Privacy Policy for the Smart Kiddo Mobile App
This Privacy Policy applies to the Smart Kiddo mobile application available on the Apple App Store (iOS) and Google Play (Android) — an educational game for children ages 2–8.
This document is written primarily for parents and legal guardians who use the app together with their children. We do our best to use plain, parent-friendly English — without legal jargon — but where the law requires it, we cite specific legal bases under the EU/UK General Data Protection Regulation (GDPR), the Children's Online Privacy Protection Act (COPPA) and its 2025 amendments, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable laws.
1. Who we are (Data Controller / Operator)
The data controller under GDPR — and the "operator" under COPPA — is:
Tymoteusz Pasieka, doing business as Lingsoftware Tymoteusz Pasieka
ul. Narcyzowa 55J, 42-224 Częstochowa, Poland
Tax ID (NIP): 9492117912
Business registry (REGON): 242957779
Email: tymoteusz.pasieka@smartkiddo.app
For privacy and data protection matters, please contact us by email with the subject line "Privacy Policy" or "GDPR / COPPA Rights".
We have not appointed a Data Protection Officer (DPO) because applicable law does not require us to. All inquiries go directly to the controller.
2. At a glance — what you should know
In short, no jargon:
- The app is built for children ages 2–8 and is meant to be used with a parent present — especially during first launch, in-app purchases, and changes to settings.
- Your child's name, which you enter during setup, stays on the device only. It is never sent to any server or third party.
- No advertising of any kind, and we do not sell data to advertising brokers.
- No accounts, no email, no passwords — the app does not require sign-up.
- No camera, microphone, location, contacts, or photos access requested.
- No advertising identifier (Apple IDFA, Google Advertising ID).
- We use a small number of trusted service providers (Google Firebase, Apple, RevenueCat, OpenAI, ElevenLabs, Singular Kids SDK) only as needed to make the app work. The full list is in Section 5.
- You have the right to access, correct, or delete your child's data — see Section 8.
3. What information we collect
3.1 Profile information entered during setup
When the app is launched for the first time, we ask you to set up the child's profile. We collect:
- Child's first name — used only inside the app for personalized greetings and prompts. The name is never sent to any external server and is stored only locally on the device.
- Child's age (2 to 8 years) — used to choose the right puzzle difficulty. The age (as a numeric value, e.g. "5") is also sent to Firebase Analytics as an event parameter so we can understand which age groups the app works best for.
- Child's gender — derived from the avatar/character choice. Sent to Firebase Analytics as a parameter.
- Character/avatar selection — the chosen character ID. Sent to Firebase Analytics as a parameter.
3.2 Gameplay data
While the child uses the app, the following data is generated:
- solved puzzles (with results and number of attempts);
- current positions on game boards;
- completed boards;
- time spent in the app;
- in-game events (quiz start/end, correct/incorrect answers).
This data is stored locally on the device (to preserve progress between sessions) and as anonymized metrics sent to Firebase Analytics (board/puzzle identifiers and scores — no name).
3.3 Technical data
Collected automatically by built-in libraries from Apple, Google, and Firebase:
- device model, operating system version, language settings;
- session country (derived from the IP address — we do not retain the IP address);
- Firebase Installation ID;
- iOS-only IDFV (Identifier for Vendor) — stable within our app, deleted on app uninstall; this is not the same as the advertising IDFA;
- push notification token (APNs on iOS / FCM on Android) — used only to deliver notifications;
- crash and diagnostic logs (Firebase Crashlytics).
3.4 Subscription and purchase data
When you buy a premium subscription or individual game boards:
- subscription status (active, canceled, trial);
- transaction identifier issued by Apple / Google;
- price, currency, subscription duration;
- a stable device identifier used by RevenueCat (a UUID stored in iOS Keychain / Android local storage) — used to restore the subscription if the app is reinstalled.
We do not collect payment card data — all billing is handled by the Apple App Store / Google Play.
3.5 AI assistant data (iOS only, optional)
The iOS app offers an optional AI assistant that answers questions asked by the child. This feature is off by default and must be enabled by a parent in Settings (behind a parental gate).
When enabled:
- On-device mode (preferred — available on iOS 26+ devices that support Apple Intelligence: iPhone 15 Pro and newer, iPads with M-series chips): questions and responses are processed locally on the device by Apple Intelligence — no data leaves the device.
