Privacy Policy
Nokuhiro: Kids Habit Quest
Effective Date: May 10, 2026 | Last Updated: May 10, 2026
Introduction
This Privacy Policy describes how Nokuhiro (“the App,” “we,” “us,” or “our”) collects, uses, and protects information when you and your family use our mobile application. Nokuhiro is a gamified habit-building app designed for children ages 3 through 12, operated under parental supervision. We are deeply committed to protecting the privacy of children and families, and we have designed the App from the ground up with privacy as a foundational principle.
This Privacy Policy applies to all users of the App, including parents, legal guardians, and children. By downloading, installing, or using Nokuhiro, you acknowledge that you have read and understood this Privacy Policy. If you are a parent or legal guardian setting up the App for your child, you are responsible for reviewing this policy and consenting on behalf of your child.
1. Children’s Privacy
Nokuhiro is designed specifically for families with children and complies with the Children’s Online Privacy Protection Act (COPPA), the EU General Data Protection Regulation as it applies to children (GDPR-K), and the Swiss Federal Act on Data Protection (nFADP/DSG). We take children’s privacy extremely seriously and have implemented the following safeguards.
We do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where GDPR-K applies) without verifiable parental consent. The App requires a parent or legal guardian to set up and manage all child profiles. Children cannot create accounts, modify privacy settings, or access parental controls independently. Before any child profile is created, the App presents a dedicated parental consent screen that requires the parent to review and acknowledge our data practices, confirm they are the child’s parent or legal guardian, and explicitly grant consent.
All data entered about children — including names, ages, habit completions, companion selections, and progress — is stored on our secure servers and cached locally on the parent’s device. This data is encrypted in transit (TLS 1.3) and at rest, and is never shared with or accessible to any third party.
2. Data We Collect
2.1 Account-Based Data Storage
Nokuhiro requires account creation to use the App. When you create an account and set up your family, the following data is collected and stored on our secure servers:
| Data Category | Examples | Storage |
|---|---|---|
| Authentication identity | Email address, OAuth provider token | Secure server |
| Family group membership | Family name, member roles, invite codes | Secure server |
| Child profiles | First name, birthday, gender, avatar configuration | Secure server + local cache |
| Habit data | Habit names, completion records, streaks, mastery scores | Secure server + local cache |
| Progress data | XP earned, levels, badges, rewards | Secure server + local cache |
| Companion data | Selected companion animal, companion name, evolution stage | Secure server + local cache |
| Cooperative quest data | Shared family quests and progress | Secure server + local cache |
| App preferences | Language, notification settings, UI mode | Secure server + local cache |
The server is the source of truth for all family data. A local cache is maintained on your device to enable offline habit tracking. When connectivity is restored, locally completed habits are automatically synchronized with the server.
2.2 Static Media Assets
The App downloads static media assets (companion animations, celebration effects, and introductory videos) from a content delivery network (CDN) to display within the App. These are one-directional downloads of pre-made files — no user data, device identifiers, or personal information is sent in these requests. The CDN provider does not receive any information that could identify you or your child.
3. AI-Powered Features
When you are signed in, certain optional features use artificial intelligence (AI) to generate personalized content for parents. These features are available to all signed-in users and can be disabled in the Parent Dashboard settings.
Progress Summaries. The parent dashboard can generate AI-written summaries of a child’s habit-building journey, including identified strengths and actionable suggestions for parents.
Quest Completion Reports. After a child completes a reward quest, an AI-generated summary highlights achievements and provides developmental insights.
Habit Recommendations. AI-powered suggestions help parents choose which habits to add, keep, or retire for the next quest phase, based on the child’s current progress and behavioral science principles.
To generate these insights, the following data is sent to our AI service provider:
| Data Sent to AI | Not Sent to AI |
|---|---|
| Child’s first name and age | Photos or images |
| Habit names and completion statistics | Device identifiers |
| XP totals, streak counts, mastery status | Location data |
| Companion evolution stage | Browsing history |
| Contact information | |
| Any other sensitive data |
The AI service does not store or retain any data after generating a response. No persistent profile of your child is created by the AI service.
On-Device Adaptive AI Engine. The App also includes an on-device Adaptive AI Engine that dynamically adjusts XP values based on mastery and growth. This engine operates entirely locally on the device and does not transmit any data.
