Privacy Policy

⚠️ Template — review and complete before launch. Placeholders in [brackets] must be filled in, and the whole document reviewed by a qualified professional (including for COPPA/GDPR-K applicability in your jurisdiction).

Last updated: [date]

1. What we collect

From parents: email address, display name, password (hashed by our auth provider), settings (model choice, timezone, email preferences), and billing details if you subscribe [via processor name].

About children (entered by the parent): a first name or nickname and a free-text learning level. Generated during learning: activity responses (sentences, paragraphs, math answers), AI feedback, progress, streaks, badges, and the learning bank of words and math skills.

2. Children's privacy

Goose Learning is designed so children share as little as possible. Children never create accounts and are never asked for an email address, phone number, photos, or location. They sign in with a one-day code issued by their parent.

No analytics or third-party scripts run on child-facing pages. No advertising anywhere. Video embeds use YouTube’s privacy-enhanced (no-cookie) player.

Parents are in control: parents can view everything a child produced (session reports), download it (Markdown/PDF), remove individual learning items, and delete a child profile or the whole account at any time — deletion removes all of that child’s data.

[If offering the service in the US: add COPPA notice and verifiable parental consent details. The parent-managed account structure supports this, but confirm with counsel.]

3. How we use data

Solely to provide the service: generating activities and feedback, tracking progress and mastery, producing session reports, and sending the emails you have turned on. We do not sell personal data and we do not use it for advertising.

4. AI processing

Activity text (the parent’s prompts, the learner’s level, and the child’s answers) is sent to our AI provider, [Anthropic], to generate lessons and feedback. We send only what the activity needs — never names, emails, or account identifiers. [Confirm and describe the provider’s data-retention and training commitments for API traffic.]

5. Cookies

We use only strictly necessary cookies: the parent’s sign-in session and the child’s short-lived (12-hour) session cookie. No tracking cookies.

6. Storage, security, and processors

Data is stored with [hosting/database providers, regions]. Access is protected by row-level security so each family can only reach its own data; child access codes are stored only as keyed hashes. Sub-processors: [list — e.g. Supabase, Vercel, Anthropic, Resend].

7. Retention and deletion

Data is kept while your account is active. Deleting a child removes all their sessions, reports, and learning bank; deleting your account removes everything. [State backup retention window.]

8. Your rights

Depending on where you live you may have rights to access, correct, export, or erase personal data. Contact us at [email] to exercise them.

9. Changes and contact

We will announce material changes by email or in the app. Questions: [contact email and postal address].

← Back home