Privacy Policy

Effective date: [EFFECTIVE DATE] · Last updated: [LAST UPDATED DATE] · Version 1.0

Template & disclaimer. This document is a sophisticated starting template for the Boppers service. It is provided for convenience and does not constitute legal advice. Privacy laws differ by jurisdiction and change over time. Before publishing, replace every [BRACKETED] placeholder and have this Policy reviewed and adapted by qualified privacy counsel for your specific data practices, jurisdictions, and business model.

This Privacy Policy explains how [COMPANY LEGAL NAME] ("Boppers," "we," "us," or "our") collects, uses, discloses, retains, and protects information in connection with the Boppers application, website, and related services (collectively, the "Service"). Boppers is an audio-first early-learning application intended for young children and is designed to be set up and supervised by a parent or legal guardian.

We have built Boppers around the principle of data minimization: we collect as little information as possible, we do not show third-party advertising, we do not use the Service to build advertising profiles of children, and we do not sell or "share" personal information as those terms are defined under applicable law.

1. Scope & who this applies to

This Policy applies to all users of the Service, including parents and guardians who create accounts and the children for whom those accounts are used. It applies regardless of how you access the Service (web browser or, where offered, a mobile application). Capitalized terms are defined in Section 2 or where first used.

2. Key definitions

"Personal Information" / "Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under applicable law (including, where relevant, the expanded definition under the amended COPPA Rule, the GDPR/UK GDPR, and the CCPA/CPRA).
"Child" means a user under the age of 13 (and, where a higher age applies under local law, under that age).
"Parent" means a parent or legal guardian who creates and controls an account.
"Process"/"Processing" means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
"Service Provider" / "Processor" means an entity that Processes Personal Data on our behalf and under our instructions.

3. Who is responsible (data controller)

The controller responsible for your Personal Data is:

[COMPANY LEGAL NAME], [ENTITY TYPE], [REGISTERED ADDRESS]
General privacy contact: [PRIVACY EMAIL]
Data Protection Officer (if appointed): [DPO EMAIL]
EU representative (Art. 27 GDPR, if applicable): [EU REPRESENTATIVE NAME & CONTACT]
UK representative (if applicable): [UK REPRESENTATIVE NAME & CONTACT]

4. A note to parents

Boppers is directed to children and is intended to be used under the supervision of a Parent. Accounts are created and controlled by a Parent. We collect Personal Data relating to a Child only from the Parent, with the Parent's consent, and only to the extent reasonably necessary to provide the Service. A Parent may review, correct, export, or delete their Child's information, refuse further collection or use, and withdraw consent at any time (see Sections 15–18 and 21).

5. Information we collect

The categories of information we collect depend on how you use the Service. If you use Boppers without creating an account, your learning progress is stored only on your device and is not transmitted to us.

Category	Examples	Collected when
Account / contact data	Parent email address; authentication identifiers and tokens; sign-in method (email link, Google, Apple)	You create or use a Parent account
Child profile data	A first name or nickname chosen by the Parent; an optional avatar selection	The Parent adds a child profile
Learning & usage data	Lesson activity, items practiced, correct/incorrect responses, stars, rounds, mastery indicators, session counts	The Child uses the Service
Device / technical data	Basic technical data needed to operate the Service and maintain security (e.g., browser type, approximate region inferred from IP by our hosting providers, error logs)	Automatically, during use

We instruct Parents not to enter a Child's full legal name or any sensitive information into profile fields. We do not intentionally collect biometric identifiers, precise geolocation, contacts, photos, or government identifiers. We do not require a Child to disclose more information than is reasonably necessary to participate in the Service.

6. How we collect it

Directly from the Parent — when an account or child profile is created and configured.
Automatically — limited technical and usage data generated as the Service is used, including via our local storage and our hosting/authentication providers' logs.
From service providers — our authentication provider returns identifiers necessary to maintain a signed-in session.

7. How and why we use information

To provide, maintain, and personalize the Service, including saving and synchronizing each Child's learning progress across the Parent's devices and adapting lessons to a Child's demonstrated needs;
To authenticate Parents and secure accounts;
To provide the parent dashboard and progress reporting;
To maintain the security, integrity, and reliability of the Service, prevent fraud and abuse, and debug;
To comply with legal obligations and enforce our Terms.

We do not use Personal Data for behavioral or targeted advertising, and we do not use a Child's Personal Data to train artificial-intelligence or machine-learning models. (The natural-voice audio in Boppers is generated by us in advance using a third-party text-to-speech provider; no Child or account data is transmitted to that provider from a user's device.)

8. Legal bases for processing (EEA / UK)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

Performance of a contract — to provide the Service the Parent has requested;
Consent — for the Processing of a Child's Personal Data, and where otherwise required; consent may be withdrawn at any time;
Legitimate interests — to secure the Service, prevent abuse, and maintain reliability, balanced against the rights of data subjects;
Legal obligation — to comply with applicable law.

9. Children's privacy (COPPA and similar)

Boppers complies with the U.S. Children's Online Privacy Protection Act and the FTC's COPPA Rule, as amended (effective June 23, 2025, with applicable compliance dates), and with comparable children's-privacy requirements in other jurisdictions. In particular:

We provide direct notice to Parents and obtain verifiable parental consent before collecting Personal Data from a Child, except where an exception applies (see Section 18);
We practice data minimization and do not condition a Child's participation on disclosing more information than is reasonably necessary;
We do not disclose a Child's Personal Data to third parties for targeted advertising or other non-essential purposes, and we will not do so without obtaining separate verifiable parental consent;
We maintain a written information-security program and a written data-retention policy (Sections 12–13), and we delete a Child's Personal Data when it is no longer reasonably necessary for the purpose collected;
We do not use a Child's Personal Data to train AI models;
A Parent may review the Child's information, refuse to permit further collection or use, and request deletion by contacting us (Section 21).