- Cloud mode (fallback when on-device is not available): the text of the child's question and a short context of the conversation are sent to OpenAI to generate a response. For speech synthesis, part of the response may be sent to ElevenLabs (see Section 5).
- Cloud mode runs in OpenAI store: false mode — OpenAI does not create a persistent record of the conversation in its dashboard and does not use API data to train its models (the default for all API customers since March 2023). Technical abuse-monitoring logs may be retained by OpenAI for up to 30 days — see Section 5.6.
- The child's name is never included in requests to OpenAI or ElevenLabs.
3.6 What we do NOT collect
For full clarity — we do not collect, and have no plans to collect:
- email addresses or passwords from end users;
- photos, voice recordings, or videos of the child;
- location data (GPS, Wi-Fi networks, cellular networks);
- contacts from the address book;
- health data or biometric identifiers (fingerprints, voiceprints, faceprints, eye patterns, facial templates) — even though COPPA's expanded 2025 definition includes these, we do not handle any such data;
- government-issued identifiers (state ID, passport, social security numbers);
- phone numbers;
- the parent's year of birth entered into the parental gate — this value is checked at the moment of input and immediately discarded; it is not stored on the device or transmitted to any server;
- Apple's advertising identifier (IDFA) — the iOS app does not display the App Tracking Transparency prompt;
- Google's advertising identifier (Advertising ID).
3.7 Voluntary nature of providing information
All information entered by the parent or child during setup is entirely voluntary and is neither a statutory nor a contractual requirement. The app launches and functions even if the parent skips entering this information:
- Name — used only for personalized greetings; without it the app simply omits the name from messages.
- Age — helps choose puzzle difficulty; if not provided, the app uses a default value.
- Gender and character selection — determine the avatar; without them the app uses a default character.
- Push token — without it, the child will not receive notifications, but the app works normally.
Not providing any of this information has no negative consequences for the user or their rights.
3.8 Automated decision-making and profiling
The app automatically chooses puzzle difficulty based on the age in the child's profile. This is a form of profiling within the meaning of Article 4(4) GDPR, but it does not produce legal effects or similarly significant effects for the child — Article 22 GDPR (prohibition of decisions based solely on automated processing producing legal or similarly significant effects) does not apply. If a parent finds the difficulty inappropriate, they can change the age in profile settings at any time, or simply ignore suggested content.
We do not engage in any automated decision-making that would produce legal or similarly significant effects on a child.
4. Why we process information and our legal basis
For each category of processing we list the purpose and the legal basis under GDPR. For US users, the corresponding basis is the operator's compliance with COPPA's verifiable parental consent regime where applicable.
| Information | Purpose | Legal basis (GDPR) |
|---|---|---|
| Child profile (name, age, gender, character) | Provide a personalized gameplay experience | Parental consent given during app setup — Art. 6(1)(a) GDPR in conjunction with Art. 8 GDPR; verifiable parental consent (VPC) under COPPA § 312.5 |
| Gameplay progress | Save game state, continue between sessions | Performance of a service contract — Art. 6(1)(b) GDPR |
| Age, gender, character, puzzle ID — sent to Firebase Analytics | Measure feature effectiveness, detect didactic issues, age segmentation | Legitimate interest — product development and quality assurance — Art. 6(1)(f) GDPR; for COPPA: "support for internal operations" |
| Technical data (device model, OS, crash logs) | Diagnose and fix bugs (Firebase Crashlytics) | Legitimate interest — service stability and security — Art. 6(1)(f) GDPR; COPPA "support for internal operations" |
| Push notification token | Deliver notifications (e.g., new boards, important messages) | Parental consent at the time of enabling notifications — Art. 6(1)(a) GDPR |
| Subscription and transaction data | Process the purchase, deliver the subscription, handle refunds | Performance of contract — Art. 6(1)(b) GDPR; legal obligations (tax/accounting) — Art. 6(1)(c) GDPR |
| Content of child's questions to the AI assistant in cloud mode | Generate AI response | Parental consent at the time of enabling the feature — Art. 6(1)(a) GDPR in conjunction with Art. 8 GDPR; VPC under COPPA |
| Session-based attribution signals (Singular Kids SDK) | Measure marketing campaign effectiveness | Legitimate interest — marketing measurement — Art. 6(1)(f) GDPR |
Parental consent and Art. 8 GDPR. The app is directed at children under 16 (the EU/UK statutory threshold for consent to information society services; Member States may set a lower threshold, but not below 13). Any processing based on consent requires the consent of a parent or legal guardian. We treat the person who launches the app, configures the child's profile, and authorizes purchases as the parent or legal guardian who consents on the child's behalf. You may withdraw consent at any time — see Section 8.