4. Data We Do NOT Collect
Nokuhiro does not collect, access, or process any of the following:
| Data Type | Collected? |
|---|---|
| Location data or GPS coordinates | No |
| Contact lists or address books | No |
| Photos or videos of children | No |
| Browsing history or web activity | No |
| Device identifiers for advertising (IDFA) | No |
| Biometric data (fingerprints, face scans) | No |
| Financial or payment information | No |
| Data from other apps on the device | No |
| Microphone recordings or audio capture | No |
| Health or fitness data | No |
| Email addresses of children | No |
| Phone numbers | No |
Optional Camera and Photo Library Access. Parents may optionally use the device camera or photo library to add a custom photo to a child’s reward. This photo is stored exclusively on the device and is never uploaded, transmitted, or shared — even when cloud sync is enabled. The App requests camera or photo library permission only when the parent initiates this action, and the permission can be revoked at any time through the device’s system settings.
We do not use any advertising SDKs, analytics trackers, crash reporting tools, or third-party data brokers. The App contains zero advertising frameworks, zero tracking pixels, and zero cross-app tracking mechanisms. We do not request the App Tracking Transparency (ATT) prompt because there is nothing to track.
5. Third-Party Services and SDKs
Nokuhiro integrates only open-source and privacy-respecting SDKs that are essential to the App’s functionality. None of these SDKs collect, transmit, or store user data:
| SDK | Purpose | Collects User Data? |
|---|---|---|
| Expo SDK 54 | App framework | No |
| React Native | UI framework | No |
| NativeWind (Tailwind CSS) | Styling | No |
| expo-haptics | Haptic feedback | No |
| expo-audio | Celebration sounds, ambient effects | No |
| expo-video | Companion greetings, intro video | No |
| expo-notifications | Local notifications only | No |
| expo-image-picker | Optional reward photo (camera/library) | No |
| expo-image | Image display with caching | No |
| expo-localization | Device language detection | No |
| expo-sharing | System share sheet | No |
| react-native-reanimated | Animations | No |
| AsyncStorage | Local data persistence | No |
| Zustand | State management (in-memory) | No |
No third-party SDK in Nokuhiro transmits data off the device. We do not integrate any advertising networks, analytics platforms (such as Google Analytics, Firebase Analytics, or Mixpanel), or social media SDKs.
Cloud Sync Third-Party Services (when enabled)
| Service | Purpose | Data Received |
|---|---|---|
| OAuth identity provider | User authentication | Email/identity token only |
| AI service provider | Parent-facing insights generation | Child name, age, habit stats (see Section 3) |
Both services process data only in the context of authenticated sessions and do not retain data beyond what is needed to fulfill the immediate request.
6. How We Protect Your Data
6.1 Server-Side Data Protection
All data in transit is encrypted using TLS 1.3 (Transport Layer Security). Data at rest is stored in encrypted databases with industry-standard encryption. Authentication is handled via OAuth 2.0 through established identity providers, meaning we never store or have access to your password. We implement the principle of minimal data collection, storing only what is strictly necessary to provide the service.
6.2 Local Cache Protection
The local cache on your device is protected by your device’s built-in security mechanisms, including passcode, biometric authentication (Face ID, Touch ID, fingerprint), and device encryption. We recommend that parents enable a device passcode to protect locally cached data.
6.3 Security Practices
- Encrypted data transmission (HTTPS/TLS) for all network communication
- Secure authentication via OAuth 2.0 with established identity providers
- No storage of passwords or authentication credentials on our servers
- Minimal data collection and retention principles
- No data sharing with third parties for any purpose
- Regular review of security practices and SDK dependencies
7. Parental Rights and Controls
As a parent or legal guardian, you have the following rights regarding your child’s data:
Right to Review. You may review all data associated with your child at any time directly within the App. The Parent Dashboard provides full visibility into habit records, progress, badges, and companion data.
Right to Deletion. You may delete all of your child’s data at any time using the “Delete Child Data” or “Delete Account” function in the Parent Dashboard settings. Server-side data is permanently deleted within 30 days of the deletion request, and the local cache is cleared immediately.
Right to Refuse Collection. You may refuse further collection of your child’s data by deleting your account and discontinuing use of the App.
Right to Revoke Consent. You may revoke your parental consent at any time by deleting your account, which will stop all data processing and schedule server-side data for permanent deletion.
Right to Export. You may export your family’s data in a portable format using the data export function available in the Parent Dashboard.
Right to Restrict Processing. You may restrict how the App processes your child’s data by adjusting settings, disabling notifications, or limiting features.
To exercise any of these rights, you can act directly within the App or contact us using the information provided in Section 13 of this policy.
8. Data Retention
Your data is retained on our servers as long as your account remains active. The local cache on your device is cleared when you uninstall the App or log out.
Upon account deletion, all associated data is permanently and irreversibly removed from our servers within 30 calendar days. We do not retain backups of deleted data beyond this period.
We do not retain children’s data longer than is reasonably necessary to provide the App’s services. We do not archive, sell, or repurpose any user data after deletion.
9. Data Sharing
We do not sell, trade, rent, or share your personal information or your child’s personal information with any third party. This is an absolute commitment with no exceptions for marketing, advertising, analytics, or data brokerage.
We may disclose data only in the following strictly limited circumstances:
- With your explicit, informed consent — for example, if you request a data export to a specific service.
- To comply with legal obligations — if required by a valid court order, subpoena, or other binding legal process in a jurisdiction with authority over us.
- To protect safety — if we believe in good faith that disclosure is necessary to prevent imminent harm to the safety of a child, user, or the public.
We have never received a government request for user data.
10. International Users and GDPR Rights
Nokuhiro is available in multiple languages (English, German, Spanish, Italian, and French) and may be used internationally. If you are located in the European Economic Area (EEA), the United Kingdom, Switzerland, or another jurisdiction with comprehensive data protection laws, you have additional rights under the GDPR and the Swiss nFADP:
| Right | Description |
|---|---|
| Right of Access | Request a copy of all personal data we hold about you |
| Right to Rectification | Request correction of inaccurate personal data |
| Right to Erasure | Request deletion of your personal data ("right to be forgotten") |
| Right to Data Portability | Receive your data in a structured, machine-readable format |
| Right to Object | Object to processing of your personal data |
| Right to Restrict Processing | Request limitation of how your data is processed |
| Right to Lodge a Complaint | File a complaint with your local data protection authority |
You can exercise these rights at any time through the App’s built-in data management features in the Parent Dashboard, or by contacting us directly.
Legal Basis for Processing (GDPR Article 6). Our legal basis for processing is explicit consent (Article 6(1)(a)), which you provide when creating your account and setting up child profiles, and which you may withdraw at any time by deleting your account.
Data Protection Authority. If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. For users in Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC).
11. Notifications
Nokuhiro uses local notifications only to provide daily habit reminders, motivational messages, and companion greetings. These notifications are generated and scheduled entirely on your device. No notification data is sent to or processed by our servers. Push notification permissions are requested through the standard operating system prompt, and you may disable notifications at any time through your device’s settings or within the App’s settings.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or App features. When we make changes, we will update the “Last Updated” date at the top of this policy and, where appropriate, notify you through the App.
For significant changes affecting children’s data, we will seek renewed parental consent where required by law.
Your continued use of the App after changes are posted constitutes your acceptance of the revised Privacy Policy. We encourage you to review this policy periodically.
13. Contact Us
If you have questions about this Privacy Policy, wish to exercise your parental rights, need to report a privacy concern, or want to request deletion of your data, please contact us:
Privacy inquiries: privacy@nokuhiro.com
General inquiries: hello@nokuhiro.com
Support: support@nokuhiro.com
We aim to respond to all privacy-related inquiries within 30 calendar days. For urgent matters involving children’s safety or data breaches, we will respond as quickly as possible and no later than 72 hours.
14. Summary
| Aspect | Nokuhiro’s Practice |
|---|---|
| Account required | Yes (parent creates account to use the App) |
| Data stored on server | Yes (encrypted, server is source of truth) |
| Local cache on device | Yes (for offline habit tracking) |
| Data transmitted to servers | Yes (encrypted via TLS 1.3) |
| AI features | Optional, requires sign-in (see Section 3) |
| Third-party analytics | None |
| Advertising | None |
| Cross-app tracking | None |
| COPPA compliant | Yes |
| GDPR-K compliant | Yes |
| Swiss nFADP compliant | Yes |
| Parental consent required | Yes (before child profile creation) |
| Data deletion available | Yes (in-app, within 30 days) |
| Data export available | Yes (in-app) |
| Minimum age without parental consent | 13 (US) / 16 (EU) |
References
- Children’s Online Privacy Protection Rule (COPPA) — Federal Trade Commission
- General Data Protection Regulation (GDPR) — Rights of the Data Subject
- Swiss Federal Act on Data Protection (nFADP/DSG) — Fedlex