
  • Encryption at rest: the database and uploaded files are encrypted on disk by our hosting providers.
  • Password hashing: passwords are never stored in plain text — they are hashed with bcrypt (12 rounds) so even we cannot read them.
  • Session security: authentication uses signed, short-lived JWT session tokens delivered as HTTP-only cookies.
  • Bot protection: login and registration forms use a math challenge plus invisible honeypot fields to block automated abuse.
  • Per-record privacy controls:children's profiles, photos and achievements default to Private and can only be widened by the parent.
  • Access controls:every API request is checked against the signed-in user's identity and the requested record's ownership.
  • Sensitive data handling: we never collect bank, card or government-ID numbers through this platform.

While no system is perfectly secure, we work diligently to protect your data and continuously review our practices.

5. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate information
  • Request deletion of your data
  • Export your data in a portable format
  • Withdraw consent for data processing
  • Object to certain processing activities

6. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at privacy@aaro.com.