COPPA and US law. The app is directed to children under 13 within the meaning of COPPA. Where COPPA applies, we obtain verifiable parental consent (VPC) before collecting personal information from a child, using consent methods recognized by the FTC: (a) the parent installs the app from the App Store / Google Play (a paid transaction recognized as a VPC method under COPPA § 312.5(b)(2)(vi)), or (b) the parent passes our parental gate before configuring the profile or enabling any optional feature. We adopted these methods because they are reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.
5. Service providers we share information with
To make the app work, we use the following service providers. Each one processes data only on our instructions and under a Data Processing Agreement (DPA).
5.1 Google (Firebase) — Google Ireland Limited / Google LLC
What it does: Firebase is Google's toolkit that powers core app functions.
- Firebase Analytics — anonymous gameplay metrics (events with parameters: age, gender, character, board IDs);
- Firebase Crashlytics — crash logs, stack traces (for bug fixing);
- Firebase Authentication — anonymous sign-in (no email/password) for secure access to other Firebase services;
- Firebase Cloud Storage — game asset downloads (images, sounds, boards);
- Firebase Remote Config — manage subscription offers and app configuration without store updates;
- Firebase Cloud Messaging (FCM) — push notification delivery;
- Firebase App Check / Play Integrity (Android) — prevent abuse of Firebase services.
Kids configuration. We configure Firebase Analytics in line with Google's guidance for child-directed apps — ad personalization signals are disabled, ad data storage is disabled, and the property is tagged for child-directed treatment. The child's name is never sent to Firebase Analytics — it stays on the device only.
Headquarters: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
International transfers: Some Google infrastructure is located in the United States. Google is certified under the EU-U.S. Data Privacy Framework (DPF), Swiss-U.S. DPF, and the UK Extension. Standard Contractual Clauses (SCC) are used as a parallel basis for transfer.
Google's privacy policy: https://policies.google.com/privacy
Firebase privacy: https://firebase.google.com/support/privacy
5.2 Apple — Apple Inc. / Apple Distribution International Ltd.
What it does:
- App Store — app distribution and in-app purchase billing;
- Apple Push Notification Service (APNs) — push notification delivery;
- Apple Intelligence (on-device AI, optional, iOS 26+ on supported hardware: iPhone 15 Pro and newer, iPads with M-series chips) — local processing of AI assistant questions, with no data leaving the device.
Headquarters: Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland.
International transfers: Apple is certified under the EU-U.S. DPF, Swiss-U.S. DPF, and the UK Extension. Apple Intelligence in on-device mode causes no transfer — data does not leave the device.
Privacy policy: https://www.apple.com/legal/privacy/
5.3 Google Play — Google Ireland Limited
What it does:
- Google Play Store — Android app distribution, in-app purchase billing;
- Google Play Billing — transaction handling;
- Google Play Integrity — app integrity verification.
Privacy policy: https://policies.google.com/privacy
5.4 RevenueCat — RevenueCat, Inc.
What it does: Manages subscriptions and in-app purchases — maintains subscription state, validates Apple / Google receipts, restores subscriptions after reinstall.
What data it receives: A stable UUID stored locally on the device (iOS Keychain / Android local storage), Apple / Google transaction IDs, subscription status, country of purchase, currency, and amount.
Headquarters: RevenueCat, Inc., 153 Townsend St., Suite 401, San Francisco, CA 94107, USA.
International transfers: Standard Contractual Clauses (SCC) under RevenueCat's DPA (data stored in AWS in the US). RevenueCat is not certified under the EU-U.S. Data Privacy Framework (verified on dataprivacyframework.gov/list on April 27, 2026); transfers rely solely on SCC.
