Privacy Policy
Last updated: 18 May 2026
The 30-second version. We collect your email, your child's first name and age, the goals you set, and how the weekly tasks went. That's what we use to put together your weekly plans. We don't sell your data, and other Summiva users never see it. You can delete everything from inside the app whenever you want. The marketing website (summiva.com) also uses Google Analytics for aggregate visitor stats, separate from anything you do inside the app.
1. Who we are
Summiva is built and run by Anand Yadav, an individual in India. If you have a privacy question, please write to me at hello@summiva.com. That's also the address for any data-protection grievance under India's Digital Personal Data Protection Act (DPDP Act, 2023). I'm the Data Fiduciary and the Grievance Officer; in practice, the same person reads both queues.
2. What we collect
From you (the parent)
- Your email and a hashed password so you can sign in.
- Your first name (optional) if you choose to add it in Settings, so we can greet you in the app and any emails. You can edit or delete it any time.
- Subscription details: which tier you bought, an anonymous purchase identifier from Apple, and renewal dates. We never see your card.
- Push notification token (optional), if you opt in to weekly notifications. Used solely to deliver the Saturday "your weekly plan is ready" push. Cleared when you sign out.
- App usage and crash data: which screens you open, what you tap, and stack traces if something crashes. Tied to a random device identifier, not to your email.
About your child (entered by you)
- First name, so the weekly plan can write tasks like "Practice rook moves with Aanya".
- Date of birth, to compute age and pick the right curriculum stage. Age auto-increments on their birthday.
- Gender (optional), used for activity suggestions only.
- The goals you set: domain (chess, music, etc.), tier, and your "why" note.
- Progress logs: what got done, the rating you gave each item (struggled / okay / crushed it), and any notes you wrote.
What we do NOT collect
- Your child's last name, school, photos, voice recordings, or anything that could re-identify them outside your family.
- Precise location data.
- Your contacts, calendar, microphone, camera, or any other on-device data outside the app.
- Health, medical, or biometric information.
3. Why we collect it
- Your email and password, to sign you in, send password resets, and tell you about important changes.
- Your first name, to make the app feel like it knows you. Optional. We don't share it.
- Your child's first name, age, gender, and goals, so the weekly checklists are actually personal. Without these we can't personalise anything.
- Progress logs, so next week's plan reflects what worked and what didn't this week. This is the whole point of the loop.
- Subscription details, to give you the features you paid for.
- Crash and usage data, to fix bugs and figure out which features matter. We don't use this for advertising.
4. How long we keep it
- Your account, child profile, goals, and progress logs: as long as your account exists, regardless of subscription status. Data created during a paid period is preserved if you later cancel or revert to free — it is not deleted, only hidden in-app until you re-subscribe. When you delete your account, all of the above is gone from our active database within 30 days.
- Subscription / payment records: kept for 7 years to comply with Indian tax law, even if you delete your account. These are anonymous transaction lines (date, amount, product), not personal data tied to your name.
- Crash logs: 90 days, then automatically deleted by Sentry.
- Usage analytics: 12 months, then automatically deleted by PostHog.
5. Who else sees your data
We don't sell your data to anyone. We do rely on a small number of service providers to run the app. Each of them only sees what they need to do their specific job, and none of them is allowed to use your data for anything else:
- Supabase, Inc. (USA) hosts our database and authentication. Everything in sections 2.1 and 2.2 lives on Supabase servers in US-East. Encrypted in transit and at rest.
- Anthropic PBC (USA) generates the weekly plans. We send your child's first name, age, the goal and tier, and the prior week's progress to Claude. Anthropic does not train on this data per their commercial terms.
- Apple Inc. handles in-app purchases and Sign in with Apple ID verification. We never see your card; for Sign in with Apple we receive only a verified email (or relay address if you choose Hide My Email) and your first name on first sign-in.
- Google LLC (USA) handles Continue with Google sign-in if you choose it. We receive only your email address and first name from your Google profile.
- RevenueCat, Inc. (USA) keeps track of who has what subscription. Receives a random user identifier and Apple's purchase identifier.
- PostHog Inc. (USA) handles usage analytics. Receives a random device identifier plus screen-view events. No personal data.
