Privacy Policy

At Surprise Button, we are committed to protecting your privacy and ensuring compliance with applicable privacy laws, including the Children's Online Privacy Protection Act (COPPA). This Privacy Policy explains how we collect, use, and disclose information about you when you use our service designed for children aged 4-13 and their parents.

1. Information We Collect

From Parents

We collect the following information from parents when they register for our service:

• Parent email address (required for account creation and communications)
• Child's first name (for personalization purposes only)
• Child's age range (to ensure age-appropriate content)
• Account preferences and settings

From Children

We do not collect any personally identifiable information directly from children. All data collection is done through parental accounts. Children's activities and progress are stored locally on the device and aggregated anonymously for reporting purposes.

Technical Information

We may collect non-personal technical information such as browser type, operating system, and device information to improve our service performance and user experience.

2. How We Use Your Information

We use the information we collect to:

• Provide and maintain our educational services
• Send parents activity summaries and progress reports
• Personalize the learning experience for children
• Communicate with parents about their account and service updates
• Improve our service quality and user experience
• Ensure compliance with applicable laws and regulations

We do not sell, rent, or share your personal information with third parties for marketing purposes.

3. COPPA Compliance and Children's Privacy

Surprise Button is designed specifically for children aged 4-13 and complies with the Children's Online Privacy Protection Act (COPPA). We are committed to protecting children's privacy and providing a safe, educational environment.

Clear Statement About Children Under 13

Our service is intended for children under 13 years of age, and we comply with COPPA requirements for the collection, use, and disclosure of personal information from children under 13.

Parental Consent Requirements

Before collecting any information from or about children under 13, we require verifiable parental consent through our registration process. Parents must:

• Provide their own email address for account verification
• Acknowledge and agree to this Privacy Policy
• Confirm their consent for their child to use our service
• Agree to receive communications about their child's activities

What Data Is/Isn't Collected from Children

We DO NOT collect from children:

• Email addresses or contact information
• Full names or last names
• Home addresses or location data
• Phone numbers
• Social security numbers or other government IDs
• Photographs or videos of the child
• Any other personally identifiable information

We DO collect (with parental consent):

• Child's first name only (for personalization)
• Age range (to provide age-appropriate content)
• Anonymous activity data and learning progress (stored locally on device)
• General usage statistics (aggregated and anonymized)

How Parents Can Review/Delete Child Data

Parents have the right to:

• Review: Access all information we have collected about their child by contacting us at [email protected]
• Delete: Request deletion of their child's information at any time
• Refuse further collection: Withdraw consent for further data collection
• Correct information: Update or correct any information about their child

We will respond to all parental requests within 48 hours and complete data deletion within 30 days of the request.

Contact Information for COPPA Inquiries

For all COPPA-related questions, concerns, or requests regarding your child's privacy, please contact us at:

No Child PII in Emails

We do not include any personally identifiable information about children in our email communications. All emails sent to parents contain only:

• Aggregated, anonymous activity summaries
• General progress indicators
• Educational tips and suggestions
• Service announcements and updates

Local Data Storage (COPPA Compliant)

Children's detailed activity data and progress information is stored locally on the device using COPPA-compliant methods:

• No transmission of detailed child data to external servers
• Parents maintain control over local data storage
• Data can be deleted by clearing browser data or app storage
• Only anonymized, aggregated statistics are transmitted for reporting

4. Email Communications

We provide parents with regular updates about their child's learning progress and activities through carefully designed email communications that respect privacy and comply with all applicable regulations.

Types of Email Communications

Daily Activity Summaries:

• Sent to parents daily (when activity occurs)
• Contains aggregated, anonymous activity data
• Includes general learning progress indicators
• No personally identifiable information about the child
• Educational tips and encouragement for continued learning

Weekly Progress Reports (Sundays):

• Comprehensive weekly summary sent every Sunday
• Aggregated learning milestones and achievements
• Recommendations for upcoming week
• General developmental insights (age-appropriate)
• No specific personal details about the child

Email Communication Policies

No Marketing Emails to Children:

• We never send marketing communications directly to children
• All communications go exclusively to verified parent email addresses
• Content is educational and informational, not promotional
• No third-party marketing or advertising content

Easy Unsubscribe Options:

• One-click unsubscribe link in every email
• Option to customize email frequency preferences
• Separate controls for daily summaries vs. weekly reports
• Account settings allow granular email preferences
• Email preferences can be updated at any time

Email Content Standards

All our email communications adhere to strict content standards:

• Child-safe, educational content only
• No tracking pixels or invasive analytics
• Clear, transparent communication about service updates
• Respectful of family privacy and values
• Compliant with CAN-SPAM Act and international email regulations

5. Data Security

We implement comprehensive security measures to protect your information and ensure the safety of children using our service:

• Industry-standard encryption for all data transmission
• Secure servers with regular security audits and updates
• Limited access controls - only authorized personnel can access data
• Regular security training for all team members
• Compliance with SOC 2 Type II security standards
• Automated threat detection and response systems
• Regular data backups with encrypted storage

We take reasonable measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration, and destruction. However, no internet transmission is ever fully secure, and we cannot guarantee absolute security.

6. Data Retention and Deletion

We retain personal information only as long as necessary to provide our services and comply with legal obligations:

• Parent account information: Retained while the account is active and for 30 days after account closure
• Child information: Deleted immediately upon parent request or account closure
• Local device data: Under parent control and can be deleted at any time
• Email communications: Parents can unsubscribe at any time, and we retain unsubscribe preferences permanently
• Aggregated analytics: Anonymous, non-personally identifiable data may be retained for service improvement

7. Third-Party Services and Sharing

We are committed to protecting your privacy and limiting data sharing:

Limited Third-Party Services

• Email delivery: We use Amazon SES (Simple Email Service) to send parent communications
• Website Analytics: We use Umami Analytics (umami.is) to collect anonymous, privacy-focused website usage statistics. Umami does not use cookies, does not track users across websites, and collects no personally identifiable information. All data is aggregated and anonymized.
• Security services: Fraud detection and security monitoring (no child data)

No Data Selling or Marketing

We do not:

• Sell any personal information to third parties
• Share child information with advertisers or marketers
• Use child data for behavioral advertising
• Allow third-party tracking on our platform
• Share information with social media platforms

8. International Users and Data Transfers

Surprise Button serves families globally while maintaining strict privacy protections:

• Data is processed and stored in secure, COPPA-compliant facilities
• We comply with applicable international privacy laws (GDPR, PIPEDA, etc.)
• Cross-border data transfers use appropriate safeguards and encryption
• Parents can request data localization where legally required

9. Changes to This Privacy Policy

We may update our Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make changes:

• We will post the updated policy on this page with a new "Last updated" date
• For material changes affecting children's privacy, we will obtain renewed parental consent
• We will notify parents via email of significant policy updates
• Parents will have the opportunity to review changes before they take effect
• Continued use of our service after policy updates constitutes acceptance of the changes

10. Contact Us

If you have any questions about this Privacy Policy, COPPA compliance, or your privacy rights, please contact us through any of the following methods: