Privacy Policy
Nokuhiro: Kids Habit Quest
Effective Date: May 2, 2026 | Last Updated: May 2, 2026
Introduction
This Privacy Policy describes how Nokuhiro ("the App," "we," "us," or "our") collects, uses, and protects information when you and your family use our mobile application. Nokuhiro is a gamified habit-building app designed for children ages 3 through 12, operated under parental supervision. We are deeply committed to protecting the privacy of children and families, and we have designed the App from the ground up with privacy as a foundational principle.
This Privacy Policy applies to all users of the App, including parents, legal guardians, and children. By downloading, installing, or using Nokuhiro, you acknowledge that you have read and understood this Privacy Policy. If you are a parent or legal guardian setting up the App for your child, you are responsible for reviewing this policy and consenting on behalf of your child.
1. Children's Privacy
Nokuhiro is designed specifically for families with children and complies with the Children's Online Privacy Protection Act (COPPA), the EU General Data Protection Regulation as it applies to children (GDPR-K), and the Swiss Federal Act on Data Protection (nFADP/DSG). We take children's privacy extremely seriously and have implemented the following safeguards.
We do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where GDPR-K applies) without verifiable parental consent. The App requires a parent or legal guardian to set up and manage all child profiles. Children cannot create accounts, modify privacy settings, or access parental controls independently. Before any child profile is created, the App presents a dedicated parental consent screen that requires the parent to review and acknowledge our data practices, confirm they are the child's parent or legal guardian, and explicitly grant consent.
All data entered about children — including names, ages, habit completions, companion selections, and progress — is stored exclusively on the parent's device in the App's default local-only mode. This data never leaves the device, is never transmitted to our servers, and is never accessible to us or any third party.
2. Data We Collect
2.1 Local-Only Mode (Default)
In its default configuration, Nokuhiro operates entirely on-device. The following data is created and stored locally using the device's secure storage (AsyncStorage):
| Data Category | Examples | Storage Location |
|---|---|---|
| Child profiles | First name, birthday, gender, avatar | On-device only |
| Habit data | Habit names, completion records, streaks | On-device only |
| Progress data | XP earned, levels, badges, rewards | On-device only |
| Companion data | Selected companion animal, interaction history | On-device only |
| App preferences | Language, notification settings, UI mode | On-device only |
| Parent settings | Parental consent status, tutorial progress | On-device only |
In local-only mode, Nokuhiro collects no data whatsoever. All information remains on the device and is never transmitted, uploaded, or shared. We cannot access, read, retrieve, or reconstruct any of this data.
Static Media Assets. The App downloads static media assets (companion animations, splash screen images, and introductory videos) from a content delivery network (CDN) to display within the App. These are one-directional downloads of pre-made files — no user data, device identifiers, or personal information is sent in these requests. The CDN provider does not receive any information that could identify you or your child.
2.2 Cloud Sync Mode (Optional)
If a parent chooses to sign in and enable family synchronization for cross-device access, the following additional data is processed:
| Data Category | Purpose | Storage Location |
|---|---|---|
| Authentication identity | Account creation and login via OAuth provider | Secure server |
| Family group membership | Linking family members across devices | Secure server |
| Synced habit and progress data | Cross-device synchronization | Secure server |
Cloud sync is entirely optional and requires explicit parental action to enable. Parents can revoke cloud sync at any time, after which all server-side data is scheduled for deletion.
3. Data We Do NOT Collect
Nokuhiro does not collect, access, or process any of the following:
| Data Type | Collected? |
|---|---|
| Location data or GPS coordinates | No |
| Contact lists or address books | No |
| Photos or videos of children | No |
| Browsing history or web activity | No |
| Device identifiers for advertising (IDFA) | No |
| Biometric data (fingerprints, face scans) | No |
| Financial or payment information | No |
| Data from other apps on the device | No |
| Microphone recordings or audio capture | No |
| Health or fitness data | No |
| Email addresses of children | No |
| Phone numbers | No |
Optional Camera and Photo Library Access. Parents may optionally use the device camera or photo library to add a custom photo to a child's reward. This photo is stored exclusively on the device and is never uploaded, transmitted, or shared. The App requests camera or photo library permission only when the parent initiates this action, and the permission can be revoked at any time through the device's system settings.
