# Privacy Policy — Jogg Mini
**Status:** Legal document — implementation-aware
**Effective Date:** April 2026
**Last Updated:** April 2026
**Product:** Jogg Mini
**Operated by:** MokingBird Oy ("Mokingbird")
**Registered in:** Finland, European Union
**Contact:** [email protected]
---
## 1. Who We Are
Jogg Mini is a product of **MokingBird Oy**, a company registered in Finland, European Union, operating under the brand name **Mokingbird**. Sortify is a registered brand of MokingBird Oy. In this Privacy Policy, "Jogg Mini", "we", "our", and "us" refer to MokingBird Oy, referred to in this document as **Mokingbird**.
Jogg Mini is a privacy-focused, gamified AI and machine learning learning application designed for children and young learners ages 5–15, their parents or guardians, and teachers.
---
## 2. Scope and Purpose
This Privacy Policy explains:
- what information we collect and why
- how different user types (children, teens, parents, teachers, guests) are handled
- the legal bases on which we process personal data
- your rights as a user, parent, or guardian
- how we protect data
- how data is shared, retained, and deleted
- how we comply with COPPA and GDPR
This policy applies to data collected through:
- the Jogg Mini mobile app (iOS and Android)
- Jogg Mini web services
- Supabase-backed authentication and data services used by Jogg Mini
If you do not agree with this policy, please do not use Jogg Mini.
---
## 3. Core Privacy Principles
Jogg Mini is built on the following principles:
- **Child safety first** — the most stringent protections apply to children under 13
- **No sale of user data** — we do not sell personal information to any third party, ever
- **No advertising** — the app contains no advertising SDK and shows no ads to any user
- **Data minimisation** — we collect only what is necessary to provide the service
- **Parental control** — parents have full oversight and control over child data
- **Role separation** — children, parents, teachers, and teens have separate, scoped data access
- **COPPA- and GDPR-aware design** — our product and policies are designed to align with applicable child-data and privacy obligations
---
## 4. User Types and Age-Based Handling
### 4.1 Children Under 13 — COPPA Protected
Children under 13 may use portions of Jogg Mini without an authenticated account (guest mode). For account-linked features:
- Children under 13 **cannot create their own account**. A parent or legal guardian must register and create the child's profile.
- All child data is collected and managed through the parent account.
- Parental consent is handled through parent-managed registration and child-profile creation flows.
- The child accesses the app by selecting their profile — no separate login is required.
**Data collected for children under 13 (provided by parent):**
- First name
- Age
- Grade level and education system (US, UK, India, IB)
- Avatar or profile styling choice
- Learning progress: XP, stars, gems, streaks, world completion, quiz history
- Parental control settings linked to the child profile
**We do not collect** from children under 13:
- Last name or surname
- Email address
- Phone number
- Home or postal address
- GPS or network-based location
- Contacts, calendar, photos, camera, or microphone data
- Advertising identifiers
### 4.2 Teens Ages 13–15
Eligible teens may self-register using supported methods available in the active app release (for example Google, Apple, or other enabled methods). COPPA does not apply at age 13+. However, we apply strong privacy protections to this age group.
**Data collected for teens:**
- Name (from sign-in provider)
- Email address (from sign-in provider)
- Age (entered during registration)
- Learning progress: XP, stars, levels, quiz history, streaks
Teens may optionally link a parental oversight account. This is entirely voluntary and can be removed at any time from account settings.
### 4.3 Parents and Guardians (Age 16+)
Parents register using Google, Apple, or email and password.
**Data collected for parents:**
- Full name
- Email address
- Authentication credentials (managed via Supabase Auth)
- 6-digit parent PIN (hashed before storage)
- Subscription status and tier
- Optional phone number
- Notification preferences
- List of linked child profiles
Where a parent purchases a subscription, a Stripe customer ID is associated with the account. We do not store full payment card numbers — Stripe processes all payments under their own PCI-DSS standards.
