FERMI - PRIVACY POLICY
Effective Date: 28 April 2026
1. Introduction
Fermi ("we," "our," "us") provides an AI-powered STEM tutoring platform designed to help students learn through problem solving, adaptive hints, simulations, and mastery-based practice.
This Privacy Policy explains how we collect, use, store, process, and protect your personal information across our website, mobile applications, and learning services ("Services").
Data Controller vs. Data Processor
- For Personal Accounts, Fermi is the Data Controller. The specific Fermi legal entity that controls your data depends on your country of residence — see Section 11 for entity details.
- For School Accounts, the School (school, district, or authorized teacher) is the Data Controller, and Fermi acts as a Data Processor, handling Student Data only as instructed by the School.
By using the Services, you acknowledge that your data will be processed as described in this Policy.
2. Definitions
- Student Data: Information relating to a student, including name, email, homework uploads, problem-solving attempts, audio queries, mastery history, and usage logs.
- Learning Behavior Data: Step-by-step reasoning patterns, hint usage, correctness, latency between steps, pacing, struggle points, correction loops, group study behavior, and revision patterns.
- School Account: Account created by or for a school, district, or teacher ("School Official").
- Personal Account: Account created directly by a student or parent.
- Child: A user who is under 13 years of age (under U.S. COPPA) or under 18 years of age (under India's DPDP Act). Where this Policy refers to "Children's" rights or protections, the applicable age threshold depends on the user's jurisdiction.
- De-Identified Data: Data stripped of direct and indirect identifiers, protected by technical controls preventing re-identification.
- Training Data: Data used to improve our AI models. Training is performed only on De-Identified Data. Student Data from School Accounts is never used for training. For Personal Accounts, Training Data is used only with the user's explicit opt-in consent (the default is opt-out). Data from any user under 13 is never used for training, regardless of consent setting.
3. Information We Collect
A. Information You Provide
- Account Info: name, email, password, grade level.
- Date of Birth: collected at signup to apply age-appropriate protections (e.g., COPPA, GDPR Article 8, India's DPDP Act). Adults may skip this field.
- Parent Account Info: if a parent creates or manages a child's account, we collect the parent's name, email, and evidence of parental consent (e.g., a payment-card $0 authorization token from our consent-verification provider, or a signed consent form).
- Homework & Study Content: photos of handwritten work, problem-solving attempts, notes, videos, attachments.
- Voice Data: audio queries during voice-based tutoring sessions. Audio is transcribed and is also analyzed for safety signals (including indicators of self-harm, abuse, or harm to others, and acoustic distress signals such as panic or crying). Audio files are retained for up to 30 days and then deleted. Transcripts and any safety flags are retained with the student's record. Sessions flagged by automated review may be reviewed by authorized Fermi staff (subject to role-based access controls and confidentiality obligations) for safety follow-up. We do not perform speaker identification or voice biometrics. We do not use voice or audio for advertising, behavioral profiling, or engagement optimization.
- Communications: emails, support messages, and feedback.
B. Automatically Collected
- Usage Data: time spent on tasks, mastery path, attempts, concepts studied, error patterns, revision behavior, hint interactions.
- Device Data: IP address, browser type, operating system, device model.
- Location Data: approximate country and region, derived from IP address, used to (i) apply the correct jurisdictional protections (e.g., COPPA for U.S. users, GDPR for EU/UK users, DPDP for India users), (ii) display region-appropriate pricing and marketing content, and (iii) route users to the correct Fermi entity (see Section 11). We do not collect precise geolocation.
- Generated Content: AI-generated explanations, scoring metadata, hint trees.
4. How We Use Your Information
A. School Accounts — Strict Educational Use Only
We process Student Data solely to:
- Deliver the Services requested by the School.
- Provide dashboards, mastery tracking, and learning analytics.
- Maintain and secure the platform.
- Conduct safety review of student interactions (including automated and, where flagged, human review of voice transcripts and audio for indicators of self-harm, abuse, or harm to others).
- Support teacher workflows including homework assignment, grading, and class insights.
- Ensure compliance with School policies and applicable law.
We do NOT use Student Data for:
- Model training (including in De-Identified form)
- Advertising, behavioral profiling, or engagement optimization
- Commercial purposes outside the educational service
- Selling or sharing with unauthorized third parties
B. Personal Accounts
We use your data to:
- Provide tutoring, adaptive hints, and personalized learning paths.
