Privacy Policy

1. Introduction

Spell & Grow (“the App”) is a children’s spelling application operated by Igloo Labs (“we”, “us”, “our”). We are committed to protecting the privacy of all our users, especially children. This policy explains what data we collect, why, how we use it, and what rights you have.

Spell & Grow is designed for children aged 4–13 and is intended to be used under the supervision of a parent or guardian. We comply with the UK General Data Protection Regulation (UK GDPR), the Children’s Online Privacy Protection Act (COPPA), and the EU GDPR (including provisions for children’s data, commonly referred to as “GDPR-K”).

2. Our Privacy Principles

• No advertisements. The App contains no ads of any kind — no banners, video ads, or sponsored content.
• No tracking or profiling. We do not use analytics SDKs that track children. We do not build behavioural profiles or share data with advertisers.
• Data minimisation. We collect the minimum data necessary for the App to function. Most data stays on the device.
• No account required for children. Children never create accounts. Profiles are created locally on the device by a parent or guardian.
• Encryption. All data transmitted to our servers is encrypted in transit (TLS) and at rest.

3. Data We Collect

3.1 Data stored on the device only

By default, all spelling data is stored locally on the child’s device using encrypted on-device storage. This includes:

• Child’s first name (chosen by the parent)
• Profile settings (difficulty tier, avatar)
• Spelling progress (words attempted, accuracy, streaks)
• Practice Boost queue (spaced repetition data)
• App preferences (sound, animations)

This data does not leave the device unless cloud sync is explicitly enabled by the parent.

3.2 Cloud sync (optional, parent-controlled)

Parents may optionally enable cloud sync to back up and synchronise data across devices:

• On iOS: Data is synced to the parent’s own iCloud account. We have no access to this data.
• On Android: Data is synced to the parent’s own Google Drive account. We have no access to this data.
• On web: Data is synced to our servers (Supabase, hosted in the EU) and requires a parent account.

3.3 Parent accounts (optional)

Parents may create an account (using Google, Apple, or email) to access the web version, view progress, or manage subscriptions. We collect:

• Email address
• Display name (if provided by the sign-in provider)
• Authentication tokens (managed by Supabase Auth)

Parent accounts are never required to use the App on mobile devices.

3.4 School-linked data (if applicable)

If a parent links their child’s profile to a school using a join code, the following data is shared with the school:

• Child’s first name
• Anonymous device-generated identifier
• Spelling progress and accuracy scores

No surname, date of birth, email address, or device identifier is shared. Parents can unlink from a school at any time. Schools’ use of this data is governed by a separate Data Processing Agreement.

3.5 Subscription data

Subscriptions are managed by RevenueCat (on mobile) and Stripe (for schools). We receive anonymous purchase receipts and subscription status. We never see or store payment card details.

3.6 Error monitoring

We use Sentry for crash reporting. All personal data is automatically stripped before transmission. Error reports contain only technical information (stack traces, OS version, app version). No child data reaches Sentry.

3.7 Audio generation

Word and sentence audio is generated using ElevenLabs text-to-speech during development. Only plain text words and sentences are sent to ElevenLabs — no personal data of any kind. This is a batch process, not triggered by end users.

4. How We Use Data

We use the data described above solely to:

• Provide spelling practice and track progress within the App
• Sync data across devices when cloud sync is enabled
• Manage parent accounts and subscriptions
• Share progress with linked schools (when opted in by parents)
• Monitor and fix application errors

We do not use data for advertising, marketing, profiling, or any purpose unrelated to the App’s core functionality.

5. Data Sharing

We do not sell, rent, or share personal data with third parties for their own purposes. Data is only processed by our sub-processors as necessary to provide the service:

• Supabase (EU, London) — database, authentication, audio storage
• Sentry (EU) — error monitoring (anonymised data only)
• RevenueCat (US, with EU SCCs) — subscription management (anonymous IDs only)
• Stripe (EU) — school subscription billing (no child data)
• Vercel (EU) — website hosting (server logs only)
• ElevenLabs (US, with EU SCCs) — audio generation (word text only, no personal data)

6. Data Retention

• On-device data is retained until the profile is deleted by the parent or the App is uninstalled.
• Cloud sync data stored in the parent’s iCloud or Google Drive is managed by the parent.
• Server-side data (web sync, school data) is retained while the account or school link is active. Parents can request deletion at any time.
• Error logs are automatically purged by Sentry after 90 days.

7. Children’s Privacy (COPPA & GDPR-K)

Spell & Grow is designed specifically for children and takes the following measures:

• Children never create accounts or provide personal information directly.
• All profile creation and settings changes are performed by a parent or guardian through the PIN-protected Parent Area.
• The App contains no external links (except this privacy policy), no social features accessible to children under 7, and no mechanisms for children to disclose personal information.
• Sharing features (e.g. progress cards) are COPPA-gated: only available for children aged 7+ in-app, and always available in the Parent Area for younger children.
• We do not knowingly collect personal information from children without parental consent.

8. Your Rights

Under UK GDPR and EU GDPR, you have the right to:

• Access your data (or your child’s data)
• Rectify inaccurate data
• Erase your data (“right to be forgotten”)
• Export your data in a portable format
• Object to processing
• Withdraw consent at any time

On-device data can be deleted by removing the profile in the Parent Area. For server-side data, contact us at the address below.

9. Data Security

We protect data using industry-standard measures including:

• TLS encryption for all data in transit
• Encryption at rest for server-side databases
• Row-Level Security (RLS) on Supabase to prevent cross-account data access
• PII sanitisation in application code before any data reaches error monitoring services
• Regular security reviews and dependency updates

10. Third-Party Links

The App does not contain links to third-party websites or services (except this privacy policy, as required by law). We do not embed third-party content in the child-facing experience.

11. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated through the App or via email to registered parent accounts. The “last updated” date at the top of this page will always reflect the most recent revision.

12. Contact Us

If you have questions about this privacy policy, your data, or your child’s privacy, please contact us:

• Email: privacy@spellandgrow.app
• Data Protection Officer: privacy@spellandgrow.app
• Postal address: Igloo Labs, London, United Kingdom

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe your data protection rights have not been respected.