Privacy Policy

Last Updated: May 2, 2026  |  Version: 1.3

1. Introduction

Talk & Play — Speech Flashcards ("the App") is developed by an independent developer ("we", "us", "our") and is designed for children ages 1–6, intended to be used under parental or guardian supervision.

This Privacy Policy explains how the App handles information in compliance with:

• GDPR — General Data Protection Regulation (EU/EEA)
• UK GDPR — United Kingdom data protection law
• COPPA — Children's Online Privacy Protection Act (United States)
• CCPA / CPRA — California Consumer Privacy Act / California Privacy Rights Act
• Google Play Families Policy
• Apple App Store Kids Category guidelines
• UK Age Appropriate Design Code

2. Data Controller

For the purposes of GDPR and UK GDPR, the data controller is:

Therese O'Carroll
Email: talkandplay.app@gmail.com

Because the App does not collect, transmit, or process any personal data on external servers, no Data Protection Officer (DPO) is required. However, you may contact us at the email above for any privacy-related enquiries.

3. What Data We Collect

We do not collect any personal data.

The App has no user accounts, no login, and no registration. We do not transmit profiles, progress, recordings, or any other personal information to any server, third-party service, or external system. The only outgoing connection the App makes during normal use is a check for app updates — see §7 for full details of what that does and does not include.

The App stores the following data locally on your device only:

Data	Purpose	Stored Where
Child profiles (name, avatar emoji)	Display within the App	Device only
Progress data (words practised, dates)	Track learning progress	Device only
Settings (voice speed, pitch, age group)	Personalise playback	Device only
Favourites (starred words)	Quick access to preferred words	Device only
Temporary pronunciation recording	Played back so the child can hear their own attempt (see §6)	Device only — transient

This data never leaves your device and is not accessible to the developer or any third party.

4. Legal Basis for Processing (GDPR Art. 6)

Because the App does not collect or process personal data on any server, no legal basis under GDPR Article 6 is strictly required. However, for transparency:

• On-device storage: The locally stored preferences and progress are processed under legitimate interest (Art. 6(1)(f)) — solely to provide the App's core functionality.
• Microphone access: Processed under consent (Art. 6(1)(a)) — the device OS requests explicit permission before access is granted. The parent or guardian provides this consent on behalf of the child.

5. Children's Privacy

COPPA Compliance (United States)

The App fully complies with COPPA:

• No personal information is collected from children or any user
• No data is transmitted from the device to any server (other than a metadata-only update check — see §7)
• No data is shared with any third party
• No behavioural tracking or profiling occurs
• No advertisements are displayed
• No analytics or tracking tools are used

GDPR — Children's Data (Art. 8)

Under GDPR Article 8, processing personal data of a child requires parental consent where the child is below the age of digital consent (16 in most EU countries, 13 in some). Because the App does not process any personal data on external servers, this requirement is inherently satisfied. The App is designed to be used by children under direct parental or guardian supervision.

UK Age Appropriate Design Code

The App is designed in the spirit of the UK Children's Code:

• No data collection, profiling, or tracking of children
• No nudge techniques, dark patterns, or engagement-maximising design
• No geolocation or contact features
• Default settings are the most privacy-protective
• Parental controls available via the Parent Dashboard

6. Microphone Usage

The App uses your device's microphone solely to help children practise pronunciation. Audio is handled in three ways, all entirely on your device:

• Speech recognition: Audio is processed using the operating system's built-in on-device speech recognition to detect whether the child said the target word. The App explicitly requires on-device recognition; if it isn't available, the recognition session fails rather than falling back to a cloud recogniser.
• Temporary local recording for playback: So the child can hear themselves, the App briefly saves the recording to the App's private temporary cache. This file is kept only long enough to play it back, is replaced on each new attempt, and is removed when the App moves to the next word, is closed, or is uninstalled.
• Optional "Save" action (parent-initiated): Each playback view has an explicit Save button. Tapping it opens your device's standard system share sheet so a parent can save the recording to their own device storage (Files, Photos, cloud drive, etc.) or share it manually. The App itself never copies, transmits, or stores the audio anywhere outside the temporary cache — any saved copy lives wherever the parent chose to put it, under their control.

In all cases:

• Audio is processed and stored entirely on your device
• Audio is never transmitted to any server, developer, or third party by the App
• Recordings are never shared, synced, or backed up to the cloud by the App without an explicit, parent-initiated "Save" action
• Microphone access requires explicit OS-level permission and can be revoked at any time through your device settings

7. Third-Party Services and Network Activity

The App does not use any of the following:

• Analytics or tracking services (no Google Analytics, Firebase, Amplitude, etc.)
• Advertising networks
• Social media integrations
• Cloud storage services for user content
• Push notification services
• Content delivery networks for user content
• Behavioural profiling or personalisation engines

Over-the-air app updates

The App uses Expo's update service (expo-updates / u.expo.dev) to check for newer versions of the app bundle on launch. This is the only outgoing network request the App makes during normal use. The update check:

• Does not send any personal information, child data, profiles, progress, settings, recordings, or device identifiers beyond what the operating system itself reveals to any network service (e.g. IP address, user-agent).
• Does not receive any advertising, tracking, or profiling payload — only the newer JavaScript / assets bundle if one exists.
• Is skipped in development and preview builds.