Privacy policy: https://www.revenuecat.com/privacy/
5.5 Singular — Singular Labs, Inc. (Kids SDK variant)
What it does: Measures the effectiveness of campaigns promoting the app — tells us which campaign led to an install, and handles deep links.
Kids variant. We use the dedicated Singular Kids SDK, designed in line with COPPA, GDPR-K, and Apple's Kids Category requirements. This variant does not collect IDFA, does not collect a persistent per-user device identifier, and does not use device fingerprinting. Attribution works on a session basis only, plus Apple's SKAdNetwork.
Headquarters: Singular Labs, Inc., 100 First Street, Suite 2400, San Francisco, CA 94105, USA.
International transfers: Singular Labs, Inc. is certified under the EU-U.S. Data Privacy Framework and Swiss-U.S. DPF (verified on dataprivacyframework.gov/list on April 27, 2026). SCC is also used as a parallel basis.
Privacy policy: https://www.singular.net/privacy-policy/
Kids SDK details: https://support.singular.net/hc/en-us/articles/360039024132
5.6 OpenAI — OpenAI, L.L.C.
What it does: Generates AI assistant responses in cloud mode (when on-device AI is unavailable or the parent prefers cloud mode).
What data it receives: The text of the child's question and a short context of the current board. We do not send the child's name, age, or any other profile information in the request body.
store: false mode. We use OpenAI in store: false mode — OpenAI does not create a persistent record of the conversation accessible in the customer dashboard, and does not use API data to train models (the default for all API customers since March 2023). Technical abuse-monitoring logs may be retained by OpenAI for up to 30 days, in accordance with the OpenAI Enterprise/API policy.
Headquarters: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA.
International transfers: OpenAI Inc. and OpenAI Global LLC are certified under the EU-U.S. Data Privacy Framework, Swiss-U.S. DPF, and UK Extension (verified on dataprivacyframework.gov/list on April 27, 2026). SCC is also used under OpenAI's DPA as a parallel basis.
Privacy policy: https://openai.com/policies/privacy-policy/
5.7 ElevenLabs — ElevenLabs, Inc.
What it does: Speech synthesis (text-to-speech) — converts the AI assistant's textual response into an audio track played to the child.
What data it receives: The response text to be synthesized. The text does not contain the child's name.
Headquarters: ElevenLabs, Inc., 169 Madison Ave #2484, New York, NY 10016, USA.
International transfers: ElevenLabs, Inc. is certified under the EU-U.S. Data Privacy Framework, Swiss-U.S. DPF, and the UK Extension (verified on dataprivacyframework.gov/list on April 27, 2026). SCC is also used as a parallel basis.
Privacy policy: https://elevenlabs.io/privacy
5.8 What we DO NOT do
- We do not share data with advertising brokers or ad networks.
- We do not sell data in any sense of the word, including the meaning of "sell" and "share" under the California Consumer Privacy Act.
- We do not use children's data to train AI models.
6. International data transfers
Most of our service providers (Apple, Google, RevenueCat, OpenAI, ElevenLabs, Singular) are based in or have infrastructure in the United States. Each transfer relies on one of the following bases:
- EU-U.S. Data Privacy Framework (DPF) — European Commission Implementing Decision of July 10, 2023, recognizing an adequate level of protection for certified US companies.
- Standard Contractual Clauses (SCC) — model clauses issued by the European Commission (Implementing Decision 2021/914 of June 4, 2021), used either as the basis or as a supplement to DPF certification. Regardless of DPF certification, we use SCC with all US service providers as a parallel transfer basis — this ensures continuity of legal data transfer even if an adequacy decision is suspended or revoked.
- UK International Data Transfer Agreement (IDTA) / UK Extension to the EU-U.S. DPF — for UK users, transfers rely on the UK Extension to the EU-U.S. DPF (where the provider is certified) and/or the IDTA.
