Privacy Policy

1. Information we collect

Parent account information. When you create an account, we collect your name, email address, and authentication provider details (Apple or Google). This information is necessary to provide and secure the Service.

Child profile information. For each child profile, the parent enters only the child’s first name and grade level. We do not ask for and do not collect a child’s date of birth, last name, photograph, voice recording, geolocation, or contact information. This information is collected by the parent on the child’s behalf, with the parent’s verifiable consent (see Section 3).

Usage data. We collect aggregated and pseudonymized usage data such as which math skills are practiced, episodes completed, and learning progress. This data is associated with an internal account identifier rather than with a child’s name, and is used to operate and improve the educational experience.

Purchase data. In-app purchases are processed by Apple or Google. We receive transaction confirmations but do not store credit card numbers or payment details.

2. How we use your information

We use collected information to:

Provide and personalize the Wondika learning experience
Generate age-appropriate stories and math challenges
Track your child’s learning progress within the parent dashboard
Process and manage episode pack purchases
Communicate important updates about the Service (e.g., security notices, terms changes)
Improve the quality of our AI-generated content and educational approach

We do not use your information for advertising, behavioural profiling, or any purpose unrelated to delivering and improving the Service.

3. Children’s privacy (COPPA)

Wondika is designed for children in the early-elementary to upper-elementary grade range, used under parental supervision. We comply with the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, and its implementing regulations at 16 C.F.R. Part 312.

Verifiable parental consent. Before any child profile is created, the parent must (a) authenticate to the parent account using Apple or Google sign-in, (b) confirm in-app that they are the parent or legal guardian of the child, and (c) acknowledge this Privacy Policy. We then send a confirmation email to the parent account address with a link the parent must click to activate the child profile. This “email plus” mechanism, together with the parent’s authenticated session, constitutes verifiable parental consent under 16 C.F.R. § 312.5(b) for the limited internal uses described in this Policy.

What we do and do not do.

We collect only a child’s first name and grade level, entered by the parent
Children cannot enter free-text personal information, photos, or audio recordings
All accounts are created and managed by parents or legal guardians
We do not serve advertisements of any kind to children
We do not share children’s data with third parties for marketing purposes
We do not condition a child’s participation in any activity on the disclosure of more personal information than is reasonably necessary

Parental rights. Parents may, at any time and without giving a reason:

Review the personal information we hold about their child by visiting account settings or emailing privacy@wondika.com
Refuse to permit further collection or use of their child’s personal information (without deleting the account) by writing to privacy@wondika.com; in that case the child profile will be paused
Delete a child profile and all associated personal information at any time

If you believe we have inadvertently collected personal information from a child without proper parental consent, please contact us at privacy@wondika.com and we will delete it promptly.

4. European users (GDPR & GDPR-K)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation applies to you. For children under the age of 16 (or the lower age threshold set by your member state), we additionally apply GDPR-K protections.

We process personal data only with a lawful basis under Article 6 of the GDPR — typically the performance of a contract with the parent account holder or the parent’s explicit consent
A parent or legal guardian must consent before any data is collected for a child under 16
You may exercise your rights of access, rectification, erasure, restriction, portability, and objection at any time by contacting privacy@wondika.com
You have the right to lodge a complaint with your local data protection authority

International transfers. Wondika operates from outside the European Economic Area. Where personal data is transferred to our infrastructure or to a service provider in a country that has not received an EU adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914) and conduct a Transfer Impact Assessment in line with the EDPB’s post-Schrems II recommendations. We apply supplementary technical and organisational measures — including encryption in transit and at rest, access controls, and contractual audit rights — to ensure a level of protection essentially equivalent to that guaranteed within the EEA.

EU and UK representatives. Where required by Article 27 of the GDPR or Article 27 of the UK GDPR, we appoint a representative in the EU and the UK. The representative’s contact details are available on request from privacy@wondika.com.

5. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), gives you specific rights regarding your personal information. This section is provided pursuant to Cal. Civ. Code § 1798.100 et seq. and § 1798.130.

Categories of personal information collected in the past 12 months.

Identifiers — parent name, email address, authentication provider ID, internal account ID; child first name. Source: directly from the parent. Purpose: account creation, authentication, service delivery. Retention: for the life of the account.
Commercial information — record of episode pack purchases. Source: Apple App Store or Google Play. Purpose: granting purchased content, customer support. Retention: seven years for tax and accounting purposes.
Internet or other electronic network activity — pseudonymized learning progress and episode completion events. Source: device. Purpose: service operation and improvement. Retention: for the life of the account.
Inferences — math skill mastery estimates derived from learning progress. Source: derived. Purpose: personalising the educational experience. Retention: for the life of the account.

We do not collect any of the following CCPA categories: precise geolocation, biometric information, sensory data (audio, electronic, visual), professional or employment information, education records as defined under FERPA, sensitive personal information as defined in § 1798.140(ae), or characteristics of protected classifications.

Your CCPA rights. You have the right to know, right to delete, right to correct, right to opt out of the sale or sharing of personal information, right to limit use of sensitive personal information, and the right to non-discrimination for exercising these rights. To exercise any of these rights, contact us at privacy@wondika.com. We will verify your request using your account credentials and respond within 45 days.

