Privacy Policy

Nubsoft
Email: alphaexplorer@nubtech.org
Subject line: "Privacy / Data Protection"

If you have any questions or requests regarding your personal data, please contact us at the address above.

When a child uses Alphiox, we collect the following data:

• User ID: A randomly generated identifier assigned on first launch. No name, email, or personal information is required to use the app.
• Display name / avatar: A nickname and emoji avatar chosen by the child — no real names are required.
• Game progress: Words learned, stars earned, streak count, games played, and accuracy data.
• App settings: Language preference, selected theme, and game configuration.
• Session data: Game session summaries including word practiced, stars earned, and duration.
• Device locale: Used to set the default language. Not stored permanently.

We do not collect: real names, email addresses (of children), photos, location data, contacts, or advertising identifiers.

• Google account information: Display name and email address, obtained via Google Sign-In (OAuth 2.0). Used solely for authentication.
• Parent profile: Display name, selected avatar, Hub ID, and language preference.
• Linked child data: Access to the linked child's progress, settings, and game history, as described above.
• Subscription status: Whether the parent holds a free or paid subscription tier.

• Precise geographic location
• Device contacts or address book
• Camera or microphone data
• Advertising IDs or cross-app tracking data
• Any biometric information
• Children's email addresses or phone numbers

• To operate the service: Provide the spelling game, word curriculum, progress tracking, and parental controls.
• To sync progress: Allow a child's progress to be restored after reinstallation or device change.
• To personalise the experience: Remember game settings, language, theme, and avatar preferences.
• To enable parental oversight: Allow linked parent accounts to view progress, schedule words, and adjust game settings.
• To improve the app: Aggregated, anonymised usage patterns are used to improve game design and content.
• To manage subscriptions: Track subscription tier and apply the appropriate feature set.

• Contractual necessity (Art. 6(1)(b)): Processing required to provide the app and its features.
• Legitimate interest (Art. 6(1)(f)): App improvement through aggregated, anonymised analytics; fraud prevention.
• Consent (Art. 6(1)(a)): Where optional data processing is involved, we obtain explicit consent.
• Legal obligation (Art. 6(1)(c)): Where required by applicable law.

For children under 16, we rely on parental consent as required by GDPR Art. 8 and § 8 TDDDG. The parent app (Alphiox Hub) is the mechanism by which parental consent and oversight are exercised.

• No advertising is shown to children within the app.
• No social features, chat, or public profiles are available to children.
• Children cannot independently create accounts — the child app generates an anonymous ID only.
• Parents link their account to the child via QR code and can view, modify, or delete all child data at any time.
• All child data can be deleted on request by the parent or by the child (via "Delete Account" in the app).

• No advertising to children: Alphiox shows absolutely no advertisements — interest-based, contextual, or otherwise — to child users. No advertising SDKs of any kind are embedded in the children's app.
• No data collected for advertising: We do not collect, share, or sell any personal data from child users for advertising, profiling, or marketing purposes.
• No third-party analytics on child data: Game data from the children's app is processed solely on our own servers. No third-party analytics frameworks are embedded in the children's app.
• Parental consent mechanism: The Alphiox Hub parent app is the consent and oversight mechanism. A parent must actively link their account via QR code before any child data is associated with a parent profile. Children cannot independently register or share personal information.
• Age-appropriate content: All content within Alphiox — games, vocabulary, themes, badges, and reward games — is fully appropriate for children of all ages. Content is reviewed to ensure it is free from violence, adult language, and inappropriate themes.
• No social features exposing children to strangers: Children have no public profile, chat function, or ability to be discovered. The only connection mechanism is a private QR-code link initiated and controlled by the parent.
• Data deletion on request: Parents and children can delete all associated data at any time via the app's settings or by contacting us at alphaexplorer@nubtech.org. We will complete deletion within 30 days.
• No purchase flow within the children's app: All subscription purchases are made exclusively in the Alphiox Hub (parent app). Children cannot make or trigger any in-app purchases.

We do not sell personal data to third parties. We share data only with the following service providers, acting as data processors under GDPR. None of these providers receive child data for advertising purposes.

• Google (Google Sign-In): Authentication for parent accounts only. No child data is passed to Google Sign-In. Governed by Google's Privacy Policy.
• RevenueCat: Subscription management for the Alphiox Hub (parent app) only. RevenueCat processes the parent's subscription status and purchase history. No child data is shared with RevenueCat. See RevenueCat's Privacy Policy at revenuecat.com/privacy.
• Google Cloud / Vertex AI (Gemini): AI-powered learning analysis in the Alphiox Hub (parent app) for Master plan and above. Only anonymised, aggregated game statistics are sent — no names, emails, or identifiable child information. Governed by Google Cloud's Data Processing Addendum.
• Cloud hosting provider: Our backend servers are hosted on secure, GDPR-compliant cloud infrastructure within the EU or with appropriate data transfer safeguards.
• Google Play Store: App distribution and in-app purchase management for the parent app.

All third-party processors are bound by data processing agreements ensuring GDPR compliance. No third-party processor receives child data for advertising, profiling, or marketing purposes.

• Child progress data: Retained as long as the account is active, or until a deletion request is made.
• Parent account data: Retained as long as the parent account exists.
• Anonymised analytics: Retained for up to 24 months for product improvement purposes.
• Backup data: Securely deleted within 30 days of account deletion.

You have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate data.
• Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"). Children can delete their account directly in the Alphiox app (Profile → Delete Account). Parents can delete their Alphiox Hub account directly in the app (Profile → Delete Account), which permanently removes all associated data.
• Right to restriction (Art. 18): Request that we limit how we use your data.
• Right to data portability (Art. 20): Request your data in a machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interest.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at alphaexplorer@nubtech.org. We will respond within 30 days.

• All data in transit is encrypted using TLS 1.2 or higher.
• Authentication tokens are securely stored using industry-standard practices.
• Access to production data is restricted to authorised personnel only.
• We conduct regular security reviews of our services.