Privacy Policy

Nuat Computer Software LLC (“Nuat,” “we,” “us,” or “our”), doing business as Nuat Games and operating the Nucleus service, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you access or use our website (https://nucleus-edu.com/ and subdomains) and the Nucleus application (collectively, the “Service”).

By using the Service you acknowledge that you have read and understood this Policy. If you do not agree, you must not use the Service.

Definitions and Key Terms

To help explain things as clearly as possible in this Privacy Policy, every time any of these terms are referenced, they are strictly defined as:

• Cookie: A small amount of data generated by a website and saved by your web browser. It is used to identify your browser, provide analytics, and remember information about you such as your language preference or login information.
• Company: Nuat Computer Software LLC (doing business as Nuat Games), the entity responsible for your information under this Privacy Policy.
• Country: United Arab Emirates.
• Customer: The company, organization, or person that signs up to use the Nucleus Service.
• Device: Any internet-connected device such as a phone, tablet, computer or any other device that can be used to visit Nucleus and use the services.
• IP address: A number assigned to every device connected to the Internet, which can often be used to identify the location from which a device is connecting.
• Personal Data: Any information that directly, indirectly, or in connection with other information allows for the identification or identifiability of a natural person.
• Service: Refers to the service provided by Nucleus as described in the relative terms (if available) and on this platform.
• Third-party service: Advertisers, contest sponsors, promotional and marketing partners, and others who provide our content or whose products or services we think may interest you.
• Website: Nucleus's site, which can be accessed via this URL: https://nucleus-edu.com
• You: A person or entity that is registered with Nucleus to use the Services.

Information We Collect

Information You Provide

When you sign in via Google or Clever, we receive your email address and full name. We do not request or collect any other personal information unless you voluntarily submit it.

Automatically Collected Information

There is some information that is collected automatically when you visit our Service, such as your Internet Protocol (IP) address and/or browser and device characteristics. We automatically collect certain information when you visit, use or navigate the Service. This information may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, and other technical information. We also collect pseudonymized analytics data to measure user engagement, retention rates, and drop-off funnels. This information is primarily needed to maintain the security and operation of our Service, and for our internal analytics and reporting purposes.

We also collect detailed gameplay and engagement data (such as levels attempted, time spent on each level, success rates, learning paths, interaction patterns, and progress metrics) to measure user engagement with the games and to generate personalized progress reports for parents or educators. This data is associated with your account (email) to enable cross-device progress restoration and to create educational reports.

Advertising measurement. When you arrive on our Service from a Google Ads campaign, Google sets a click identifier cookie (e.g., _gcl_aw) that allows us to measure whether the campaign resulted in a sign-up or other conversion on our Service. This is used solely for conversion measurement and campaign attribution; we do not use this data for remarketing, cross-context behavioral advertising, or profiling.

How We Use Your Information and Lawful Bases

We process Personal Data only when we have a valid legal basis (GDPR Article 6 where applicable; equivalent standards under UAE PDPL, CCPA/CPRA).

You may object to processing based on legitimate interests at any time via account settings or by contacting us; we will stop unless we demonstrate compelling grounds.

Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes described in this Policy, based on the following criteria: (i) duration of the user relationship, (ii) legal obligations, (iii) dispute resolution, and (iv) security and fraud prevention.

Account data is retained for the duration of the account and deleted or anonymized within 12 months after account deletion or prolonged inactivity, unless retention is required by law.

Pseudonymized analytics data is retained for no longer than 12 months and is periodically reviewed for deletion.

Where retention is required for legal compliance, such data will be restricted and not used for other purposes.

Sharing and Third-Party Processors

We do not sell Personal Data (CCPA/CPRA §1798.100).

We share data only with the following vetted Processors under Data Processing Agreements (GDPR Art 28):

• Google LLC and Clever Inc. – receive only email and full name solely for authentication.
• Email delivery provider(s) – used solely to send progress reports to parents/guardians (only the parent's email address and the report content).
• Analytics and advertising measurement provider(s):
  • Google Analytics 4 with IP anonymization enabled – receive only pseudonymized data. Where required by applicable law, we configure analytics services to minimize data collection, including IP anonymization and disabling data sharing features.
  • Google Ads – receives conversion signals (e.g., that a sign-up occurred following an ad click) for the sole purpose of measuring the effectiveness of our own advertising campaigns. We do not enable remarketing, audience targeting, or cross-context behavioral advertising features. No data from children under 13 is shared with Google Ads for advertising purposes.

