Privacy Policy
This policy explains what we collect, why, how long we keep it, and your choices — including special protections for children.
Overview
Brain Wave Education ("we", "us") operates Brainy Brush at https://brainybrush.app. This Privacy Policy explains what personal data we collect, why we collect it, how long we keep it, who we share it with, and the choices available to parents, guardians, and account holders in the United States and the European Economic Area (EEA), United Kingdom, and Switzerland.
Brainy Brush is designed for children to draw and receive gentle voice guidance under a parent or guardian account. The adult account holder is the data controller for account-level decisions; we process child-created content only to provide the service described below.
Last updated: 2026-06-14. Contact: privacy@bwaveedu.com.
Data we collect
- Account data (parent/guardian): email address, password hash, optional display name and avatar (for example from Google sign-in), country, guardian birth date, consent timestamps, subscription status.
- Child profile data: child birth date (provided by the parent/guardian), drawing interaction mode, and parental consent records when required by law.
- Drawing session data: stroke data, canvas snapshots sent for AI guidance, voice transcripts of what the child says, AI replies, scene summaries, session metadata (duration, mode, timestamps), and optional exported GIF/PDF/video outputs you choose to create.
- Billing data: plan tier, subscription identifiers, payment status, and limited billing events. Card numbers are processed by Authorize.net; we do not store full payment card numbers on our servers.
- Support data: messages you send through Zammad chat or support forms, and related ticket metadata.
- Technical data: authentication cookies, service-worker/PWA state, optional local draft session storage on your device, usage quotas, and server logs (IP address, user agent, error logs) kept for security and operations.
- Push notification data (when enabled): device push token and delivery metadata if you opt in on a supported mobile app via Expo Push Notifications.
Why we use data
- Provide drawing, voice guidance, animation, export, and account features.
- Authenticate users and keep sessions secure.
- Enforce free/premium usage limits and process subscriptions.
- Respond to guardian support requests.
- Meet legal obligations, prevent abuse, and improve reliability.
- Send service emails (signup confirmation, password reset) and, with separate opt-in, product notifications.
Legal bases (EEA/UK)
- Contract: providing the service you signed up for.
- Consent: cookies/localStorage beyond strictly necessary items, optional push notifications, and parental consent for children below the applicable digital consent age.
- Legitimate interests: security, fraud prevention, and aggregated service improvement, balanced against your rights.
- Legal obligation: tax, accounting, and regulatory requirements.
How long we keep data
- Account profile: until you delete your account, then deleted or anonymized within 30 days except where law requires longer retention.
- Drawing sessions & transcripts: while your account is active; deleted with account deletion. You may request earlier deletion via your privacy settings.
- Animation input images: stored in our object storage while a job is processed and for up to 90 days for troubleshooting, unless deleted sooner.
- Billing records: up to 7 years where required for tax/accounting.
- Server logs: typically 30–90 days.
- Local device drafts: remain on your device until cleared by you or when you remove site data; we do not control device storage directly.
- Support tickets: retained per our support platform policy, generally up to 24 months after closure.
Third-party processors
We use vetted service providers only as needed to run Brainy Brush:
- Google Gemini: voice guidance, transcription, multimodal drawing context, and safety filtering. Audio/images/text may be sent to Google for real-time or fallback AI processing.
- Supabase: authentication, PostgreSQL database, and object storage for animation inputs.
- Authorize.net: hosted payment pages and subscription billing.
- WaveSpeed: optional image-to-video animation processing when you request an animation.
- Zammad: guardian support chat and ticket forms hosted at support.bwaveedu.com.
- Expo Push (when enabled): delivery of opt-in mobile push notifications; we send only the device token and message payload required for delivery.
- Strapi (when used): content management for in-app copy, help articles, or marketing pages. We do not route child drawing content through Strapi.
- Email (SMTP): transactional account emails.
- Google OAuth: optional sign-in; governed by Google's policies when you choose that method.
We do not sell personal data. Processors act on our instructions and must protect data under contract.
Children’s privacy (COPPA & GDPR Art. 8)
Brainy Brush is meant to be used by children with a parent or guardian account. We do not knowingly permit children to create their own accounts.
- The guardian must be at least 18 and attest they are the child's parent or legal guardian.
- We ask for the child's birth date to apply the correct digital consent age (for example 13 in the United States, 13–16 in EEA/UK countries depending on local law).
- If the child is below that age, we send a verification email to the parent account and require password confirmation (email plus), or accept a successful Premium payment on the parent account (Authorize.net), before AI voice features process the child's speech or drawings.
- We instruct our AI providers to avoid collecting direct identifiers from children and to use child-safe response policies.
- Guardians can review, export, correct, or delete child-related data through account privacy settings or by emailing privacy@bwaveedu.com.
Your rights
Depending on your location, you may have the right to:
- Access and receive a copy of your data (GDPR Art. 15).
- Correct inaccurate data (Art. 16).
- Delete your account and associated data (Art. 17).
- Restrict or object to certain processing (Arts. 18 & 21).
- Request data portability (Art. 20).
- Withdraw consent at any time without affecting prior lawful processing.
- Lodge a complaint with your local supervisory authority (EEA/UK).
US residents may have additional state privacy rights (access, deletion, correction). California residents: we do not sell or share personal information for cross-context behavioral advertising.
Use in-app privacy tools or email privacy@bwaveedu.com. We respond within 30 days where required by law.
International transfers
We may process data in the United States and other countries where our providers operate. When transferring data from the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses and provider data protection terms.
Security
We use encryption in transit (HTTPS), row-level database access controls, server-side AI keys, and least-privilege admin access. No method of transmission or storage is 100% secure; report concerns to privacy@bwaveedu.com.
Changes
We may update this policy. Material changes will be announced in the app or by email. Continued use after the effective date constitutes acceptance where permitted by law; otherwise we will request renewed consent.
Contact
Brain Wave Education
Privacy: privacy@bwaveedu.com
Support: support@bwaveedu.com