Privacy Policy

The short version

Plimmery is a reading app for children. Parents hold the account. We collect the bare minimum needed to teach reading: a parent email for the account, and the child's nickname, age, and lesson progress. Nothing is sold, nothing is shared for advertising, and there are no third-party trackers. You can review, export, correct, or delete your child's data at any time from the Account tab.

• No advertising. No advertising networks. Ever.
• No third-party analytics or trackers.
• We keep a basic, first-party error log to fix crashes and bugs — it's scrubbed of personal details and never shared.
• No voice or video recording of your child.
• No selling, renting, or sharing of personal information.
• No location data. No contact list access.

1. Who we are

Arkira Ventures MB ("Plimmery", "we", "us", "our") — a small partnership (mažoji bendrija) established under the laws of the Republic of Lithuania (company code 306351429, VAT LT100019659116), with its registered office at Smiltelės g. 53-11, LT-94262 Klaipėda, Lithuania — is the operator of the Plimmery reading app and the data controller for the personal information described in this policy. You can reach us about privacy at plimmeryapp@gmail.com. We aim to respond within 7 days, and within 30 days for any formal privacy request.

2. Scope of this policy

This policy describes how Plimmery handles personal information collected through our website and apps. It does not apply to third-party websites you reach via a link from Plimmery. Their practices are governed by their own privacy notices.

3. Information we collect

We've designed Plimmery so almost everything lives on your device. The categories below cover everything we collect about you or your child, even when the data never leaves your browser.

3.1 From the parent (account holder)

• Email address, provided by your identity provider (Google, Apple) or typed by you. Used to identify your account and contact you about service-critical matters.
• Display name (optional, supplied by your identity provider if it sends one). We store it against your account and show it back to you on the data-review page. We do not show it to your child.
• Parental consent record: timestamp, document version, and which affirmations you checked. Required by the U.S. Children's Online Privacy Protection Act (COPPA) to demonstrate verifiable parental consent.
• Account dates: when the account was created.
• Subscription & purchase records (only if you buy a plan): which plan you chose, its status and renewal date, and the customer / subscription / order identifiers our payment processor (Lemon Squeezy) returns. We do not receive or store your full card number — the payment processor handles the card details. Payments are made on the website; see §6.

3.2 From each child profile

You — the parent — create child profiles. We collect only what the app needs to teach reading and to remember progress between sessions:

• Nickname, if you choose to type one. We recommend a short first name or initial, not a full legal name.
• Age, if you choose one (ages 4–9). Used to pick age-appropriate lessons and default time caps.
• Learning progress: which lessons were completed, how many attempts, scores, fastest completion times, and a record of which sounds and letters the child has shown mastery of (so we don't re-teach what they already know).
• Streak data: which dates the child played, used to show streaks and recommend a break.
• Play minutes per day: used by the soft and hard time caps you configure. Not used for any other purpose.
• Per-child preferences: voice on/off, readable-spacing toggle, mascot choice, pronunciation locale (US / UK), and the time caps you set.
• Reward state: coins earned, streak freezes available. Internal game state, never linked to real-world rewards.

3.3 Information we deliberately do not collect

• No full names from children.
• No location data (no GPS, no IP-geolocation, no Wi-Fi triangulation).
• No photos, videos, or screen recordings. Plimmery never opens the camera and never asks the child to upload media.
• No microphone access. Ever.Plimmery never asks for microphone permission and never opens the browser microphone. Some lessons display a small visual hint that says "Read it out loud!" to encourage the child to vocalise, but nothing on the device is listening or recording. (Earlier internal builds used the mic for a volume-based "I heard you" cue — that was removed before launch because it provided no real pedagogical value and added an unnecessary permission surface.)
• No contact list, calendar, or address-book access.
• No device identifiers beyond what your browser exposes for normal operation.
• No biometric data.
• No social-graph or friend-network data.
• No third-party analytics (no Google Analytics, Mixpanel, Amplitude, Segment, Hotjar, Sentry, or similar).

