Sprout Children's Privacy Policy

Effective Date: April 23, 2026 · Last updated: April 23, 2026 · Version 1.2

Introduction

Sprout Good Habits, Inc. (“Sprout,” “we,” “us,” or “our”) operates the Sprout mobile application (the “App”), which consists of a Parent App (“Sprout for Parents”) and a separate Child App (“Sprout for Kids”). Sprout is a coach for the things parents and children want to organize together: routines, calendars, projects, learning, and other parent-led activities. This Children's Privacy Policy explains how we collect, use, disclose, and protect personal information from children under 13 years of age (“children”) through the Sprout App.

We are committed to complying with the Children's Online Privacy Protection Act (“COPPA”) and its implementing rules (16 CFR Part 312). Sprout is currently going through the PRIVO Safe Harbor certification process; we are not yet certified. If you have questions or concerns about our privacy practices, you may contact PRIVO directly at privacy@privo.com.

Important: A parent or legal guardian (“parent”) must create and manage the Sprout account. Children cannot create accounts, provide personal information to us, or use the App without verifiable parental consent.

1. Operator Contact Information

Sprout Good Habits, Inc.
1111B S Governors Ave STE 28408
Dover, DE 19904 US
Email: support@sproutparental.com
Phone: (989) 476-1994

PRIVO Safe Harbor Contact:
Privacy Vaults Online, Inc. (PRIVO)
17949 Main St. #1025
Dumfries, VA 22026
privacy@privo.com

2. Information We Collect From Children

We collect the following categories of personal information from or about children under 13. All information is collected with verifiable parental consent (see Section 6).

Information provided by parents on behalf of their child

  • Child's first name or nickname (for personalization within the family app).
  • Date of birth (for age-appropriate content selection; age tiers 4–6, 7–9, 10–13).
  • Grade level (educational context for task and content recommendations).

Information provided by the child during App use

  • Text messages (conversational interaction with the Sprout coach).
  • Voice recordings (voice exchanges with the Sprout coach).
  • Photographs (capturing what the child is working on).
  • Video recordings (same as photographs).

Information collected automatically

  • Device information (platform, OS version, app version, device model).
  • Device identifier and push notification token.
  • IP-derived approximate location (city-level only, looked up locally, not transmitted to any third party).
  • Task completion records, gem balance, reward history.
  • Crash reports and error diagnostics (device metadata only; no child media, chat content, or personally identifying information).

Information we do NOT collect from children

  • We do not collect a child's full name, home address, phone number, Social Security number, or any government-issued identifier.
  • We do not collect a child's email address. Children do not have accounts; they are profiles within a parent's account.
  • We do not use cookies, behavioral tracking, or advertising identifiers in the Child App.
  • We do not permit children to make their personal information publicly available.

3. How We Use Children's Information

We use children's personal information only for the following purposes:

  • AI-guided task completion. The Sprout AI assistant guides children through tasks, responds to questions, and verifies task completion.
  • Task progress tracking. The App tracks completed tasks, gems earned, and rewards claimed; visible to the child and parent.
  • Parent visibility. Parents can view their child's tasks, conversations, proof submissions, and progress at any time.
  • AI-generated learning insights. We generate summaries of a child's progress that are shown only to the parent.
  • Push notifications. With parental consent, we send task reminders and reward notifications to the child's device.
  • Bug fixing and reliability. Anonymized error reports. No child media or chat content is included.

We do NOT use children's information for advertising or marketing to children, behavioral profiling or targeting, training AI models on children's data, or any purpose not described in this policy.

3A. Data Protection for Sensitive Data

Sprout treats child data (media, voice, chat) and account authentication data (including data obtained through Google Sign-In or Sign in with Apple) as sensitive and applies the controls described in this section. Additional detail on incident response and vendor posture appears in Section 8 (Security).

Encryption

  • In transit: All traffic between the Sprout app, our servers, and every service provider is encrypted using TLS 1.2 or higher, with TLS 1.3 negotiated by default.
  • At rest: Child media, voice recordings, chat transcripts, and task records are encrypted with AES-256. Operational data in PostgreSQL is protected by transparent disk encryption (AES-256, provider-managed keys) on Google Cloud SQL and Supabase. Backups inherit the same encryption.

