Privacy Policy — EduBert.com
Last updated: April 5, 2026
1. Data Controller
The controller of your personal data is PHU MAST Stefan Mazurek, ul. Bolesława Prusa 45A/87, 05-800 Pruszków, Poland, Tax ID (NIP): 9661804059, REGON: 200695125. Contact: hello@edubert.com.
2. Data Collected
Parent/Guardian Data:
Email address, Parent PIN (stored as cryptographic hash), language preferences, subscription and payment data (processed by Stripe, Inc.).
Children's Data:
Name (provided by parent), selected avatar, game progress (completed levels, stars, badges, session statistics).
Technical Data:
IP address, browser/device type, screen resolution, session duration, pages visited.
Communication Data:
history of sent emails (message type, date sent, delivery status),
notification preferences (progress reports, marketing consent),
date of granting and withdrawing marketing consent.
3. Purpose and Legal Basis
| Purpose | Legal Basis (GDPR) |
| --------- | ------------------- |
| Service provision — account management, game access | Art. 6(1)(b) — contract performance |
| Payment processing | Art. 6(1)(b) — contract performance |
| Progress monitoring in Parent Panel | Art. 6(1)(b) — contract performance |
| Service security | Art. 6(1)(f) — legitimate interest |
| User communication | Art. 6(1)(f) — legitimate interest |
| Analytics and improvement (own system) | Art. 6(1)(f) — legitimate interest |
| Traffic analysis (Google Analytics, Meta Pixel) | Art. 6(1)(a) — user consent (cookie consent) |
| Sending weekly child progress reports | Art. 6(1)(b) — contract performance |
| Sending account-related emails (verification, password reset) | Art. 6(1)(b) — contract performance |
| Marketing communications (news, promotions) | Art. 6(1)(a) — user consent |
| Legal obligations (accounting, taxes) | Art. 6(1)(c) — legal obligation |
4. Data Recipients
Stripe, Inc. (USA) — payment processing, EU-US Data Privacy Framework certified.
Supabase, Inc. (USA) — database hosting, EU servers (eu-central-1).
Vercel, Inc. (USA) — web application hosting, EU-US Data Privacy Framework.
Resend, Inc. (USA) — email delivery service (account confirmations, progress reports, marketing communications). Resend processes only the recipient's email address and message content. Data processed under the EU-US Data Privacy Framework.
Google Ireland Limited (Ireland) — traffic analytics (Google Analytics 4) and tag management (Google Tag Manager). Data anonymized, processed on EU servers.
Meta Platforms Ireland Limited (Ireland) — campaign effectiveness analysis (Meta Pixel). Data anonymized.
Government authorities — only upon lawful request.
We do not sell personal data or share it for third-party marketing.
5. International Data Transfers
In connection with the use of Stripe, Supabase, Vercel, and Resend services, data may be transferred to the United States based on the EU-US Data Privacy Framework or Standard Contractual Clauses (SCC).
6. Data Retention
Account data: duration of account + 30 days after deletion.
Payment data: 5 years from end of tax year.
Technical logs: 90 days.
Anonymized analytics: indefinitely.
Email communication history (email_log): 12 months from the date of sending.
Marketing consents: for the duration of the account plus 30 days after deletion.
7. Your Rights
Under GDPR: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), withdrawal of consent — including withdrawal of marketing consent at any time (Parent Panel → Settings → Notifications). Contact: hello@edubert.com.
8. Children's Data Protection
We collect only the child's name (provided by parent) and game progress. Parents may delete a Child Profile at any time.
9. Data Security
SSL/TLS encryption, bcrypt password/PIN hashing, Row Level Security (RLS), regular security reviews.
10. Changes
Material changes communicated via email with at least 14 days' notice.
11. Right to Complain
Polish Data Protection Authority (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, https://uodo.gov.pl