- Generate mastery maps, revision tasks, and study plans.
- Conduct safety review of user interactions (as described in Section 3.A).
- Improve service quality and detect misuse.
Training Data (model improvement):
- Only De-Identified Data is used.
- Personal Account users may opt in to contribute Training Data; the default is opt-out. Users can change this setting at any time in account settings.
- Data from any user under 13 is never used for model training, regardless of consent setting.
- Student Data from School Accounts is never used for training, even in De-Identified form.
5. Artificial Intelligence & Third-Party Processors
We use external AI providers (large language models and related services) to power explanations, reasoning, transcription, and safety analysis.
To protect your data:
- We send only the minimum data necessary to fulfill the AI task.
- Providers are bound by written data-processing agreements that prohibit (i) using your data to train or improve their foundation models, (ii) using your data for advertising or behavioral profiling, and (iii) retaining your data beyond what is necessary to provide the service.
- Student Data from School Accounts is never used for training, even in De-Identified form.
A current list of our AI providers and other sub-processors — including legal entity, country, and purpose — is published at fermi.ai/subprocessors and is updated promptly when sub-processors change.
6. Data Sharing & Disclosure
We share data only in the following situations:
Operational Sub-processors
We engage sub-processors in the following categories, each under a signed data-processing agreement. The current list (with legal entity, country, and purpose) is published at fermi.ai/subprocessors:
- Cloud hosting and infrastructure
- Database and data storage
- AI inference (LLM providers)
- Product analytics
- Error monitoring and performance tooling
- Email and communications delivery
- Payment processing (including parental-consent verification for under-13 users)
- Customer support tooling
School Access
For School Accounts, teachers, administrators, and other school officials may access Student Data, mastery progress, and class analytics in accordance with the School's policies and applicable law (e.g., FERPA).
Legal
We may disclose data to comply with valid legal requests or to protect safety (e.g., self-harm signals, threats of harm to self or others).
What We Never Do
- No third-party advertising
- No behavioral or targeted advertising
- No selling of Personal or Student Data
- No cross-site tracking
- No use of student or child data for AI model training by us or by our sub-processors
7. Global Compliance
United States
COPPA (Children's Online Privacy Protection Act, 15 U.S.C. Sections 6501–6506; 16 C.F.R. Part 312). Fermi complies with COPPA for users under 13:
- School-based use: When Fermi is used through a school under the FTC's school authorization framework, the school provides consent for use of the Services on behalf of parents. The school is the data controller for Student Data; Fermi acts as a data processor.
- Direct (non-school) use: For under-13 users signing up directly, we obtain verifiable parental consent before account creation. Accepted methods include payment-card $0 authorization (via our consent-verification provider) and signed consent form.
- Parental rights: Parents may review their child's personal information, request correction or deletion, refuse further collection, or withdraw consent at any time, by contacting privacy@fermi.ai or using parental controls in the Fermi app.
- Direct notice to parents: Our COPPA Notice to Parents is available at fermi.ai/coppa-notice.
FERPA (Family Educational Rights and Privacy Act, 20 U.S.C. Section 1232g; 34 C.F.R. Part 99). When Fermi provides services to a U.S. educational institution, the institution designates Fermi as a "school official" with "legitimate educational interests" under 34 C.F.R. Section 99.31(a)(1)(i)(B). Fermi remains under the direct control of the institution with respect to Education Records.
State Student-Privacy Laws.
- California SOPIPA (BPC Section 22584). Fermi is an "operator" of a K-12 educational service. We do not (i) use Student Data for targeted advertising, (ii) create profiles of students for non-educational purposes, (iii) sell Student Data, or (iv) disclose Student Data except as permitted by SOPIPA.
- Other state laws. When Fermi enters into agreements with school districts in states with specific student-privacy laws — including New York Education Law Section 2-d and 8 NYCRR Part 121, Colorado CSDPA (CRS Section 22-16-101 et seq.), Illinois SOPPA (105 ILCS 85), and Connecticut Public Act 16-189 — we comply with the requirements set out in those laws and the per-contract obligations they impose.
Across all jurisdictions, Fermi does not use Student Data for targeted advertising, sell Student Data, or create profiles of students for any non-educational purpose.
CCPA / CPRA (California Consumer Privacy Act, as amended). California residents have rights to know, delete, correct, and opt out of the "sale" or "sharing" of personal information. Fermi does not sell or share personal information as those terms are defined under CCPA/CPRA.
