Legal

Privacy Policy

Last updated: May 6, 2026

Contents
  1. About KefiFam
  2. Who This Policy Applies To
  3. Age Requirements & Verifiable Parental Consent
  4. How We Obtain & Record Parental Consent
  5. Data We Collect
  6. Lawful Basis for Processing (GDPR)
  7. How We Use Your Data
  8. What We Will Never Do
  9. Photo & Proof Content
  10. Children's Privacy (COPPA, GDPR, Global)
  11. SDK & Technology Inventory
  12. No Sale or Sharing for Advertising
  13. Third-Party Services
  14. Cross-Border Data Transfers
  15. Data Retention Schedule
  16. Automated Decision-Making & AI
  17. Cookies & Local Storage
  18. Data Breach Notification
  19. Security
  20. Your Rights by Jurisdiction
  21. Guardian Responsibility & User Content
  22. Changes to This Policy
  23. Contact Our Privacy Team
1. About KefiFam

KefiFam ("we", "us", or "our") is a family task and habit app developed and operated by Hanuly Innovations. It helps parents and legal guardians assign quests to their children and reward them with Kefi Points, building positive daily habits through structured play and a mythology-inspired experience.

This Privacy Policy ("Policy") explains what personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have. It applies to all users of the KefiFam iOS application and any related services (collectively, the "Service").

By creating an account, you confirm you have read and agree to this Policy. If you are creating an account on behalf of a child, you confirm that you are that child's parent or legal guardian and that you consent on their behalf to the data practices described here.

This Policy was written to comply with:
• U.S. Children's Online Privacy Protection Act (COPPA), as amended effective April 22, 2026
• EU General Data Protection Regulation (GDPR)
• UK GDPR and the ICO Children's Code (Age Appropriate Design Code)
• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• Brazil Lei Geral de Proteção de Dados (LGPD)
• Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
• Australia Privacy Act 1988 and Australian Privacy Principles (APPs)
• South Korea Personal Information Protection Act (PIPA)
• Other applicable national and state/provincial privacy laws

2. Who This Policy Applies To

This Policy covers two types of users:

Guardians — adults aged 18 or older who create an account, set up and manage child profiles, assign tasks, and oversee the family experience. Guardians are the primary account holders and bear responsibility for how the Service is used within their family.

Children — minors whose profiles are created and entirely managed by their Guardian. Children do not independently register, create credentials, or submit personal information directly to us. A child's experience within the app is fully mediated through, and controlled by, the Guardian's account.

This app is not directed at children. KefiFam is a parental management tool. Children interact with a limited, Guardian-controlled interface and do not independently communicate with us. If you are a minor and are accessing KefiFam independently, without your parent or guardian's knowledge, please stop and ask them to set up your profile.

3. Age Requirements & Verifiable Parental Consent

Guardians must be at least 18 years old to create an account. By registering, you represent and warrant that you are at least 18 and have the legal authority to accept these terms on behalf of yourself and any child profiles you create.

Children under 13 — COPPA (United States): We comply fully with COPPA and the FTC's amended COPPA Rule (effective April 22, 2026). Before any personal information is associated with a child under 13, we obtain verifiable parental consent (VPC) through the Guardian's account creation and explicit in-app confirmation flow. We do not collect personal information from children under 13 beyond what is strictly necessary to provide the Service, and we never condition participation on a child providing more information than is reasonably necessary.

Children aged 13–17: We apply the same protective standards to all child profiles regardless of age. Teens are not given direct account access; their profile is managed by the Guardian.

Age of Digital Consent by Jurisdiction:
• United States: 13 (COPPA)
• European Union: 16 (GDPR Art. 8), or as low as 13 where member-state law permits
• United Kingdom: 13 (UK GDPR)
• Brazil: 12 (LGPD Art. 14)
• South Korea: 14 (PIPA)
• Australia: 15 (recommended OAIC guidance)
• Canada: 13 (PIPEDA guidance)

Regardless of the applicable threshold in your jurisdiction, KefiFam does not allow children to register independently. Parental or guardian consent is always required before a child profile is created.

