Surprise Button

Privacy Policy

Last updated: October 22, 2025

Surprise Button provides curated activities for children and nightly conversation starters for their families. We respect your privacy and follow applicable U.S. federal and state privacy requirements, including the Children’s Online Privacy Protection Act (COPPA). This policy explains what information we collect, how we use it, and the choices available to parents and guardians.

1. Information We Collect

Account & Profile Data

  • Parent contact details: Email address and Apple ID identifier collected through Sign in with Apple when an adult creates an account.
  • Child profile details: First name or nickname, selected age band, and a profile UUID created when the parent sets up explorers in the app. Parents can create up to five child profiles per household account.
  • Schedule preferences: Daily report time and the timezone of the device.

Usage & Device Data

  • A device identifier generated by the app (rotated every 90 days) so we can group activity for nightly summaries.
  • Content interactions such as the surprise URL, topic, age band, time spent, and the active child profile when a child browses new pages.
  • Basic technical details like app version, iPad model, and iOS version for troubleshooting and product analytics.
  • Purchase history returned by Apple’s StoreKit when a parent activates or restores the annual subscription.

Information Not Collected

We do not ask children for email addresses, phone numbers, precise location, photos, or payment information. Parents control the only path to submit data to Surprise Button.

2. How We Use Information

  • Deliver nightly summary emails that list the surprise pages each child viewed, along with suggested conversation starters.
  • Personalize the surprise feed for each age band and avoid repeating recent content.
  • Maintain account security, restore profiles on new devices, and honour subscription status.
  • Evaluate product performance, fix crashes, and plan new features using aggregated analytics (Umami delivered via Cloudflare Zaraz, and PostHog for website analytics).
  • Comply with legal obligations and respond to parental requests about stored information.

We do not sell or rent personal information, and we do not use third-party advertising SDKs.

3. Parental Consent & Control

Surprise Button is intended for children, but accounts are owned and managed by parents or legal guardians. By completing Sign in with Apple and starting the free trial or subscription, the parent grants us permission to collect and process the child profile and activity data described above. Parents can withdraw consent at any time by:

  • Opening Parent Settings in the app and choosing “Delete Account.”
  • Requesting data deletion or export via hi@surprisebutton.com.

When consent is revoked, we stop sending reports, clear child profiles from the device, and instruct our servers to remove the associated viewing history.

4. Data Sharing & Service Providers

We share personal data only with trusted processors who help us deliver the service:

  • Apple, Inc. for authentication (Sign in with Apple), subscriptions, and in-app purchases.
  • Twilio SendGrid for sending nightly summaries, onboarding emails, and account notices.
  • Cloudflare, Inc. for edge hosting, caching, and Cloudflare Workers that power the Surprise API.
  • Cloudflare, Inc. (Zaraz) for managing client-side analytics tags. We deploy Umami (product analytics) and Google Analytics 4 (web traffic measurement) through Zaraz, which ensures scripts run only when appropriate and receive pseudonymous usage data.
  • PostHog, Inc. for website analytics on surprisebutton.com. PostHog collects page views and user interactions on our marketing website to help us understand how visitors use the site and improve the user experience. PostHog is configured to only create user profiles for identified users (identified_only mode), ensuring privacy-focused analytics. Data is hosted on PostHog's US servers and is not shared with third parties for advertising purposes.

These partners act on our instructions, use strong security safeguards, and may not use the data for their own marketing.

5. Data Retention

  • Child profile details and parent contact information remain active until the parent deletes their account or until 24 months of inactivity have passed, whichever comes first.
  • Viewing history that powers nightly emails is retained for 30 days, then trimmed to aggregated metrics.
  • Device identifiers rotate every 90 days; older identifiers are purged from analytics once replaced.

6. Your Rights & Choices

Parents can exercise the following rights in-app or by email:

  • Access & export: Review the latest nightly summary or request a full export of stored child activity.
  • Correction: Update child names, age bands, and report schedules from the Parent Settings screen.
  • Deletion: Use the “Delete Account” option or contact us to remove all associated profiles and viewing data.
  • Restriction: Pause nightly emails in Parent Settings to keep the app local-only without sending data to our servers.

We respond to verified parent requests within 48 hours and complete account deletion within 30 days.

7. Security

We secure personal information using encrypted connections (HTTPS), access controls, and auditing of server access. Although no system is perfectly secure, we monitor for unusual activity and rotate keys and credentials when appropriate.

8. Changes to This Policy

We may update this policy to reflect new features or legal requirements. We will post the revised date at the top of the page and, for significant changes, notify parents by email or in-app notification before they take effect.

9. Contact Us

For questions about this policy or your family’s data, contact us at:

Email: hi@surprisebutton.com

Response Time: Within 48 hours