Privacy Policy
Last updated: April 2026
1. Who we are
Spotto is a children's vocabulary and speech development app. The data controller is based in Belgium. If you have any privacy questions, contact us at carlos.almeida.spotto@gmail.com.
2. Who this app is for
Spotto is designed to be used by toddlers and young children under the direct supervision of a parent or guardian. Parents set up the app and manage the child's profile. We do not knowingly allow children to use the app without parental involvement.
3. What data we collect
Information you provide during setup:
- Your child's first name — used to generate personalised audio greetings
- Your child's date of birth — used to calculate developmental stage
- Speech level preference (early, developing, or confident)
This information is stored locally on your device only. It is never sent to our servers.
Device information we collect on our servers:
- A device identifier derived from Apple's App Attest service (a cryptographic key, not linked to your Apple ID)
- Platform, app version, and request timestamps
We use this solely to authenticate your device and protect the app from abuse.
Subscription information:
- Subscription status (active, expired, cancelled) managed by RevenueCat
- Purchase dates — we do not store payment card details; these are handled entirely by Apple
4. Camera and microphone
Spotto uses your device's camera so your child can point it at objects during learning games. Images captured during gameplay are sent to Google Gemini for analysis and are immediately discarded — they are never stored by us or by Google.
Microphone access may be requested as part of camera session permissions on some devices. We do not record or process audio from your child.
5. Third-party services
We use the following third-party services:
- Google Gemini — analyses camera images to identify objects and generates spoken feedback audio. Images are transient and not retained. See the Google Privacy Policy.
- Firebase Analytics (Google) — collects anonymised in-app events such as which game modes are played and whether challenges succeed or fail. No child name or personal identifier is included in analytics events. See the Google Privacy Policy.
- Firebase Storage (Google) — temporarily caches generated audio files. Cached files expire and are deleted automatically.
- RevenueCat — manages in-app subscriptions. See the RevenueCat Privacy Policy.
- Apple App Store — handles all payment processing. We never see your card details.
6. Legal basis for processing (GDPR)
As we are based in Belgium, we process data in accordance with the EU General Data Protection Regulation (GDPR). Our legal bases are:
- Contractual necessity — to provide the app service (device authentication, subscription management)
- Legitimate interest — to protect the security and integrity of our service
- Consent — for analytics, which you can opt out of by contacting us
7. Children's privacy
We take children's privacy seriously. In line with GDPR Article 8 and the GDPR's special protections for children:
- All child profile data (name, birthday, learning history) is stored only on your device
- Learning events are never sent to our servers
- No child data is used for advertising or profiling
- Your child's name is used only to generate personalised audio — it is never shared with third parties for marketing purposes
- You can delete all child data at any time from the app's dashboard using the “Reset Data” option
8. Data retention
- Local device data — retained until you delete the app or use “Reset Data”
- Device authentication records — retained while the app is in use; we may purge inactive device records after 12 months
- Subscription records — retained for as long as required for billing and legal obligations
- Analytics events — subject to Google Firebase's retention policy (14 months by default)
9. Your rights (GDPR)
As an EU resident, you have the following rights:
- Access — request a copy of the data we hold about your device
- Rectification — correct inaccurate data
- Erasure — request deletion of your data
- Restriction — ask us to limit processing
- Objection — object to processing based on legitimate interest
- Portability — receive your data in a machine-readable format
To exercise any of these rights, email carlos.almeida.spotto@gmail.com. You also have the right to lodge a complaint with the Belgian Data Protection Authority (dataprotectionauthority.be).
10. Data transfers outside the EU
Some third-party services (Google, RevenueCat) may process data outside the EU. These transfers are covered by Standard Contractual Clauses or other adequacy mechanisms as required by GDPR.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via an in-app notice. Continued use of the app after changes constitutes acceptance of the updated policy.
12. Contact
For any privacy questions or requests: carlos.almeida.spotto@gmail.com