3.4 Information collected automatically

When you use the Plimmery website or apps, the following is processed automatically:

• Browser local storage: everything described in §3.1 and §3.2 is stored in your browser's local storage under keys prefixed with plimmery:. Clearing your browser data deletes it.
• Hosting-provider request logs: like every website, requests to Plimmery pass through our hosting provider (Netlify). Netlify keeps short-lived request logs (IP address, user-agent, request path) for security and abuse prevention. We do not use those logs to profile users. Netlify's retention is governed by their privacy policy.
• First-party error log: when something breaks — a page crashes, or your child's progress fails to save to the cloud — Plimmery records a diagnostic entry (what went wrong, where it happened, and the browser type) in our own database so we can find and fix it. An entry may include your parent account id, so we can tell whether several errors hit the same account; it never includes your child's name or answers, and email-shaped text is removed before storage. Entries are kept for at most 90 days and then deleted automatically; if you delete your account sooner, entries are unlinked from your account id at that moment (see §9). They are never shared with a third party and are used only to keep the app working reliably. This is first-party only: no Google Analytics, Sentry, or similar service is involved.
• Plimmery cookies: we do not set any user-facing cookies on the main site. The only cookie Plimmery itself sets is an internal admin-auth cookie used to gate the internal admin tooling at /admin/*. It is HTTP-only, secure, scoped to /admin, and is only ever set for authorised administrators — either by visiting the /admin/unlock URL with the correct key, or when an account on our admin allowlist signs in. Regular users will never have this cookie.
• Third-party cookies: if you choose to sign in with Google or Apple, the identity provider may set its own session cookies on its own domain during the sign-in flow. Those cookies are governed by Google's or Apple's privacy notice, not ours.

3.5 Information from third parties

When you sign in with Google or Apple, that provider sends us your email address and a stable identifier we use to recognise you on return. If the provider exposes a display name, we receive that too. We do not request, and do not receive, any of your contacts, calendar, photos, or other Google/Apple account data. (Today you sign in with Google or with a one-time link sent to your email; Apple sign-in is not yet enabled.)

4. How we use information

• Run the app: show lessons, save progress, pick what to teach next, render the parent dashboard.
• Keep you signed in across visits and devices.
• Improve the learning experience for your child by adjusting recommendations to their progress. We do not use progress data to profile children for any purpose other than their own learning.
• Respond to support requests you send us.
• Comply with legal obligations, such as maintaining the parental consent audit trail required by COPPA, and responding to lawful requests from regulators.
• Detect and prevent abuse of the service (fraudulent sign-ups, automated scraping, security incidents).

We do not use any child's information for advertising, behavioural profiling, targeted marketing, building of advertising profiles, or any form of cross-context behavioural advertising — full stop.

5. Legal bases (EU / UK)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with a similar legal framework, we rely on the following legal bases under the EU and UK General Data Protection Regulations (GDPR / UK GDPR):

• Contract (Art. 6(1)(b)): to provide the service you signed up for.
• Consent (Art. 6(1)(a) + Art. 8 for children): for processing your child's data, where you provide consent on behalf of the child.
• Legitimate interests (Art. 6(1)(f)): for security, fraud prevention, and improving the service. We weigh these interests against your privacy and only rely on them where they would not override your rights.
• Legal obligation (Art. 6(1)(c)): where we must process information to comply with law (e.g., consent records).

You can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.

6. How we share information

We share the minimum needed with vetted service providers under written contracts that prohibit them from using your data for any purpose other than serving Plimmery:

• Identity providers (Google LLC, Apple Inc.): only when you sign in with them. They send us your email and a stable identifier. We send them no information about your child.
• Hosting and infrastructure: our website is hosted on Netlify. Netlify processes requests on our behalf and keeps short request logs for security.
• Cloud database (Supabase): we use Supabase as our backend database to store your account and sync your child's progress across devices. The database is hosted in the European Union (on Amazon Web Services infrastructure) and processes data only under our instructions, governed by a data processing agreement.
• Voice generation: lesson audio is generated at build time from a fixed script of words and sentences, using a text-to-speech provider. The generation never involves your child's data. Only the resulting audio files are shipped to your device.
• Payment processing (Lemon Squeezy): if you buy a plan, the checkout is handled by Lemon Squeezy, which acts as the merchant of record and processes your payment and (where applicable) sales tax / VAT. They receive your email and payment details to complete the purchase; we receive back only the subscription / order records described in §3.1. We send them no information about your child. Buying happens on our website, not inside the Android app.
• Consent confirmation email (Resend): after you give parental consent we send a confirmation email (with a one-tap way to revoke) through the email provider Resend, which processes the recipient address on our behalf to deliver that message. No child data is included.
• Legal compliance: we may disclose information to comply with valid legal process (e.g., subpoenas), to protect Plimmery, our users, or the public, or to enforce our Terms. We will give you notice unless prohibited by law.
• Business transfers: if Plimmery is acquired or undergoes a corporate restructuring, your information may be transferred as part of that transaction. We will give you notice and an opportunity to delete your account before any material change in how your data is handled.

