XP Quests

๐Ÿ”’ Privacy Policy

Last updated: [LAST UPDATED] ยท Version privacy-2026-07

โš–๏ธ Draft โ€” not yet legal advice This policy is a careful first draft written to match how XP Quests actually handles data. Have a children's-privacy lawyer review it before you launch to the public. Fill in every [BRACKETED] placeholder first.
๐Ÿง’ The short version (for kids and busy parents)

1. Who we are

[COMPANY LEGAL NAME] ("XP Quests", "we", "us") operates the XP Quests learning app at xpquests.com. For privacy questions, data requests, or to delete an account, contact [CONTACT EMAIL].

XP Quests is designed for children (around ages 8โ€“14). We take children's privacy seriously and have built the product to collect as little as possible โ€” often nothing at all.

2. What runs on your device

XP Quests is used with a free family account that a parent creates. The lessons themselves run in your browser, and your child's progress (XP, quiz results, coding tasks, streaks, notebook writing) is saved in your browser's local storage and synced to your family account so it is available on your other devices. We collect only what is described below, we minimise it deliberately, and we never sell it, use it for advertising, or track your child around the internet.

3. What we collect (only if you opt in)

3a. Optional family account (for cross-device sync + the parent dashboard)

A parent or guardian creates the account. When they do, we collect and store:

WhatWhyWhere
Parent email + password (hashed)To sign in and secure the accountSupabase (auth)
Child nickname + emoji (chosen by you; a real name is not required)To label each child's profileSupabase (database)
Learning progress: XP, lessons completed, quiz results, coding-task state, streaks, time-on-task, mistake logTo sync progress across devices and show the parent dashboardSupabase (database)
The free-text notebook (what the child writes they learned) and the certificate namePart of the child's saved progressSupabase (database)
A record of parental consent (method + timestamp + policy version)To prove we obtained valid consent, as the law requiresSupabase (database)

We do not collect a child's real name (unless a parent types one into the certificate or notebook), home address, phone number, child email, date of birth, or photos.

3b. Optional AI tutor (premium)

If a parent turns on the AI tutor, when the child asks a question we send that typed question and, optionally, a screenshot of the lesson page to our AI provider (Anthropic) to generate a hint. This content is processed transiently and is not stored on our servers. We keep only a counter of how many questions were asked (to enforce fair-use limits).

3c. Optional premium voice

If a parent turns on premium narration, we send the lesson text (course content โ€” not information about your child) to our voice provider (ElevenLabs) to generate audio.

3d. Optional email notifications & payments

If a parent enables email alerts, we send them to the parent's email via our email provider. If a parent buys a subscription, payment is handled entirely by Stripe โ€” card details never touch our servers; we store only Stripe's customer/subscription IDs.

3e. Technical data

Like any website, our hosting provider (Cloudflare) processes IP addresses and basic request information to serve pages and protect against attacks. We run no analytics, no advertising trackers, and no third-party tracking cookies.

4. Cookies & local storage

XP Quests sets no advertising, analytics, or tracking cookies. We store data in your browser's localStorage only for things you asked for: your course progress, and (if you sign in) your login session. Our hosting provider may set strictly-necessary security cookies (e.g. bot protection). Because all of this is strictly necessary or explicitly requested, no cookie-consent banner is legally required โ€” but we disclose it here for transparency.

5. Our sub-processors

We use a small number of trusted service providers. Each optional one only receives data when a parent turns on that specific feature.

ProviderPurposeLocationEngaged when
SupabaseAccount login + database[SUPABASE REGION] (choose EU/Frankfurt for EU users)A parent creates an account
CloudflareWebsite hosting + securityGlobal / USAlways (online site)
AnthropicAI tutor hintsUSPremium AI tutor is on and the child asks
ElevenLabsPremium voice narrationUSPremium voice is on
ResendParent notification emailsUSEmail alerts are on
StripePaymentsUS / globalA parent buys a paid plan

We will keep this list current and note changes here. We do not use any advertising, analytics, or data-broker companies.

6. International data transfers

Some providers are located in the United States. Where we transfer data about EU/UK children, we rely on approved safeguards (EU-US Data Privacy Framework certification where available, otherwise Standard Contractual Clauses). For EU/German users we can set our database region to the EU (Frankfurt) so data stays in the EU. [Confirm your chosen region and transfer mechanism before launch โ€” see docs/legal/subprocessors.md.]

7. How long we keep data

We keep account data only as long as needed to provide the service. If you delete a child profile or your whole family account, the associated learning data is permanently erased. If an account is inactive for [RETENTION PERIOD], we will notify the parent and then delete it. We keep a minimal, non-identifying record that a valid consent once existed (no child data) for as long as legally required to demonstrate compliance.

8. Parents' rights & choices

To exercise any right, use the dashboard controls or email [CONTACT EMAIL]. Depending on where you live, you may also have the right to complain to your data protection authority.

9. How we protect data

We maintain a written information-security program appropriate to the sensitivity of children's data: encryption in transit, database row-level security so each family can only access its own data, secrets stored server-side only (never in the browser), signed data-processing agreements with our providers, and least-data-necessary design. No system is perfectly secure, but we work to protect your family's information.

10. Legal compliance

We design XP Quests to meet the U.S. Children's Online Privacy Protection Act (COPPA), the EU/UK General Data Protection Regulation including its child-specific rules, and the UK Age Appropriate Design Code ("Children's Code"). We seek verifiable parental consent before collecting personal information from a child through an account or a premium feature. Schools may consent on behalf of parents for authorized, non-commercial educational use under a separate agreement.

11. Changes to this policy

If we make material changes, we will update the version and date above and, where required, ask parents to agree again before continuing to use account features.

โ† Back to XP Quests