REGULATORY & ETHICS
HeyLoLo is being designed from the ground up around children's data protection, AI transparency, and meaningful parental control. Here's how we approach the frameworks that govern this space.
HeyLoLo is being designed to comply with COPPA. Before launch, we will operate verifiable parental consent flows for any data collection involving a child under 13. Until that infrastructure is live, we do not knowingly collect personal information from children under 13 — the only data collected via this site today is a parent's waitlist email.
HeyLoLo is being designed to comply with the GDPR, including the enhanced protections for children's data in Article 8. Today, the only personal data we process via this site is the waitlist email you choose to provide. Our production database for the waitlist is hosted by Supabase in Frankfurt, Germany (eu-central-1). Where we use providers outside the EEA (for example, our email delivery provider in the United States), transfers are made under appropriate safeguards as described in our Privacy Policy.
HeyLoLo is being designed in anticipation of EU AI Act obligations. We expect the production service to be subject to Article 5 (no exploitation of the vulnerabilities of children), Article 50 (transparency — users will be informed they are interacting with an AI system), and, depending on final scope, the obligations applicable to providers and deployers of general-purpose AI. We continue to monitor harmonised standards published under the Act and will update our practices as guidance matures.
HeyLoLo follows the 15 standards of the ICO's Age Appropriate Design Code. The product defaults to the most privacy-protective settings, applies a high standard of data minimisation, does not use nudge techniques against the child's interest, and turns off profiling and behavioural advertising by default.
Elumi AI Limited is established in the Dubai International Financial Centre. As a DIFC-registered controller we apply the DIFC Data Protection Law 2020, which is broadly aligned with the GDPR. The DIFC Commissioner of Data Protection is the supervisory authority for our establishment.
Every product decision is evaluated through the lens of child wellbeing. If a feature could compromise safety, it doesn't ship.
Parents see what their child shares with HeyLoLo and how the assistant responds. No hidden collection. No opaque algorithms. Clear disclosure that the assistant is an AI.
HeyLoLo will not show advertising to children and will not sell personal information. The product is funded by family subscriptions, not by monetising attention or data.
Following the UK Age Appropriate Design Code and Article 8 GDPR: privacy-protective defaults, minimised data, no dark patterns, no profiling against the child's interest.
Parents have meaningful, real-time visibility through the dashboard and can pause, restrict, or end any interaction. The AI never takes safety-critical decisions on its own.
We treat safety as an ongoing program. We continually review our models, content filters, and processes as regulations, threat models, and harmonised standards evolve.
We rely on the following providers to operate this pre-launch website and waitlist. We will update this list before adding any new sub-processor that processes personal data.
| Provider | Role | Region |
|---|---|---|
| Supabase, Inc. | Application database & authentication | EU — Frankfurt, Germany (eu-central-1) |
| Resend, Inc. | Transactional email delivery (waitlist confirmation) | United States — transfer under appropriate safeguards |
| Replit, Inc. | Website hosting (pre-launch marketing site) | United States — transfer under appropriate safeguards |
The world's first AI assistant designed for the whole family. Redefine how children learn and grow safely in a digital world.