HeyLoLo

Privacy Policy

Last updated: 25 May 2026

At a glance

  • Who we are: Elumi AI Limited (operating the "HeyLoLo" service), a company established in the Dubai International Financial Centre.
  • What we collect today: on this pre-launch website, only the email address you give us when you join the waitlist (and any optional note you choose to add).
  • Why: to keep you informed about the launch and to invite you to early access.
  • How long: until you ask us to delete it, or until two years after the product launches, whichever comes first.
  • Where it lives: in our database hosted by Supabase in Frankfurt, Germany. Emails are sent through Resend in the United States, under appropriate safeguards.
  • Children: the production HeyLoLo product is designed for children ages 6–14, with mandatory verifiable parental consent. This website is intended for parents and guardians, not for children. Please do not give us a child's email.
  • How to contact us: privacy@heylolo.ai.

1. Who is the controller

The data controller is Elumi AI Limited, registered in the Dubai International Financial Centre (DIFC), United Arab Emirates. DIFC registration number: [ELUMIAI DIFC REGISTRATION NO.]. Registered office: [ELUMIAI REGISTERED OFFICE ADDRESS, DIFC, DUBAI, UAE].

You can reach us about anything in this policy at privacy@heylolo.ai.

2. EU and UK representatives

Because Elumi AI Limited is established outside the European Economic Area and outside the United Kingdom, we are in the process of designating representatives under Article 27 GDPR and section 8 of the UK GDPR. Once appointed, contact details will be published here. In the meantime, you can contact us directly at privacy@heylolo.ai.

We have not yet appointed a Data Protection Officer. Given the nature and scale of the planned production processing (children's data at scale), we expect to appoint a DPO before product launch and will update this section accordingly.

3. What this policy covers

This policy covers the personal data we process today via the HeyLoLo marketing website (heylolo.ai and the Replit-hosted pre-launch URL) and the waitlist signup it offers. When the production HeyLoLo product is released, a separate product privacy notice and a child-friendly summary will apply to data processed inside the product. We will not start product processing of a given user's data without notifying that user.

4. What we collect and why

4.1 Waitlist signup

When you submit the waitlist form, we collect:

  • your email address (required);
  • an optional source tag (where you heard about us, if you tell us);
  • an optional note you choose to add;
  • the date and time of your submission;
  • a minimal technical record of the request (e.g. IP address as seen by our hosting and email providers, used only to deliver the service and detect abuse).

Legal basis: your consent under Art. 6(1)(a) GDPR (you actively submit the form) and our legitimate interest under Art. 6(1)(f) GDPR in operating and securing the waitlist. You can withdraw consent at any time by emailing us; withdrawal does not affect processing already carried out.

4.2 Confirmation email

We send you one confirmation email through our email provider (Resend). If you reply, that reply is processed for the purpose of answering your message and recorded as long as needed to answer it and meet any legal record-keeping duty.

4.3 Server logs

Our hosting provider keeps short technical logs (URL, status code, IP, user-agent) for security and uptime monitoring. These logs are not used for analytics or profiling.

4.4 Cookies and similar technologies

The pre-launch website does not set any non-essential cookies and does not run any advertising or analytics trackers. Strictly necessary cookies may be set by our hosting provider for security and load balancing. If we later add analytics or any non-essential cookies, we will ask for your prior consent through a cookie banner, in line with the EU ePrivacy Directive and the German TTDSG.

5. Children

The HeyLoLo product is designed for children ages 6–14 under parental supervision. This website, including the waitlist, is intended for parents, guardians, and other adults — not for children.

  • We do not knowingly collect personal information from a child under 13 (COPPA) or, where applicable, under the digital age of consent set by the EU/EEA member state in which the child resides (16 by default; 13–16 depending on the country).
  • If a parent or guardian becomes aware that a child has submitted personal information through this site, please contact us at privacy@heylolo.ai and we will delete the data promptly.
  • In the production HeyLoLo product, we will operate verifiable parental consent procedures consistent with COPPA (15 U.S.C. §§ 6501–6506 and 16 C.F.R. Part 312) before collecting any data from a child. Parents will be able to review, correct, and delete their child's data and refuse further collection at any time.

6. How we share data

We do not sell personal information. We do not share it with advertisers or data brokers. We use a small number of vetted processors who act only on our instructions and are bound by written data-processing terms compliant with Art. 28 GDPR:

  • Supabase, Inc. — application database and authentication for the waitlist. Hosted in the EU (Frankfurt, Germany; eu-central-1).
  • Resend, Inc. — transactional email delivery. Hosted in the United States.
  • Replit, Inc. — website hosting for the pre-launch site. Hosted in the United States.

