Privacy Policy
Effective Date: January 1, 2025
Last Updated: December 29, 2024
Version: 1.0
Introduction
Welcome to Glow & Grow! We are committed to protecting the privacy and security of our users, especially children. This Privacy Policy explains how we collect, use, disclose, and safeguard information from parents and children who use our educational platform.
Important Information:
- Glow & Grow is designed for students in grades 3-5 (typically ages 8-11)
- We comply with the Children's Online Privacy Protection Act (COPPA) in the United States
- We comply with the General Data Protection Regulation (GDPR) in the European Union
- We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
- Parents create and manage all accounts - children cannot sign up independently
Contact Information:
1. Information We Collect
1.1 Information from Parents
When parents create an account, we collect:
- Parent's email address (used for account login and communication)
- Parent's name (first name)
- Password (encrypted and stored securely)
- Google profile information (if signing in with Google):
- Email address
- Name
- Profile picture (optional)
- Google account ID
1.2 Information About Children
With parental consent, we collect:
- Child's first name (for personalization)
- Grade level (3rd, 4th, or 5th grade)
- Learning progress data:
- Exercise completion records
- Quiz scores and answers
- Time spent on activities
- Learning strengths and areas for improvement
- Gamification data:
- Experience points (XP)
- Achievement levels
- Streak counts
- Earned badges
- Educational analytics:
- Performance patterns
- Knowledge gaps identified by our AI
- Recommended next exercises
1.3 Information We DO NOT Collect from Children
We do NOT collect:
- Children's email addresses (except auto-generated internal identifiers)
- Children's photographs
- Children's physical addresses
- Children's phone numbers
- Children's geolocation data
- Children's social media information
- Any personal information beyond what is necessary for educational purposes
1.4 Technical Information
We automatically collect certain technical information:
- Device information: Device type, operating system, browser type
- Usage data: Pages visited, features used, session duration
- Cookies: Authentication tokens, language preferences (see Cookie Policy)
- IP addresses: For security and to comply with legal obligations
2. How We Use Information
2.1 Educational Purposes
We use children's information to:
- Provide personalized learning experiences
- Track educational progress and achievements
- Adapt exercise difficulty based on performance
- Identify knowledge gaps and recommend appropriate content
- Generate learning insights for parents
- Award XP, levels, badges, and maintain streak counts
2.2 Platform Operation
We use information to:
- Authenticate users and maintain account security
- Provide customer support to parents
- Send important account notifications (to parents only)
- Improve our educational content and features
- Ensure platform security and prevent fraud
- Comply with legal obligations
2.3 AI-Powered Features
Our platform uses artificial intelligence to:
- Provide smart hints during exercises (not chatbot conversations)
- Recommend appropriate next exercises based on performance
- Detect knowledge gaps and suggest targeted practice
- Analyze learning patterns to optimize educational content
Important: Our AI features are educational tools, not conversational chatbots. Children do not engage in open-ended chat conversations with AI.
2.4 Communications
We send emails to parents only (never directly to children):
- Account creation confirmations
- Password reset requests
- Important platform updates
- Educational progress reports
- Security notifications
3. How We Share Information
3.1 We Do NOT Sell Children's Information
We do NOT and will NEVER:
- Sell children's personal information to third parties
- Use children's information for behavioral advertising
- Share children's information for marketing purposes
- Allow third-party advertising networks to collect children's data
3.2 Limited Third-Party Services
We share information only with essential service providers:
Google OAuth (Authentication)
- Purpose: To allow parents to sign in using their Google accounts
- Information shared: Email address, name, profile picture (if provided)
- Privacy Policy: https://policies.google.com/privacy
- Data retention: We store only the Google account ID and profile information you choose to share
Self-Hosted Infrastructure
- All educational data is stored on our own servers
- We do not use third-party analytics services
- We do not use third-party advertising services
- Database: SQLite (stored locally on our servers)
3.3 Legal Requirements
We may disclose information when required by law:
- To comply with court orders, subpoenas, or legal processes
- To protect the safety of children or others
- To investigate fraud or security issues
- To enforce our Terms of Service
3.4 Business Transfers
In the event of a merger, acquisition, or sale of assets:
- We will notify parents via email before any transfer of children's information
- The acquiring entity must honor this Privacy Policy
- Parents will have the opportunity to delete their children's accounts
4. Parental Rights and Controls
4.1 COPPA Rights (United States)
Parents have the right to:
- Review all personal information collected from their child
- Request deletion of their child's personal information
- Refuse further collection or use of their child's information
- Update or correct their child's information
4.2 GDPR Rights (European Union)
Under GDPR, parents and users have the right to:
- Access: Request a copy of all personal data we hold
- Rectification: Correct inaccurate or incomplete data
- Erasure ("Right to be Forgotten"): Request deletion of personal data
- Restriction: Limit how we process personal data
- Data Portability: Receive data in a machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time without affecting prior processing
4.3 PIPEDA Rights (Canada)
Canadian users have the right to:
- Know what personal information we collect and why
- Access their personal information
- Challenge the accuracy of their information
- Request deletion of their information
4.4 How to Exercise Your Rights
To exercise any of these rights:
- Email us at privacy@glowandgrow.fun
- Include your account email address
- Specify your request (access, deletion, correction, etc.)