### 4.4 Teachers and Educators
Teachers register using Google, Apple, or email and password.
**Data collected for teachers:**
- Full name
- Email address
- School or institution name (optional)
- Classroom and quiz organisation data
- Quiz participation and result records
- School subscription metadata where applicable
**Teacher access is limited.** Teachers can access student participation and quiz-performance data within classrooms/quizzes they manage. Teachers do not receive parent account credentials or household-level account management rights.
### 4.5 Guest Users
Users who access Jogg Mini without creating an account are **Guest Users**. No personal information is collected from guests. Guest progress is stored locally on the device in encrypted local storage. It is not transmitted to our servers, and it is not retained if the app is uninstalled.
---
## 5. Information We Collect — Complete Overview
### 5.1 Registration and Account Data
As described per user type in Section 4 above.
### 5.2 Learning and Usage Data
For registered users, we process the following to deliver the educational service:
| Data | Purpose |
|------|---------|
| Questions answered (correct / incorrect) | Progress tracking and educational reporting |
| Time spent per session | Parental controls, usage monitoring |
| XP, levels, stars, gems | Gamification and progression display |
| Streak records | Habit formation features |
| Badges and achievement unlocks | Gamification records |
| Arcade mode progress | Feature state tracking |
| World completion status | Learning journey tracking |
| Daily challenge completion | Daily quest rewards |
| Quiz participation and results | Parent/teacher reporting |
### 5.3 Technical and Diagnostic Data
We collect limited technical data to maintain app quality:
- Crash and error reports (if crash reporting is enabled in the active deployment)
- Feature usage analytics (if analytics is enabled in the active deployment)
- Device-side app state for offline continuity
- Network connectivity state relevant to sync behaviour
### 5.4 Anonymised Analytics
We may collect anonymised, aggregated analytics to improve the app and question quality:
- Question difficulty and accuracy rates (aggregate, not per-user)
- Feature usage patterns (anonymised)
- App session statistics (not linked to individual users)
This data cannot be traced back to individual users and is never sold.
### 5.5 Data We Do Not Collect
Jogg Mini does not collect:
- GPS location or network-based location
- Device contacts or calendar
- Camera or microphone content
- Social media connections
- Advertising identifiers (IDFA, GAID) for ad targeting
- Behavioural data for third-party advertising profiles
- Direct under-13 child email registration data
---
## 6. Authentication and Identity Providers
Jogg Mini uses Supabase-backed authentication. Depending on user type, sign-in may involve:
- Supabase email/password authentication
- Google Sign-In (OAuth 2.0)
- Apple Sign-In (OAuth 2.0)
When a user chooses Google or Apple login, those providers process identity information under their own privacy policies. Jogg Mini receives only the information needed to create and maintain the user's account.
---
## 7. How We Use Your Data
We use collected data for the following purposes:
1. **Service delivery** — providing quiz, world, arcade, streak, and gamification features
2. **Account management** — creating and managing parent, teen, teacher, and child profiles
3. **Parental oversight** — enabling parents to monitor, configure, and control child accounts
4. **Educational reporting** — producing progress reports for parents and teachers
5. **Security** — authenticating users, detecting fraud, protecting account access
6. **Service improvement** — using anonymised analytics to improve question quality and app reliability
7. **Customer support** — responding to enquiries and resolving issues
8. **Legal compliance** — meeting obligations under COPPA, GDPR, and other applicable laws
9. **Payment processing** — managing subscriptions and purchases through app stores and/or payment processors where paid features are offered
We do **not** use data for:
- Targeted or behavioural advertising
- Building user profiles for third-party advertisers
- Sharing with social networks
- Marketing to children
---
## 8. Legal Bases for Processing (GDPR)
Where GDPR applies, we rely on one or more of the following legal bases:
| Legal Basis | When It Applies |
|-------------|----------------|
| **Performance of a contract** | To provide the app and services the user has requested |
| **Legitimate interests** | To secure, maintain, and improve the service; fraud prevention; analytics |
| **Consent** | For parent-managed child data; certain communications; optional features |
| **Legal obligation** | Where processing is required by law (e.g., tax records, legal compliance) |
For under-13 child accounts, parental involvement and parental consent are central to the product design. Parent-managed child profile creation is our in-product consent mechanism for child profile use.