We do not sell or share personal information as those terms are defined under the CCPA, and we have not done so in the preceding 12 months. For consumers under 16, California law requires opt-in consent before any such sale or sharing could occur — and we do not sell.

6. Vietnamese users (PDPD)

Wondika is operated from Vietnam and complies with Decree No. 13/2023/NĐ-CP on Personal Data Protection (the “PDPD”). If you are located in Vietnam, the PDPD applies to our processing of your personal data in addition to any other applicable laws.

We process personal data only with the data subject’s consent or another lawful basis recognised under Article 17 of the PDPD, including the performance of a contract for the parent account holder
For children under 16, we obtain the consent of a parent or legal guardian before processing personal data, in accordance with Article 20 of the PDPD
You may exercise your rights of access, correction, deletion, restriction, objection, and withdrawal of consent at any time by contacting privacy@wondika.com
We notify the Department of Cybersecurity and High-Tech Crime Prevention (A05) of personal data breaches and cross-border transfers as required by the PDPD
You have the right to lodge a complaint with A05 if you believe our processing of your personal data infringes the PDPD

7. AI-generated content

Wondika uses artificial intelligence to generate stories, illustrations, and audio. To generate this content, we send non-personal contextual information (such as selected math skill, story world, and difficulty level) to third-party AI providers. We do not send children’s names, grade levels, or any personally identifiable information to AI providers.

Sub-processors. A current list of the AI providers and other sub-processors that may process personal data on our behalf is published at wondika.com/subprocessors. We will update that page when sub-processors change. EEA, UK, and Vietnamese users may subscribe to be notified of material changes by writing to privacy@wondika.com.

8. Analytics and tracking

We use Cloudflare Web Analytics on our marketing pages to understand aggregated traffic patterns. Cloudflare Web Analytics is privacy-first: it does not use cookies, does not fingerprint visitors, and does not collect personal information.

Inside the Wondika app itself, we do not use third-party analytics, advertising SDKs, or behavioural tracking. We do not embed any third-party trackers on pages that children may interact with.

Diagnostic error reporting (Sentry). We use Sentry (Functional Software, Inc.) solely for diagnostic crash and error reporting across our backend, mobile app, and website. When our software encounters an error, Sentry receives the stack trace, anonymised device model, OS version, and app version. We have configured Sentry to not store IP addresses, not record user identifiers, not capture screenshots or session replays, and not capture the contents of in-app interactions. Data is processed in the European Union (Frankfurt). Sentry is a diagnostic processor, not an analytics or advertising service.

9. Data sharing

We do not sell, trade, or share your personal information with third parties for marketing purposes. We may share data with trusted service providers who assist in operating our platform, including:

Cloud hosting — for storing account data and generated content
Payment processing — Apple and Google handle all payment transactions
AI content generation — for creating stories, images, and audio (no personal data is shared)
Email delivery — for transactional emails such as security notices
Diagnostic error reporting — Sentry (Functional Software, Inc.) receives stack traces and anonymised device metadata when our software encounters an error, with strict scrubbing applied (no IP addresses, no user identifiers, no screenshots, no in-app content). EU data residency.

All service providers are bound by contractual obligations to protect your data and use it only for the purposes we specify. We may also disclose information when required by law, subpoena, or to protect the safety of our users.

10. Data security

We implement industry-standard security measures to protect your data, including:

Encryption of data in transit (TLS 1.2 or higher)
Encryption of data at rest
Authentication via secure third-party providers (Apple, Google)
Role-based access controls and least-privilege engineering access
Regular security reviews and updates

While we take reasonable precautions, no method of electronic transmission or storage is 100% secure and we cannot guarantee absolute security.

Breach notification. In the event of a personal data breach, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (as required by Article 33 of the GDPR and Article 23 of Vietnam’s PDPD). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay (Article 34 of the GDPR).

11. Data retention and deletion

We retain your account data for as long as your account is active. When you delete your account:

Your parent profile, child profiles, and associated learning data are permanently deleted from our live systems within 30 days of your deletion request
Generated story content linked to your account is removed from our live systems on the same timeline
Backup snapshots containing your data are purged on our standard backup rotation, which fully overwrites within 90 days of deletion
Aggregated and pseudonymized usage statistics that cannot be re-associated with you or your child may be retained indefinitely to improve the Service
Records that we are required to keep by law (for example, transaction records for tax and accounting) are retained for the period required by that law (typically seven years) and then deleted

You can delete your account at any time through the app settings or by contacting us.

12. Your rights

Depending on your location, you may have the right to:

Access the personal data we hold about you
Correct inaccurate personal data
Delete your personal data
Export your data in a portable format
Withdraw consent for data processing

To exercise any of these rights, contact us at privacy@wondika.com. We will respond within 30 days.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app or via the email address associated with your account. The “Last updated” date at the top indicates when this policy was most recently revised.

14. Contact us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Email: privacy@wondika.com
General contact: hello@wondika.com or via our contact form
Location: Ho Chi Minh City, Vietnam