5. Data We Collect

Guardian account data (collected directly from the Guardian):
• Email address — required for account authentication and security communications.
• Full name — optional, used for in-app display only.
• Profile photo — optional, stored in our private bucket.
• Guardian PIN — stored exclusively as a bcrypt hash; we cannot read, transmit, or recover the raw PIN.
• Authentication session tokens — managed by Supabase Auth, used to maintain your logged-in session.
• Sign-in provider identifier — if you use Sign in with Apple or Google, we receive a unique user ID and, for email-based providers, your email address.

Child profile data (created and managed entirely by the Guardian):
• First name only — no surname required.
• Age — used to apply age-appropriate defaults.
• Avatar selection — a pre-built illustrated deity character; no photo of a real child is required or requested.
• Kefi Point balance and transaction history.

Task and activity data:
• Task titles and descriptions assigned by the Guardian.
• Task completion status and timestamps.
• Photo proof images submitted for task verification (see Section 9 for full details).
• Achievements, badges, and milestone records.

Screen time data (stored entirely on-device):
• The list of apps selected by the Guardian for focus-mode blocking is stored locally on the device through Apple Family Controls. This data is never transmitted to our servers.

Technical and operational data:
• Device push notification token — used solely to deliver notifications requested by the Guardian (e.g., task approvals, screen time alerts). Not used for advertising.
• Anonymised crash reports and error logs — used to identify and fix bugs. These are not linked to personal identifiers.
• Aggregated usage events (e.g., "task completed," "badge unlocked") — used to operate and improve the Service.

We do not collect:
• Precise or approximate geolocation data.
• Biometric identifiers (facial recognition, fingerprints, voice prints).
• Photos of real children (avatars are illustrated characters only).
• Financial payment information (processed solely by Apple's App Store).
• Persistent advertising identifiers (IDFA or similar) for behavioural advertising.
• Social Security numbers or government ID numbers.
• Medical, health, or sensitive demographic information.

6. Lawful Basis for Processing (GDPR & UK GDPR)

For users in the European Economic Area, United Kingdom, and Switzerland, we process personal data on the following lawful bases under GDPR Art. 6 and Art. 9:

Processing Activity | Lawful Basis
Creating and maintaining a Guardian account; syncing tasks and Kefi Points | Contract — Art. 6(1)(b): necessary to provide the Service
Processing children's profile data | Consent — Art. 6(1)(a) & Art. 8: verifiable parental consent obtained at profile creation
Sending push notifications requested by the Guardian | Contract — Art. 6(1)(b): necessary to deliver the requested feature
Processing task proof photos | Consent — Art. 6(1)(a): Guardian's consent at account creation covers this within the Service
Anonymised crash reporting and usage analytics | Legitimate Interests — Art. 6(1)(f): maintaining security and reliability, balanced against user rights
Responding to legal requests or regulatory obligations | Legal Obligation — Art. 6(1)(c)
Sending AI-generated task description suggestions (Guardian-entered titles only) | Consent — Art. 6(1)(a): Guardian's acceptance of this feature at account setup

Where children's data may qualify as sensitive personal data of a minor under applicable national law, we apply the strictest available protections including data minimisation, storage limitation, and role-based access controls restricted to authorised personnel only.

7. How We Use Your Data

We use personal data only for the following purposes:
• Operating the Service: Synchronising tasks, Kefi Points, achievements, and notifications between Guardian and child devices.
• Delivering notifications: Sending task approvals, rejections, reminders, and screen time alerts requested by the Guardian.
• AI task description suggestions: Guardian-entered task titles (not child data) are sent to Google Gemini to suggest descriptions. The Guardian reviews every suggestion before use. No suggestions are applied automatically.
• Customer support: Responding to questions, reports, or requests submitted by Guardians.
• Security and fraud prevention: Detecting and preventing unauthorised account access, abuse, or fraud.
• Service improvement: Analysing anonymised, aggregated usage patterns to identify bugs, improve features, and plan future development.
• Legal compliance: Complying with applicable laws, court orders, or regulatory requirements.