DPF status of our service providers (verified April 27, 2026 on dataprivacyframework.gov/list):
| Provider | EU-U.S. DPF | Swiss-U.S. DPF | UK Extension | Transfer basis |
|---|---|---|---|---|
| Apple | ✓ | ✓ | ✓ | DPF + SCC |
| Google | ✓ | ✓ | ✓ | DPF + SCC |
| OpenAI | ✓ | ✓ | ✓ | DPF + SCC |
| ElevenLabs | ✓ | ✓ | ✓ | DPF + SCC |
| Singular Labs | ✓ | ✓ | — | DPF + SCC |
| RevenueCat | — | — | — | SCC only |
RevenueCat does not hold an active DPF certification — transfers to RevenueCat rely solely on SCC under RevenueCat's DPA. We commit to verifying the DPF status of our service providers at every material policy update.
You may request a copy of the relevant transfer basis by emailing the address in Section 1.
7. How long we retain information
| Category | Retention period |
|---|---|
| Child profile and gameplay progress (locally on the device) | Until the app is uninstalled or the profile is deleted in settings |
| Firebase Analytics — events with parameters | 14 months from last activity (Firebase default configuration) |
| Firebase Crashlytics — crash logs | 90 days |
| Push notification token | Until the app is uninstalled or notifications are turned off |
| RevenueCat subscription data | Active subscription period + 5 years after termination (tax and accounting obligations under Polish Accounting Act art. 74) |
| Content of queries to OpenAI (cloud AI mode) | No persistent conversation record in OpenAI (store: false); OpenAI technical logs may be retained up to 30 days for abuse detection |
| Text passed to ElevenLabs (speech synthesis) | No retention on our account; ElevenLabs technical logs per provider's policy (typically up to 30 days for the customer dashboard) |
| Singular attribution signals | Up to 6 months from install |
When retention obligations expire, the data is deleted or anonymized irreversibly.
8. Your rights (as a parent / legal guardian)
Acting on behalf of your child, you may exercise the following rights at any time under the GDPR and applicable laws:
- Right of access (Art. 15 GDPR) — request a copy of the data we process about your child.
- Right to rectification (Art. 16 GDPR) — when data is inaccurate or incomplete.
- Right to erasure ("right to be forgotten") (Art. 17 GDPR) — request deletion of your child's data. Most data is stored only locally on the device and disappears with app uninstall; data held by processors (Firebase Analytics, RevenueCat) is deleted on request.
- Right to restriction of processing (Art. 18 GDPR) — e.g., while we verify the accuracy of data.
- Right to data portability (Art. 20 GDPR) — receive the data in an electronic format (JSON or CSV).
- Right to object (Art. 21 GDPR) — to processing based on legitimate interest (e.g., Firebase Analytics, Singular attribution).
- Right to withdraw consent (Art. 7(3) GDPR) — you may withdraw any previously given consent at any time. Withdrawal does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
- Right to lodge a complaint — with the data protection authority of your country of residence. See Section 15 for jurisdiction-specific authorities.
Additional COPPA rights for parents in the United States:
- Right to review the personal information we have collected from your child;
- Right to refuse further collection or use of your child's personal information;
- Right to direct us to delete your child's personal information at any time.
How to exercise your rights
- Send an email to tymoteusz.pasieka@smartkiddo.app with the subject line "GDPR / COPPA Rights — Smart Kiddo".
- In the message, please include: your child's first name (optional — may help locate the request, although some data exists only on the device and has no server-side counterpart), approximate install date, platform (iOS / Android), and a description of the request.
- We may ask for additional information to verify your parental / guardian status — e.g., a confirmation of an App Store / Google Play purchase made from the same email address.
- We will respond within 30 days at the latest (Art. 12 GDPR); for COPPA requests, we will respond within a reasonable time. In particularly complex cases, the GDPR deadline may be extended by up to 60 additional days — we will notify you with reasons.
- Exercising your rights is free of charge.
9. Data security
We apply technical and organizational measures appropriate to the scale and nature of processing:
- Encryption in transit — all connections from the app to external services use HTTPS (TLS 1.2+).
- Anonymous Firebase sign-in — the app does not require a password; there is no password to compromise.
- Stable subscription identifier in the iOS Keychain — encrypted, hardware-protected storage by Apple.
- No advertising identity — eliminates the risk of cross-app tracking.
- Industry-standard processors — Google, Apple, RevenueCat, OpenAI, ElevenLabs, and Singular hold security certifications such as SOC 2 and/or ISO 27001.
- Written information security program — we maintain a written information security program addressing risks to children's personal information, as required under COPPA § 312.8 (effective April 22, 2026).