- We will respond within 30 days (or as required by applicable law)
Account Management:
- Parents can update child information through their dashboard
- Parents can delete their child's account at any time
- Upon deletion, we will remove all personal information within 30 days
5. Data Security
5.1 Security Measures
We implement industry-standard security measures:
- Encryption: All passwords are hashed using bcrypt
- Secure transmission: HTTPS encryption for all data transfers
- Access controls: Limited employee access to personal information
- Regular security audits: Ongoing monitoring and testing
- Secure authentication: Token-based authentication system
5.2 Data Storage
- Location: Data is stored on secure servers in [Specify location for GDPR compliance]
- Database: SQLite database with restricted access
- Backups: Encrypted backups stored securely
- Retention: See Section 6 for data retention policies
5.3 No Absolute Security
While we implement strong security measures, no internet transmission is 100% secure. We cannot guarantee absolute security but continuously work to protect user information.
6. Data Retention
6.1 Active Accounts
We retain personal information as long as accounts remain active and as necessary to:
- Provide educational services
- Comply with legal obligations
- Resolve disputes
- Enforce our agreements
6.2 Account Deletion
When a parent deletes an account:
- Personal information is deleted within 30 days
- Learning progress and exercise data are permanently deleted
- Some information may be retained for legal compliance (e.g., transaction records for tax purposes)
6.3 Inactive Accounts
Accounts inactive for 3 years will be:
- Flagged for review
- Parent notified via email
- Deleted after 6 months if no response (with 60-day notice)
6.4 Legal Retention
We may retain certain information longer when required by law:
- Financial records: As required by tax laws
- Security logs: For fraud prevention and investigation
- Legal disputes: Until resolution
7. Cookies and Tracking
7.1 Types of Cookies We Use
Essential Cookies (Required)
- Authentication tokens (to keep users logged in)
- Language preference (English/French selection)
- Session management
We Do NOT Use:
- Third-party advertising cookies
- Third-party analytics cookies (like Google Analytics)
- Social media tracking cookies
- Cross-site tracking cookies
7.2 Cookie Management
- Essential cookies are required for the platform to function
- You can delete cookies through your browser settings
- Deleting authentication cookies will require re-login
For more details, see our full Cookie Policy.
8. International Data Transfers
8.1 Data Processing Locations
Our servers are located in [Specify location]. If you access Glow & Grow from outside this region:
- Your data may be transferred to and processed in [Location]
- We ensure appropriate safeguards are in place
- For EU users, we comply with GDPR requirements for international transfers
8.2 GDPR Safeguards
For transfers from the EU:
- We implement Standard Contractual Clauses (SCCs) where required
- We ensure adequate protection equivalent to GDPR standards
- You have the right to request information about transfer safeguards
9. Children's Privacy Protections
9.1 Age Restrictions
- Glow & Grow is designed for children in grades 3-5 (typically ages 8-11)
- Children cannot create accounts independently
- All accounts must be created by a parent or legal guardian
- We require verifiable parental consent before collecting children's information
9.2 Parental Consent
Before collecting any information from a child:
- Parent creates an account with their email address
- Parent provides child's first name and grade level
- Parent accepts this Privacy Policy and Terms of Service
- Parent confirms they are the legal guardian
9.3 No Behavioral Advertising
We do NOT:
- Show behavioral advertising to children
- Create advertising profiles based on children's activities
- Allow third-party advertisers to target children
- Use children's information for marketing purposes
9.4 Parental Oversight
Parents have full oversight of their children's accounts:
- View all learning progress and activities
- Monitor time spent on the platform
- Review earned badges and achievements
- Delete the child's account at any time
10. Changes to This Privacy Policy
10.1 Notification of Changes
- We may update this Privacy Policy periodically
- Material changes will be communicated via email to parents
- The "Last Updated" date will reflect the most recent changes
- Continued use after changes indicates acceptance
10.2 Material Changes Affecting Children
If we make material changes to how we collect or use children's information:
- We will notify parents via email
- We will request renewed parental consent
- Parents can refuse consent and delete their child's account
11. Your Choices
11.1 What Parents Can Do
- Update information: Change child's name or grade level
- Review activity: View all learning progress and data
- Limit data collection: Close the account to stop data collection
- Delete account: Permanently remove all child data
- Export data: Request a copy of all collected data
11.2 What Children Cannot Do
For safety, children cannot:
- Change account settings independently
- Delete their own accounts
- Communicate with other users
- Share information publicly
- Access parental account information
12. Legal Basis for Processing (GDPR)
For EU users, we process personal data based on:
12.1 Consent
- Collection of children's educational data (with parental consent)
- Optional Google OAuth sign-in
12.2 Contract Performance
- Providing the educational platform services
- Account authentication and management
12.3 Legitimate Interests
- Platform security and fraud prevention
- Improving educational content
- Technical support and troubleshooting
12.4 Legal Obligations
- Compliance with COPPA, GDPR, and other laws
- Responding to legal requests
13. Contact Information
13.1 Privacy Inquiries
For privacy-related questions:
13.2 Data Protection Officer (GDPR)
For EU-related inquiries:
13.3 Supervisory Authority (GDPR)
EU users have the right to lodge a complaint with their local data protection authority:
13.4 Parental Rights Requests
To exercise parental rights under COPPA:
- Email: privacy@glowandgrow.fun
- Subject line: "COPPA Parental Rights Request"
- Include: Account email, child's name, specific request
14. State-Specific Rights (United States)
14.1 California (CCPA/CPRA)
California residents have additional rights:
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale (Note: We do NOT sell personal information)
- Right to non-discrimination for exercising rights
14.2 Other States
We extend similar rights to users in all states and will comply with state-specific privacy laws as they take effect.
Acknowledgment
By creating an account and using Glow & Grow, parents acknowledge that they:
- Have read and understood this Privacy Policy
- Consent to the collection and use of their child's information as described
- Are the legal parent or guardian of the child
- Are at least 18 years old
This Privacy Policy is effective as of January 1, 2025.
For the French version of this policy, see: Politique de Confidentialité (Français)