If you believe a Child has provided us Personal Data without the required parental consent, please contact [PRIVACY EMAIL] and we will take appropriate steps to delete it.

10. Cookies, local storage & similar technologies

Boppers uses browser localStorage to save game progress and preferences on the device, and—when a Parent signs in—authentication tokens necessary to keep the session active. We do not use third-party advertising or cross-site tracking cookies. Because we use only strictly necessary storage, no advertising consent banner is required for that purpose; where local law requires notice for any storage, this Section provides it.

11. Disclosures of information & service providers (sub-processors)

We disclose Personal Data only in the following circumstances, and only to the extent necessary:

Service Providers / Sub-processors acting on our behalf under contract, including:
- [SUPABASE / HOSTING PROVIDER] — authentication and database hosting (parent login and saved progress);
- [CONTENT DELIVERY / HOSTING] — delivery of the application's static files;
- [TEXT-TO-SPEECH PROVIDER] — used by us during development only to pre-generate audio; not used at runtime and not provided with Child or account data.
Legal & safety — where required by law, legal process, or to protect the rights, safety, and security of users, the public, or the Service;
Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy and applicable law;
With your direction or consent.

12. No sale or "sharing" of personal information

We do not sell Personal Data, and we do not "share" it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA and similar laws. We have not done so in the preceding 12 months. We do not sell or share the Personal Data of any individual we know to be under 16.

13. Data retention

We retain Personal Data only for as long as reasonably necessary to fulfill the purposes described in this Policy, including providing the Service and complying with legal obligations, after which we delete or de-identify it in accordance with our written data-retention policy. Account and child-profile data are retained while the account is active; upon account deletion, associated data is deleted within [RETENTION/DELETION WINDOW, e.g., 30 days], except where retention is required by law.

14. Data security

We maintain a written information-security program with administrative, technical, and organizational safeguards appropriate to the sensitivity of the data, including encryption in transit, access controls, and provider-level row-level security so that each family can access only its own data. No method of transmission or storage is completely secure; we cannot guarantee absolute security. In the event of a personal-data breach affecting your rights, we will notify affected users and regulators where required by applicable law.

15. International data transfers

We and our service providers may Process Personal Data in countries other than your own, including the United States. Where we transfer Personal Data out of the EEA, the UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum), or another lawful transfer mechanism. You may request a copy of the relevant safeguards by contacting us.

16. Your rights (EEA, UK & similar)

Subject to applicable law, you have the right to: access; rectification; erasure ("right to be forgotten"); restriction of processing; data portability; objection to processing; and withdrawal of consent (without affecting prior lawful processing). You also have the right to lodge a complaint with your supervisory authority. To exercise these rights, contact us (Section 21); we will respond within the timeframes required by law.

17. Your California privacy rights (CCPA/CPRA)

If you are a California resident, you have the right to: know/access the categories and specific pieces of Personal Information we collect, use, and disclose; correct inaccurate information; delete your information; and opt out of any sale or sharing (we do not sell or share). You also have the right not to receive discriminatory treatment for exercising your rights. We do not use or disclose "sensitive personal information" for purposes that would trigger a right to limit. In the preceding 12 months we have collected the categories described in Section 5 (identifiers, customer-account information, and internet/usage activity) for the business purposes described in Section 7, and disclosed them only to the service providers described in Section 11. To submit a request, contact us at [PRIVACY EMAIL]; you may use an authorized agent. We will verify your request consistent with applicable law.

18. Other U.S. state privacy rights

Residents of states with comprehensive privacy laws (for example, Virginia, Colorado, Connecticut, Utah, Texas, and others) may have rights to access, correct, delete, and obtain a portable copy of their Personal Data, and to opt out of targeted advertising, sale, or certain profiling. We do not engage in targeted advertising or sale. To exercise applicable rights, contact us (Section 21). Where offered by law, you may appeal a decision regarding your request by replying to our response.

19. Verifiable parental consent & withdrawal

Before collecting Personal Data from a Child, we obtain verifiable parental consent through a method reasonably calculated, in light of available technology, to ensure that the person providing consent is the Child's Parent (for example, [DESCRIBE METHOD(S): account creation with a verified email plus confirmation, payment-method verification, or other approved method]). A Parent may withdraw consent at any time by [DESCRIBE: deleting the child profile in the parent area, or emailing us]; following withdrawal, we will stop collecting the Child's Personal Data and will delete previously collected data as described in Section 13.

20. Third-party links & services

The Service may reference third-party services (for example, sign-in providers or, in app versions, app stores). Those third parties are governed by their own privacy policies, and we are not responsible for their practices. We encourage you to review them.

21. Changes to this Policy

We may update this Policy from time to time. We will revise the "Last updated" date above and, for material changes affecting a Child's Personal Data, provide notice and, where required, obtain renewed parental consent.

22. How to contact us

[COMPANY LEGAL NAME]
Privacy: [PRIVACY EMAIL]
Postal: [POSTAL ADDRESS]
Data Protection Officer (if any): [DPO EMAIL]

EEA/UK users may also contact their local data protection supervisory authority. California users may contact the California Privacy Protection Agency.