10. Children's privacy — enhanced protections
Smart Kiddo was designed for children ages 2–8 and meets the heightened children's privacy requirements arising from:
- Art. 8 GDPR / UK GDPR — processing children's data on the basis of consent requires consent of a parent or legal guardian (threshold: under 16 in the EU/UK by default; Member States may lower this to 13);
- Children's Online Privacy Protection Act (COPPA) — for users in the United States, applicable to children under 13; expanded by the FTC's 2025 amendments effective for compliance on April 22, 2026;
- UK Children's Code (Age Appropriate Design Code) — 15 standards published by the UK Information Commissioner's Office (ICO) under the UK GDPR;
- Apple App Store Review Guidelines, section 1.3 (Kids Category) — minimal data collection requirement, no behavioral advertising, parental gate before purchases;
- Google Play Families Policy — analogous requirements on Android;
- Australia's Children's Online Privacy Code (in force from December 10, 2026) — we monitor implementation and will align as the Code takes effect;
- Quebec Law 25 — for users in Quebec, Canada, parental consent for processing minors' personal information under 14.
The specific protections we have implemented:
- Parental gate — access to settings, purchases, and advanced AI assistant features requires passing a gate that verifies an adult is present. The gate asks the adult to enter their 4-digit year of birth, while playing a short audio prompt that explains the task (a child of preschool or early-school age does not know and cannot reliably enter a parent's correct year of birth). The app verifies only that the value falls within an adult range (18–115 years). The entered year of birth is not stored on the device, not transmitted to any server, and not logged in analytics. It is used solely for an immediate "adulthood" check.
- No account registration — the app does not require an email or password. We do not send mailings to children.
- No advertising and no ad personalization — Firebase Analytics is configured in child-directed mode (ad personalization signals disabled, ad data storage disabled).
- AI assistant only with parental consent — the AI assistant feature is off by default. Activation requires passing the parental gate and choosing a mode (on-device or cloud).
- Child's name never leaves the device — no external processor receives the child's name.
- High privacy by default — consistent with the UK Children's Code; the app does not require account creation and does not enable optional data collection without explicit parental action.
- Data minimization — we collect only what is necessary for the app's functions.
- No "nudge" techniques — we do not use design patterns to push children to share more personal information or weaken privacy settings.
10.1 Direct Notice to Parents (COPPA § 312.4)
Before we collect any personal information from a child within the meaning of COPPA, we provide the parent with a direct notice that includes:
- the categories of personal information we collect from the child (see Section 3);
- the specific third parties to which we disclose this information and the purposes of such disclosure (see Section 5);
- a description of the parent's rights under COPPA (see Section 8);
- a link to this Privacy Policy.
This notice is delivered in-app at first launch, before profile setup begins.
10.2 Verifiable Parental Consent (VPC)
We obtain verifiable parental consent before collecting personal information from a child, using the following FTC-recognized methods:
- App Store / Google Play purchase as VPC — for paid features, the parent's confirmed purchase using a credit/debit card or other payment method recognized by the platform serves as VPC under COPPA § 312.5(b)(2)(vi).
- Parental gate — for free use of the app, we use the parental gate described above before any personal information collection or before enabling optional features (such as the cloud AI assistant). The gate is reasonably calculated, in light of available technology, to ensure that the person providing consent is a parent.
If you believe your child has provided personal information to us without your consent, please contact us at tymoteusz.pasieka@smartkiddo.app — we will delete the data without delay.
10.3 Parents' right to review and delete
In addition to GDPR rights (Section 8), under COPPA you have the right to:
- review the personal information collected from your child;
- refuse further collection or use of the child's personal information;
- direct us to delete the child's personal information at any time.
To exercise these rights, follow the procedure in Section 8.
