Privacy Policy — Their First Words

⚠ DRAFT — pre-legal-review. Drafted 2026-05-26 by Claude as a structural starting point per docs/decisions/account_deletion_build_2026-05-26.md follow-up. A US/EU privacy attorney should review before this is hosted publicly. Replace every ⬜ BRACKETED_PLACEHOLDER with the actual value before publishing.

Effective date: ⬜ EFFECTIVE_DATE Last updated: ⬜ LAST_UPDATED_DATE

---

Plain-language summary

• Their First Words is a flashcard app that helps parents teach early words to their children. The parent is the user; the child is the end-user.
• The parent creates an account with an email address. Inside that account, the parent adds one or more child profiles (name, birthday, gender, character avatar).
• The app stores what the parent and child do in the app: which words have been practiced, which are marked as learned, which are favorited, and how many sessions have happened.
• We do not sell data. We do not share it with advertisers. There are no ads in the app. We do not track you across other apps or websites.
• The app uses Firebase (Google) for accounts, data storage, and first-party analytics; RevenueCat for in-app subscription management; and an email service for the optional weekly digest. These are processors acting on our behalf — they do not receive child data for their own purposes.
• You can delete your account and all associated data from inside the app at any time (Account → Delete account). Deletion is immediate and permanent.

This summary is informational. The full policy follows.

---

1. Who we are

This Privacy Policy describes how ⬜ OPERATOR_LEGAL_NAME (“we,” “us,” “our”) collects, uses, and shares information through the Their First Words mobile application (the “App”), available on the Apple App Store and Google Play under the bundle identifier com.ggaggoong.theirfirstwords.

Contact:

• Email: ⬜ PRIVACY_EMAIL
• Postal address: ⬜ OPERATOR_POSTAL_ADDRESS

We are the data controller for purposes of GDPR. For users in the United Kingdom, we act as data controller under UK GDPR.

2. Scope

This policy applies to information collected through the App itself. It does not apply to the App Store listing pages (governed by Apple’s and Google’s policies), or to any third-party website you may navigate to from the App.

3. What we collect

3.1 Account information (you give us this)

When the parent creates an account, we collect:

Data	Source	Why we collect it
Email address	You type it during signup	Account identification; password reset; optional weekly digest email
Password	You type it during signup	Account authentication. Stored by Firebase Authentication as a hashed value; we never see the plaintext.
Firebase User ID (UID)	Generated by Firebase on signup	Internal identifier for your account

3.2 Child profile information (you give us this)

When the parent adds a child profile, we collect:

Data	Source	Why we collect it
Child’s first name	You type it	Personalized greeting; display in Progress; weekly digest copy
Child’s birthday	You select it	Calculates the child’s age bucket (0–12 months, 12–24 months, 2–3 years, 3–5 years) so content is age-appropriate
Child’s gender	You select it (Boy / Girl)	Defaults the character avatar gender and voice gender
Selected character (avatar)	You select it from a catalog	Display in the app’s top bar and flashcard screens
Accessory selection (optional)	You select it from a catalog	Display on the character avatar
Content language preference	You select it (English / Spanish / Korean)	Selects the language of flashcard text and audio

We do not collect: the child’s last name, the child’s email, the child’s photo, the child’s voice recordings, the child’s precise location, or any biometric data.

3.3 Learning data (generated as you use the App)

As the parent and child use the App together, we generate and store:

Data	What it is
Word progress	For each word, per language: whether it has been seen, learned, or in-progress
Favorites	Words the parent has marked as favorites
Session events	Timestamps of completed practice sessions; the source category (Today’s Words, Categories, etc.)
Milestone events	When the child crosses 10/25/50/100/etc. learned-words thresholds

This data is tied to the parent’s account and the relevant child profile. It is used to display the Progress screen, populate Today’s Words selection, drive the optional weekly digest, and fire optional in-app milestone notifications.

3.4 Subscription state (from Apple / Google via RevenueCat)

When the parent purchases an in-app subscription, Apple or Google handles the payment. RevenueCat (our subscription-management service) tracks the subscription’s active/canceled/expired state keyed to your Firebase UID.

