Privacy Policy

Effective Date: 13 May 2026

Stimul8 EdTech Limited ("Stimul8", "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your personal data when you use our services through the Stimul8 app, website, and related platforms.

If you have questions or concerns, please contact us at info@stimul8.app.

1. Data We Collect

We may collect the following types of information:

• Account Information (parents): name, email address, family group name, role (e.g. Mum / Dad / Guardian), avatar.
• Account Information (children, set up by parents): first name, nickname, date of birth, avatar. Children are not asked for an email address or phone number directly.
• Device Information: device identifier used to authenticate child accounts (children are not asked for personal contact details); device type; operating system version.
• Payment Information: when in-app purchases are used, payment details are processed via secure third-party providers (currently Stripe and Apple). Stimul8 does not store full card numbers.
• Usage Data: information about how you use the app — completed tasks, points earned, app preferences, session duration.
• Marketing Source: during parent onboarding, parents are asked "How did you hear about Stimul8?" — this answer is collected to help us understand which channels reach families.
• Waiting-list Email: on certain feature waiting lists on stimul8.app (e.g. for upcoming features such as screen-time controls), we collect parent email addresses with their consent so we can notify them when the feature becomes available.
• Health & Fitness Data (with explicit consent): if you choose to connect Apple HealthKit, we access step count to enable activity-based tasks and rewards.
• Educational Progress Data (with explicit consent): if you choose to connect Duolingo, we retrieve Duolingo experience points (XP) to enable language-learning tasks and associated rewards.
• Profile Photo (Avatar): you may upload a profile photo for your account; uploaded avatars are stored securely on our servers and used solely for display within your profile and family pages.
• Cookies & Analytics: data about your interactions with our website, gathered via cookies and analytics tools (see Section 10).

2. How We Use Your Data

We use your information for:

• Creating and managing user accounts.
• Personalising the user experience, including tasks, rewards, and learning content.
• Communicating with users — service updates, important account messages, and (with consent) marketing communications.
• Improving our app via analytics and feedback.
• Ensuring compliance with legal obligations.
• Personalised tasks and rewards: step count and Duolingo XP data, where you have connected those services, are utilised to create personalised tasks and to award points upon task completion.
• Progress monitoring: to help track user progress and enhance the motivational aspects of the app.
• Marketing attribution: to measure app installs, session performance, and user engagement trends, and to attribute installs to advertising campaigns for internal analytics — not to serve personalised ads.

3. Sharing Your Data

We may share your data with:

Service providers and processors, who process data on our behalf under written agreements:

• Cloud infrastructure & storage — Google Cloud Platform (Compute Engine, Cloud Storage, BigQuery for analytics warehousing).
• Authentication — Auth0 (identity and session management).
• Mobile analytics & engagement — Firebase (Google Firebase Analytics).
• Marketing attribution — Adjust (mobile install attribution).
• Product analytics — PostHog (in-app usage analytics).
• Web analytics — Google Analytics (GA4) and Google Tag Manager.
• Email — Mailgun (transactional notifications) and MailerLite (marketing email).
• Error and uptime monitoring — Sentry and Better Stack.

Payment processors — Stripe (in-app top-ups) and Apple (in-app purchases on iOS).

Reward partners — companies that fulfil gift cards and rewards earned through Stimul8 (currently including GiftBit and partner integrations such as Greenlight and Revolut).

AI service providers (see Section 11 for detail on data flow and child-data safeguards) — OpenAI, Google (Gemini), OpenRouter, ElevenLabs.

Legal authorities — when required to comply with applicable laws or respond to legitimate legal requests.

We never sell your personal data to third parties.

The list of vendors above is current as of the effective date of this policy. We may add or change vendors as our services evolve; material changes affecting how children's data is shared will be communicated to parents in advance.

4. Third-Party SDKs & Integrations

We use third-party software development kits (SDKs) within the Stimul8 mobile app to support core functionality and operations. The principal SDKs in use are:

• Adjust — install attribution and engagement measurement. Adjust privacy practices.
• Firebase Analytics — automatic mobile-app event tracking; in line with Section 5 below, we limit Firebase user-property collection for accounts identified as children.
• PostHog — product analytics within the app.
• Auth0 — authentication and session management.
• Apple HealthKit and Duolingo — opt-in integrations only, activated by user consent.

5. Children's Privacy and COPPA Compliance

Stimul8 is a service used by families that includes children. We take particular care with children's data, in line with the U.S. Children's Online Privacy Protection Act (COPPA), the UK Children's Code (Age-Appropriate Design Code), and the GDPR's Article 8 standards.

What we do today to protect children:

• Children do not provide email addresses or phone numbers. Child accounts are authenticated using a device identifier; no personal contact details are collected directly from minors.
• Limited data collection. We collect only the data necessary to provide the service: first name, nickname, date of birth, avatar, and in-app activity. We do not collect full legal name, address, or contact details from children.
• Parents control child accounts. Children's accounts are set up by, and operate under the supervision of, a parent or guardian. Parents can review, request deletion of, or refuse further collection of their child's data by contacting us at info@stimul8.app.
• No targeted advertising to children. We do not use child data for behavioural or targeted advertising; we do not serve ads within the app.
• No third-party data sales. We never sell children's data to third parties.

