Privacy Policy

Introduction

This Privacy Policy explains how Built By Bo Ltd (“we”, “us”, “our”) collects, uses, and protects personal information when you and your child use Grammagical (the “Service” or “App”). Grammagical is a children's literacy app aligned to the UK National Curriculum and designed for KS1 learners (ages 5–7) and similar age groups.

If you have any questions about this Policy, please contact us at hello@builtbybo.dev.

Owner and Data Controller

Built By Bo Ltd
3rd Floor, 86–90 Paul Street
London, United Kingdom, EC2A 4NE

Email: hello@builtbybo.dev

Summary of Key Points

We have written this Policy in plain English. To save you reading the full document, here is what you need to know:

• All accounts are created and controlled by a parent or legal guardian. Children do not create accounts.
• We collect a parent's email address and password (or their Google or Apple sign-in) and a small amount of information about each child profile (a first name or nickname, an avatar, and learning progress).
• We do notcollect a child's full name, address, photograph, voice recording, or any other directly identifying information from the child.
• We do not show advertising. We do notsell or rent your or your child's data.
• We use trusted third-party services to operate the app: Google Firebase (authentication and data storage), RevenueCat (subscription management), and Apple (App Store payments and Sign in with Apple).
• You can delete your account and all associated child profiles at any time from within the app at Settings → “Delete account & all data”.
• You have the right to access, correct, delete, or port your data, and to lodge a complaint with a regulator if you have a concern.

Information We Collect

Information you give us

Parent account information:

• Email address
• Password (stored as a secure hash; we never see your plain password)
• Or, if you choose Sign in with Google or Sign in with Apple: your sign-in identifier and email address as provided by Google or Apple

Child profile information (set by the parent):

• A first name or nickname for the child
• A chosen avatar
• An age or year-group selection

We do not ask for, and the app does not provide a way to enter, a child's full name, email, postal address, phone number, photograph, or voice recording.

Information we collect automatically

Usage and device data:

• App session events (start, end, screens visited, time spent)
• A device identifier used for fraud prevention and basic analytics
• Device type, operating system, and app version
• Approximate region (derived from IP address, not precise location)

Learning progress data:

• Scores, levels completed, accuracy, and other gameplay results attached to a child profile

Subscription data:

• Subscription status (trial, active, expired)
• Trial end date
• A pseudonymous identifier used by our subscription provider to track your subscription

Information we do not collect

We do not collect:

• Precise location data (GPS)
• Photographs, videos, or voice recordings
• Contacts, calendar entries, or files from your device
• Health data
• Financial data such as credit card numbers — these are handled by Apple and never reach our systems
• Behavioural advertising identifiers used for ad targeting

How We Use Information

We use the information described above to:

• Provide the Service: authenticate users, save and load child profiles, track learning progress, and personalise the difficulty of content
• Manage your subscription: confirm your trial or active subscription status with RevenueCat and Apple
• Communicate with you: send essential account-related emails, such as password resets or important service notices
• Prevent fraud and abuse: identify suspicious account activity
• Improve the Service: understand how the app is used at an aggregate, non-identifying level so we can fix bugs and improve content
• Comply with legal obligations: respond to lawful requests from regulators or authorities

We do not use information to:

• Display advertising
• Profile users for behavioural advertising
• Sell or rent personal data to third parties

Children's Personal Data

Grammagical is designed for children's literacy learning and we take children's privacy seriously. The Service is built to align with the principles of the Children's Online Privacy Protection Act (COPPA) in the United States and the General Data Protection Regulation's provisions for children (GDPR-K) in the United Kingdom and European Union.

Account ownership

All accounts are created and managed by a parent or legal guardian. Children do not create their own accounts and cannot enter personal information into the Service beyond gameplay interactions.

Child profile data

A parent may create up to four child profiles within their account. Each profile contains a name or nickname (chosen by the parent), a selected avatar, and learning progress. No other personal information about the child is collected.

What children do in the app

Children interact with educational content (text-based gameplay and audio narration) within the parent-managed account. The app does not include:

• Social features, chat, or messaging
• Public profiles or any way for one user to discover another
• User-generated content visible to other users
• External web links accessible to children
• Advertising of any kind

Parental rights

A parent or legal guardian can, at any time:

• Review the information held in their account and each child profile by signing in and visiting the parent dashboard
• Edit child profile names, avatars, or other settings
• Delete any individual child profile
• Delete the entire account and all associated child data, permanently, from Settings → “Delete account & all data”

Account deletion removes the parent account, all associated child profiles, learning progress, and personal data from our active systems immediately. Backups containing this data are retained for up to 30 days for disaster recovery purposes and are then permanently deleted.