India
IT Rules 2021 and SPDI Rules 2011. Fermi is registered as Fermi AI Pvt Ltd in India and complies with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. A Grievance Officer is designated and contactable as set out in Section 11; grievances are acknowledged within 24 hours and resolved within 15 days, as required by Rule 3(2).
Digital Personal Data Protection Act, 2023 (DPDP). The DPDP Act has been enacted but is not yet fully operative as of the effective date of this Policy. Fermi will comply with the DPDP Act and its implementing rules as they enter into force. In anticipation of those obligations:
- Users under 18 are treated as Children. For direct (non-school) signups, parental consent is required.
- For students enrolled at partner educational institutions in India, the institution may provide consent to the extent permitted under the final DPDP Rules.
- A Grievance Officer is published; a Data Protection Officer will be designated if Fermi is notified as a Significant Data Fiduciary.
Cross-border transfers. Personal data of Indian users may be processed outside India consistent with applicable Indian law and our sub-processor arrangements (see fermi.ai/subprocessors).
United Kingdom and European Union
GDPR / UK GDPR. For users in the EU and the UK, Fermi complies with the General Data Protection Regulation (Regulation (EU) 2016/679) and the UK General Data Protection Regulation.
- Legal bases: We rely on contractual necessity (to deliver the Services), legitimate interests (for Personal Account analytics and security), and consent (for opt-in features such as Training Data contribution). For School Accounts, the School's lawful basis (typically public task or legitimate interests) applies; Fermi processes Student Data as processor on the School's instructions.
- Children: Fermi applies a default digital age of consent of 13, consistent with the United Kingdom's threshold under UK GDPR. Verifiable parental consent is required for users below age 13. Some EU Member States set higher thresholds under GDPR Article 8 (between 13 and 16). Parents of EU-resident users in those Member States may contact privacy@fermi.ai to exercise parental rights, including consenting to or withdrawing their child's account at any time. UK users under 18 are additionally protected under the UK Age-Appropriate Design Code, with high-privacy settings applied by default.
- EU/UK Representative (Article 27): Fermi has appointed an Article 27 Representative for EU and UK users. Contact details are published in Section 11.
- Lead Supervisory Authority: Fermi has no establishment in the European Union; the GDPR one-stop-shop mechanism does not apply. EU users may direct inquiries to our Article 27 Representative or to the supervisory authority of their member state. UK users may contact the Information Commissioner's Office (ICO).
- Cross-border transfers: Transfers from the EU/UK to non-adequate countries are made under the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement (IDTA), or other lawful mechanisms.
In addition to the rights described in Section 10, EU/UK children and their parents have the right to object to profiling and automated decision-making that produces significant effects, and the right to lodge a complaint with their member-state supervisory authority (or the ICO for UK users).
United Arab Emirates
UAE PDPL. For users in the UAE, Fermi complies with Federal Decree Law No. 45 of 2021 on the Protection of Personal Data ("PDPL") and its implementing regulations as they come into force.
- Lawful processing: We process Personal Data on the legal bases set out in Article 4 of the PDPL, including the user's consent and the necessity of processing for the performance of a contract.
- Children: For users under the age of 18, we obtain the consent of a parent or legal guardian before account creation, except where Fermi is engaged by a school or educational institution that has authority to consent on the parent's behalf consistent with local law.
- Cross-border transfers: Personal Data of UAE users may be transferred outside the UAE for processing by our sub-processors (see fermi.ai/subprocessors). Such transfers are made under appropriate safeguards consistent with PDPL Articles 22 and 23, including transfers to countries that provide an adequate level of data protection or under appropriate contractual safeguards.
- Rights: UAE residents have the rights to access, correct, delete, and restrict processing of their Personal Data, to object to processing, to data portability, and to withdraw consent. Requests may be made to privacy@fermi.ai.
- Regulator: The UAE Data Office is the competent supervisory authority.
School deployments in the UAE. Where Fermi is engaged by a UAE school or educational institution, the institution is the data controller and Fermi acts as a processor. We will discuss data residency and processing-location requirements with each institution at the time of engagement. Currently, Fermi's primary processing locations are in the United States, India, and Germany (EU); see fermi.ai/subprocessors for details.
8. Data Security
We implement administrative, technical, and physical safeguards to protect your information. Specifically:
- Transport encryption: TLS 1.2 or higher for all data in transit.
- Encryption at rest: AES-256-GCM for personally identifiable information stored in our databases (including names, email addresses, phone numbers, and authentication tokens).
- Role-based access control with least-privilege principles.
- Multi-factor authentication for administrative access.
- Audit logs of administrative and privileged access.
- Internal access monitoring.
- Regular third-party penetration testing; reports available to enterprise customers under NDA.
- Alignment with the NIST Cybersecurity Framework.
- Documented incident response plan with breach notification procedures consistent with applicable law (including, where applicable, 72-hour notification under GDPR and breach notification timelines under U.S. state laws).
Student Data access is strictly limited to authorized personnel under signed confidentiality obligations.
Where third-party security certifications are held by our sub-processors (e.g., SOC 2 Type II, ISO 27001), we publish those on our sub-processor list at fermi.ai/subprocessors.
9. Data Retention
Retention by account type:
- School Accounts: Student Data is deleted within 60 days of school instruction or contract termination, whichever is earlier. Backups are cleared within an additional 30 days. De-Identified aggregate data may be retained for research and service improvement consistent with Section 2.
- Personal Accounts: Personal Data is deleted within 30 days of an account-deletion request or account closure. Backups are cleared within an additional 30 days.
- Child Accounts (under 13): If inactive for 24 consecutive months, the account is auto-purged regardless of status.
- Voice audio (all account types): Audio files are retained for up to 30 days for safety review and then deleted (see Section 3.A). Transcripts and safety flags are retained with the student's record subject to the account-type retention above.
- De-Identified Data: May be retained indefinitely for research and service improvement, subject to the technical and contractual re-identification restrictions described in Section 2.
You may request earlier deletion at any time by contacting compliance@fermi.ai or using the in-app deletion controls.
10. Children's Rights
Parents (and Children, where appropriate under local law) may exercise the following rights regarding a Child's account:
- Access: review the personal information collected about the Child, including voice transcripts, homework content, and usage data.
- Correct: request correction of inaccurate information.
- Delete: request deletion of the Child's account and associated data, including voice audio and transcripts.
- Withdraw consent: withdraw previously-granted consent at any time.
- Refuse further collection: refuse the further collection or use of the Child's information.
- Object to profiling: object to automated decision-making with significant effects (where applicable under GDPR/UK GDPR).
How to exercise rights
Send a request to compliance@fermi.ai from the email address registered to the parent (or Child, where applicable). For requests where verification is required, we may ask for additional information to confirm identity before acting.
Response timelines
- India: 24-hour acknowledgement, 15-day resolution (per IT Rules 2021).
- EU/UK: 1 month, extendable by up to 2 additional months for complex requests (per GDPR/UK GDPR Article 12).
- United States and other jurisdictions: 5 business day acknowledgement, 30 calendar day resolution.
Right to lodge a complaint
- EU users may lodge a complaint with their member-state supervisory authority.
- UK users may contact the Information Commissioner's Office (ICO).
- India users may escalate to the Data Protection Board once it is operational.
- U.S. users may contact the Federal Trade Commission for COPPA-related concerns.
11. Contact Information
Privacy and data protection inquiries
- Privacy Contact: compliance@fermi.ai
- Data Protection: compliance@fermi.ai
India Grievance Officer (per IT Rules 2021)
Manish Singh
compliance@fermi.ai
EU, UK, and Switzerland Representative
Fermi has appointed DataRep as our representative under Article 27 of the EU GDPR, Article 27 of the UK GDPR, and the Swiss Federal Act on Data Protection (FADP). Data subjects and supervisory authorities in the EU, UK, and Switzerland may contact our representative by emailing datarequest@datarep.com with “Fermi AI Pte Ltd” in the subject line.
General inquiries
info@fermi.ai
Legal Entities
Fermi is operated by the following legal entities. The entity that acts as data controller for your account depends on your country of residence (see Section 1).
- United States: Fermi AI Inc. (Delaware, USA)
809 Cuesta Dr, Suite B PMB 1203, Mountain View, CA 94040, United States
- Singapore (parent entity; controller for users outside the United States, India, EU, and UK): Fermi AI Pte. Ltd.
160 Robinson Road, #20-03, SBF Centre, Singapore 068914
- India: Fermi AI Pvt Ltd
15th Main Rd, Sector 4, HSR Layout, Bengaluru, Karnataka 560102, India