We may also share data when required by law, legal process, or to protect the rights, safety, or property of Elumi AI Limited, our users, or the public.

7. International transfers

Where personal data is transferred outside the European Economic Area, the United Kingdom, or the DIFC — for example to Resend or Replit in the United States — we rely on:

  • the EU–US Data Privacy Framework where the recipient is certified;
  • the European Commission's Standard Contractual Clauses (2021/914) and, for UK transfers, the UK International Data Transfer Addendum, with supplementary measures as needed;
  • for transfers from the DIFC, the equivalent transfer instruments recognised under the DIFC Data Protection Law 2020.

You can request a copy of the safeguards we rely on by emailing privacy@heylolo.ai.

8. How long we keep your data

  • Waitlist email and submission record: until you ask us to delete it, or two years after the production launch of HeyLoLo, whichever is sooner.
  • Email correspondence: as long as needed to answer your message and meet any legal record-keeping duty, then deleted.
  • Server logs: typically up to 30 days, unless a longer period is needed to investigate a specific security event.

9. Your rights

Depending on where you live, you may have the following rights over the data we hold about you:

  • Access — ask us what we hold and receive a copy.
  • Rectification — ask us to correct data that is wrong or incomplete.
  • Erasure — ask us to delete your data.
  • Restriction — ask us to pause processing in certain situations.
  • Objection — object to processing based on legitimate interests.
  • Portability — receive your data in a machine-readable format.
  • Withdraw consent — at any time, with no effect on processing already carried out.
  • Not be subject to a decision based solely on automated processing with legal or similarly significant effects (Art. 22 GDPR). We do not make such decisions on this website. In the product, any AI-assisted decisions affecting a child will be subject to meaningful parental oversight.

To exercise any of these rights, email privacy@heylolo.ai. We respond within the statutory time limits (one month under the GDPR, extendable by two further months for complex requests).

You also have the right to lodge a complaint with a data protection supervisory authority. In particular:

  • in the EU/EEA, with the supervisory authority of your country of residence (a list is maintained by the European Data Protection Board);
  • in the United Kingdom, with the Information Commissioner's Office (ICO);
  • for our DIFC establishment, with the DIFC Commissioner of Data Protection.

10. United States — state privacy rights

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or any other US state with a comprehensive privacy law, you have the following rights in addition to those above, to the extent the relevant law applies to us:

  • the right to know what categories of personal information we collect and to access that information;
  • the right to correct inaccurate information;
  • the right to delete your information;
  • the right to opt out of sale or sharing of personal information for cross-context behavioural advertising — we do not engage in either, so there is nothing to opt out of today;
  • the right to limit use and disclosure of sensitive personal information;
  • the right not to be discriminated against for exercising any of these rights.

To exercise these rights, email privacy@heylolo.ai. We will verify your request using the email associated with your waitlist submission. You may use an authorised agent.

11. How we secure data

We apply technical and organisational measures appropriate to the risk (Art. 32 GDPR), including:

  • encryption in transit (TLS) for all traffic to this site and to our processors;
  • encryption at rest for data stored in our database;
  • row-level security policies that prevent unauthorised access to waitlist rows;
  • access on a least-privilege basis with multi-factor authentication for administrative accounts;
  • vetted, contractually bound sub-processors;
  • regular backups and a documented incident-response process.

No system is perfectly secure. If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where required (Art. 33 GDPR) and notify you without undue delay where the risk is high (Art. 34 GDPR).

12. Automated decision-making and AI

This website does not make automated decisions about you. In the production HeyLoLo product, the AI assistant is, by design, a tool that supports parents and children rather than an autonomous decision-maker. Where AI is used to filter content or flag safety signals to a parent, the parent retains review and override. We will provide clear, plain-language information about AI-assisted processing in the product's own privacy notice, in line with Article 50 of the EU AI Act.

13. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top, post a clear notice on the website, and — where we have a relationship with you (for example, you are on the waitlist) — email you in advance. For changes that expand the use of your data beyond what you originally consented to, we will ask for your fresh consent before relying on them.

14. Contact

For any privacy question, request, or complaint, email privacy@heylolo.ai.

Postal: Elumi AI Limited — [ELUMIAI REGISTERED OFFICE ADDRESS, DIFC, DUBAI, UAE].