Privacy Policy — AlephPlay

AlephPlay is built for Jewish children ages 4–14 and the parents who care for them. We take your family's privacy seriously and have designed this service to collect only what we need to make the app work. This policy explains, in plain language, what we collect, how we use it, who else sees it, and the rights you have over your information.

The short version:

We never show ads. Not now, not ever.
We never sell your data or your child's data to anyone.
We do not use third-party advertising or behavioral tracking.
We collect the minimum information needed to run the app, manage your subscription, and show you usage history for your kids.
You can delete your account and all associated data at any time.

1. Who We Are

"AlephPlay" (also referred to as "we", "us", or "our") is the operator of the AlephPlay mobile app (available on Google Play and the Apple App Store) and the website at alephplay.com. This Privacy Policy applies to all of those surfaces.

For purposes of GDPR and UK data-protection law, AlephPlay is the data controller of personal information collected through our service. You can reach us at support@alephplay.com regarding any privacy matter.

2. Information We Collect

Information you give us when you create an account

When a parent creates an AlephPlay account, we collect:

Email address — used to sign you in, send password reset links, contact you about your subscription, and tie your devices together.
Password — stored only as a one-way hash by our authentication provider; we cannot read your password.

Family profile information

When a parent sets up profiles for their household, we collect:

Profile names you choose (e.g. "Mom", "Avi", "Chaya")
A child's age range (used to filter age-appropriate games)
A randomly assigned avatar color
A hashed parent PIN that locks parental-control settings
Daily screen-time limits and per-game allowlists you configure

You decide what to put here. We recommend nicknames over full legal names.

Usage information

While the app is in use, we record:

Which games were opened, by which profile, and for how long — so the parent dashboard can show this back to you and enforce time limits
Trial start date and remaining trial time, anchored to a random device identifier so reinstalling the app doesn't reset the trial
Subscription status (active, trialing, cancelled, etc.) returned to us by Apple, Google, or our billing partner

Information collected automatically

Basic device information (operating system, app version, language) for diagnostics
A randomly generated device identifier stored on your device
Standard server logs (IP address, request timestamp) when you open our website or our API endpoints, kept for security and abuse prevention only
Crash reports. If the app crashes or hits an unhandled error, we automatically send a stack trace, your device model, operating system version, and app version to our crash-reporting provider (Sentry) so we can fix the bug. No personal identifiers, no screen contents, no user-account information, and no advertising IDs are included.

Information we do not collect

Location, GPS, or precise position data
Contacts, calendar, photos, microphone, or camera data
Advertising identifiers (we do not advertise)
Browsing history outside of AlephPlay
Real names of children (we ask only for a nickname and age range)
Health, biometric, or sensitive personal information

3. How We Use Information

We use the information described above to:

Sign you into your account and keep your subscription synced across devices
Show your child age-appropriate games and remember which ones they've played
Enforce the daily playtime and per-game limits you set
Show parents a usage summary in the parental dashboard
Process subscription payments via Apple, Google, or our payment partner (we do not store credit card details ourselves)
Send transactional emails (password reset, receipt, subscription expiring soon)
Investigate bugs, prevent abuse, and keep the service running
Comply with legal obligations

We do not use information for advertising, profiling, behavioral targeting, sale to data brokers, or any purpose unrelated to operating the app.

4. Legal Basis for Processing (EU/UK Users)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on these legal bases under GDPR:

Performance of a contract — to provide you the app and your subscription after you sign up.
Legitimate interests — to keep the service secure, prevent fraud, and improve quality. These interests are limited and balanced against your rights.
Consent — for any optional processing where we ask you. You can withdraw consent at any time.
Legal obligation — when we must retain or disclose information to comply with applicable law.

5. Children's Privacy (COPPA)

AlephPlay is intentionally designed for children ages 4–14. We comply with the U.S. Children's Online Privacy Protection Act (COPPA), the EU's GDPR-K provisions for children, and similar laws in other jurisdictions.

How we handle child data:

Children do not create their own accounts. A parent or guardian creates the household account.
The only "child" data stored is what a parent enters: a nickname, age range, and avatar color — plus the games that profile played and for how long.
We do not ask children for email addresses, phone numbers, real names, photos, locations, or any other contact information.
Children cannot post, message, chat, or share content with anyone inside AlephPlay. There are no social features.
We do not show children advertisements, sponsored content, or marketing of any kind.
We do not use behavioral analytics, retargeting, or third-party trackers in any part of the app a child can reach.