Each use is strictly limited to the purpose for which data was collected. We apply the principle of purpose limitation: data collected to operate the Service is not repurposed for analytics, marketing, or other functions without a fresh legal basis.

8. What We Will Never Do

We make the following binding commitments. If any of these ever change, we will give you advance notice and an opportunity to delete your account before the change takes effect.
• We will never sell your personal data to any third party for any purpose.
• We will never use your data or your child's data for behavioural advertising or ad targeting.
• We will never share child data with advertising networks, data brokers, or marketing companies.
• We will never build a behavioural profile of you or your child for commercial purposes.
• We will never use persistent advertising identifiers (such as Apple's IDFA) to track users across apps.
• We will never use children's data to train AI or machine learning models without explicit, separate parental consent.
• We will never condition use of the Service on a child or Guardian providing more personal information than is reasonably necessary.
• We will never use fully automated decision-making with legal or similarly significant effects on you or your child.
• We will never display third-party advertising to children or within the children's interface.
• We will never retain children's data indefinitely or beyond the periods described in our Data Retention Schedule.

9. Photo & Proof Content

Children may submit photos as proof of completed tasks ("proof photos") through a device managed by the Guardian. These photos are handled with the highest level of care:

Storage: Proof photos are stored in a private, encrypted storage bucket (Supabase Storage, EU-Frankfurt region). They are never stored in a publicly accessible location.

Access control: Photos can only be accessed via signed, time-limited URLs that expire automatically. No other user, third party, or member of our team can access them outside of a security audit or legal obligation.

Purpose limitation: Proof photos are used solely for task verification by the Guardian. They are never used for:
• Advertising or marketing
• Facial recognition, biometric analysis, or identity verification
• AI or machine learning training
• Any purpose other than the Guardian reviewing the submitted task

Retention: Proof photos are permanently deleted when: (a) the associated task is deleted by the Guardian; (b) the child profile is deleted; or (c) the Guardian account is deleted.

Guidance for Guardians: We recommend instructing children not to include third parties' faces or identifying information in proof photos. As the account holder, you are responsible for the content submitted under your account. If a proof photo is reported as harmful or inappropriate, we may review it for compliance with our Terms of Service and delete it if required.

10. Children's Privacy (COPPA, GDPR, Global)

Protecting children's privacy is the foundation of everything we build. The following protections apply to all child profiles on KefiFam, regardless of the user's jurisdiction.

No independent registration: Children cannot create accounts, set passwords, or register independently. Every child profile is created exclusively by a verified adult Guardian.

Data minimisation: For child profiles, we collect only a first name, an age, and a pre-built avatar selection. No surname, email address, phone number, school name, or physical address is required or requested for child profiles.

No direct data collection from children: We do not knowingly collect personal information directly from children. All data associated with a child's profile is entered and controlled by the Guardian.

No behavioural advertising to children: We do not serve any advertising to children and do not share child data with advertising or data brokerage networks under any circumstances.

No third-party behavioural tracking of children: We do not integrate third-party analytics or tracking SDKs that monitor children's behaviour across apps or websites.

No AI profiling of children: Children's data is not used to train, fine-tune, or evaluate AI or machine learning models. The AI task suggestion feature uses only Guardian-entered task titles.

Parental rights — COPPA (United States): Parents and legal guardians have the right to:
• Review all personal information collected about their child by emailing privacy@kefifam.com (subject: "COPPA Review Request").
• Request correction of inaccurate information directly within the app or by contacting us.
• Request deletion of their child's information by deleting their account (Guardian Settings → Delete Account → type DELETE) or by emailing us (subject: "COPPA Delete Request"). We will delete within 24 hours of confirming your identity.
• Withdraw consent and refuse further collection at any time by deleting their account.
• Request that we do not disclose their child's information to third parties beyond those necessary to operate the Service.

We will not require parents to provide more information than necessary to respond to a COPPA request.

ICO Children's Code (UK): We apply the principle of "best interests of the child" in our data design. We have conducted a Data Protection Impact Assessment (DPIA) covering children's data processing. Children's data is not used for any commercial purpose beyond operating the Service.