Expo, as the infrastructure provider, operates under its own privacy policy: expo.dev/privacy

Crash reporting (not enabled in this release)

The App contains crash-reporting plumbing (Sentry) that is disabled in the current release — no crash reports are sent. Should crash reporting be enabled in a future release, this policy will be updated accordingly with a version bump, and the stores' data-safety disclosures will be updated to match. If enabled, reports would:

• Contain only technical context (stack traces, device model, OS version, app version) — no child profiles, names, recordings, progress data, or screen contents.
• Be skipped in development mode.
• Be subject to Sentry's privacy policy: sentry.io/privacy

Microphone / speech recognition

Speech recognition is performed by the operating system's built-in engine (Apple's on-device Speech framework on iOS, Google's on-device engine on Android). The App explicitly requests on-device recognition and sets the EXTRA_PREFER_OFFLINE intent flag on Android, so audio is processed locally on your device. If on-device recognition is not available on the device for the current locale, the recognition session will fail rather than fall back to a cloud recogniser — your child's voice is never transmitted. See §6.

Sharing (user-initiated only)

If you tap Export Progress (CSV), Print Coloring Pages, or the Save button on a recording in the Parent Dashboard or playback view, your device's system share sheet or print dialog opens. Any transmission at that point is user-initiated and handled by the app or service you choose (email, messages, AirPrint, Files, Drive, etc.) — the App itself does not transmit the data.

8. International Data Transfers

The App does not transfer any personal data internationally. The only outgoing connection is the over-the-air update check (§7), which sends no personal data — only the standard metadata any HTTPS connection reveals (IP address, approximate location inferred from IP, user-agent). Expo's update service is hosted on Cloudflare's global edge network; see Expo's privacy policy for their sub-processor list.

9. Data Retention

All data is stored locally on your device for as long as the App is installed. The App does not impose any retention period — you have full control.

10. Your Rights

Under GDPR, UK GDPR, and CCPA / CPRA, you have the following rights. Because no personal data is collected or processed on any server, most of these are inherently satisfied:

Right	How It Applies
Access (GDPR Art. 15)	All data is on your device — you already have full access
Rectification (Art. 16)	Edit profiles and settings directly in the App
Erasure / Right to be Forgotten (Art. 17)	Delete profiles in-app, clear app data via device settings, or uninstall the App
Data Portability (Art. 20)	Data is stored in standard device storage — accessible via device backup mechanisms; the Parent Dashboard's CSV export covers progress data
Restriction of Processing (Art. 18)	Revoke microphone permission via device settings at any time
Object (Art. 21)	No profiling, automated decision-making, or direct marketing occurs
Withdraw Consent (Art. 7(3))	Revoke microphone permission at any time; uninstall to remove all data
Lodge a Complaint	You may lodge a complaint with your local Data Protection Authority (see §13)
CCPA: Do Not Sell or Share	We do not sell, share, or disclose personal information to any party

11. Data Deletion

Since all data is stored locally on your device, you have full control:

• Uninstall the App — removes all associated data from your device
• Clear App Data — use your device's settings to clear stored data without uninstalling
• In-App — delete individual child profiles and progress data within the App

No data remains on any server after deletion because no data is ever sent to a server.

12. Data Security

The App protects your data by design:

• The only outgoing network connection is the update check (§7), which uses HTTPS end-to-end and carries no personal data.
• Data is stored using the platform's standard secure storage mechanisms (iOS keychain-backed, Android internal storage).
• No external dependencies process or access child profiles, progress, recordings, or settings.

13. Supervisory Authorities

If you are in the EU/EEA or UK and wish to lodge a complaint about data protection, you may contact your local supervisory authority. A list of EU data protection authorities is available at: edpb.europa.eu/about-edpb/about-edpb/members_en

For the UK: Information Commissioner's Office (ico.org.uk)

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected by updating the "Last Updated" date and version number at the top. Substantive changes (e.g. enabling a previously inert third-party service) will trigger an in-app notification on the next launch. We encourage you to review this policy periodically.

Continued use of the App after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions, concerns, or data protection requests, please contact us:

Email: talkandplay.app@gmail.com

We are committed to responding to all privacy enquiries within 30 days, as required by GDPR.