Parental rights regarding child data. A parent or legal guardian may at any time:

Review what child-profile data is stored under their account
Delete a child profile and all associated usage history from inside the app
Request that we delete all data associated with the household account by emailing support@alephplay.com
Refuse further collection by deleting the account

If you believe a child has used AlephPlay without parental consent, contact us at support@alephplay.com and we will delete the data promptly.

6. Child Safety Standards

AlephPlay is built for kids, and we take child safety as seriously as data privacy. This section describes our published standards and our zero-tolerance position on content and behavior that puts children at risk.

Our standards. AlephPlay prohibits, and has no path inside the app or website to publish:

Child Sexual Abuse Material (CSAM) of any kind.
Content that grooms, exploits, sexualizes, or endangers minors.
Content that depicts violence against children, or normalizes harm.
Communication, contact, or content-sharing of any form between users.

How the product is designed to enforce this.

No user-generated content. Children cannot upload images, text, audio, video, or any other content. All in-app content is curated and produced by AlephPlay.
No social features. Children cannot message, chat, friend, follow, or otherwise communicate with any other user inside the app. There are no public profiles, no usernames searchable by strangers, no leaderboards, no comments.
No external links a child can tap. Web links visible inside the app are reachable only from parent-locked screens (the parental dashboard) and are limited to AlephPlay's own domains and store-account-management pages.
No advertising. No third-party ad networks, no sponsored content, no marketing creative reaches a child's screen.
Parent-locked sensitive surfaces. Account settings, subscription management, and any external-link path are gated behind a 4-digit parent PIN.

Reporting a concern. If you encounter anything inside AlephPlay (or on alephplay.com) that you believe puts a child at risk — including suspected CSAM, exploitative content, or any safety issue we have missed — report it immediately:

Email support@alephplay.com with the subject line "Child safety report"
For urgent safety concerns involving an immediate threat, contact local law enforcement first, then us
For suspected CSAM, you may also report directly to the U.S. National Center for Missing & Exploited Children (NCMEC) at report.cybertip.org

We commit to reviewing every child-safety report within 24 hours, removing offending content immediately on confirmation, and reporting verified CSAM to NCMEC and relevant authorities as required by 18 U.S.C. § 2258A.

Compliance. AlephPlay complies with:

U.S. Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506)
U.S. Provider Reporting Requirements (18 U.S.C. § 2258A)
EU General Data Protection Regulation, child provisions (GDPR Article 8)
UK Age Appropriate Design Code (Children's Code)
California Age-Appropriate Design Code Act (Cal. Civ. Code § 1798.99.28 et seq.)
Google Play Developer Program Policy — Families Policy and Child Safety Standards (2024)
Apple App Store Review Guidelines — Kids Category (1.3, 5.1.4)

7. Subscriptions and Payments

AlephPlay offers a paid subscription after a free trial.

If you subscribe through the iOS app, your purchase is processed by Apple under their App Store terms. Apple shares with us a transaction identifier and your subscription status. We do not see your card number, billing address, or Apple ID password.
If you subscribe through the Android app, your purchase is processed by Google under their Play Store terms. Google shares with us a purchase token and your subscription status. We do not see your card number or Google account password.
If you subscribe through our website, payment is processed by Stripe Inc. via our subscription-management partner RevenueCat. Stripe handles your payment information directly under PCI-DSS-compliant terms; we receive only your subscription status, plan, and billing email.

To cancel, follow the instructions on our pricing page. Your access continues through the end of your current billing period.

8. Service Providers and Third Parties

We use a small set of carefully chosen vendors to operate the service. They process data only on our behalf, under contractual privacy obligations, and only as needed to provide their service.