If you believe a child has registered without parental consent, email us immediately at privacy@kefifam.com with the subject "Unauthorised Child Account." We will investigate and, where confirmed, delete all associated data within 72 hours.

11. SDK & Technology Inventory

COPPA's 2025 amended rule requires operators to inventory and disclose third-party SDKs that interact with children's data. The following is our complete inventory of active SDKs and technologies:

SDK / Service | Purpose | Receives Child Data? | Data Sent
Supabase (supabase-flutter) | Database, authentication, and file storage | Yes — child profile data, tasks, achievements | Child first name, age, avatar ID, task data, proof photos, Kefi Point balance
Firebase Cloud Messaging (firebase_messaging) | Push notifications | No | Device push token only — no personal data
Google Gemini (via REST API) | AI task description suggestions | No | Guardian-entered task titles only
Sign in with Apple (sign_in_with_apple) | Guardian authentication | No | Guardian Apple ID token and email
Sign in with Google (google_sign_in) | Guardian authentication | No | Guardian Google ID token and email
Apple Family Controls (screen_time) | App-blocking during focus sessions | No — stored on-device only | Nothing — all data remains on device
RevenueCat | Subscription and purchase management | No | Guardian account ID and App Store receipt only

No advertising SDKs, analytics SDKs, or social media SDKs are integrated. We do not use Facebook SDK, Google Analytics, Crashlytics, Amplitude, Mixpanel, or any similar third-party analytics or advertising tool that would track individual users or children across apps.

12. No Sale or Sharing for Advertising

We do not sell personal information. We do not share personal information for cross-context behavioural advertising. This applies to data about Guardians and children alike.

This commitment applies to all users including:
• California residents under the CCPA/CPRA — no opt-out is required because we do not sell or share.
• Virginia residents under the Virginia Consumer Data Protection Act (VCDPA).
• Colorado residents under the Colorado Privacy Act (CPA).
• Connecticut residents under the Connecticut Data Privacy Act (CTDPA).
• Texas, Florida, and Oregon residents under their respective state privacy laws.
• All EU/UK/EEA residents — no data is used for behavioural advertising.

No sponsored content targeting children: We do not display sponsored content, affiliate promotions, or brand-partner advertising within the children's interface. Any future sponsored content for Guardians (not children) would be clearly labelled, non-behavioural, and subject to a separate consent process with advance notice.

If this practice ever changes, we will update this Policy, notify you by email and in-app notification, and give you the opportunity to delete your account before the change takes effect.

13. Third-Party Services

We use a minimal set of third-party services to operate KefiFam. Each receives only the data necessary for its specific function and is contractually prohibited from using that data for any other purpose.

Supabase
Role: Backend database, authentication, and file storage.
Data received: Guardian account data, child profile data (first name, age, avatar), task records, proof photos, achievement data.
Storage location: EU (Frankfurt, Germany — AWS eu-central-1).
Sub-processor status: Yes, a data processor acting on our instructions.
Privacy policy: supabase.com/privacy

Firebase — Google
Role: Push notification delivery.
Data received: Device push notification tokens only. No profile data, names, or child data is shared.
Privacy policy: firebase.google.com/support/privacy

Google Gemini
Role: AI-generated task description suggestions.
Data received: Task titles entered by the Guardian (e.g., "Clean your room"). No child names, ages, photos, or profile data are ever sent.
Privacy policy: ai.google.dev/terms

Apple
Role: Sign in with Apple (Guardian authentication), App Store (in-app purchases), Apple Family Controls (on-device screen time management).
Data received by Apple: Authentication tokens and App Store purchase receipts for Guardians. Screen time / Family Controls data is processed entirely on-device.
Privacy policy: apple.com/legal/privacy

Google (Sign in with Google)
Role: Optional Guardian authentication.
Data received: Guardian Google account ID token and email address only.
Privacy policy: policies.google.com/privacy

RevenueCat
Role: In-app subscription and purchase receipt management.
Data received: Guardian account identifier and App Store purchase receipt. No child data.
Privacy policy: revenuecat.com/privacy

We do not use: advertising networks, data brokers, social media tracking SDKs, or any service that would profile users for commercial purposes.

