Privacy Policy

1. Data Controller

The personal data controller is AppleNet SRL, headquartered at Bd. Ion Mihalache, nr. 166, sector 1, Bucharest, Romania, registered with the Trade Registry under no. J40/14687/2007, tax ID RO16775402. You can contact us at contact@gritsprout.com or through the Contact.

2. Data We Collect

We collect only the data strictly necessary for the service to function (principle of data minimization, Art. 5 GDPR):

Parent data

• Email address (for authentication and daily reports)
• First name and age (for experience personalization)
• Family nickname (for the family's unique link)

Children's data

• First name or nickname (chosen by parent)
• Avatar (chosen by child - emoji or image)
• Daily activities completed and streaks accumulated
• Access PIN (stored encrypted)

Payment data

• Card details are managed entirely by Stripe and are not stored on our servers
• We only retain the transaction reference for subscription management

Technical data

• IP address and browser information (for security and diagnostics)
• Aggregated and anonymized usage data (for service improvement)

We do not collect biometric data, location data, photographs, health data, or other special categories of children's personal data.

3. Legal Basis for Processing

We process your data based on the following legal grounds (Art. 6 GDPR):

• Performance of contract (Art. 6(1)(b)) - for account operation, displaying activities, and processing payments
• Parental consent (Art. 6(1)(a), read in conjunction with Art. 8) - for processing children's data under 16. By creating children's accounts, the parent or legal guardian provides this consent
• Legal obligation (Art. 6(1)(c)) - for compliance with tax and legal requirements
• Legitimate interest (Art. 6(1)(f)) - for service security, fraud prevention, and application improvement

4. Protection of Children's Data

We pay special attention to the protection of children's data, in accordance with Article 8 and Recital 38 of the GDPR:

• Children's accounts are created exclusively by the parent or legal guardian
• Children cannot provide personal data on their own - activities are predefined by the parent
• Children's data is not used for marketing or advertising purposes
• Children's data is not shared with third parties, except for technical services necessary for the application to function
• The child's access to the application is limited to their own activities and achievements - they do not have access to financial or account data
• The parent can view, modify, or delete the child's data at any time

5. How We Use Data

The collected data is used exclusively for:

• Operating the application and displaying children's progress
• Sending daily reports to parents via email
• Processing payments and managing subscriptions
• Account security and preventing unauthorized access
• Improving the service based on aggregated and anonymized data

We do not sell, share, or use data for advertising purposes. We do not engage in automated profiling and do not make automated decisions with significant effects on you or your children (Art. 22 GDPR).

6. Sharing Data with Third Parties

We share data only with the following service providers, strictly for the purpose of operating the application:

• Firebase (Google) - authentication. Privacy policy: firebase.google.com/support/privacy
• Stripe - payment processing (PCI DSS certified). Privacy policy: stripe.com/privacy

These providers act as data processors under data processing agreements (DPAs) compliant with Article 28 of the GDPR.

7. International Data Transfers

Some of our service providers (Firebase, Stripe) may process data outside the European Economic Area (EEA). These transfers are protected by standard contractual clauses approved by the European Commission (Art. 46 GDPR) and/or through the EU-U.S. Data Privacy Framework, as applicable.

8. Data Retention

We retain your data only as long as necessary:

• Account and activity data - for the duration of the active subscription. After account deletion, data is removed within 30 days
• Financial data - in accordance with legal tax obligations (up to 10 years)
• Backups - backups containing deleted data are removed within 90 days
• Technical data (logs) - up to 90 days, then automatically deleted

9. Your Rights

In accordance with the GDPR (Art. 15-22), you have the following rights:

• Right of access (Art. 15) - you can request a copy of all personal data we hold about you and your children
• Right to rectification (Art. 16) - you can correct inaccurate data directly in the application or by contacting us
• Right to erasure (Art. 17) - you can request complete deletion of your family's data from the account settings or by contacting us
• Right to restriction (Art. 18) - you can request limitation of the processing of your data
• Right to data portability (Art. 20) - you can request the export of your data in a structured and easily readable format
• Right to object (Art. 21) - you can object to the processing of data based on legitimate interest
• Right to withdraw consent - you can withdraw consent for the processing of your children's data at any time, which will result in the deletion of the children's accounts

To exercise any of these rights, you can contact us at contact@gritsprout.com. We will respond within 30 days of receiving your request.

10. Security

We use appropriate technical and organizational measures to protect data:

• Encryption in transit (HTTPS/TLS) for all communications
• Children's PINs are stored encrypted (hashing)
• Secure authentication via Firebase Authentication
• Restricted database access following the principle of least privilege
• Payment data is managed entirely by Stripe (PCI DSS certified)
• Regular security monitoring and audits

In the unlikely event of a security breach affecting your data, we will notify you in accordance with Article 34 of the GDPR, within 72 hours of discovery.

11. Cookies

The application uses cookies strictly necessary for the service to function (authentication and session maintenance) and, only with consent, optional analytics/attribution cookies (such as Google Analytics and Meta identifiers used for conversion measurement). Optional cookies can be accepted or declined via the consent banner and can be revoked at any time.

12. Complaints

If you believe that your personal data or your children's data is being processed incorrectly, we encourage you to contact us first to resolve the situation. You also have the right to file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP):

• Website: www.dataprotection.ro
• Email: anspdcp@dataprotection.ro
• Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest

13. Changes to This Policy

We reserve the right to update this privacy policy. You will be notified by email of any significant changes at least 30 days before they take effect. The date of the last update is displayed at the top of this page.

14. Contact

For any questions regarding privacy, to exercise your rights, or for any concerns regarding your children's data, you can contact us at contact@gritsprout.com or through the Contact.