Privacy Policy

KidSpark (“KidSpark”, “we”, “our”, “us”) is a game-based learning platform for children aged 5–12, covering maths, finance, English, geography, and computer science. We are the data controller responsible for the personal data processed through the KidSpark web application.

For all data protection enquiries, please contact us at: privacy@kidspark.app

KidSpark is operated under the laws of England and Wales. We process personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where our users are based in the European Economic Area (EEA), we also comply with EU GDPR. Where applicable, we comply with the Children's Online Privacy Protection Act (COPPA) for users in the United States.

Account information (parent / guardian):

• Full name and email address (provided at registration or via Google sign-in)
• Profile photo (optional; supplied by Google if you use Google sign-in)
• Password (stored as a one-way hash by Firebase Authentication — we never see your password)
• Notification and communication preferences
• Consent record: the date, time, IP address, device details, and version of policies you accepted at signup

Children's information (added by you):

• Child's first name and date of birth
• Child's avatar and display name
• Chosen subjects and difficulty/level preferences
• Daily time limits you configure
• Learning progress: game scores, completed exercises, stars earned, and session history
• Rewards and achievements unlocked within the app

Usage and technical data:

• IP address (captured server-side at consent and sign-in)
• Browser type, operating system, and device identifiers
• Pages visited, games played, and session duration (via Firebase Analytics if enabled)
• Error logs and crash reports

All children's data — including names, learning progress, avatars, and game history — is entered by, and stored under, the parent or guardian's account. You are solely responsible for ensuring you have the appropriate authority to store data about the children you add to your account.

Children's learning data:Game scores, session history, and progress records are stored in Firebase Firestore under your account's private folder, accessible only to your authenticated account.

COPPA (US users):If you are located in the United States, we comply with the Children's Online Privacy Protection Act. We do not knowingly collect personal information from children under 13 as account holders. If you believe a child under 13 has created an account without parental consent, please contact us at privacy@kidspark.app and we will delete the account promptly.

• Account data — necessary to perform the contract with you (provide the KidSpark service). Legal basis: contract performance (UK GDPR Article 6(1)(b)).
• Children's data you enter — you provide explicit consent for us to store and process this data when you create your account and add children. Legal basis: consent (UK GDPR Article 6(1)(a)) and legitimate interests in delivering the core service.
• Usage and technical data — used to operate, secure, and improve the service. Legal basis: legitimate interests (UK GDPR Article 6(1)(f)) — specifically our interest in maintaining a secure and functional service.
• Marketing emails — only sent if you opt in during signup. Legal basis: consent (UK GDPR Article 6(1)(a)). You can withdraw consent at any time by unsubscribing.

KidSpark is built on Google Firebase, which is ISO 27001 certified and SOC 2 Type II compliant. Your data is stored in Google's secure cloud infrastructure.

• Firestore (database):All structured data (account information, children's profiles, learning progress) is stored in Google Cloud Firestore with strict security rules enforced at the database level — only the authenticated account owner can read or write their own data.
• Firebase Authentication:Passwords are hashed using industry-standard algorithms. We use Firebase Auth's secure session management with server-verified session cookies.
• Encryption in transit: All data is transmitted over HTTPS/TLS. We do not support HTTP connections.
• Encryption at rest: All data stored in Firebase (Firestore) is encrypted at rest by Google.

Breach notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority (the ICO in the UK) within 72 hours of becoming aware, as required by UK GDPR Article 33.

We do not sell your personal data. We only share it with the following service providers who help us operate KidSpark, and only to the extent necessary:

• Google Firebase (Google LLC) — authentication, database, and hosting infrastructure. Data may be stored in the United States or European Union data centres. Google is certified under the EU-US Data Privacy Framework. Google Firebase Privacy

We may also disclose your data where required by law, to comply with a court order, or to protect the safety of our users or the public.

• Account and children's data:Retained for the lifetime of your account, plus 30 days following account deletion to allow for recovery in case of accidental deletion.
• Learning progress and game history:Retained until you delete the child profile or your account. After account deletion, all records are permanently removed within 30 days.
• Consent records: Retained for the duration of your account plus 7 years, to demonstrate legal compliance.
• Server logs: Retained for up to 90 days for security and debugging purposes, then automatically deleted.

Under UK GDPR and EU GDPR, you have the following rights. To exercise any of them, contact us at privacy@kidspark.app. We will respond within 30 days.

• Right of access: You can request a copy of all personal data we hold about you and your children.
• Right to rectification: You can correct inaccurate personal data directly within the app (Settings → Profile) or by contacting us.
• Right to erasure (“right to be forgotten”): You can request deletion of your account and all associated data, including your children's profiles and progress. We will complete erasure within 30 days.
• Right to data portability: You can request an export of your data in a machine-readable format. Contact us at privacy@kidspark.app.
• Right to restrict processing: You can ask us to restrict processing of your data in certain circumstances.
• Right to object: You can object to processing based on legitimate interests at any time. You can also withdraw marketing consent by unsubscribing from any email we send.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

KidSpark uses a minimal set of cookies necessary to operate the service:

• Session cookie: A secure, HTTP-only session cookie is used to maintain your authenticated session. This cookie is essential and cannot be disabled without breaking the service.
• Firebase Analytics:We may use Firebase Analytics to understand how features are used. This data is aggregated and does not identify individual users. You can opt out of analytics by enabling “Do Not Track” in your browser or using a browser extension that blocks analytics.

We do not use advertising cookies or sell data to advertising networks. We do not use behavioural tracking or cross-site tracking.

Your data may be transferred to and processed in countries outside the UK and EEA, including the United States, where our infrastructure provider (Google Firebase) operates.

Where data is transferred outside the UK/EEA, we rely on appropriate safeguards including:

• UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs)
• The EU-US Data Privacy Framework (where applicable)
• Adequacy decisions by the UK or EU authorities

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on your account) at least 14 days before the change takes effect, or by displaying a prominent notice within the app.

The “Last updated” date at the top of this page indicates when the policy was last revised. Continued use of KidSpark after the effective date of any change constitutes acceptance of the updated policy.

The version you accepted at signup is recorded in your consent record.

For all privacy-related enquiries, data subject requests, or complaints:

• Email: privacy@kidspark.app

We aim to respond to all data-related requests within 30 days. For urgent matters relating to a suspected data breach or child safety, please mark your email “URGENT” and we will respond within 24 hours.