14. Cross-Border Data Transfers

KefiFam is operated by Hanuly Innovations. Data may be processed in countries other than your own. Here is where each service operates:
• Supabase database and file storage: EU (Frankfurt, Germany). Data stored in the EU.
• Firebase (push notifications): United States (Google infrastructure).
• Google Gemini (AI suggestions): United States (Google infrastructure).
• RevenueCat: United States.

For EEA and UK users (GDPR / UK GDPR): Transfers to third countries outside the EEA/UK are made using appropriate safeguards:
• Google and Firebase: Google LLC participates in the EU-U.S. Data Privacy Framework and offers Standard Contractual Clauses (SCCs).
• RevenueCat: Standard Contractual Clauses apply.
• All sub-processors are required to process data only on our documented instructions and to maintain security standards equivalent to those described in this Policy.

For all users: Regardless of where you are located, we require every third-party sub-processor to: (a) use data only for the purpose we specify; (b) not sell or further share data; and (c) maintain appropriate technical and organisational security measures.

To request more information about international transfer safeguards, or to obtain a copy of the applicable SCCs, contact privacy@kefifam.com.

15. Data Retention Schedule

We retain personal data only for as long as necessary for the purpose it was collected, in accordance with COPPA's requirement for short and enforceable retention periods. The following schedule applies:

Data Category | Retention Period | Deletion Method
Guardian account data (email, name, profile photo) | Until account deletion | Settings → Delete Account, or email request
Guardian PIN hash | Until account deletion or PIN reset | Automatically deleted on account deletion
Child profile (name, age, avatar, Kefi Points) | Until child profile deletion or account deletion | Settings → Child Profile → Delete; or account deletion
Task records and completion history | Until task deletion or account deletion | Per-task deletion or account deletion
Task proof photos | Until task deletion, child profile deletion, or account deletion — whichever comes first | Automatic on deletion of associated record
Achievement and badge records | Until child profile deletion or account deletion | Automatic on child profile or account deletion
Push notification device tokens | Until app uninstall or sign-out | Automatic on sign-out or uninstall
Anonymised, aggregated usage statistics | Up to 24 months from collection | Automatic purge — cannot be linked to individuals
Parental consent records | Life of the child profile + 3 years (for COPPA compliance evidence) | Purged automatically after retention period
Data subject rights request records | 3 years from request fulfilment | Purged automatically after retention period

Complete account deletion: When a Guardian deletes their account via Settings → Delete Account, all data listed above (except consent records and rights request records, which are retained as compliance evidence) is permanently and irreversibly deleted within 24 hours. Deleted data cannot be recovered.

Legal hold exception: In rare circumstances, we may be required by law, court order, or regulatory authority to retain certain data beyond these periods. If this applies to you, we will notify you to the extent permitted by law.

16. Automated Decision-Making & AI

We do not use fully automated decision-making — including profiling — to make decisions that produce legal effects or similarly significant effects on you or your child. No account suspensions, access restrictions, or similar decisions are made by automated systems without human review.

AI Task Suggestions (Google Gemini): When a Guardian types a task title in the app, they may optionally request an AI-generated description suggestion. This works as follows:
• Only the task title (e.g., "Tidy your room") is sent to Google Gemini. No child name, age, profile, or any personal data is included.
• The suggestion is displayed for the Guardian to review. The Guardian decides whether to use it, edit it, or discard it.
• No suggestion is applied automatically. The Guardian retains full control.
• This feature does not profile children or make any decisions about them.

This feature is subject to Google Gemini's terms and privacy policy at ai.google.dev/terms. Guardian-entered task titles are subject to Google's data processing terms. If you prefer not to use this feature, you may type task descriptions manually — the AI suggestion is always optional.

17. Cookies & Local Storage

KefiFam is a native iOS application and does not use browser cookies or tracking pixels.