Where consent is the basis for processing, users may withdraw consent at any time. Withdrawal does not affect lawfulness of processing before withdrawal.
---
## 9. Advertising and Commercial Use of Data
Jogg Mini is an **ad-free product**. We do not:
- Display advertisements to any user
- Include mobile advertising SDKs
- Use child data to serve third-party ads
- Sell user information to data brokers or advertisers
- Build advertising profiles based on user behaviour
Monetisation of Jogg Mini is based solely on voluntary subscriptions and one-time purchases.
---
## 10. COPPA Compliance (Children Under 13)
Jogg Mini is designed with COPPA-oriented principles:
- No direct under-13 self-registration as an account model
- Parent-managed child profiles with parental consent controls
- Child data minimisation — first name, age, grade level, and progress only
- Parental control over child profile data, settings, and access
- No sale of child data
- No child-targeted advertising or profiling
- Parents may access, correct, and delete all child data at any time
---
## 11. Parent Rights Over Child Data
Parents may:
- **Access** — view all data collected about their child through the parent dashboard
- **Rectify** — edit the child's profile, name, age, grade, and settings
- **Delete** — request deletion of the child's profile and associated data (subject to operational timelines and legal retention requirements)
- **Restrict** — limit what data is generated by adjusting parental controls, time limits, and topic settings
- **Withdraw consent** — delete the child profile, which removes all associated data and consent
To exercise rights, use available in-app account/settings controls or contact: [email protected].
---
## 12. Your Rights Under GDPR
All users (regardless of location) may exercise the following rights:
| Right | Description | How to Exercise |
|-------|-------------|----------------|
| **Access** | Receive a copy of personal data we hold, where required by law | In-app tools where available, or email [email protected] |
| **Rectification** | Correct inaccurate personal data | In-app profile controls where available, or email us |
| **Erasure** | Request deletion of your account and associated personal data | In-app delete controls where available, or email us |
| **Restriction** | Request restriction of certain processing | Contact [email protected] |
| **Data portability** | Request portable data where legally applicable | In-app export tools where available, or email us |
| **Object** | Object to processing on legitimate interests grounds | Contact [email protected] |
| **Withdraw consent** | Withdraw consent at any time where consent is the legal basis | Contact [email protected] |
| **Lodge a complaint** | Complain to a supervisory authority | Contact your national Data Protection Authority |
Parents may also exercise applicable rights on behalf of child profiles under their control.
---
## 13. Data Sharing and Third Parties
**We do not sell personal data to third parties.**
We share limited data only with service providers needed to operate Jogg Mini. Active integrations can vary by platform, environment, and release:
| Provider | Purpose | Data Shared |
|----------|---------|-------------|
| **Supabase** | Database and authentication (EU-hosted) | All account data |
| **Stripe or app-store billing partners** | Payment/subscription processing where paid features are offered | Billing-related account metadata (card details are not stored by us) |
| **Analytics providers (if enabled)** | Product analytics | Usage events configured to avoid unnecessary personal data |
| **Crash-reporting providers (if enabled)** | Reliability and error diagnostics | Error/diagnostic payloads configured to minimise personal data |
| **Google (OAuth)** | Sign-in authentication | OAuth token only |
| **Apple (OAuth)** | Sign-in authentication | OAuth token only |
We may also disclose personal data:
- If required by applicable law, regulation, court order, or legal process
- In connection with a corporate restructuring, acquisition, or merger, subject to the receiving party maintaining equivalent data protections and applicable law
- To protect the safety, rights, or property of MokingBird Oy, users, or the public where required
All service providers are bound by data processing agreements and are prohibited from using data for any purpose other than the stated service.
