🔒

Privacy Policy

Last updated: June 2026

This Privacy Policy explains how UPEO.AI (Midterm”, “we”, “us” or “our”) collects, uses, shares and protects personal data when you use the Midterm app and the website at https://midterm.world (the “Service”). UPEO.AI is the data controller responsible for your personal data.

We aim to comply with applicable data-protection laws, which may include the Kenya Data Protection Act, 2019, the EU and UK General Data Protection Regulation (GDPR), and the California Consumer Privacy Act as amended (CCPA/CPRA). Where these laws give you specific rights, we honour them.

1. Information we collect

  • Account details you provide — such as your phone number, name, username and PIN.
  • Profile information — such as your avatar, age and sex, used to match you with suitable players and content.
  • Gameplay data — scores, XP, streaks, challenges, leaderboards and in-app activity.
  • Payment information — handled by our payment providers; we receive confirmation and limited details, not your full card number.
  • Device & usage data — such as app version, device type, and basic logs needed to keep the Service secure and reliable.
  • Communications — messages you send us (for example, support requests).

2. How and why we use your data

We use personal data to:

  • provide and operate the Service — accounts, gameplay, leaderboards, rewards and family profiles;
  • process subscriptions and payments;
  • keep the Service safe, prevent fraud and abuse, and enforce our Terms;
  • improve the Service and develop new features and game modes;
  • communicate with you about your account, updates and support;
  • comply with legal obligations.

Where the GDPR or similar laws apply, our legal bases are: performance of our contract with you; your consent (which you can withdraw at any time); our legitimate interests in running and improving a safe Service; and compliance with legal obligations.

3. Children & families

Child profiles are created and managed by a parent or guardian and live inside a safe, age-appropriate experience. We do not knowingly collect personal data directly from a child without the consent of a parent or guardian, and we do not serve children targeted advertising. Parents can review, manage and delete a child’s profile, and can contact us to exercise these rights. If you believe a child has given us data without proper consent, contact us and we will delete it.

4. How we share data

We do not sell your personal data. We share it only as needed:

  • Service providers (processors) who help us run the Service — such as hosting, messaging/SMS and payment processing — under contracts that require them to protect your data.
  • Legal & safety — where required by law, regulation, legal process, or to protect the rights, safety and security of users and the public.
  • Business transfers — if we are involved in a merger, acquisition or sale of assets, your data may be transferred, subject to this Policy.

5. International transfers

Your data may be processed in countries other than your own. Where we transfer data across borders, we use appropriate safeguards required by law (such as standard contractual clauses or transfers to countries recognised as providing adequate protection).

6. Data retention

We keep personal data only as long as necessary for the purposes described here — for example, while you have an account — and then delete or anonymise it, unless a longer period is required by law (for example, to keep financial records).

7. Security

We use technical and organisational measures designed to protect your data, including secured access and encryption in transit. No system is perfectly secure, but we work to protect your information and to respond appropriately to any incident.

8. Your rights

Depending on where you live, you may have the right to:

  • access the personal data we hold about you, and receive a copy;
  • correct inaccurate data or complete incomplete data;
  • delete your data (“right to erasure”);
  • restrict or object to certain processing;
  • data portability;
  • withdraw consent at any time, where processing is based on consent;
  • (for California residents) know what we collect, request deletion, and not be discriminated against for exercising your rights — and we do not sell or “share” your personal information for cross-context behavioural advertising.

To exercise any right, email us at hello@upeo.ai. You also have the right to complain to your data-protection authority — for example, the Office of the Data Protection Commissioner (ODPC) in Kenya, or your local supervisory authority in the EU/EEA or UK.

9. Cookies & similar technologies

Our website uses only the cookies and similar technologies needed to function and to understand basic, aggregated usage. We do not use them to build advertising profiles of children.

10. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will take reasonable steps to notify you and will update the date below. Please review it periodically.

11. Contact us

UPEO.AI — operator of Midterm.
Email: hello@upeo.ai
Phone: +254 116 888 777