On-device local storage: The app uses Flutter secure storage to store:
• Your authentication session token — so you remain logged in between sessions.
• App preferences and UI settings — for performance and personalisation.

This data is stored securely on your device using iOS Keychain (for sensitive data) or standard app storage (for preferences). It is not transmitted to third parties and cannot be read by other apps.

No persistent advertising identifiers: We do not access Apple's Identifier for Advertisers (IDFA) or any equivalent persistent cross-app tracking identifier. We do not use it, request it, or share it.

Clearing local data: You can clear all locally stored data by signing out of the app or deleting the app from your device.

18. Data Breach Notification

We take security incidents seriously. In the event of a personal data breach, we will follow these steps:

Internal detection and containment: We aim to identify and contain breaches within 24 hours of detection.

Regulatory notification:
• EU/UK: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms, as required by GDPR Art. 33 and UK GDPR.
• US (COPPA-specific): We will notify the FTC and affected parents promptly following any breach involving children's personal information, consistent with COPPA requirements.
• Other jurisdictions: We will comply with applicable breach notification laws in each jurisdiction.

Individual notification: Where a breach is likely to result in a high risk to your rights and freedoms (e.g., unauthorised access to account data or proof photos), we will notify you without undue delay via in-app notification and/or email, describing: what happened, what data was affected, what we are doing, and what you can do to protect yourself.

Child data breaches: Any breach involving children's personal data is treated as the highest priority. We will notify affected Guardians individually as quickly as possible.

To report a suspected security vulnerability: privacy@kefifam.com (subject: "Security Vulnerability Report").

19. Security

We maintain a written information security program (WISP) appropriate to our size and the sensitivity of the data we hold. Key measures include:

In transit: All data between the app and our servers is encrypted using TLS 1.2 or higher (HTTPS). We do not support insecure HTTP connections.

At rest: All data stored in Supabase is encrypted at rest using AES-256. Proof photos are stored in a private, encrypted storage bucket.

Guardian PIN: PINs are hashed using bcrypt with a high work factor before storage. We cannot read, recover, or transmit your raw PIN under any circumstances.

Proof photos: Accessible only via signed, time-limited URLs generated server-side. URLs expire automatically and cannot be shared or accessed by the public.

Access controls: Access to our production database is restricted to authorised personnel only, using role-based access control. No team member has blanket access to all user data.

Authentication: Guardian accounts use industry-standard session token management via Supabase Auth. Sessions expire after a period of inactivity. Biometric authentication (Face ID / Touch ID) is available to Guardians as an additional layer of protection.

Subprocessor security: We conduct due diligence on all sub-processors and require them to maintain security standards consistent with industry best practices.

No method of electronic transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at privacy@kefifam.com and change your account password immediately.

20. Your Rights by Jurisdiction

To exercise any right below, email privacy@kefifam.com. We may ask you to verify your identity before processing the request. We will respond within 30 days, or within any shorter period required by applicable law. We will not charge a fee for reasonable requests.

Rights available to all users:
• Access: Request a copy of the personal data we hold about you or your child.
• Correction: Update inaccurate or incomplete information within the app or by contacting us.
• Deletion: Delete your account and all associated data at any time (Settings → Delete Account) or by emailing us.
• Withdraw consent: Where processing is based on consent, withdraw it at any time. This does not affect past lawful processing.

EEA, UK & Switzerland (GDPR / UK GDPR / nFADP):
• Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON).
• Restriction (Art. 18): Request that we restrict processing in certain circumstances (e.g., while you contest accuracy).
• Object (Art. 21): Object to processing based on legitimate interests.
• Automated decision-making: You have the right not to be subject to solely automated decisions — we do not make any such decisions.
• Lodge a complaint: EEA residents: edpb.europa.eu. UK residents: ico.org.uk. Swiss residents: edoeb.admin.ch.

