Privacy Policy
Version 1.0 · Effective 2026-05-20 · Parent quick summary
A note for kids
English4Kids never sends your voice over the internet. Your nickname stays on your device. Your grown-up can see what you learned, but no one else.
1. Data Controller
The data controller for the information processed through English4Kids is the operator of English4Kids (legal entity to be confirmed before public launch). Our EU representative under GDPR Article 27 is the operator (EU GDPR Article 27 representative to be confirmed before EU launch).
For any privacy question, including data-subject requests, write to the support address listed on the launch site. We respond within 30 days as required by GDPR Article 12(3).
2. What We Collect
The table below lists every category of data we touch. Anything not listed here is not collected.
| Data | Where it lives | Notes |
|---|---|---|
| Display name (an animal nickname, e.g. “Sunny Otter”) | Local (Dexie). Optional cloud sync after VPC. | No real names asked. |
| Age band (6–8 or 9–12) | Local + cloud (post-VPC). | No exact birth date. |
| Progress scores per lesson (0–100) | Local + cloud (post-VPC). | For resuming and the parent dashboard. |
| Pronunciation score (numeric 0–100, NEVER audio) | Local + cloud (post-VPC). | Audio is processed on-device only. |
| Audit events (lesson started/completed, settings changes) | Local 90 days + cloud 90 days. | For the parent dashboard activity log. |
| Parent email | Cloud only, ONLY if the parent completes the VPC upgrade. Resend stores delivery metadata. | Transactional use only. |
| Parent password hash (Argon2id) | Cloud (managed by Supabase Auth). | Plain text never stored. |
| User settings (volume, locale, mascot, font) | Local + cloud (post-VPC). | Preferences only. |
| IP address | Plausible (parent dashboard only, hashed and discarded daily); Supabase auth logs 30 days. | Never linked to a child profile. |
| Raw microphone audio | NEVER STORED, NEVER TRANSMITTED. | Processed on-device by Web Speech or whisper.wasm. |
We do not collect: phone numbers, real names, exact ages, precise location, contact lists, photos, video, audio recordings, or persistent advertising identifiers. We do not place third-party trackers on any page a child can see.
3. Microphone Policy
- Parent gate before first enable. The microphone is off until a grown-up passes the math challenge and turns it on.
- Persistent red-dot indicator. A visible red dot in the top bar appears whenever the microphone is active. Your child can tap it to stop at any time.
- On-device STT only. Speech-to-text runs in the browser (Web Speech API) or via an offline WASM model (whisper.cpp). The audio waveform never leaves the device.
- Only a numeric score crosses the network, and only after the parent completes the VPC email-plus upgrade.
- Auto-disable after 30 minutes of continuous use.
- Parent kill-switch in the Parent Dashboard disables the microphone globally without losing other progress.
See the full parent quick summary for a one-page version.
4. Cloud Sync & Email Verification
Every account is anonymous-first. Local progress is stored on the device only until the parent explicitly upgrades the account by verifying an email address.
The upgrade uses email-plus VPC (verifiable parental consent): we send a first confirmation email, then require a second confirmation no sooner than 24 hours later. The 24-hour delay is enforced on the server, not in the browser, so it cannot be shortened by reloading.
Cloud sync activates only after the second confirmation succeeds. We enforce a three-layer anonymous-first gate: (a) the client refuses to enqueue rows when the profile is anonymous, (b) a Postgres trigger rejects writes from anonymous profiles, and (c) the sync edge function returns 403 if either of the previous checks is bypassed.
Data residency: Supabase Postgres is hosted in the EU region for EU-resident users.
5. Email
We use Resend as our transactional email provider. Resend processes the parent email address solely to deliver the two VPC confirmation messages and Supabase’s own final verification email.
We do not send marketing emails, newsletters, or drip campaigns. The parent can request deletion at any time from the Parent Dashboard.
6. Error Logging
We use Sentry to capture JavaScript errors so we can fix bugs. Sentry is configured to capture errors only — no session replay, no profiling, no performance traces beyond a 10% sampling of transaction starts.
PII is scrubbed at the SDK level before the event leaves the browser: a regex-based filter redacts display_name, email, nickname, and related tokens from event messages and breadcrumb bodies. sendDefaultPii is disabled, so IPs and identifying headers are not forwarded.
The Sentry SDK is DSN-gated: when the NEXT_PUBLIC_SENTRY_DSN environment variable is unset, the SDK does not load and no errors are sent anywhere.
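The scrubbing and DSN gate described above, as an added example that is not English4Kids' own code. The regex patterns, function names, and sample event are assumptions; beforeSend and sendDefaultPii are Sentry SDK options.

```javascript
// Added example. Patterns and names are assumptions, not the app's real filter.
const KEYED = /\b(display_name|nickname|email)\b(["']?\s*[:=]\s*)("[^"]*"|'[^']*'|[^\s,;&}]+)/gi;
const EMAIL = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;

// Redact key/value pairs first, then any bare email address left in the text.
function scrubText(text) {
  if (typeof text !== "string") return text;
  return text
    .replace(KEYED, (_m, key, sep) => `${key}${sep}[redacted]`)
    .replace(EMAIL, "[redacted-email]");
}

// Shaped for Sentry's beforeSend hook: returns a scrubbed copy of the event.
function scrubEvent(event) {
  const out = { ...event, message: scrubText(event.message) };
  if (event.exception && Array.isArray(event.exception.values)) {
    out.exception = {
      ...event.exception,
      values: event.exception.values.map((v) => ({ ...v, value: scrubText(v.value) })),
    };
  }
  if (Array.isArray(event.breadcrumbs)) {
    out.breadcrumbs = event.breadcrumbs.map((b) => ({ ...b, message: scrubText(b.message) }));
  }
  return out;
}

// DSN gate: with no DSN there are no options, so the caller never loads the SDK.
function buildSentryOptions(env) {
  const dsn = env.NEXT_PUBLIC_SENTRY_DSN;
  if (!dsn) return null;
  return { dsn, sendDefaultPii: false, beforeSend: scrubEvent };
}

// Constructed sample event (not real data).
const SAMPLE_EVENT = {
  message: 'sync failed: display_name="Sunny Otter" email=parent@example.com',
  exception: { values: [{ type: "Error", value: '{"nickname":"Sunny Otter"}' }] },
  breadcrumbs: [{ category: "console", message: "retry for parent@example.com" }],
};

// Wiring, not run here:
//   const opts = buildSentryOptions({ NEXT_PUBLIC_SENTRY_DSN: process.env.NEXT_PUBLIC_SENTRY_DSN });
//   if (opts) Sentry.init(opts);
```

An unquoted value is redacted only up to the first whitespace, so a filter of this shape relies on multi-word nicknames being logged quoted or as JSON.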
7. Parent Dashboard Analytics
The Parent Dashboard area uses Plausible Analytics (EU-hosted, cookieless) to measure aggregate usage of parent features — for example, how many parents complete the VPC upgrade or use the data export tool.
Plausible does not set cookies, does not capture personal data, and does not track across sites. No consent banner is required, but we disclose it here for transparency. Plausible loads only on /parent/* routes — no child-facing route ever contacts Plausible.
8. Cookies & Storage
- IndexedDB (Dexie): Game state, progress, settings. On-device only. Never read by third parties.
- localStorage: Small hints such as “onboarding complete” and locale preference. Cleared when the parent resets the app or clears browser storage.
- No cookies on child pages. The parent dashboard uses a session-scoped Supabase auth cookie post-VPC; child sessions never set cookies.
9. Your Rights
Under COPPA, GDPR Article 8, and the UK Age-Appropriate Design Code, parents (and children) have the right to:
- Access the data we hold — available instantly via the Parent Dashboard.
- Rectify a wrong nickname or age band in Parent Settings.
- Erase everything via the “Delete all data” flow. A 7-day grace window lets you restore if you change your mind.
- Port the data in a portable JSON file via the “Data export” tool, which also reaches the parent-export edge function for a server-side DSAR.
- Object to processing by closing and removing the app.
- Withdraw consent to the microphone in Settings without losing other progress.
- Lodge a complaint with a supervisory authority (EU/UK), the ICO (UK), or the FTC (US).
10. Data Retention
- Anonymous progress: auto-purged after 18 months of inactivity.
- Audit events: 90 days (local and cloud).
- VPC pending tokens: 7 days, then automatically expired and deleted.
- IP logs (Supabase auth): 30 days.
- Scheduled deletion grace: 7 days from request, then permanently removed.
11. Contact
For any data-subject request or privacy question, write to the support address listed on the launch site.
Change Log
- v1.0 (2026-05-20): Initial production policy. Covers MVP local-first state plus Phase 2 cloud sync (email-plus VPC), Resend transactional email, Sentry error logging (DSN-gated, PII scrubbed), Plausible parent-only analytics, and the 7-day grace-delete flow.
- v0.x (Sprint 3 draft): MVP-only policy. Covered local IndexedDB storage, math gate, and on-device microphone policy. Superseded by v1.0.