Access control

  • Access follows the principle of least privilege. Each backend service uses a scoped service account limited to the data categories it needs. No service has blanket database access.
  • Administrative access is restricted to the co-founders and is gated by single sign-on plus multi-factor authentication. All administrative actions are audit-logged.
  • Row-Level Security policies isolate one family's data from another at the database layer.

Key management and rotation

  • Encryption keys for data at rest are managed by Google Cloud KMS and Supabase's managed key infrastructure. Provider-managed keys rotate on the provider's schedule.
  • API credentials, OAuth client secrets, and database passwords are stored in Google Secret Manager. Production credentials are rotated at least annually and immediately on any suspected exposure.

Audit logging and monitoring

  • Authentication events, administrative actions, and access to child-data tables are audit-logged in Google Cloud Logging. Security-relevant events are retained beyond the operational 30-day log window.
  • Raw child content (media, chat, voice) is never written to application logs. PII is automatically redacted from logs via pre-write filters.

Separation between Parent App and Child App

  • The Parent App and Child App are distinct binaries with different App Store identities, store categories, and data-collection profiles.
  • The Child App contains no third-party analytics, no advertising SDKs, and no cross-app tracking identifiers. It does not present Apple's App Tracking Transparency prompt because it collects no data used for cross-app tracking.
  • Data flows between the two apps are mediated by our backend with consent checks on every access.

Third-party AI processing

  • Google (Vertex AI / Gemini): configured for Zero Data Retention on our production Google Cloud project. No child data is retained by Google after the API response returns. Enterprise terms prohibit use of customer data for model training.
  • OpenAI (where used): processed content (including any voice audio and transcripts used in content-safety review) is retained by OpenAI for up to 30 days for abuse monitoring and is then deleted. This is a safety-retention window, not a training corpus; Sprout's enterprise terms with OpenAI prohibit use of customer data for model training. Sprout is applying for OpenAI Zero Data Retention; we will update this policy and notify parents when that configuration is in place.
  • All other processors (SuperAwesome / KWS, Firebase Cloud Messaging, Sentry, Google Cloud Platform, Expo) operate under data-processing agreements that prohibit training, resale, and advertising use of Sprout data.

3B. Data Retention and Deletion Commitments

This section summarizes Sprout's retention and deletion commitments across all user data categories, including data obtained through Google OAuth (Google Sign-In) and Sign in with Apple. The detailed retention table for children's data appears in Section 5.

Account lifecycle

  • Active account: Parent account data (name, email, password hash, or third-party identifier from Google or Apple) is retained while the account is active.
  • Inactive accounts (family dormancy): After 12 consecutive months of no family activity, all child data is deleted under the family-dormancy policy in Section 5. The parent account is preserved so the parent can return; resumed use requires re-consent.
  • Pending accounts: Accounts created but not completed through KWS verifiable parental consent are held in a non-accessible, hashed form and automatically deleted after 14 days. Pending data cannot be exported, queried internally, or used to send reminder emails.

Safety retention windows for AI processing

  • Google (Vertex AI / Gemini): zero retention. Our production Google Cloud project is configured for Zero Data Retention.
  • OpenAI: up to 30 days of safety retention for voice audio and transcripts processed for content-safety review. This window exists for abuse monitoring, not training; Sprout's enterprise terms prohibit OpenAI from training on customer data. Sprout is applying for OpenAI Zero Data Retention and will update this policy if the window changes.

Deletion on parent request

  • Parents can delete their account, individual child profiles, or specific records directly in the Parent App under Settings → Account → Delete. This in-app flow satisfies App Store and Google Play account-deletion requirements.
  • Deletion is propagated across our operational database, backups, and third-party processors within 30 days. Primary database records and Cloud Storage media are hard-deleted within 24 hours; backup copies age out within 7 days.
  • When a parent signs in with Apple, deletion of the Sprout account also revokes the Sign in with Apple token per Apple's token-revocation requirement. Parents who used Google Sign-In can additionally revoke Sprout's access from their Google Account security settings at any time.
  • Deletion requests by email to support@sproutparental.com are honored on the same timeline.

Google user data and OAuth scopes

All Google OAuth scopes below are requested from the parent only. The Child App never connects to a parent's Google account and never receives Gmail or Calendar data. Integrations are opt-in per parent; declining or disconnecting an integration does not affect any other part of Sprout.

