Privacy Policy

1. Who we are

Brainsmith (“we”, “us”, or “our”) is operated by Brainsmith, Inc. (“Brainsmith”). You can contact us at privacy@brainsmith.app.

2. Summary (the short version)

• We collect the minimum data needed to run the app.
• The app is for kids 6–10. Only a parent or legal guardian can create an account. Kids do not sign up directly.
• We do not show ads. We do not sell or rent personal information. We never use kid data for advertising or marketing.
• All kid activity data is stored under the parent's account and only the parent can see it.
• We use third-party services (Supabase, RevenueCat, Sentry, PostHog) to operate the app — see Section 8 for what each one sees.

3. COPPA compliance

Brainsmith is directed in part to children under 13. We comply with the Children's Online Privacy Protection Act (COPPA).

• The parent must create the account and explicitly grant verifiable parental consent before any kid profile can be created or any kid activity data is collected.
• We do not knowingly collect more personal information from a child than is reasonably necessary to participate in the activity.
• A parent can review, delete, or request export of all kid data at any time from the Parent Lounge → Settings → Privacy.

The verifiable consent mechanism we use is confirmed at the time of subscription purchase. Please contact privacy@brainsmith.app for details.

4. What we collect

From parents

• Email address (for account login + receipts).
• Display name (optional).
• Subscription status (managed by RevenueCat → Apple / Google / Stripe).
• Notification preferences.
• Device information (model, OS version) for crash reporting (Sentry).

From kids (under the parent's account)

• Display name or nickname (parent-provided).
• Birth year only (NOT full date of birth). Used to surface age-appropriate content.
• ADHD diagnosis flag if the parent indicates it (used for in-app copy framing — never shared, never used for marketing).
• Per-game scores, accuracy, response times, and difficulty level.
• Streaks and theme preferences.

We do not collect: precise geolocation, full date of birth, photos or video of the child, contact lists, microphone or camera input, behavioral advertising IDs, or persistent device identifiers beyond what RevenueCat/Apple/Google provide for receipt validation.

5. How we use it

• To run the app: render the warmup, save scores, compute streaks, render the parent dashboard.
• Aggregate, de-identified analytics: which games are popular, completion rates, retention. We use PostHog for this and we never include kid display name, birth year, or any kid-identifying field in analytics events.
• Customer support and account recovery.
• Compliance with applicable law.

We do not use kid data to train AI/ML models, and we do not share kid data with any third party except the operational sub-processors listed in Section 8.

6. How long we keep it

• Kid data is retained while your subscription is active and for 90 days after cancellation, then permanently deleted.
• Parents can trigger immediate deletion at any time from the Parent Lounge.

7. Security

• All data in transit is encrypted (TLS 1.2+).
• Database access is gated by Postgres row-level security: a parent's API requests can only ever see rows under their own account.
• We follow OWASP guidance for mobile and web security.

8. Sub-processors

9. Your choices

Parents can:

• Review, export, or delete all kid data from Parent Lounge → Settings → Privacy.
• Disable notifications.
• Cancel subscription at any time via Apple / Google / Stripe.
• Request that we delete the parent account: privacy@brainsmith.app.

10. International users

Brainsmith is currently offered only in the United States. We do not intentionally direct the app to users in the EEA, UK, or other jurisdictions, but if you access the app from outside the US, you are responsible for compliance with local law.

11. Changes to this policy

If we make a material change, we will email account holders at least 30 days before the change takes effect.