Parental consent. Stimul8 currently relies on parents creating and supervising the family account, including any child profiles within it. We are actively implementing additional verifiable parental consent mechanisms (consistent with the FTC's approved methods under COPPA) and will update this policy when those mechanisms are live.

6. User Consent and Control

• Opt-in access: access to Apple HealthKit and Duolingo data requires your explicit consent.
• Revocation: you can revoke access at any time through your device settings or within the respective third-party apps.
• Marketing communications: you can unsubscribe from marketing emails at any time using the link in any marketing message; transactional and account messages will continue.
• Parental controls over child data: parents can review, correct, or request deletion of any child's data by contacting us at info@stimul8.app.

7. Data Retention

We retain your data only as long as necessary:

• Account information: until your account is deleted (see Section 13).
• Payment information: in line with legal and tax requirements applicable to UK-incorporated companies.
• Analytics data: aggregated and anonymised where reasonably practicable.
• Health and educational data: retained only for as long as necessary to provide the connected features. You may request deletion at any time by contacting us at info@stimul8.app.

8. Your Rights

If you are a UK or EU/EEA user, you have rights under the UK GDPR and EU GDPR, including:

• Access: request a copy of your personal data.
• Rectification: update incomplete or inaccurate information.
• Erasure ("right to be forgotten"): request deletion of your data, subject to legal retention obligations.
• Restriction and objection: restrict or object to certain processing activities.
• Data portability: receive your data in a structured, commonly used format.
• Children's data: parents may exercise these rights on behalf of their children.

To exercise these rights, email us at info@stimul8.app. We aim to respond within 30 days.

9. Tracking, Advertising Data, and ATT

• Device identifiers (IDFA, IDFV): we may collect device identifiers (such as IDFA and IDFV) solely for analytics and attribution purposes, primarily through our integration with the Adjust SDK.
• App Tracking Transparency (ATT): in line with Apple's App Tracking Transparency requirements, we ask for your explicit permission before accessing IDFA. For users identified as children, the ATT prompt is suppressed and IDFA is not collected, regardless of any device-level setting.
• No personalised advertising to children. Even where IDFA is collected from adult users, we do not use it to serve personalised advertising to children, and we do not provide children's identifiers to third-party advertising networks.
• No cross-app behavioural advertising. Stimul8 does not engage in cross-app behavioural advertising of children.

10. Cookies & Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your experience. Tracking technologies in use include Google Tag Manager and Google Analytics. Pixels (such as Meta Pixel and TikTok Pixel) may be active for marketing measurement on website pages targeted at adult parent audiences; they are not deployed within the in-app experience or on landing pages targeted at children.

You can manage or disable cookies in your browser settings. For more information, please refer to our Cookie Policy.

11. AI Services and Children's Data

Stimul8 uses artificial-intelligence services to power certain learning features, including AI-generated lessons, AI-generated cover images for the lesson library, and AI voice synthesis for read-along audio. Where AI services process data, we do so under the following safeguards:

• AI service providers used: OpenAI (text generation), Google Gemini (text generation), OpenRouter (model routing), ElevenLabs (voice synthesis). All providers operate under data-processing agreements.
• What's sent to AI providers: lesson topic prompts and (for read-along audio) the lesson text. Where a child's response or interaction is processed, it is sent in a form that minimises identifiers — Stimul8 does not send a child's full name, date of birth, or device identifier with AI requests.
• No training on children's data: under our agreements with these providers, content sent for processing is not used to train the providers' general AI models.
• Output review: AI-generated content used in features that reach children is reviewed against age-appropriateness criteria before publication.

If you have questions about how AI is used in Stimul8, contact us at info@stimul8.app.

12. Security Measures

We implement security measures appropriate to the nature and volume of the data we hold, including:

• Encryption of sensitive data in transit and at rest where technically appropriate.
• Secure third-party payment gateways (Stripe, Apple).
• Controlled access to personal information on a need-to-know basis among the Stimul8 team and authorised processors.
• Mobile authentication tokens stored using platform-secure keychain mechanisms.

If you believe your data has been compromised, please contact us immediately at info@stimul8.app.

13. Account Deletion and Data Removal

You may request deletion of your account and data by contacting us at info@stimul8.app. We process account deletion requests within 30 days. Where data must be retained for legal or accounting purposes (e.g. transaction records), the relevant retention period and basis are explained in the deletion confirmation we send you.

Parents may request deletion of a child's account and data by the same process; we treat such requests with priority.

14. International Data Transfers

Stimul8 EdTech Limited is incorporated in the United Kingdom. Some of our service providers (including those listed in Section 3) are based outside the UK and EEA, principally in the United States. Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards required by the UK GDPR and EU GDPR, including:

• The European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum.
• Adequacy decisions where applicable.
• Vendor-specific data-processing agreements binding our processors to UK/EU GDPR-equivalent standards.

You can request a copy of the relevant transfer mechanism for any specific vendor by contacting us at info@stimul8.app.

15. Updates to this Policy

We may update this Privacy Policy periodically. The latest version will always be available at stimul8.app/privacy-policy. Material changes affecting how children's data is collected, used, or shared will be communicated to parents in advance via email and an in-app notice. We encourage you to review this policy periodically.

For further details, contact info@stimul8.app.