We do not use any advertising SDKs, analytics trackers, crash reporting tools, or third-party data brokers. The App contains zero advertising frameworks, zero tracking pixels, and zero cross-app tracking mechanisms. We do not request the App Tracking Transparency (ATT) prompt because there is nothing to track.
4. Third-Party Services and SDKs
Nokuhiro integrates only open-source and privacy-respecting SDKs that are essential to the App's functionality. None of these SDKs collect, transmit, or store user data:
| SDK | Purpose | Collects User Data? |
|---|---|---|
| Expo SDK 54 | App framework | No |
| React Native | UI framework | No |
| NativeWind (Tailwind CSS) | Styling | No |
| expo-haptics | Haptic feedback | No |
| expo-audio | Sound playback (companion voices) | No |
| expo-video | Video playback (companion animations) | No |
| expo-notifications | Local notifications only | No |
| expo-image-picker | Optional reward photo (camera/library) | No |
| expo-image | Image display with caching | No |
| expo-speech | Text-to-speech (on-device) | No |
| expo-localization | Device language detection | No |
| expo-sharing | System share sheet | No |
| react-native-reanimated | Animations | No |
| AsyncStorage | Local data persistence | No |
| Zustand | State management (in-memory) | No |
No third-party SDK in Nokuhiro transmits data off the device. We do not integrate any advertising networks, analytics platforms (such as Google Analytics, Firebase Analytics, or Mixpanel), or social media SDKs.
5. How We Protect Your Data
5.1 Local Data Protection
Data stored on your device is protected by your device's built-in security mechanisms, including passcode, biometric authentication (Face ID, Touch ID, fingerprint), and device encryption. We recommend that parents enable a device passcode to protect all locally stored data.
5.2 Cloud Data Protection (When Enabled)
If cloud sync is enabled, data in transit is encrypted using TLS 1.3 (Transport Layer Security). Data at rest is stored in encrypted databases with industry-standard encryption. Authentication is handled via OAuth 2.0 through established identity providers, meaning we never store or have access to your password. We implement the principle of minimal data collection, storing only what is strictly necessary to provide the synchronization service.
5.3 Security Practices
- Encrypted data transmission (HTTPS/TLS) for all network communication
- Secure authentication via OAuth 2.0 with established identity providers
- No storage of passwords or authentication credentials on our servers
- Minimal data collection and retention principles
- No data sharing with third parties for any purpose
- Regular review of security practices and SDK dependencies
6. Parental Rights and Controls
As a parent or legal guardian, you have the following rights regarding your child's data:
Right to Review. You may review all data associated with your child at any time directly within the App. The Parent Dashboard provides full visibility into habit records, progress, badges, and companion data.
Right to Deletion. You may delete all of your child's data at any time using the "Delete Child Data" function in the Parent Dashboard settings. In local-only mode, this permanently removes all data from the device. If cloud sync is enabled, server-side data is permanently deleted within 30 days of the deletion request.
Right to Refuse Collection. You may refuse further collection of your child's data by discontinuing use of the App or by resetting the App's data through the settings.
Right to Revoke Consent. You may revoke your parental consent at any time. If cloud sync is enabled, you may disable it, which will stop all data transmission and schedule server-side data for deletion.
Right to Export. You may export your family's data in a portable format using the data export function available in the Parent Dashboard.
Right to Restrict Processing. You may restrict how the App processes your child's data by adjusting settings, disabling notifications, or limiting features.
To exercise any of these rights, you can act directly within the App or contact us using the information provided in Section 12 of this policy.
7. Data Retention
Local data remains on your device until you delete it, reset the App, or uninstall the App. Uninstalling the App permanently removes all locally stored data.
Cloud-synced data (if enabled) is retained as long as your account remains active. Upon account deletion or revocation of cloud sync consent, all associated data is permanently and irreversibly removed from our servers within 30 calendar days. We do not retain backups of deleted data beyond this period.