California (CCPA / CPRA):
• Right to know what personal information is collected, used, and disclosed.
• Right to delete personal information (with limited exceptions).
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing — we do not sell or share personal information, so this right is already satisfied.
• Right to limit use of sensitive personal information — we collect no sensitive personal information as defined by CPRA beyond what is necessary for the Service.
• Right to non-discrimination for exercising any privacy right.
• To submit a request: email privacy@kefifam.com (subject: "California Privacy Request") or delete your account in-app.
• Authorised agents may submit requests on your behalf with written authorisation.

Brazil (LGPD):
• Confirmation of existence of processing; access to data; correction; anonymisation or deletion of unnecessary data; portability; deletion of data processed with consent; information about third-party sharing; right to revoke consent; right not to be subject to automated decisions without review.
• Lodge a complaint with the ANPD: gov.br/anpd.

Canada (PIPEDA / Provincial Laws):
• Right to access personal information and understand how it is used.
• Right to correct inaccurate information.
• Right to withdraw consent for non-essential processing.
• Lodge a complaint with the Office of the Privacy Commissioner: priv.gc.ca.

Australia (Privacy Act 1988 / APPs):
• Right to access and correct personal information held about you.
• Lodge a complaint with the Office of the Australian Information Commissioner: oaic.gov.au.

South Korea (PIPA):
• Right to access, correct, delete, and suspend processing of your personal data.
• Right to object to processing and withdraw consent.
• Lodge a complaint with the Personal Information Protection Commission (PIPC): pipc.go.kr.

21. Guardian Responsibility & User Content

As the account holder, Guardians are responsible for:
• Ensuring that child profiles are only created for children in their own care.
• Supervising the content of task titles, descriptions, and proof photos submitted through their account.
• Keeping account credentials (email, password) and the Guardian PIN confidential and not sharing them with children.
• Ensuring the Service is used in compliance with applicable laws in their jurisdiction.
• Promptly notifying us at privacy@kefifam.com if they believe their account has been compromised or that a child has gained unauthorised access.

Content you submit: We are not responsible for personal data voluntarily included in task titles, descriptions, or proof photos (e.g., third-party names, locations, or sensitive information). Please do not include: other people's personal information, sensitive health or financial information, or any content that is harmful, illegal, or violates our Terms of Service.

Custody and access disputes: Where a Guardian account involves a custody dispute or court order affecting a child's data, it is the Guardian's responsibility to inform us. We will not adjudicate custody disputes but may place a temporary hold on data deletion requests where a court order is in place, if required by law.

Account transfer: Guardian accounts may not be transferred to another person. If a change of guardianship occurs, the new guardian should create their own account and contact us to manage data appropriately.

22. Changes to This Policy

We may update this Privacy Policy from time to time as our practices evolve or as required by law. When we make changes, we will:
• Update the "Last updated" date at the top of this page.
• For material changes — meaning changes that affect how we collect, use, or share your data — we will notify you by in-app notification and email at least 14 days before the change takes effect.
• For changes that materially affect how we process children's personal data, we will treat this as requiring fresh parental consent where required by COPPA or applicable law, and will re-present the consent flow before the change takes effect.

Your continued use of KefiFam after a change takes effect constitutes your acceptance of the updated Policy. If you do not agree with the changes, you may delete your account before they take effect at no penalty. We will not retroactively apply changes to reduce your rights with respect to data we have already collected.

23. Contact Our Privacy Team

For all privacy-related questions, data subject requests, COPPA parental requests, or concerns about how we handle children's data, contact us at:

Hanuly Innovations — Privacy Team
Email: privacy@kefifam.com

Response times:
• Standard requests: within 30 days
• COPPA parental requests (child data review, correction, deletion): within 30 days; deletion executed within 24 hours of identity verification
• Urgent child data incidents (subject: "URGENT — Child Data"): prioritised, target response within 72 hours
• Data breach reports (subject: "Security Vulnerability Report"): investigated immediately

What to include in your request:
• Your full name and the email address associated with your account
• The nature and scope of your request
• Your jurisdiction (country/state)
• For COPPA requests: confirmation that you are the parent or legal guardian

We may ask you to verify your identity before processing access, correction, or deletion requests. This is to protect the security of your account and your child's data.