We never see your credit card number, expiration date, CVV, or any other payment information. Those are handled entirely by Apple or Google.

3.5 Technical data (collected automatically)

Data	Source	Purpose
Firebase installation ID	Firebase SDK	Crash diagnostics; first-party analytics
Device language	Device	Future localization fallback (currently unused at launch)
Time zone	Device (Intl.DateTimeFormat)	Scheduling weekly digest email at 8am local; milestone push at 9am local
App version	App	Diagnostics
First-party analytics events	Firebase Analytics in restricted mode	App usage analysis (see §4.3)

3.6 Push-notification token (only if you opt in)

If the parent grants push-notification permission, the OS issues an opaque token (Expo / APNs / FCM) that we store. We use it to send optional milestone notifications and streak reminders. It is not a tracking identifier and is not shared with any third party.

3.7 What we explicitly do not collect

• Advertising ID (IDFA on iOS, AAID on Android) — disabled by configuration in Firebase Analytics
• Precise location or coarse location — not requested
• Contacts list — not requested
• Photos or camera roll — not requested
• Microphone — not requested
• Audio recordings of you or your child — the App plays audio TO the child; it never records
• Browsing history across other apps or websites — not collected
• Social media identifiers — not collected

4. How we use information

4.1 To provide the App

To create and maintain your account, store and display child profiles, track learning progress, present Today’s Words and Categories, manage favorites, and run flashcard sessions.

4.2 Subscription management

To verify whether your account has an active subscription (so paid content is available), via RevenueCat.

4.3 First-party analytics (Firebase Analytics, restricted mode)

We use Firebase Analytics in “restricted” configuration:

• google_analytics_adid_collection_enabled: false — advertising ID collection is disabled
• google_analytics_default_allow_ad_storage: false
• google_analytics_default_allow_ad_user_data: false
• google_analytics_default_allow_ad_personalization_signals: false
• Google Signals are disabled at the Firebase project level
• No Audiences are exported to Google Ads or other advertising platforms

We track in-app events such as session_started, session_completed, paywall_viewed, purchase_started, and purchase_completed to understand how the App is used in aggregate. The Firebase User ID we set is the same UID that identifies your account — which means you can delete it via in-app account deletion (see §8).

We do not track: child_name, child_birthday, child_age, or any other child-identifying property as an Analytics user property or event parameter.

4.4 Communications

• Account emails (email verification, password reset, account-related notices) — operational; cannot be opted out.
• Weekly digest email (Sunday 8am local, Pro / digest-enabled accounts) — optional. Default OFF. Opt in via Account → Notifications → “Weekly progress email.” Sent via ⬜ EMAIL_PROVIDER].
• In-app push notifications — milestone moments (default ON) and streak reminders (default ON). Manage via Account → Notifications. You can also revoke push permission via your device’s OS settings.

4.5 Legal compliance and safety

To comply with legal obligations, respond to lawful requests from public authorities, and detect, prevent, or address fraud or abuse.

5. Who we share information with

We do not sell your data. We do not share it with advertising networks. We do share information with the following service providers (“processors”), who act on our behalf under contractual privacy obligations:

Processor	What they receive	Purpose	Contractual basis
Google (Firebase)	All account data, child profile data, learning data, first-party analytics events, push tokens	Authentication; database; analytics; push delivery infrastructure	Firebase Data Processing and Security Terms
RevenueCat	Parent’s Firebase UID; subscription state from Apple/Google IAP	In-app subscription management	RevenueCat DPA
Apple / Google (IAP)	Payment information you provide directly to them; transaction state shared back to RevenueCat	In-app purchase processing	Apple Privacy Policy / Google Play Terms
⬜ EMAIL_PROVIDER (weekly digest only)	Your email address; digest content (child’s first name + counts)	Sending the optional weekly digest email	⬜ EMAIL_PROVIDER_DPA_URL

Each processor is bound by contract to use the data only to provide the specific service we engage them for, not for their own purposes, and not to combine it with data from other sources for profiling.