Subscription management

Subscription purchases are handled by Apple through the App Store. Apple sees the transaction details — we do not. Deleting your Grammagical account does not automatically cancel your App Store subscription. To stop further charges, please cancel through Settings → Apple ID → Subscriptions on the parent's device.

Contact about a child's data

If you are a parent or guardian and have questions about your child's data, or wish to exercise any of the rights described above, please contact us at hello@builtbybo.dev. We respond within 30 days.

Third-Party Services We Use

We rely on the following trusted third-party services to operate the Service. Each is subject to its own privacy policy.

Google Firebase (Google Ireland Limited)

Purpose: User authentication, secure data storage (Cloud Firestore), serverless functions (Cloud Functions), and basic usage analytics.
Place of processing: Ireland and the United States.
Data processed: Email, password (as a hash), child profile information, learning progress, usage data, device data.
Privacy policy: policies.google.com/privacy

RevenueCat (RevenueCat, Inc.)

Purpose: Subscription management, trial tracking, and Restore Purchases.
Place of processing: United States.
Data processed: Pseudonymous user identifier, subscription status, purchase history, device data.
Privacy policy: revenuecat.com/privacy

Apple (Apple Inc.)

Purpose: App distribution, App Store payments, Sign in with Apple, and StoreKit subscription infrastructure.
Place of processing: United States.
Data processed: Apple ID identifier (for Sign in with Apple), purchase transactions.
Privacy policy: apple.com/legal/privacy

Google (Google Ireland Limited)

Purpose: Sign in with Google authentication.
Place of processing: Ireland.
Data processed: Google account identifier and email address.
Privacy policy: policies.google.com/privacy

We do not include any third-party advertising networks, behavioural advertising SDKs, or analytics services that build profiles of individual users.

How We Protect Your Information

We take reasonable technical and organisational measures to protect personal information:

• All data is transmitted over HTTPS encryption between your device and our services
• Stored passwords are hashed using industry-standard cryptographic functions and are never stored or visible in plain text
• Access to user data is restricted to authorised personnel and protected by strong authentication
• Our service providers (listed above) maintain their own security certifications (Google: ISO 27001, SOC 2; RevenueCat: SOC 2; Apple: ISO 27001) and are contractually required to protect your data

No system is perfectly secure. If we ever become aware of a data breach affecting your personal information, we will notify affected users and the relevant regulator as required by applicable law.

Where Your Data Is Processed

Personal information may be processed in the United Kingdom, the European Union (Ireland), and the United States, depending on the third-party service involved.

When data is transferred outside the UK or EEA, we rely on appropriate safeguards as defined by the UK GDPR and EU GDPR, such as Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.

How Long We Keep Your Data

We keep personal information only for as long as necessary for the purposes described in this Policy:

• Active accounts: for as long as the account remains active.
• Inactive accounts: if you do not use the Service for 24 months, we may delete your account and associated child data after notifying you.
• Deleted accounts: removed from active systems immediately upon account deletion. Backups containing this data are retained for up to 30 days for disaster recovery and are then permanently deleted.
• Transaction records: records required by tax and consumer protection law are retained for up to 7 years.
• Diagnostic logs: retained for up to 90 days for debugging purposes.

Your Rights

You have the following rights regarding your personal information, in line with the UK GDPR and EU GDPR:

• Right of access— request a copy of the personal information we hold about you
• Right to rectification— ask us to correct inaccurate information
• Right to erasure— ask us to delete your information; you can do this yourself in-app at any time
• Right to restrict processing— ask us to limit how we use your information
• Right to data portability— receive your information in a machine-readable format
• Right to object— object to certain types of processing
• Right to withdraw consent— where processing relies on your consent
• Right to lodge a complaint— contact the UK Information Commissioner's Office (ico.org.uk) or your local data protection authority

To exercise any of these rights, contact us at hello@builtbybo.dev. We respond within 30 days.

You also have rights under the California Consumer Privacy Act (CCPA) if you are a California resident, including the right to know, the right to delete, the right to opt out of sale (we do not sell data), and the right to non-discrimination.

Legal Basis for Processing (EU/UK Users)

We process personal information on the following legal bases:

• Contractual necessity: to provide the Service you have signed up for
• Legitimate interests: to operate, secure, and improve the Service, prevent fraud, and communicate essential service information
• Legal obligation: where we are required to retain or share information by law
• Consent: where applicable, for any processing that is not covered by the bases above; you may withdraw consent at any time

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. If the changes are significant, we will notify you by email (where we have your address) or by a notice within the app.

We recommend reviewing this Policy periodically.

Contact

For any questions about this Privacy Policy, or to exercise any of your rights, please contact us:

Built By Bo Ltd
3rd Floor, 86–90 Paul Street
London, United Kingdom, EC2A 4NE

Email: hello@builtbybo.dev

We respond to privacy enquiries within 30 days.