Privacy Policy

ReadLab is an educational application for children aged 6 to 12, focused on improving reading skills. ReadLab is published by Gymspiratie B.V. (Dutch Chamber of Commerce 90564480), based in the Netherlands (hereinafter: "we", "us" or "ReadLab").

We process the following data:

• Parents/guardians (account): email address, language preference, consent date and policy version. When you use Apple Sign-In we additionally receive an Apple identifier (provider_id and sub), your email address (which may be an Apple private-relay address) and optionally your name when you choose to share it during sign-in. These fields are needed to create and recognise your account.
• Children (child profile): nickname (entered by the parent; we explicitly ask you not to use a real name - we save whatever you type), age, chosen avatar, reading level, progress data and gamification figures (XP, streak). We do not collect advertising IDs, location data or cross-app tracking data from children.
• Subscription (RevenueCat): subscription status, purchase history and an anonymous app identifier. The RevenueCat SDK generates this identifier at first app launch, so before you create an account or grant consent. The identifier does not contain personal data; we link it to your account only after registration.
• Technical usage data (analytics): per session we log anonymously which exercise was started or completed, at what level, how many questions were correct/incorrect, app version and platform. This data does not contain a child profile id or account id and cannot be linked to a specific user. Purpose: progress improvement, debugging and product improvement. Retention: 90 days.
• Technical security data: IP address, device type, browser type - solely for security and debugging during an active session.

We do notcollect sensitive personal data such as social security numbers, health data or financial information. We never sell your child's data and don't share it for ads or profiling.

We only process personal data for the purposes for which it is needed. For each purpose we identify the legal basis.

• Operating the app and saving progress. Without this data we cannot provide the service you signed up for (legal basis: performance of the contract, GDPR Art. 6(1)(b)).
• Giving parents insight into their child's progress. A core promise of the product that falls within the user's reasonable expectations (legal basis: legitimate interest, GDPR Art. 6(1)(f)).
• Complying with legal obligations, including COPPA, GDPR and tax retention requirements (legal basis: legal obligation, GDPR Art. 6(1)(c)).

Because our app is aimed at children under 16 years of age, we require explicit prior consent from a parent or legal guardian before a child can use the app (in accordance with GDPR Art. 8 and COPPA). We do this via a mandatory consent checkbox in the app when the parent creates a child profile. The parent explicitly confirms which data is stored and which is not.

Without consent, no child data is stored. For completeness: as described in section 2, the RevenueCat SDK generates an anonymous app identifier at first app launch and the app logs anonymised session usage data. Neither contains child data and neither is linked to a specific user.

Verifiable parental consent (Art. 8 GDPR & COPPA §312.5): We combine Apple Sign-In (authentication via a verified Apple ID) with an explicit consent checkbox when creating a child profile, server-side logging of the consent timestamp and policy version, and a parental PIN gate for destructive actions. This combination constitutes our “reasonable effort” under Art. 8 GDPR. We collect minimal data (no tracking SDKs, no advertising ID, no photo or video recordings) and do not share any child data with third parties for advertising or profiling purposes. For US users (COPPA): see also section 10 below.

Pausing or withdrawing consent: You can pauseyour consent at any time (child profile stays intact, no new progress is saved and the child can't practice until you resume), or permanently withdraw (child profile and all progress data are deleted). Both options are available via the parent dashboard in the app (child profile → Pause consent / Delete child profile). Alternatively, you can send an email to privacy@readlab.app.

Deleting data:You can delete the child's profile and all associated data directly via the parent dashboard in the app. Alternatively, you can send an email to privacy@readlab.app.

We never sell your data. We only share data with:

• Supabase (database hosting, based in the EU) - privacy policy.
• Vercel (web hosting for the website, based in the US - EU-US Data Privacy Framework + SCCs apply; DPA via Vercel's standard agreement) - privacy policy.
• Brevo (based in the EU) - for authentication, processing waitlist sign-ups, and sending newsletters (both via the website and the app) - privacy policy.
• RevenueCat (in-app purchases and subscriptions, based in the US - SCCs apply) - privacy policy.