- Sentry GmbH (Germany) handles crash reporting. Receives crash stack traces and a random device identifier. No personal data.
- Resend (USA) sends our transactional emails (sign-up confirmation, password reset). Receives your email address only when we email you.
- Cloudflare, Inc. (USA) hosts this website and our DNS.
- Google LLC — Google Analytics 4 (USA) is used on the marketing website (summiva.com) only, NOT inside the iOS app. It collects: pages you visit, approximate country and region from your IP address, device type and operating system, browser type, how you arrived (direct, search, referral), and approximate session duration. It sets cookies in your browser. Data is retained for 14 months and then deleted automatically. We use this only to understand which pages are useful and where traffic comes from. No personalised advertising. To opt out: enable "Do Not Track" in your browser, or install Google's official opt-out add-on at tools.google.com/dlpage/gaoptout, or block cookies from summiva.com.
6. Your rights
You can:
- See what we have. Email us and we'll send you a copy of all your data within 30 days.
- Correct it. Anything wrong, we fix.
- Delete it. From inside the app: Settings → Delete account. Or email us. Your data is gone from our active systems within 30 days.
- Take it with you. Request a machine-readable export (JSON) and we'll send it.
- Withdraw consent. At any time. We deactivate your account.
- Raise a grievance. Under DPDP Act §13. We respond within 30 days.
To exercise any of these, email hello@summiva.com with the subject line "Data Request". We'll reply within 30 days, usually faster.
7. About your child specifically
Summiva is for parents and guardians (you must be 18+ to create an account). Your child does not have an account and never interacts with the app directly. The data in section 2 about your child is information that you entered as their parent or guardian, so you're responsible for what you choose to add.
For data about anyone under 18, we follow the principles of the US Children's Online Privacy Protection Act (COPPA), India's DPDP Act, and the EU GDPR:
- We collect the minimum necessary (first name + age) to do the job.
- We never use children's data for advertising or behavioural profiling. There are no ads in the app.
- We never share children's data with third parties except the operational providers in section 5.
- You can delete a child's profile any time from inside the app, which removes goals, progress, and the profile itself.
8. If your data crosses borders
Most of our service providers are based in the United States (Supabase, Anthropic, Apple, RevenueCat, PostHog, Resend, Cloudflare) or Germany (Sentry). Your data therefore moves outside India. We rely on standard contractual clauses with each provider and on each provider's compliance with applicable data-protection rules.
9. Security
We do the things you'd hope for: passwords are hashed (bcrypt), data is encrypted in transit (TLS 1.3) and at rest (AES-256), and access to production systems requires multi-factor authentication. We never store payment-card details, since Apple handles all payment processing.
No system is perfectly secure. If we ever discover a breach affecting your data, we will notify you within 72 hours and report to the Indian Data Protection Board as required by the DPDP Act.
10. About the curriculum frameworks we reference
Summiva's weekly plans draw on publicly available developmental milestones and curriculum frameworks. You'll see names like FIDE youth chess pedagogy, ABRSM and Royal Conservatory grade-level expectations, Lexile reading bands, Singapore Math, Common Core State Standards, Trinity College London grades, CEFR language levels, Toastmasters, and similar. These names appear so parents understand where the structure of our plans comes from. Summiva is not affiliated with, partnered with, certified by, or endorsed by any of these organisations. The frameworks are referenced for educational purposes only.
11. If you live in the EEA, UK, or California
EEA / UK (GDPR)
Our lawful basis for processing your data is your consent (when you sign up) and contract performance (delivering the service you paid for). You have everything in section 6 plus the right to lodge a complaint with your local supervisory authority.
California (CCPA / CPRA)
You have the right to know what data we collect, delete it, correct it, and opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information as defined by CCPA.
12. When we change this policy
We update this page when we add features, change service providers, or when laws change. The "Last updated" date at the top reflects the most recent change. For any material change that affects your rights, we'll tell you in-app and by email at least 14 days before it takes effect.
13. Contact
For any privacy question or to exercise your rights:
Anand Yadav (Data Fiduciary & Grievance Officer)
hello@summiva.com