We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We have not done either of these things in the past 12 months either.

7. Children's privacy (COPPA & equivalents)

Plimmery is directed at children. We comply with the U.S. Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506 and 16 CFR Part 312), the UK Age-Appropriate Design Code, and equivalent rules in the EEA (GDPR Art. 8). The account model is built around parental control:

7.1 Parental consent

Before we collect any personal information from your child, we verify that consent comes from you — the parent or guardian — through layered steps: (1) you sign in with a verified identity (Google or Apple, or a one-time link sent to your email, which confirms you control that email account); (2) you affirm a set of statements that establish your authority to consent on the child's behalf; and (3) we send a confirmation to your email after consent is recorded, with a way to revoke immediately if it wasn't you. Taken together, these steps are reasonably designed to ensure consent is given by the parent, taking into account available technology. We use the data we collect from your child solely for the internal operations of Plimmery and do not disclose that data to third parties for their own purposes (see §6).

7.2 Parental rights

As the parent or legal guardian of a child under 13, you have the right to:

• Review the personal information we hold about your child. The Account tab in the parent dashboard links to a data-review page that shows everything on file.
• Refuse to permit further collection or useof your child's personal information. You can withdraw consent at any time from the Account tab.
• Direct us to deleteyour child's personal information. "Delete account" in the Account tab removes everything on your device immediately and any cloud-side copies within 30 days. The one exception is the parental-consent audit record (date, policy version, affirmations checked), which COPPA requires us to keep as proof that consent was obtained — see §9.
• Have your data exported. The Data tab's "Export" action downloads a machine-readable JSON copy of everything.
• Correct inaccurate information. The Children tab lets you edit your child's nickname and age. The Settings tab lets you edit preferences. Lesson progress can be reset from the Data tab.

7.3 What happens if you refuse

If you refuse to consent or withdraw consent, we will stop collecting and using your child's personal information, and the child profile will be removed from your account. The parent account itself can remain, but lessons will not be available until consent is in place.

7.4 Schools and educators

Plimmery is not currently a classroom product. If a teacher or school wishes to use Plimmery with students, the school must obtain parental consent on our behalf, as permitted by FTC guidance under COPPA. Contact us before deploying Plimmery in an educational setting so we can put a written data-processing agreement in place.

8. Security

We use industry-standard measures to protect personal information, including encrypted connections (HTTPS), modern identity providers (Google, Apple), and limiting access to user data to the small number of people who need it to operate the service. No system is perfectly secure; we cannot guarantee the security of information transmitted to or stored by us. If we ever experience a data breach affecting your personal information, we will notify you as required by applicable law.

9. Data retention and storage

We keep a child's personal information only for as long as it is needed for the purpose it was collected — running Plimmery for that child — and we delete or anonymise it when that purpose ends or when you ask us to. We do not retain children's data indefinitely. The specific timeframes are below.

Your data is stored in two places: your own browser's local storage, and our cloud database, so your child's progress syncs across devices and survives clearing the browser. The cloud database is provided by Supabase and hosted in the European Union (on Amazon Web Services infrastructure). It holds your parent profile, each child's profile and learning progress, and your consent record — every row protected by row-level security so only your account can read it.

• While your account is active: data persists in your browser's local storage until you remove it.
• After you delete the account: everyplimmery: key is removed from your browser's local storage immediately, and your profile and your children's progress are deleted from our cloud database immediately (and in any case within 30 days), except the consent-audit record (date, policy version, affirmations checked — see §3.1), which COPPA, 16 CFR §312.5, requires us to retain as proof that consent was obtained.
• First-party error log: diagnostic entries (see §3.4) are kept for at most 90 days and then deleted automatically. If you delete your account, any entries carrying your account id are unlinked from it immediately — the technical record of the error remains, with no connection to you.
• Withdrawal of consent: removes the child profile(s) and progress from your device and our cloud database immediately and stops further collection. Your parent account and consent-audit record remain so you can re-affirm consent later if you change your mind.
• Inactive accounts: we may delete accounts that have not been used for 24 months, after giving you advance notice at the email on file.
• Hosting-provider request logs: kept by Netlify under their own retention policy. We do not store copies of those logs.