Third parties may not use your data for their own purposes.

No ad networks: we do not share any personal data with advertising networks such as Meta or Google.

International transfers: Supabase and Brevo process data within the EU. Vercel and RevenueCat are based in the US; for these parties, Standard Contractual Clauses (SCCs) apply to ensure an adequate level of protection.

All data is stored and transmitted with encryption (HTTPS/TLS). Access to personal data is restricted to authorised personnel.

• Waitlist email addresses: up to 6 months after launch or upon unsubscription.
• Account data and progress: for as long as the account is active + maximum 1 year after termination.

Under the GDPR, you have the following rights:

• Right of access (Art. 15): You can request which data we process about you.
• Right to rectification (Art. 16): You can have incorrect data corrected.
• Right to erasure (Art. 17): You can request deletion of your data.
• Right to restriction (Art. 18): You can have the processing of your data restricted.
• Right to data portability (Art. 20): You can receive your data in a structured format.
• Right to object (Art. 21): You can object to processing based on legitimate interest.
• Automated decision-making (Art. 22): We do not make decisions based solely on automated processing that have legal effects on you.

Many of these rights can be exercised directly in the app via the parent dashboard:

• Access: export all your account data as a JSON file.
• Rectification:edit a child's name or age directly.
• Erasure: delete a child profile including all progress data.
• Withdraw consent: pause or revoke parental consent per child profile.

What does the JSON export contain?Per parent: email address, account creation date, language preference, consent timestamp and policy version, subscription status (Pro/Free), and all account metadata you've provided (such as your name). Per child profile: name, nickname, avatar choice, age, current level, creation date, soft-delete status, complete practice history (exercise id, score, timestamp), total XP, streak, last practice date, screen time settings, consent status, and any pause timestamp. Additionally - if you've ever made a purchase - the export contains your complete subscription history from RevenueCat: purchases, renewals, entitlements, and the management URL for your App Store / Play Store subscription.

For other requests, send an email to privacy@readlab.app. We will respond within 30 days.

Right to complain: You have the right to lodge a complaint with the relevant data protection authority. In the Netherlands, this is the Autoriteit Persoonsgegevens ( autoriteitpersoonsgegevens.nl).

ReadLab
Email: privacy@readlab.app

ReadLab is aimed at children aged 6-12. In the United States, this group falls under the Children's Online Privacy Protection Act (COPPA) - specifically children under 13. This section explains how we comply with COPPA.

Operator & contact: ReadLab is published by Gymspiratie B.V. (Chamber of Commerce 90564480), based in The Hague, The Netherlands. Questions, requests or complaints can be directed to privacy@readlab.app. We respond within 30 days.

What we collect about children: first name, optional nickname, age, avatar choice, learning progress (exercise ID, score, timestamp), XP and streak. We do not collect date of birth, location, photo, video, audio, social-media data, or child contact information. See section 2 for the complete data inventory.

How we verify parental consent (COPPA §312.5): See section 4. We use Apple Sign-In + an explicit consent checkbox + parental PIN as our “reasonable effort”. This method is documented in our internal DPIA (Data Protection Impact Assessment) and is periodically reviewed.

Parental rights under COPPA:

• Review:you can request the data we hold about your child via the “Export my data” button in the app (JSON file) or by emailing privacy@readlab.app.
• Refusal of further collection: you can pause consent or permanently withdraw it. Pausing immediately stops all new data collection; permanent withdrawal also deletes existing data.
• Deletion:you can have your child's profile and all associated data deleted at any time via the app or by email.

No third-party data sharing for advertising: We do not share any child data with third parties for advertising, profiling, or analytics purposes. This is in line with the FTC COPPA update of 2025 (effective April 22, 2026), which explicitly tightens third-party data sharing for children's apps.

Safe Harbor program: ReadLab is currently not enrolled in an FTC-approved COPPA Safe Harbor program. However, we follow the COPPA Rule (16 CFR Part 312) directly.

FTC complaint: if you believe we are not complying with COPPA, you can file a complaint with the U.S. Federal Trade Commission at reportfraud.ftc.gov.