Privacy Policy

Finn Learns (“Finn Learns,” “we,” “us,” or “our”) operates the Finn Learns website, iOS app, and Android app (together, the “Service”). The Service is designed for children in kindergarten through grade 5, used under parental supervision.

You can reach us at multiclassai.adm@gmail.com.

From the parent (account holder):

• Email address — to create and recover your account, send essential service messages, and verify parental consent.
• Password — stored only as a hash by our auth provider; we never see it.

About the child (entered by the parent or chosen in-app under parent supervision):

• First name or nickname (e.g. “Mia”).
• Age or grade level (e.g. “1st grade”).
• Favorite character (so the app can pick stories featuring them).
• Reading progress, math progress, quiz results, reading minutes, and paintings the child creates inside the app.

We use this information only to run the Service: pick age-appropriate books and math levels, show progress to the parent, and let the child pick up where they left off. We do not use any of it for advertising, profiling, or any unrelated purpose.

We deliberately do not collect, and never ask the child for, any of the following:

• Email address, phone number, or any contact info from the child.
• The child’s last name, full legal name, or home/postal address.
• Precise geolocation (no GPS, no fine location).
• Photos, video, or voice recordings of the child.
• Behavioral advertising profiles, ad IDs, or third-party ad tracking.
• Cross-app or cross-site tracking. We don’t track kids around the internet.
• Persistent device identifiers tied to the child for advertising.
• Social-graph data, contacts, or any data from other apps.

Finn Learns has no chat, no messaging, no public profiles, no user-to-user features, and no third-party advertising.

Finn Learns complies with the U.S. Children’s Online Privacy Protection Act (“COPPA”). Children never create accounts directly. The flow is:

1. A parent or legal guardian creates the account using their own email and password.
2. During sign-up, the parent confirms they are 18+ and the child’s parent or legal guardian, and agrees to this Privacy Policy and our Terms of Service. This is the parent’s verifiable consent for us to collect the limited child data described in section 2.
3. The parent enters the child’s first name, age/grade, and favorite character. The child does not type any personal info.
4. Anywhere the app exposes settings, billing, account changes, or push-notification opt-in, we gate it behind a parent gate (a multi-step arithmetic challenge that a young child cannot easily solve).

We collect the minimum information necessary to provide the educational Service, and we do not condition a child’s participation on the disclosure of more information than is reasonably necessary.

The Service relies on a small set of infrastructure providers, each acting as a processor that handles data only on our instructions:

• Supabase— authentication, Postgres database, and file storage. Data is stored in the United States. Supabase processes data on our behalf and does not use it for their own purposes. See supabase.com/privacy.
• Expo Push Notifications— if the parent enables notifications, Expo’s push service routes the message to Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM). The push token is a random device token; it is not the child’s name or email. See expo.dev/privacy.

We do not share, sell, or rent personal information to third parties for advertising or marketing. We do not use third-party analytics SDKs in the kid-facing app.

We may disclose information if required by valid legal process (e.g., a subpoena), or if necessary to protect the safety of a child or our users.

We keep account data for as long as the parent maintains an active account. Reading and math progress is retained so the child can pick up where they left off.

How to delete your account: open Parent Settings → Delete Account (in the app or on the web), confirm twice, and re-type your parent email. We delete the parent account, every kid profile, and all reading progress, math progress, quiz results, and paintings immediately. Encrypted backups containing deleted data are purged within 30 days.

You can also request deletion by emailing multiclassai.adm@gmail.com from the address on file. We respond to verified requests within 30 days.

Under COPPA and similar laws, parents and legal guardians have the right to:

• Review the personal information we have collected about their child.
• Export a machine-readable copy of that information.
• Correct or update information about their child.
• Delete their child’s information and refuse further collection.

Most of these you can do yourself in Parent Settings. For a full export or anything you can’t do in-app, email multiclassai.adm@gmail.com from the parent address on file.

If the parent or child is located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (“GDPR”), including its provisions on children (“GDPR-K,” Article 8), applies.

Legal basis.Our legal basis for processing the child’s personal data is the parent or legal guardian’s consent, given at sign-up (Article 6(1)(a) and Article 8 GDPR). For the parent’s own account data, our legal basis is performance of a contract (Article 6(1)(b)) and our legitimate interest in operating a secure service (Article 6(1)(f)).

Your rights.You have the right to access, rectify, erase, restrict, port, and object to processing of personal data, and to withdraw consent at any time without affecting prior processing. To exercise these rights (a “Data Subject Access Request”), email multiclassai.adm@gmail.com. You can also lodge a complaint with your local supervisory authority.

International transfers.Our infrastructure is hosted in the United States. When data is transferred from the EEA, UK, or Switzerland to the U.S., we rely on the European Commission’s Standard Contractual Clauses (SCCs) and our providers’ equivalent safeguards.

EU representative. An EU/UK representative under Article 27 GDPR will be named here before we make the Service available to users in the EU or UK.

If you are a California resident, the California Consumer Privacy Act / California Privacy Rights Act gives you certain rights regarding your personal information.

We do not sell personal information and we do not share personal information for cross-context behavioral advertising. We have not sold or shared the personal information of any user, including any user under 16, in the past 12 months, and we do not intend to.

Your rights include the right to know what personal information we have collected, the right to delete it, the right to correct it, and the right not to be discriminated against for exercising these rights. To exercise any of these rights, email multiclassai.adm@gmail.com. We will verify the request using the parent email on file before acting.

Push notifications are opt-in. The parent must pass the parent gate and explicitly enable notifications before any are sent. We use them for things like reading-streak reminders and new-content alerts — never for advertising.

You can revoke this at any time in two places:

• In the app: open Parent Settings and toggle notifications off.
• On your device: iOS Settings → Notifications → Finn Learns, or Android Settings → Apps → Finn Learns → Notifications.

We protect data with reasonable, modern safeguards:

• All traffic is encrypted in transit using HTTPS / TLS.
• Passwords are hashed by our authentication provider (we never store cleartext).
• Database access is restricted by Supabase Row Level Security policies — only the parent account that owns a kid profile can read or modify it.
• Audio and image content is served via short-lived signed URLs.
• Production access is limited to a small set of authorized engineers.

No system is perfectly secure. If we ever experience a security incident affecting your data, we will notify you in line with applicable law.

We may update this Privacy Policy from time to time. If we make material changes — especially to how we handle children’s information — we will notify parents via the email associated with the account and via an in-app banner before the changes take effect, and where required by law we will obtain renewed parental consent.

The “Effective date” at the top of this page reflects the most recent revision.

If you have any questions or concerns about this Privacy Policy or our data practices, or if you want to exercise any of the rights described above, please contact us:

• Email: multiclassai.adm@gmail.com
• Web: finnlearns.com