Base authentication (every Google Sign-In)

  • https://www.googleapis.com/auth/userinfo.email — the parent's Google email address. Used only to identify the Sprout account and for support contact.

Google Calendar integration (optional; parent opt-in)

  • https://www.googleapis.com/auth/calendar.readonly — Sprout reads the parent's calendar to understand the family's schedule when the parent asks Sprout for help coordinating family activities (for example, “what's on my Tuesday evening?”).
  • https://www.googleapis.com/auth/calendar.events — Sprout creates, modifies, or removes calendar events only when the parent explicitly asks (for example, “add ‘soccer practice’ to Thursday at 4pm”).

Gmail integration (optional; parent opt-in)

  • https://www.googleapis.com/auth/gmail.readonly — Sprout reads the parent's email to help parse and summarize school-related messages (field trip permission slips, grade updates, classroom announcements) that parents ask Sprout to help manage.
  • https://www.googleapis.com/auth/gmail.send — Sprout sends email only when the parent explicitly composes or authorizes a reply inside the Sprout Parent App. Sprout does not send email on the parent's behalf without per-message confirmation.

Commitments across all Google Workspace APIs (Gmail, Calendar)

  • No AI / ML training. Sprout does not use any data obtained through Google Workspace APIs (Gmail, Calendar) to develop, improve, or train generalized AI or ML models. Data sent to third-party AI providers to fulfill a parent's immediate request (Google Vertex AI under Zero Data Retention; OpenAI under a 30-day safety retention window without training rights) is not retained for training.
  • No advertising, no resale. Data obtained through Workspace APIs is never shared with third-party advertisers, never sold, and never used for any purpose not described in this policy.
  • Transient processing, short retention. Data accessed via Workspace APIs is stored only for the duration needed to answer the parent's immediate request and is deleted (or marked for deletion) within 30 days of the parent disconnecting the integration or deleting the Sprout account.
  • Encryption and access control as described in Section 3A apply to all Workspace API data handled by Sprout.
  • Parent control. Parents can disconnect Gmail or Calendar at any time in the Parent App under Settings → Integrations, or revoke Sprout's access from Google Account security settings (myaccount.google.com/permissions). Disconnection immediately stops new data retrieval and initiates deletion of any cached Workspace data.

Minimum scope use

Sprout requests only the scopes necessary for each integration's function. We do not request Drive, Photos, Contacts, Tasks, or any other restricted Workspace scope we do not actively use. Adding a new integration that requires additional scopes requires a new parent consent flow and a separate in-app opt-in.

What we keep after deletion

  • Consent audit records required by COPPA (log entries only; no child content).
  • De-identified aggregate statistics with no link to any individual child or family.

4. How We Share Children's Information

We do not sell, rent, or trade children's personal information. We do not share children's information for advertising purposes. We share children's information only with the following service providers, each contractually bound to use the data only for the purposes we specify.

  • SuperAwesome (KWS). Verifiable parental consent and age verification. Sprout only sees the success/fail token; the parent's verification details go directly to KWS. KWS is contractually limited to using the data for verification only.
  • Google LLC (Vertex AI / Gemini). Powers the Sprout coach, verifies activities children share, and generates parent-facing insights. Configured for Zero Data Retention on our Google Cloud project. Enterprise terms prohibit training on customer data.
  • OpenAI (where used). Where Sprout uses OpenAI for parts of the coach experience, processed content is retained for up to 30 days for abuse monitoring and is then deleted. Sprout is applying for Zero Data Retention; if granted, retention becomes zero. No training, no advertising, no resale.
  • Google LLC (Firebase Cloud Messaging). Push notification delivery. Device tokens only; no child content in notification payloads.
  • Google LLC (Cloud Platform). Infrastructure hosting. Data is encrypted at rest (AES-256) and in transit (TLS 1.3). Google Cloud is SOC 2/3 and ISO 27001 certified. Google's Cloud Data Processing Addendum covers COPPA compliance obligations.
  • Functional Software Inc. (Sentry). Error diagnostics. Device metadata and masked session context only; no child media, chat, photos, videos, or voice. 90-day auto-deletion.