We disclose Personal Data only to vetted processors necessary to operate the Service, including authentication providers, analytics providers, and cloud hosting providers.

Each processor acts under our instructions and is contractually bound to comply with applicable data protection laws.

We do not sell or share Personal Data, including for cross-context behavioral advertising purposes as defined under CPRA.

We may disclose data to affiliates or in the event of a merger/sale of assets, provided the recipient agrees to equivalent protections.

International Transfers

Where Personal Data is transferred outside the UAE or EEA, we implement appropriate safeguards, including Standard Contractual Clauses approved by the European Commission.

Where required, we conduct transfer impact assessments and apply supplementary safeguards such as encryption and access controls.

Your Rights

You may exercise rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent (where applicable). California residents have additional rights under CCPA/CPRA. To exercise any right, please contact us. We will respond within one month (GDPR) or 45 days (CCPA/CPRA).

We may require verification of your identity before fulfilling requests. If your request is denied, you have the right to appeal our decision. We will not discriminate against you for exercising your rights under applicable law.

Cookies and Tracking Technologies

We use strictly necessary cookies for functionality, pseudonymized analytics cookies, and click-identifier cookies set by Google Ads (e.g., _gcl_aw) used solely to measure conversions from our own advertising campaigns. Non-essential cookies are only deployed after obtaining your prior consent through a granular cookie banner where required by law. We do not use tracking technologies for remarketing or cross-context behavioral advertising.

You may withdraw your consent at any time. We maintain records of consent where required by GDPR Article 7.

Children's Privacy (COPPA / GDPR Art 8)

Nucleus is an educational platform that includes content suitable for young students, such as grade 1 games. The Service may therefore be used by children under the age of 13. We are fully committed to protecting children's privacy and comply with the Children's Online Privacy Protection Act (COPPA), GDPR Article 8, and applicable UAE laws.

We do not knowingly collect, use, or disclose Personal Data from children under 13 without verifiable parental consent or, in the school context, consent from a school official acting in the student's educational interest (as permitted under COPPA's school exception). When a child under 13 signs in through Google or Clever (particularly school-managed accounts), we rely on the consent obtained by the parent or the educational institution.

We generate personalized progress reports based on gameplay and engagement data. These reports may be emailed to parents or guardians (or provided to schools) to support student learning. For children under 13, such reports are only sent where we have obtained verifiable parental consent or are operating under the school's consent as permitted under COPPA's school exception. Parents/guardians may review, correct, or request deletion of their child's progress data at any time by contacting us.

We apply strict data minimization for child users and do not use children's Personal Data for behavioral advertising, profiling, or automated decision-making.

Where services are provided through schools, the school may act as the data controller and we act as a processor under its instructions.

We implement additional safeguards including limited retention and restricted access to child-related data.

Parents or guardians may review, correct, or delete their child's Personal Data at any time by contacting us. If we discover that we have collected Personal Data from a child under 13 without the required verifiable consent, we will promptly delete that information.

Security

We implement appropriate technical and organizational measures (GDPR Art 32) to protect Personal Data, including encryption in transit, access controls, and regular security reviews. No method is 100% secure; we cannot guarantee absolute security.

Links to Other Websites

This Policy applies only to the Service. We are not responsible for the privacy practices of third-party websites.

Changes to This Privacy Policy

We may update this Policy. Material changes will be notified via the Service or email at least 30 days before they take effect. Continued use after notification constitutes acceptance of the revised Policy.

Governing Law

This Policy is governed by the laws of the United Arab Emirates. Any disputes shall be subject to the exclusive jurisdiction of the courts of the UAE, without prejudice to any mandatory consumer protections or data-subject rights under GDPR, CCPA/CPRA, or other applicable law.

Contact Us

For questions, rights requests, or complaints:

• Email: admin@nuatgames.com
• Via the in-app support form (if available)

You may also contact our data protection representative where required by law.