10.4 UK Children's Code (Age Appropriate Design Code)
For UK users, our service complies with the 15 standards of the ICO's Age Appropriate Design Code, in particular:
- Best interests of the child (UN Convention on the Rights of the Child) — privacy decisions are designed with the child's well-being as the primary consideration;
- Data Protection Impact Assessment — we maintain an internal DPIA for the Smart Kiddo app and review it at material updates;
- Age-appropriate application — the app is built for ages 2–8 and uses age-appropriate language;
- Transparency — this policy is written in plain English; a parent-friendly summary appears at the top (Section 2);
- Detrimental use of data — we do not use personal information in ways that have been shown to be detrimental to children's well-being;
- Policies and community standards — we adhere to our published policies;
- Default settings — high privacy by default; optional features (AI assistant, push notifications) are disabled until enabled by a parent;
- Data minimization — we collect only data necessary for the app's stated purpose;
- Data sharing — we do not share children's data except with the processors listed in Section 5, each under a DPA;
- Geolocation — the app does not collect geolocation data; this option is off by default and not user-enableable;
- Parental controls — the parental gate provides parental oversight of settings, purchases, and AI features;
- Profiling — limited to puzzle difficulty selection (Section 3.8); no profiling that produces legal or similarly significant effects;
- Nudge techniques — we do not use nudge techniques to encourage children to provide unnecessary data or weaken privacy;
- Connected toys and devices — N/A;
- Online tools — we provide clear in-app tools (and the email channel in Section 8) for exercising parental rights.
11. Local on-device storage (instead of cookies)
The mobile app does not use "cookies" in the classical web sense. Instead, it uses local system storage:
- iOS: UserDefaults (preferences, child profile, progress), Keychain (RevenueCat subscription UUID).
- Android: DataStore (preferences, child profile, progress).
- Game asset cache (images, sounds, boards) — in the app's cache directory.
All of this storage is wiped on app uninstall.
12. Advertising and tracking — what we don't do
The Smart Kiddo app:
- does not display any advertising (no ad SDKs such as AdMob, AppLovin, Unity Ads, etc.);
- does not sell or share data with advertising brokers within the meaning of GDPR or the CCPA/CPRA;
- does not use a device advertising identifier — on iOS, there is no App Tracking Transparency prompt; on Android, the app does not use the Google Advertising ID;
- uses marketing attribution exclusively in the Kids SDK variant (Singular), which does not collect persistent per-user identifiers.
12a. Website (smartkiddo.pl / smartkiddo.app) — analytics
This policy also covers the Smart Kiddo marketing website available at smartkiddo.pl and smartkiddo.app. To measure traffic and marketing conversions (e.g. how often the "Download the app" button is clicked or how many newsletter sign-ups we receive), we use Umami, provided by Umami Software, Inc. in its hosted variant Umami Cloud, with servers located in the European Union.
- Cookieless. Umami stores no cookies or other identifiers on your device. We do not use fingerprinting or cross-site tracking.
- Data collected: the URL of the page you visit, the referrer (the page that brought you here), country (derived from IP geolocation — the IP itself is not stored), device type, browser, operating system, screen size, and visit time.
- No personal data. None of the above information allows us to identify an individual — the data is aggregated and anonymous.
- Conversion events. We track the names of interactions: download_click (a click on the "Download the app" CTA; properties: platform and on-page placement) and newsletter_signup (a successful newsletter sign-up, without the email address).
- Retention: analytics data is retained for up to 6 months (the limit of the Umami Cloud Hobby free plan), after which it is automatically deleted.
The legal basis for processing is Art. 6(1)(f) GDPR — the legitimate interest of the controller in measuring traffic and marketing effectiveness of the website. Given the cookieless model and the absence of personal data, we do not display a cookie consent banner (consistent with the 2021 guidance of the French data protection authority CNIL and the European Data Protection Board on analytics tools exempt from the consent requirement).
Provider's privacy policy: umami.is/privacy.
13. Changes to this policy
We may update this policy when the scope of processing changes, when we add a new service provider, or when the law changes. Each change receives a new version number and effective date.
- Material changes (e.g., adding a new processor, a new processing purpose, a change of legal basis) — we will notify you in-app at first launch after the change and, where possible, by email to people who have voluntarily provided their email to us.
- Cosmetic changes (style improvements, minor clarifications) — without active notification; the current version is always available at this URL.
For California residents: this policy is reviewed and, if needed, updated at least every 12 months as required by the CCPA.
14. Contact
For privacy matters, including the exercise of rights under Section 8:
- Email: tymoteusz.pasieka@smartkiddo.app (subject line: "Privacy Policy" or "GDPR / COPPA Rights")
- Postal address: Tymoteusz Pasieka, ul. Narcyzowa 55J, 42-224 Częstochowa, Poland
Response time: within 30 days (Art. 12 GDPR); COPPA requests are answered within a reasonable time.