---
## 14. Data Storage and Security
### Storage Location
All user data is stored on **Supabase** infrastructure hosted in the **European Union**. Supabase has a Data Processing Agreement (DPA) with MokingBird Oy ensuring GDPR-compliant data handling.
Local device data (offline progress, cached questions, and app state) is stored on-device. Sensitive secrets (for example lock/auth secrets) are handled with secure-storage mechanisms where implemented.
### Security Measures
Our security approach includes:
**Device layer:**
- Optional biometric authentication for app access
- 4-digit app PIN (optional, device-side)
- Parent account PIN features where configured in-app
- Session timeout and auto-lock
**Data encryption:**
- PIN and credential hashing for relevant backend-stored secrets
- Secure local storage for sensitive local lock/auth secrets where applicable
**Transmission:**
- Encrypted HTTPS/TLS transport provided by client platform and backend endpoints
- JWT tokens with automatic refresh (PKCE OAuth flow where configured)
**Cloud:**
- PostgreSQL Row-Level Security (RLS) — each user sees only their own data
- Role-separated access controls (parent, teacher, child-profile scopes)
- Managed infrastructure controls provided by backend/cloud providers
### Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours where required by GDPR Article 33
- Notify affected users without undue delay where the breach is likely to result in high risk to their rights and freedoms
- Provide information on the breach, its likely consequences, and measures taken
---
## 15. Data Retention
We retain personal data for as long as reasonably necessary to:
- operate the service and maintain account functionality
- meet legal obligations
- resolve disputes and enforce agreements
- support accounting and tax record requirements
When an account or child profile is deleted:
- Personal data is deleted according to operational deletion workflows and legal retention constraints
- Anonymised, aggregated data (not traceable to individuals) may be retained indefinitely for quality improvement
- Billing records may be retained as required by accounting/tax law
---
## 16. International Transfers
MokingBird Oy is registered in Finland and primarily operates EU infrastructure. If your data is processed outside the European Economic Area (EEA), we rely on appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with providers certified for cross-border transfers
---
## 17. Children's Safety — Additional Measures
Given that Jogg Mini primarily serves children, we implement protections beyond standard privacy practices:
- No child-targeted advertising SDK usage
- No social features or direct messaging between users
- No public user profiles
- Parental PIN gate for all child account settings changes
- One-click deletion of child profile and all data by parent
---
## 18. Changes to This Policy
We may update this Privacy Policy to reflect product changes, legal requirements, or security improvements. When we do:
- We will update the "Last Updated" date
- We will notify registered users via in-app notification for material changes
- For changes that materially affect how we handle children's data or parental consent, we may require re-consent before continuing to provide the service
---
## 19. Contact
**MokingBird Oy**
Privacy Officer
Email: [email protected]
Website: https://joggmini.mokingbird.xyz
For EU data protection enquiries or to lodge a complaint, you may also contact your national **Data Protection Authority (DPA)**. In Finland, the supervisory authority is the **Office of the Data Protection Ombudsman** (tietosuoja.fi).
---
## Summary: Data Collected by User Type
| | Child <13 | Teen 13–15 | Parent | Teacher | Guest |
|---|---|---|---|---|---|
| First name | ✅ (via parent) | ✅ | ✅ | ✅ | ⌠|
| Email | ⌠| ✅ | ✅ | ✅ | ⌠|
| Age | ✅ (via parent) | ✅ | ⌠| ⌠| ⌠|
| Grade level | ✅ (via parent) | ✅ | ⌠| ⌠| ⌠|
| Quiz progress | ✅ | ✅ | ⌠| Quiz results only | Local only |
| Location | ⌠| ⌠| ⌠| ⌠| ⌠|
| Ads shown | ⌠| ⌠| ⌠| ⌠| ⌠|
| Data sold | ⌠| ⌠| ⌠| ⌠| ⌠|
---
*MokingBird (MokingBird Oy) — Privacy Policy v1.2 — April 2026*
Jogg Mini Blog