10. International data transfers

Your child's stored profile and learning progress live in our cloud database in the European Union (Supabase, on Amazon Web Services infrastructure in the EU), so that data does not leave the EEA in normal operation. Some providers we rely on are US-based: Netlify (website hosting and short-lived request logs), your chosen sign-in provider (Google or Apple), Lemon Squeezy (payment processing, only if you buy a plan), and Resend (the consent-confirmation email). For any personal data those providers process outside the EEA / UK, we rely on the European Commission's Standard Contractual Clauses and the EU-US / UK Data Privacy Framework (and equivalent safeguards). We do not transfer your child's stored profile or progress out of the EU.

11. Your privacy rights

Depending on where you live, you may have one or more of the rights below. To exercise any of them, use the controls in your Account tab or email us at the address in §1.

• Access: see what we hold about you and your child.
• Correction: have inaccurate information fixed.
• Deletion: have your personal information erased.
• Portability: receive a copy of your data in a machine-readable format.
• Restriction: ask us to limit how we use your information.
• Objection: object to processing based on legitimate interests.
• Withdrawal of consent: where processing is based on consent, withdraw it at any time.
• Lodge a complaint with your supervisory authority (e.g., the UK ICO, or the data-protection authority in your EU member state).

We will not discriminate against you for exercising any of these rights.

12. California residents (CCPA / CPRA)

Under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA"), California residents have specific rights:

• Right to know what personal information we collect, use, disclose, and share.
• Right to delete personal information we hold about you.
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information for cross-context behavioural advertising. We do not engage in either, so there is nothing to opt out of.
• Right to limit the use and disclosure of sensitive personal information. We do not use sensitive personal information for any purpose beyond providing the service.
• Right to non-discrimination for exercising any of these rights.

Categories collected (CCPA §1798.130)

• Identifiers: parent email, account id.
• Internet activity: browser-local-storage interactions with the app; short-lived server logs (IP, user-agent) for security.
• Education information: child's lesson progress and learning preferences.
• Inferences: lesson recommendations derived from progress. Not shared.

We do not collect or use the other CCPA categories (commercial information, biometric, geolocation, sensory, professional, etc.).

Sources and purposes

We collect this information directly from you and your child (via you) when you use the service, and from the identity provider you choose to sign in with. We use it for the purposes described in §4. We retain it for the periods described in §9. We do not knowingly sell or share the personal information of any consumer under 16.

Exercising California rights

California residents (and authorised agents acting on their behalf) can exercise these rights through the Account tab or by emailing us at the address in §1. We will verify your identity using your account sign-in. If we need additional information, we will request only what is necessary.

13. EU / UK users — GDPR & Children's Code

If you or your child are located in the European Economic Area or the United Kingdom, you have the rights described in §11 under the GDPR and UK GDPR. We apply the UK Information Commissioner's Age-Appropriate Design Code (Children's Code) principles to our service:

• Best interests of the child drives every product decision.
• Data minimisation: we collect only what is strictly necessary to teach reading.
• Default privacy settings: voice is on by default to enable lessons; everything beyond that is opt-in.
• No profiling for advertising or commercial purposes.
• No nudges against the child's privacy interest.
• Transparency: this policy and any notices are written in plain language a non-specialist parent can understand.
• Detrimental use: we do not use child data in ways that have been shown to be detrimental to their wellbeing.

14. Other jurisdictions

If you are in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws. If you are elsewhere and your local law provides specific rights or stricter rules, we will honour the stricter standard. Contact us at the address in §1 and we will do our best to address your request promptly.

15. Cookies and similar technologies

Plimmery does not use any cookies for analytics, advertising, or behavioural tracking. We do not set any user-facing cookies on the main site at all. We keep you signed in via your browser's local storage (not a cookie). The one cookie Plimmery itself sets is the internal admin-auth cookie scoped to the/admin route — see §3.4 for details. If you sign in with Google or Apple, those identity providers may set their own cookies on their own domains during the sign-in flow; please refer to their privacy notices. We do not respond to a browser's "Do Not Track" signal because we do not engage in tracking that the signal is designed to prevent.

16. Third-party links and services

Plimmery may link to third-party websites (for example, the sign-in pages of Google or Apple). We are not responsible for those websites' privacy practices. Their handling of your information is governed by their own policies.

17. Changes to this policy

We may update this policy from time to time. If we make a material change — for example, a new category of data, a new processor, or a new purpose for processing — we will ask you to re-affirm parental consent before you continue to use the service. The "effective date" below tracks the current version.

18. Contact us

Privacy questions, requests, or complaints can be sent to plimmeryapp@gmail.com. For COPPA-specific inquiries, please write "COPPA request" in the subject line so we can route it appropriately. We aim to acknowledge within 7 days and resolve within 30 days.