Cub-Coach

👋 Who We Are

Cub Coach ("we," "us," or "our") operates an educational web application designed to help young children practice foundational skills such as letters, numbers, reading, and time-telling. This Privacy Policy explains what personal information we collect when you use the App, why we collect it, how we use and protect it, and what rights you have over it.

This policy applies to all users of the App, including parents and guardians who create and manage accounts on behalf of children.

Short version: We collect only what is needed to run the app. We never sell your data, never show ads, and never track children for commercial purposes.

📋 Information We Collect

We collect information in two ways: information you provide directly, and information generated automatically when you use the App.

Category	What it includes	How it's collected
Account information	Username, display name, age range, chosen avatar emoji, hashed password	Provided during registration
Learning progress	Quiz scores, letters/lessons practiced, time spent, achievement badges earned, per-item response history	Generated automatically during app use
Uploaded images	Photos or images a parent/guardian uploads to personalise letter-learning activities	Uploaded voluntarily through the App
Usage data	Aggregate, non-identifying information about which features are used and session timing	Logged automatically on the server
Payment confirmation	Transaction ID and purchase record (for paid modules only) — no card numbers or billing addresses	Received from our payment processor after a completed purchase

We do not collect email addresses, phone numbers, precise location data, IP addresses tied to individual user profiles, or any biometric data.

🎯 How We Use Your Information

We use the information we collect only for the following purposes:

To provide the App. Account information and learning progress data are used to deliver personalised learning experiences, track progress, and award achievements.
To improve the App. Aggregate, non-identifying usage data helps us understand which features work well and where we can improve.
To process purchases. Payment confirmation records are used to verify and activate access to paid modules.
To ensure security. We use account information to authenticate users and detect abuse or unauthorised access.
To respond to requests. If you contact us with a question or a data request, we use the information you provide solely to respond to that inquiry.

We do not use your information for advertising, behavioural profiling, automated decision-making with legal effects, or any purpose beyond those listed above.

🤝 How We Share Your Information

We do not sell personal information. We share it only in these limited circumstances:

Hosting infrastructure. The App runs on a server hosted by a third-party provider. That provider may have technical access to server data as part of normal operations but is contractually prohibited from using it for any other purpose.
Payment processor. When you purchase a paid module, your payment details are handled entirely by our third-party payment processor. We receive only a transaction confirmation; the processor's own privacy policy governs how it handles your payment data.
Legal requirements. We may disclose information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights or safety of any person.

No other sharing occurs. We do not share data with advertisers, data brokers, analytics companies, or social media platforms.

🧒 Children's Privacy (COPPA)

The App is designed for use by young children under the supervision of a parent or guardian. We comply with the Children's Online Privacy Protection Act (COPPA) and similar laws.

Parental consent required for children under 13. Accounts for children under 13 must be created and managed by a verifiable parent or legal guardian. By registering such an account, you confirm you are the child's parent or guardian and consent to the collection described in this policy on the child's behalf.
We do not market to children. The App contains no advertising, no in-app purchase prompts directed at children, and no mechanisms to collect information from children beyond what is required to run the learning activities.
Parental review and deletion. At any time, a parent or guardian may request to review, correct, or delete the personal information associated with their child's account. We will honour such requests within 30 days. See the Contact section below.
No third-party tracking of children. We do not embed third-party trackers, social widgets, or advertising SDKs in any part of the App accessible to children.

🍪 Cookies & Local Storage

The App uses a small number of browser storage mechanisms:

localStorage (authentication token). After signing in, a JSON Web Token (JWT) is stored in your browser's localStorage to keep you signed in across sessions. This token expires after 7 days. It is never used for tracking or advertising.
httpOnly cookie (image auth). A short-lived session cookie is set to authorise access to user-uploaded images. It contains no personal information beyond a session identifier.

We do not use third-party cookies, advertising cookies, or any persistent tracking cookies. You can clear localStorage and cookies at any time through your browser settings; doing so will sign you out of the App.

🗄️ Data Retention

Active accounts. Account and progress data is retained for as long as the account is active and in use.
Inactive accounts. Accounts with no login activity for 12 consecutive months may be deleted. Where contact information is available, we will provide at least 30 days' notice before deletion.
Account deletion. When you delete your account — either through the profile page or by contacting us — we permanently erase all associated personal data, progress records, achievements, and uploaded images within 30 days. Aggregate, non-identifying usage statistics that cannot be linked back to you may be retained.
Backups. Deleted data may persist in encrypted server backups for up to 30 additional days before those backups are rotated and the data is irrecoverably removed.

🔐 Security

We implement industry-standard measures to protect your information:

Passwords are stored as one-way cryptographic hashes (bcrypt) — we cannot recover or read your password.
Authentication uses signed JWTs with expiry; tokens are never transmitted in plain text.
All data is transmitted over HTTPS (TLS).
User-uploaded images are stored outside the publicly accessible web root and served only to authenticated users.

No system is perfectly secure. If you believe your account has been compromised, please contact us immediately so we can help secure it.

⚖️ Your Rights

Depending on where you are located, you may have the following rights regarding your personal information. We honour these rights for all users regardless of jurisdiction.

Access. You may request a copy of the personal information we hold about you or your child.
Correction. You may update your display name, age, and avatar directly from the profile page. For other corrections, contact us.
Deletion. You may delete your account and all associated data at any time from the profile page, or by contacting us. We will complete the deletion within 30 days.
Restriction. You may ask us to stop processing your data for improvement purposes (aggregate usage logging) while retaining your account.
Portability. You may request an export of your learning progress data in a structured, machine-readable format.
Withdraw consent. Where processing is based on consent (e.g., parental consent for a child's account), you may withdraw that consent at any time by deleting the account.

To exercise any of these rights, contact us as described below. We do not require you to create an account or pay a fee to make a request.

🌍 International Users

The App is operated from the United States. If you are accessing it from outside the United States — including from the European Economic Area (EEA), United Kingdom, or Canada — please be aware that your information will be transferred to, stored, and processed in the United States. Data protection laws in the US may differ from those in your country.

For users in the EEA or UK, our legal basis for processing personal data is:

Contract performance — processing necessary to provide the App you signed up for.
Legitimate interests — aggregate usage analysis to improve the App, where those interests are not overridden by your rights.
Consent — for the creation of a child's account, we rely on parental consent as required by COPPA and Article 8 of the GDPR.

🔄 Changes to This Policy

We may update this Privacy Policy from time to time. The effective date at the top of this page reflects the most recent revision. For material changes — such as collecting new categories of data or sharing data with new third parties — we will provide at least 14 days' notice via a prominent notice within the App before the change takes effect.

Continued use of the App after an updated policy is posted constitutes acceptance of the revised terms. If you do not agree to a change, you may delete your account before it takes effect.

📬 Contact Us

For any privacy-related questions, requests to exercise your rights, or concerns about how we handle your data, please email us at [email protected].

We aim to acknowledge all inquiries within 5 business days and to fully resolve data-related requests within 30 days. For COPPA-related requests (parental review or deletion of a child's data), we treat these as highest priority.