We do not engage advertising networks, attribution SDKs (Branch, Adjust, AppsFlyer, etc.), third-party analytics services (Mixpanel, Amplitude, PostHog, etc.), session replay tools (FullStory, LogRocket), or any other data-broker-adjacent service.

6. Children’s privacy

Their First Words is parent-led: the App is intended for parents to use with their child. The child does not create an account, sign in, type, or make any choices that send data to us — every piece of information about the child is entered by the parent.

We design and operate as if the Children’s Online Privacy Protection Act (COPPA), the GDPR’s protections for children (Article 8 / GDPR-K), and the UK Children’s Code (Age Appropriate Design Code) all apply, because the data we hold is about an identifiable child.

6.1 United States (COPPA)

Verifiable Parental Consent (VPC). The parent creates an account using their own email address and receives a verification email. The parent’s authenticated account is the consent transaction; child profiles are created under that account. This corresponds to the FTC’s “email plus” VPC method.

No third-party disclosures of child data. As noted in §5, every processor that handles child-related data is bound by a data processing agreement to act only on our behalf. We disclose no child data to third parties for their own use. We therefore do not need to obtain a separate, more rigorous VPC tier (credit card / video / ID upload).

Retention. See §7.

Parental rights. Parents may, at any time:

• Review the child’s information stored under their account (visible in-App on the Progress screen and Account → Personalize)
• Refuse further collection by deleting the child profile or the entire account in-App (see §8)
• Receive a copy of all child data on request (email ⬜ PRIVACY_EMAIL)

6.2 European Union and United Kingdom (GDPR / UK GDPR / Children’s Code)

Legal basis. Processing of parent account data is under contract (GDPR Article 6(1)(b)). Processing of child profile data is under the parent’s verified parental consent (Article 6(1)(a) and Article 8 for the child’s data) given via account creation. Optional analytics and digest email are processed under the parent’s separate, granular consent settings managed in-App.

Child’s age threshold. We treat every account as if the most restrictive EU member-state threshold (age 16) applied. Because the parent is always the account holder and always provides consent on the child’s behalf, the per-country variance does not change our flow.

UK Children’s Code. We have completed a Data Protection Impact Assessment (DPIA) covering all 15 standards; the DPIA is available on request to ⬜ PRIVACY_EMAIL. Notable defaults:

• Geolocation: not collected.
• Profiling: none. We do not infer behaviour or build advertising profiles of children.
• Nudge techniques: we explicitly avoid them. There are no streak guilt prompts, no manipulative reminders, no rewards for engagement.
• Default privacy settings: weekly digest defaults OFF (so there is no silent opt-in to email).
• Connected toys / devices: not applicable.

Data Protection Officer. We have not appointed a Data Protection Officer because we do not meet the GDPR Article 37 thresholds (no large-scale systematic monitoring; no large-scale special-category data). Privacy inquiries are handled by ⬜ PRIVACY_CONTACT_PERSON at ⬜ PRIVACY_EMAIL.

7. How long we keep information

Category	Retention
Active accounts (signed in within the last 24 months OR active subscription)	For as long as the account is active.
Inactive accounts (no sign-in for 24 months and no active subscription)	30-day warning email, then automated deletion of all child profile data (name, birthday, gender, progress, favorites). The parent’s Firebase Auth record remains so the parent can sign back in to a fresh slate. (Automated deletion process ships post-launch; will begin running from 2028 once the first 24-month windows begin to mature. Until then, no account meets the criterion.)
Parent-initiated deletion	Immediate, irreversible. See §8.
First-party analytics events	Up to 14 months at the Firebase Analytics retention limit (the most privacy-protective non-default setting), then automatically purged.
Server-side logs (Cloud Function execution logs)	30 days, then automatically purged by Google Cloud Logging defaults.

We do not maintain backups of deleted user data beyond the standard transient cloud-platform replication window (typically a few days), after which the deletion is fully propagated.

