Privacy Policy

Effective Date: [DATE]

[COMPANY NAME] (“we,” “us,” or “our”) operates [APP NAME], an educational spelling application for children and families. This Privacy Policy explains how we collect, use, and protect information when you use our website at [WWW.EXAMPLE.COM] and our application (collectively, the “Service”).

We are committed to protecting the privacy of all our users, particularly children. We comply with the Children’s Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).

1. Information We Collect

1.1 Account Information

We collect only the minimum information necessary to provide our Service:

• Email address: We collect the email address of parents (for parent accounts) or users age 16 or older (for student accounts). This is used for account authentication via one-time passcode (OTP), account recovery, and service-related communications.
• Account type: Whether the account is a parent account or a student account.
• Age verification result: We record that age verification was performed and the outcome (e.g., “16 or older” or “under 16 - parent required”). We do not store your date of birth.

1.2 Learning Data

When students use the Service, we collect information about their learning activity, including:

• Words practiced and spelling attempts
• Scores, progress, and performance metrics
• Spaced repetition scheduling data
• Gamification achievements and unlocked content
• Session timestamps and duration

This data is used to personalize the learning experience, track progress, and improve our educational algorithms.

1.3 Information We Do Not Collect

We do not collect:

• Names of children
• Physical addresses
• Phone numbers
• Photos or videos
• Precise geolocation
• Data from third-party tracking or advertising networks

2. How We Use Information

We use collected information to:

• Provide and maintain the Service
• Authenticate users and secure accounts
• Track and display learning progress
• Personalize the learning experience using spaced repetition and adaptive algorithms
• Send transactional emails (password resets, account notifications)
• Send marketing communications (parents/adults only, with consent, and with easy unsubscribe)
• Improve our educational algorithms using anonymized, aggregated data
• Respond to support requests

We do not sell personal information. We do not use personal information for behavioral advertising.

3. Children’s Privacy

We take children’s privacy seriously and comply with COPPA and GDPR requirements for processing children’s data.

3.1 Age Verification

Users who indicate they are under 16 years old cannot create their own accounts. A parent or guardian must create a parent account and add child profiles. We verify age by collecting date of birth during signup; this date of birth is used only to determine the appropriate signup path and is not stored.

3.2 Parental Consent

For children under 16, a parent must create the account. By creating a child profile, the parent consents to our collection and use of their child’s learning data as described in this policy. Parents can review, modify, or delete their child’s information at any time by logging into their parent account or contacting us.

3.3 Limited Data Collection

For child profiles created under a parent account, we collect only learning activity data. We do not collect email addresses or other contact information directly from children.

3.4 Parental Rights

Parents have the right to:

• Review their child’s personal information
• Request deletion of their child’s account and data
• Refuse further collection of their child’s information (by deleting the child profile)
• Receive information about our data practices

To exercise these rights, log into your parent account or contact us at [PRIVACY@EXAMPLE.COM].

4. Cookies and Tracking

Our Service uses only strictly necessary cookies required for authentication and session management. These cookies:

• Keep you logged in while using the Service
• Are automatically deleted when your session ends or after a short period
• Cannot be used to identify you across other websites

We do not use cookies for analytics, advertising, or tracking. We do not use any third-party tracking pixels or similar technologies.

Because we use only strictly necessary cookies, we do not display a cookie consent banner.

5. Data Sharing

We share personal information only with service providers who help us operate the Service:

• Postmark (Wildbit, LLC): Processes transactional emails (OTP codes, account notifications). Postmark receives email addresses for delivery purposes only.
• Railway (Railway Corporation): Hosts our application and database infrastructure in the United States.

These providers are contractually obligated to protect your information and use it only as directed by us.

We may also disclose information if required by law, such as in response to a valid legal request from law enforcement.

We do not sell personal information to third parties.

6. International Data Transfers

We are based in the United States, and our servers are located in the United States. If you access the Service from outside the United States, including from the European Economic Area (EEA) or United Kingdom, your information will be transferred to and processed in the United States.

For users in the EEA and UK, we rely on Standard Contractual Clauses approved by the European Commission to ensure adequate protection for personal data transferred internationally.

7. Data Retention and Deletion

7.1 Active Accounts

We retain account information and learning data for as long as your account remains active.

7.2 Account Deletion

You may delete your account at any time through your account settings or by contacting us. When you delete your account:

• Your email address is permanently deleted from our active systems immediately
• Learning data associated with your account is retained but can no longer be linked back to you, as the identifying information has been removed
• This anonymized learning data may be used to improve our educational algorithms
• Backup systems may retain deleted data for up to 30 days before automatic purging

7.3 Anonymized Data

We retain anonymized, aggregated learning data (with all personal identifiers permanently removed) to improve our educational algorithms. This data cannot be used to identify any individual.

8. Your Rights

8.1 All Users

You have the right to:

• Access the personal information we hold about you
• Correct inaccurate information
• Delete your account and personal information
• Export your data in a portable format
• Opt out of marketing communications

8.2 European Economic Area and UK Residents

Under GDPR and UK GDPR, you also have the right to:

• Restrict processing of your personal information
• Object to processing based on legitimate interests
• Lodge a complaint with your local data protection authority

Our legal basis for processing your data is: (a) contract performance (to provide the Service you requested), and (b) consent (for marketing communications and, for children under 16, parental consent for data collection).

8.3 California Residents

Under the CCPA, California residents have the right to:

• Know what personal information is collected and how it is used
• Delete personal information
• Opt out of the sale of personal information (we do not sell personal information)
• Non-discrimination for exercising privacy rights

To submit a request, contact us at the email address below. We will verify your identity before processing your request.

9. Data Security

We implement appropriate technical and organizational measures to protect personal information, including:

• Encryption of data in transit (TLS/HTTPS)
• Encryption of data at rest
• Secure authentication via one-time passcodes
• Regular security assessments
• Access controls limiting employee access to personal data

No system is perfectly secure. If we become aware of a security breach affecting your personal information, we will notify you and relevant authorities as required by law.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (for account holders) and by posting a notice on our website. We encourage you to review this policy periodically.

For material changes affecting children’s data, we will obtain new parental consent where required.

11. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us:

Email: [PRIVACY@EXAMPLE.COM]

[COMPANY NAME] San Francisco, California, USA

For users in the European Economic Area, you may also contact your local data protection supervisory authority.

Last updated: [DATE]