All service providers that process children's data are bound by data processing agreements that require processor-only use, prohibit training on children's data, prohibit selling or using data for advertising, set retention and deletion procedures, require security controls consistent with or exceeding ours, and require breach notification.

5. Data Retention and Deletion

How long we keep children's data

  • Task proof photos or videos not linked to a task: 14 days (automatic deletion).
  • Task proof photos or videos linked to a task: until the task is deleted, the child's profile is deleted, or family dormancy.
  • Chat transcripts (child–AI conversations): until deleted by parent or family dormancy.
  • Keepsakes (media the parent explicitly saved): until the parent deletes them.
  • Child profile (name, age, grade): until deletion or family dormancy.
  • Task records, gems, scores, rewards: while the account is active.
  • AI-generated learning analysis: while the account is active.
  • Crash reports (device metadata only): 90 days (automatic deletion).
  • Server logs (no child content): 30 days (automatic deletion).

Family dormancy

If no member of a family uses Sprout for 12 consecutive months, we consider the family dormant. All children's data is deleted. The parent account is preserved so the parent can return. Keepsakes the parent explicitly saved are preserved. Returning requires re-consent and re-creating child profiles.

When a parent requests deletion

  • Delete data from our primary systems within 24 hours (target).
  • Purge backup copies within 7 days.
  • Confirm full deletion across all systems and service providers within 30 days.
  • Send deletion requests to applicable service providers.

What we keep after deletion

  • Consent audit records (legal compliance requirement; no child media or content).
  • De-identified aggregate statistics with no link to any individual.

6. Parental Consent

How we obtain consent

Sprout uses KWS (Kids Web Services) to obtain full Verifiable Parental Consent under COPPA (16 CFR Section 312.5(b)). KWS is an industry-standard children's-privacy verification service that confirms the user is an adult and is the child's parent or guardian. The parent creates an account, reviews a clear disclosure, affirmatively consents, and completes KWS verification. Sprout never sees the documents or details shared with KWS; only the success/fail confirmation. No child data is collected before this step completes.

Pending account information

If you create an account but do not complete KWS verification, the personal information you entered is held in a non-accessible, hashed form. We cannot access it, use it, or share it. We do not use it to send you reminder emails. If KWS is not completed within 14 days, the pending account information is automatically and permanently deleted.

Fallback: Email Plus

If KWS is unavailable for any reason, Sprout falls back to the Email Plus method of verifiable parental consent (16 CFR Section 312.5(b)(2)): the same in-app disclosure followed by an email containing a verification link and a summary of data practices.

Withdrawing consent

Parents may withdraw or modify consent at any time in the App (Settings → Privacy → Manage Consent) or by emailing support@sproutparental.com. When consent for a capability is withdrawn, that feature is immediately disabled and no further data is collected for that purpose. Previously collected data under that scope can be deleted on request.

7. Your Rights as a Parent

Under COPPA, you have the following rights regarding your child's personal information:

  • Review. View all personal information collected from your child within the Parent App.
  • Export. Request a complete download of all your family's data (JSON plus original media) by emailing support@sproutparental.com.
  • Delete. Remove individual items, a child's profile, or the entire family account from within the App.
  • Refuse further collection. Withdraw consent for specific capabilities or delete the child's profile.

We will respond to all requests within 48 hours and complete the requested action within 30 days.

8. Security

  • Encryption in transit: TLS 1.3 on all external connections.
  • Encryption at rest: AES-256 across database, file storage, and backups.
  • Access controls: Role-based access with multi-factor authentication.
  • Network security: Database is not publicly accessible. WAF and DDoS mitigation at the edge.
  • Data isolation: Families' data isolated at the database level using Row-Level Security.
  • Logging controls: Raw child content is never written to logs; PII is redacted automatically.
  • Consent enforcement: Three independent layers prevent data collection without consent (client gating, server validation, storage-level controls).
  • No tracking in the Child App: No third-party analytics, advertising SDKs, or behavioral tracking.

9. Changes to this Policy

We may update this Children's Privacy Policy from time to time. If we make material changes to how we collect, use, or share children's personal information, we will notify parents via email and in-app notification before the changes take effect, obtain new consent where required, and update the “Last updated” date above.

10. Contact

Questions about privacy? Contact us at support@sproutparental.com or call (989) 476-1994. You may also contact the PRIVO Safe Harbor program at privacy@privo.com.