8. Your rights and how to exercise them

8.1 In-App account deletion (recommended)

Inside the App: Account → Delete account. A confirmation modal will ask you to type “DELETE” to proceed. After re-authentication, the App will:

1. Delete your account record (users/{your UID}) and all child profiles, progress, and milestone events from our database
2. Delete any per-user content in Storage
3. Revoke your subscription’s link to our records on RevenueCat (your subscription itself continues to bill via Apple/Google until you cancel it in your device’s subscription settings — see §9)
4. Remove your email from the weekly digest queue
5. Delete your Firebase Authentication record

This deletion is immediate, irreversible, and complete. There is no soft-delete, no grace period, and no undelete option.

8.2 Other rights

You may also exercise the following rights by emailing ⬜ PRIVACY_EMAIL:

• Access. Request a copy of the personal data we hold about you and your child.
• Rectification. Ask us to correct inaccurate data. (Most child profile data can be edited in-App via Account → Personalize.)
• Erasure (“right to be forgotten”). Same effect as in-App deletion; we provide this manual route in case in-App deletion is for some reason unavailable.
• Restriction. Ask us to temporarily stop processing your data while a dispute is resolved.
• Portability. Request a copy of your data in a machine-readable format (JSON).
• Objection. Object to processing based on legitimate interest. (We do not currently use legitimate-interest as a legal basis; this is included for completeness.)
• Withdraw consent. For analytics or weekly digest specifically, change the toggle in Account → Notifications. To withdraw consent for the underlying account, use account deletion.

We will respond within 30 days. If we need to extend that window for complex requests, we will tell you why.

8.3 Right to lodge a complaint

If you are in the EU/UK and believe we have mishandled your data, you may complain to your national data protection authority. The UK’s authority is the Information Commissioner’s Office (https://ico.org.uk). A list of EU authorities is at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

9. Subscriptions and billing

In-app subscriptions are processed by Apple (App Store) or Google (Play Store), not by us. We never receive your payment card information.

To cancel a subscription, you must do so via your device’s subscription settings — Settings → Apple ID → Subscriptions on iOS, or Play Store → Profile icon → Payments & subscriptions → Subscriptions on Android. The App cannot cancel an active subscription on your behalf.

Deleting your account does not automatically cancel an active subscription. You must cancel separately via Apple or Google.

10. International data transfers

Our data is processed on Google Cloud / Firebase infrastructure, which may operate in multiple regions. Where data is transferred outside your country (notably from the EU/UK to the United States, where Google’s primary infrastructure is located), the transfer is governed by:

• For EU/UK transfers: the European Commission’s Standard Contractual Clauses as incorporated into Firebase’s Data Processing Terms.
• Google’s certifications under the EU–US Data Privacy Framework (DPF) and UK Extension.

You may request a copy of the relevant safeguards by emailing ⬜ PRIVACY_EMAIL.

11. Security

We implement industry-standard security practices, including:

• All network traffic between the App and our servers is encrypted via TLS 1.2+
• Database access is restricted via Firebase Security Rules so that each parent can only read and write their own account data and that of their own children
• Storage access is restricted via Storage Security Rules requiring authentication
• Passwords are stored as Firebase-managed hashes; we never see the plaintext
• Cloud Functions secrets (e.g., the RevenueCat API key) are stored via Google Secret Manager and accessed only by authorized server-side code
• We maintain a documented data-protection compliance baseline (available on request)

No system is perfectly secure. If we ever become aware of a security incident that compromises your data, we will notify you and any required regulator within the timeframes prescribed by applicable law (72 hours for GDPR; without unreasonable delay for COPPA / state laws).

12. Changes to this policy

We may update this policy from time to time. When we do, we will:

1. Update the “Last updated” date at the top.
2. If the change is material (for example: a new category of data, a new processor, or a new purpose of processing), notify you in-App and/or by email at least 30 days before the change takes effect.
3. Maintain a change log at ⬜ CHANGE_LOG_URL for transparency.

Continued use of the App after a non-material change indicates acceptance of the updated policy. For material changes, we will obtain renewed parental consent where required.

13. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your data:

• Email: ⬜ PRIVACY_EMAIL
• Postal: ⬜ OPERATOR_POSTAL_ADDRESS

For users in the EU/UK, you may also lodge a complaint with your national supervisory authority as described in §8.3.