Privacy Policy
Last updated: 4 May 2026
Plain-English summary: We collect your email, your child's first name + age, and the goals you set. We use that to generate weekly checklists via Claude (Anthropic). We don't sell your data. You can delete your account from inside the app at any time.
1. Who we are
"Summiva" (the "Service", "we", "our") is operated by Anand Yadav, an individual based in India. You can reach us at anandyadav.bn@hotmail.com. For any data-protection grievance you can write to the same address — Anand Yadav serves as the Data Fiduciary and Grievance Officer under India's Digital Personal Data Protection Act, 2023 ("DPDP Act").
2. What data we collect
2.1 From you (the parent/account holder)
- Email address and a hashed password — to create and authenticate your account.
- Subscription state — the tier you purchased (monthly, annual, or lifetime), purchase identifiers from Apple, and renewal/expiry timestamps.
- Device + diagnostic data — crash reports and app-performance metrics via Sentry; analytics events (which screens you visited, which buttons you tapped) via PostHog. These are tied to a randomly-generated device identifier, not to your email.
2.2 About your child (entered by you)
- First name — used by the AI to personalise weekly tasks ("Practice rook moves with Aanya…").
- Date of birth — used to compute age and pick the appropriate curriculum stage.
- Gender (optional) — used by the AI for activity recommendations.
- Goals you set — the domain (chess, music, etc.), tier, and your "why" note.
- Progress logs — completion status, ratings (😓 / 👍 / ✨), and notes you write each week.
2.3 We do NOT collect
- Your child's last name, school, address, photos, voice recordings, or contact information.
- Precise location data.
- Your contacts, calendar, or any other on-device data outside the app.
- Health or medical information.
3. Why we collect each piece of data
- Email + password: account authentication, password resets, important service emails.
- Child's first name, age, gender, goals: to generate personalised weekly checklists. Without these, the AI cannot personalise.
- Progress logs (status, ratings, notes): so the AI can adapt next week's plan based on what worked last week.
- Subscription state: to grant access to paid features.
- Crash reports + analytics: to fix bugs and understand which features are useful.
4. How long we keep your data
- Account data + child data + goals + progress logs: for as long as your account exists. When you delete your account, all of the above is deleted from our active database within 30 days.
- Subscription/payment records: retained for 7 years to comply with Indian tax and audit law, even if you delete your account. We retain only the transaction record (date, amount, product), not the personal data.
- Crash logs: 90 days, then automatically purged by Sentry.
- Analytics events: 12 months, then automatically purged by PostHog.
5. Third parties we share data with
We do not sell your data to anyone. We use the following service providers ("data processors") to operate Summiva:
- Supabase, Inc. (USA) — hosts our database and authentication. All data described in sections 2.1 and 2.2 is stored on Supabase servers in US-East. Data is encrypted at rest and in transit.
- Anthropic PBC (USA) — generates weekly checklists. We send your child's first name, age, the goal/tier, and the prior week's progress log to Anthropic's Claude API. Anthropic does not retain or train on this data per their Commercial Terms.
- Apple Inc. — processes in-app purchases. We never see your full payment information. Apple shares only an anonymous purchase identifier with us.
- RevenueCat, Inc. (USA) — manages subscription state. Receives a randomly-assigned user identifier and your purchase identifier from Apple.
- PostHog Inc. (USA) — analytics. Receives a random device identifier + which screens were viewed and which actions were taken. No personal data is sent.
- Sentry GmbH (Germany) — crash reporting. Receives crash stack traces + a random device identifier. No personal data is sent.
6. Your rights
You have the following rights regarding your personal data:
- Access — request a copy of all data we hold about you.
- Correction — fix anything inaccurate.
- Deletion ("right to be forgotten") — delete your account and all data; we will action this within 30 days.
- Portability — receive your data in a machine-readable format (JSON).
- Withdraw consent — at any time. Withdrawing consent means we will deactivate your account.
- Grievance redressal — under DPDP Act §13, you can file a grievance with us. We will respond within 30 days.
To exercise any of these rights, email anandyadav.bn@hotmail.com with the subject line "Data Request". We will respond within 30 days.
7. Children's data
Summiva is designed for parents and adult guardians (you must be 18+ to create an account). Children do not have accounts and never interact with the Service directly. The data described in section 2.2 is information about your child that you entered as their parent or guardian. You are responsible for any data you choose to enter.
We follow the principles of the US Children's Online Privacy Protection Act (COPPA), India's DPDP Act, and the EU GDPR for any data concerning persons under 18:
- We collect the minimum necessary (first name + age) to deliver the service.
- We never use children's data for advertising or behavioural profiling.
- We never share children's data with third parties except as described in section 5.
- You can delete your child's profile at any time from inside the app.
8. Data transfers outside India
Most of our data processors are based in the United States (Supabase, Anthropic, Apple, RevenueCat, PostHog) or Germany (Sentry). Your data is therefore transferred outside India. We rely on the standard contractual clauses with each processor and on each provider's own compliance with applicable data-protection regimes.
9. Security
We use industry-standard practices: passwords are hashed using bcrypt; data is encrypted in transit (TLS 1.3) and at rest (AES-256); access to production systems requires multi-factor authentication. We do not store payment card details — Apple handles all payment processing.
No system is perfectly secure. If we discover a breach affecting your data, we will notify you within 72 hours and report to the Indian Data Protection Board as required by the DPDP Act.
10. Region-specific rights
10.1 If you live in the European Economic Area (GDPR)
Our lawful basis for processing your data is your consent (when you sign up) and contract performance (to deliver the service you paid for). You have all rights described in section 6 plus the right to lodge a complaint with your local supervisory authority.
10.2 If you live in California (CCPA / CPRA)
You have the right to know what data we collect, delete your data, correct inaccurate data, and opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information as defined by the CCPA.
11. Changes to this policy
We may update this policy when we add new features or processors, or when laws change. The "Last updated" date at the top of this page reflects the most recent change. For material changes that affect your rights, we will notify you in-app and by email at least 14 days before the change takes effect.
12. Contact
For any privacy questions or to exercise your rights:
Anand Yadav (Data Fiduciary & Grievance Officer)
anandyadav.bn@hotmail.com