← Back to home

Privacy Policy

Last updated: June 24, 2026 · Version v2

This policy explains, in plain language, what personal data Sparrow collects, why we collect it, the legal basis for using it, how long we keep it, and the rights you have under the EU/UK General Data Protection Regulation (GDPR). Sparrow is a faith-based learning app for children aged 5–15, always used under the supervision of a parent or legal guardian.

1. Who we are (the data controller)

Sparrow is operated by Sirppi Innovation Hub ("Sparrow", "we", "us"), the data controller responsible for your personal data. For any privacy request — access, correction, deletion, objection, or to withdraw consent — contact our privacy team at support.sparrow@sirppi.ai. We respond to all rights requests within 30 days.

2. Data we collect

We practise data minimisation — we only collect what the lessons genuinely need:
  • Account: parent email, password hash (or OAuth identifier from Google/Apple).
  • Child profile: first name, age/birthdate, preferred language and Bible version.
  • Progress: verses practised, scores, streaks, time on lessons.
  • Voice: short audio samples for pronunciation feedback (processed and discarded; not stored).
  • Contributions: amount, currency, payment-provider transaction IDs.
  • Support: messages you send us.
  • Technical: device type, IP-derived region, error logs.
  • Consent records: which policy version you agreed to, and when, so we can honour your choices.
We do not show advertising, build advertising profiles, or use any automated decision-making or profiling that produces legal or similarly significant effects.

3. Children's data & parental consent

Sparrow is designed for children used under parental supervision. Only a parent or legal guardian may create an account and a child profile, and by doing so you confirm you are the holder of parental responsibility and consent to our processing of your child's data for the purpose of the lessons. The age of digital consent varies by country (13–16 in the EU/UK); because Sparrow accounts are always created and managed by an adult, the lawful basis is the parent's consent and the service contract. We collect the minimum data needed, never show ads, and never sell or share a child's data with third parties for their marketing. You can review, export, or delete your child's data at any time from Profile → Privacy & data.

4. Lawful basis (GDPR)

  • Contract: to provide the service you signed up for.
  • Consent: for marketing emails and non-essential cookies/analytics.
  • Parental consent: for processing a child's data within the lessons.
  • Legitimate interest: to keep the service secure and improve it.
  • Legal obligation: tax/accounting records for contributions.
Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

5. Processors we use

These trusted sub-processors act only on our instructions under data-processing agreements:
  • Lovable Cloud / Supabase — database, auth, file storage.
  • Lovable AI Gateway — verse explanations and translations.
  • ElevenLabs — text-to-speech voice readings.
  • Paddle — Merchant of Record for contributions: payment processing, billing, and tax compliance.
  • Cloudflare — hosting and email delivery.

6. Retention

Account data is kept while your account is active. If you delete your account, all child profiles, sessions, and personal data are deleted within 30 days. Contribution amounts are retained for accounting purposes (typically 7 years) but stripped of identifying info.

7. Your rights (GDPR)

You have the right to:
  • Access a copy of your data — Profile → Privacy & data → Download my data.
  • Rectify inaccurate data — Profile → Edit.
  • Erase your account and data — Profile → Privacy & data → Delete my account.
  • Restrict or object to processing, including direct marketing.
  • Portability — your export is provided in machine-readable JSON.
  • Withdraw consent at any time — Profile → Privacy & data.
  • Complain to your local supervisory authority (e.g. the ICO in the UK, or your national EU data-protection authority).

8. Cookies

We use essential cookies to keep you signed in. Analytics cookies are off by default and only enabled with your consent. You can change your cookie choice at any time from the consent banner or Profile → Privacy & data.

9. International transfers

Some processors are located outside the EU/UK. We rely on standard contractual clauses and adequacy decisions where required.

10. How we keep data secure

Data is encrypted in transit (TLS) and at rest. Access is restricted, row-level security isolates each family's data, and voice samples are processed transiently and never stored.

11. Changes

Material changes will be emailed and shown in the app, and we will ask you to re-confirm your agreement where the law requires it. The current version is shown at the top of this page.