15. Region-specific provisions
15.1 California (CCPA / CPRA) — Notice at Collection
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), gives you specific rights regarding your personal information.
Categories of personal information collected in the past 12 months:
| Category (CCPA § 1798.140(v)) | Collected? | Source | Purpose | Retention |
|---|---|---|---|---|
| Identifiers (e.g., device IDs, IP-derived country) | Yes — IDFV (iOS), Firebase Installation ID, RevenueCat UUID, push token | Device, processors | App functionality, analytics, billing | See Section 7 |
| Personal info under California Civil Code § 1798.80(e) | First name, age, gender (entered by parent) | App user (parent) | Personalization | Local until uninstall |
| Protected classification | Age, gender | App user (parent) | Personalization, age-appropriate content | Local until uninstall |
| Commercial information | Subscription status, transaction IDs | App user (parent) | Billing, refund handling | 5 years (tax/accounting) |
| Internet/network activity | App events (puzzle solved, board completed) | App use | Analytics, bug fixing | 14 months (Firebase default) |
| Geolocation data | NO — we do not collect | — | — | — |
| Audio/visual | NO — we do not collect | — | — | — |
| Professional/employment info | NO | — | — | — |
| Education info | NO | — | — | — |
| Inferences | Puzzle difficulty selection (from age) | App use | In-app personalization | Local until uninstall |
| Sensitive personal information (CCPA § 1798.140(ae)) | NO — we do not collect; we do not use any personal info to infer sensitive characteristics | — | — | — |
We do not "sell" or "share" personal information within the meaning of the CCPA. We do not engage in cross-context behavioral advertising. As a result, we do not provide a "Do Not Sell or Share My Personal Information" link, because there is no such activity to opt out of.
Your CCPA rights:
- Right to know what personal information we collect, use, disclose, and (if applicable) sell or share.
- Right to delete personal information collected from you.
- Right to correct inaccurate personal information.
- Right to limit the use and disclosure of sensitive personal information — we do not collect such information, so this right has no application here.
- Right to opt out of sale/sharing — N/A (we do not sell or share).
- Right of no retaliation for exercising your CCPA rights.
Children's data under CCPA. For California residents under 16, we do not sell or share personal information; opt-in consent would otherwise be required, with parental consent required for users under 13. The CCPA imposes enhanced statutory penalties (up to USD 7,500 per violation involving the personal information of a known child under 16).
To exercise these rights, follow the procedure in Section 8.
15.2 Other US states with comprehensive privacy laws
Residents of the following states have rights similar to those above under their respective state laws: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, Montana. To exercise these rights, contact us using the email in Section 14.
We do not engage in "targeted advertising," "sale" of personal data, or "profiling" in furtherance of decisions producing legal or similarly significant effects.
15.3 United Kingdom (UK GDPR + Children's Code)
All principles described in this policy apply analogously under the UK GDPR. UK users may lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk. Our service is designed to comply with the ICO's Age Appropriate Design Code (Children's Code) — see Section 10.4. International transfers from the UK rely on the UK Extension to the EU-U.S. DPF (where the provider is certified) and/or the UK International Data Transfer Agreement (IDTA).
15.4 European Economic Area (EU GDPR)
EEA users may lodge a complaint with the data protection authority of their country of residence. For Polish users, the supervisory authority is the President of the Personal Data Protection Office (Prezes UODO): ul. Stawki 2, 00-193 Warsaw, https://uodo.gov.pl.
A list of EEA data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
15.5 Australia
Australian users may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au. Australia's Children's Online Privacy Code is scheduled to take effect on December 10, 2026; we are monitoring its implementation and will align our practices accordingly.
15.6 Canada (PIPEDA / Quebec Law 25)
Canadian users may lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at https://www.priv.gc.ca. Quebec residents may also contact the Commission d'accès à l'information du Québec (CAI) at https://www.cai.gouv.qc.ca. Under Quebec Law 25, we obtain parental consent for processing personal information of minors under 14.
15.7 Other countries
Residents of other countries may exercise rights under their local data protection law by contacting us at the email in Section 14.