Supabase — account authentication, profile storage, subscription cache. Hosted in the United States.
RevenueCat — subscription management across Apple, Google, and web billing. Hosted in the United States.
Stripe — payment processing for web subscriptions, via RevenueCat. Hosted in the United States.
Apple App Store and Google Play — mobile subscription billing and receipt verification.
Vercel — hosting for our website and API endpoints.
Google Cloud Pub/Sub — transport layer for subscription event notifications between Google Play and our backend.
Google Analytics 4 — basic usage analytics on our website only (not in the iOS or Android apps). Records anonymized IP address, page views, and time spent per page. IP is anonymized at collection per Google's default settings, and GA4 is configured with no advertising features. Used to understand which pages visitors land on so we can improve the site. Google Analytics is not active when a child uses our mobile apps — only adult-targeted website pages.
Sentry — crash and diagnostic reporting for our mobile apps. Receives only stack traces, device model, OS version, and app version when the app errors. Configured with no user IDs, no advertising IDs, no session replay, and no performance/transaction capture. Hosted in the United States. Sentry's privacy policy: sentry.io/privacy.

We do not sell, rent, or trade personal information to third parties. We do not share information with advertisers, data brokers, or analytics resellers.

We may disclose information when legally required (e.g. valid court order, subpoena), or to protect the rights, property, or safety of our users or the public.

9. Data Security

We protect information using industry-standard measures, including:

HTTPS/TLS encryption for all data in transit
Encryption at rest in our database
Hashed (non-reversible) password and PIN storage
Restricted internal access on a need-to-know basis
Vendor security reviews for the providers listed above

No system is perfectly secure. If we ever experience a data incident affecting you, we will notify you as required by law.

10. Data Retention

We retain personal information only for as long as it is needed for the purposes described in this policy:

Account and profile data — until you delete your account
Subscription records — for as long as your subscription is active and for up to 7 years after for tax and legal purposes
Usage history — rolling 90 days for the parent dashboard, then aggregated or deleted
Server logs — up to 30 days for security and abuse prevention

When the retention period ends, we delete or anonymize the data.

11. Your Rights and Choices

Subject to applicable law, you have the right to:

Access a copy of the personal information we hold about you
Correct inaccurate information
Delete your account and personal information
Restrict or object to certain processing
Receive a portable copy of your information
Withdraw consent where we relied on consent
Lodge a complaint with your local data protection authority

To exercise any of these rights, email support@alephplay.com. We will respond within 30 days. We will not discriminate against you for exercising these rights.

12. Account and Data Deletion

You can delete your AlephPlay account at any time. Two options:

From inside the app — open the profile menu → Sign in / Account → Delete account.
By email — write to support@alephplay.com from the email address on the account, asking us to delete your account. We will confirm receipt and complete deletion within 30 days.

Deletion removes your email, password hash, profiles, child usage history, and any non-financial data we hold. Records we are legally required to keep (such as subscription receipts for tax purposes) are retained per Section 9.

If you cancel your subscription, your account is not automatically deleted — you keep access until your billing period ends, and we keep your account data so you can resubscribe later. To fully delete, follow the steps above.

13. International Data Transfers

AlephPlay is based in the United States, and our service providers (Supabase, RevenueCat, Stripe, Vercel, Apple, Google) are also primarily based in the United States. If you use AlephPlay from outside the U.S., your information will be transferred to and processed in the U.S. or other countries where our providers operate.

For transfers from the EU/UK/Switzerland to the U.S., we and our providers rely on the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards.

14. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the rights described in Section 10 above, plus:

The right to know what categories of personal information we have collected, the purposes for collection, and the categories of third parties with whom we share it — described in Sections 2, 3, and 7 of this policy.
The right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising.
The right to limit the use of sensitive personal information. We do not collect sensitive personal information as defined under California law.
The right to non-discrimination for exercising any of these rights.

To exercise these rights, email support@alephplay.com. We may verify your identity before fulfilling the request.

15. Do Not Track

Our website does not respond to "Do Not Track" browser signals because we do not engage in cross-site tracking in the first place.

16. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will:

Update the "Last updated" date at the top of this page
Notify account holders by email if the change is significant
Post a prominent notice on our website for at least 30 days

If you continue to use AlephPlay after changes take effect, you accept the updated policy. If you do not agree, you may delete your account.

17. Contact Us

Questions, requests, or concerns about this Privacy Policy or your data should go to:

Email: support@alephplay.com
Web: our contact page

We aim to respond to all privacy inquiries within 7 business days.