We do not retain children's data longer than is reasonably necessary to provide the App's services. We do not archive, sell, or repurpose any user data after deletion.
8. Data Sharing
We do not sell, trade, rent, or share your personal information or your child's personal information with any third party. This is an absolute commitment with no exceptions for marketing, advertising, analytics, or data brokerage.
We may disclose data only in the following strictly limited circumstances:
- With your explicit, informed consent — for example, if you request a data export to a specific service.
- To comply with legal obligations — if required by a valid court order, subpoena, or other binding legal process in a jurisdiction with authority over us.
- To protect safety — if we believe in good faith that disclosure is necessary to prevent imminent harm to the safety of a child, user, or the public.
We have never received a government request for user data, and in any case, we hold no user data in local-only mode to disclose.
9. International Users and GDPR Rights
Nokuhiro is available in multiple languages (English, German, Spanish, Italian, and French) and may be used internationally. If you are located in the European Economic Area (EEA), the United Kingdom, Switzerland, or another jurisdiction with comprehensive data protection laws, you have additional rights under the GDPR and the Swiss nFADP:
| Right | Description |
|---|---|
| Right of Access | Request a copy of all personal data we hold about you |
| Right to Rectification | Request correction of inaccurate personal data |
| Right to Erasure | Request deletion of your personal data ("right to be forgotten") |
| Right to Data Portability | Receive your data in a structured, machine-readable format |
| Right to Object | Object to processing of your personal data |
| Right to Restrict Processing | Request limitation of how your data is processed |
| Right to Lodge a Complaint | File a complaint with your local data protection authority |
In practice, because Nokuhiro's default mode collects no data and stores everything on-device, most of these rights are automatically satisfied. You have full control over all data at all times through the App's built-in data management features.
Legal Basis for Processing (GDPR Article 6). Where cloud sync is enabled, our legal basis for processing is explicit consent (Article 6(1)(a)), which you provide when enabling the feature and which you may withdraw at any time.
Data Protection Authority. If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. For users in Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC).
10. Notifications
Nokuhiro uses local notifications only to provide daily habit reminders, motivational messages, and companion greetings. These notifications are generated and scheduled entirely on your device. No notification data is sent to or processed by our servers. Push notification permissions are requested through the standard operating system prompt, and you may disable notifications at any time through your device's settings or within the App's settings.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or App features. When we make changes, we will update the "Last Updated" date at the top of this policy and, where appropriate, notify you through the App.
For any material changes that affect how children's data is handled, we will seek renewed parental consent where required by applicable law (including COPPA and GDPR-K). We will not retroactively apply less protective practices to data collected under a prior version of this policy.
Your continued use of the App after changes are posted constitutes your acceptance of the revised Privacy Policy. We encourage you to review this policy periodically.
12. Contact Us
If you have questions about this Privacy Policy, wish to exercise your parental rights, need to report a privacy concern, or want to request deletion of your data, please contact us:
We aim to respond to all privacy-related inquiries within 30 calendar days. For urgent matters involving children's safety or data breaches, we will respond as quickly as possible and no later than 72 hours.
13. Summary
| Aspect | Nokuhiro's Practice |
|---|---|
| Data collected (default mode) | None (static media assets downloaded from CDN) |
| Data stored on device | Yes (locally only) |
| Data transmitted to servers | No (unless cloud sync is enabled) |
| Third-party analytics | None |
| Advertising | None |
| Cross-app tracking | None |
| COPPA compliant | Yes |
| GDPR-K compliant | Yes |
| Swiss nFADP compliant | Yes |
| Parental consent required | Yes (before child profile creation) |
| Data deletion available | Yes (in-app, immediate) |
| Data export available | Yes (in-app) |
| Minimum age without parental consent | 13 (US) / 16 (EU) |
References
- Children's Online Privacy Protection Rule (COPPA) — Federal Trade Commission
- General Data Protection Regulation (GDPR) — Rights of the Data Subject
- Swiss Federal Act on Data Protection (nFADP/DSG) — Fedlex