Sprout Children's Privacy Policy

Effective Date: April 23, 2026

Last Updated: June 2, 2026

Version: 1.3

Introduction

Sprout Good Habits, Inc. ("Sprout," "we," "us," or "our") operates the Sprout mobile application (the "App"), which consists of a Parent App and a Child App. Sprout also operates a web app for parents, app.sproutgoodhabits.com, where parents can register for our service. This Children's Privacy Policy explains how we collect, use, disclose, and protect personal information from children under 13 years of age ("children") through the Sprout App.

We are committed to complying with the Children's Online Privacy Protection Act ("COPPA") and its implementing rules (16 CFR Part 312). Sprout participates in the PRIVO Kids Privacy Assured COPPA safe harbor certification Program.

Important: A parent or legal guardian ("parent") must create and manage the Sprout account. Children cannot create accounts, provide personal information to us, or use the App without verifiable parental consent.

PRIVO COPPA Safe Harbor Certification

Sprout Good Habits, Inc. is a member of the PRIVO Kids Privacy Assured COPPA safe harbor certification Program ("the Program"). The Program certification applies to the digital properties listed on the certification page that is viewable by clicking on the PRIVO Seal. PRIVO is an independent, third-party organization committed to supporting online services to safeguard children's personal information collected online. The PRIVO COPPA safe harbor certification Seal posted on this page indicates Sprout Good Habits, Inc. has established COPPA compliant privacy practices and has agreed to submit to PRIVO's oversight and consumer dispute resolution process. If you have questions or concerns about our privacy practices, please contact us at (989) 476-1994 or privacy@sproutparental.com. If you have further concerns after you have contacted us, you can contact PRIVO directly at privacy@privo.com.

1. Operator Contact Information

Sprout Good Habits, Inc.

1111B S Governors Ave STE 28408

Dover, DE 19904 US

Privacy questions: privacy@sproutparental.com

General support: support@sproutparental.com

Phone: (989) 476-1994

2. Information We Collect From Children

We collect the following categories of personal information from or about children under 13. All information is collected with verifiable parental consent (see Section 6).

Information Provided by Parents on Behalf of Their Child

Information | Purpose
Child's first name or nickname | Display within the family's app experience and AI personalization
Date of birth | Age-appropriate content selection (age tiers: 4-6, 7-9, 10-13)
Grade level | Educational context for task and content recommendations

Information Provided by the Child During App Use

Information | Purpose
Text messages in task conversations | Conversational interaction with the Sprout AI assistant to complete tasks
Voice recordings | Voice chat with the Sprout AI assistant and voice-based task completion
Photographs | Task proof, such as verifying that a task was completed
Video recordings | Task proof, such as verifying task completion through video evidence

Information Collected Automatically

Information | Purpose
Device information (platform, OS version, app version, device model) | App compatibility, debugging, and update management
Device identifier | Device management and push notification delivery
Push notification token | Delivering push notifications about tasks and rewards
IP-derived approximate location (city-level only) | Content localization. Derived from IP address using a local lookup database and not transmitted to any third party.
Task completion records, gem balance, reward history | Core app functionality, including task progress and the reward economy
Crash reports and error diagnostics | Identifying and fixing bugs. No child media, chat content, or personally identifying information is included in crash reports. Device metadata only (platform, OS version, app version).

Information We Do NOT Collect From Children

  • We do not collect a child's full name, home address, phone number, Social Security number, or any government-issued identifier.
  • We do not collect a child's email address. Children do not have accounts; they are profiles within a parent's account.
  • We do not use cookies, behavioral tracking, or advertising identifiers in the Child App.
  • We do not permit children to make their personal information publicly available.

3. How We Use Children's Information

We use children's personal information only for the following purposes:

Purpose | Information Used | How It Works
AI-guided task completion | Text chat, voice recordings, photos, videos | The Sprout AI assistant guides children through tasks, responds to questions, and verifies task completion.
Task progress tracking | Task completion records, gem balance | The App tracks which tasks are completed, gems earned, and rewards claimed. This information is visible to the child and their parent.
Parent visibility | All child information listed above | Parents can view their child's tasks, conversations, proof submissions, and progress at any time within the Parent App.
AI-generated learning insights | Task completion records, scores, streaks | We generate summaries of a child's progress that are shown only to the parent.
Push notifications | Device token, push notification token | With parental consent, we send task reminders and reward notifications to the child's device.
Bug fixing and reliability | Crash reports, device metadata | We use error reports to identify and fix bugs. No child media or chat content is included.

We do NOT use children's information for:

  • Advertising or marketing to children.
  • Behavioral profiling or targeting.
  • Training AI models on children's data.
  • Any purpose not described in this policy.

3A. Data Protection for Sensitive Data

Sprout treats child data (media, voice, chat) and account authentication data (including data obtained through Google Sign-In or Sign in with Apple) as sensitive and applies the controls described in this section. Additional detail on incident response and vendor posture appears in Section 8 (Security).

Encryption

  • In transit: All traffic between the Sprout app, our servers, and every service provider is encrypted using TLS 1.2 or higher, with TLS 1.3 negotiated by default.
  • At rest: Child media, voice recordings, chat transcripts, and task records are encrypted with AES-256. Operational data in PostgreSQL is protected by Supabase's transparent disk encryption (AES-256, provider-managed keys). Backups inherit the same encryption.

Access Control

  • Access follows the principle of least privilege. Each backend service uses a scoped service account limited to the data categories it needs. No service has blanket database access.
  • Administrative access is restricted to the co-founders and is gated by single sign-on plus multi-factor authentication. All administrative actions are audit-logged.
  • Row-Level Security policies isolate one family's data from another at the database layer.

Key Management and Rotation

  • Encryption keys for data at rest are managed by Google Cloud KMS and Supabase's managed key infrastructure. Provider-managed keys rotate on the provider's schedule.
  • API credentials, OAuth client secrets, and database passwords are stored in Google Secret Manager. Production credentials are rotated at least annually and immediately on any suspected exposure.

Audit Logging and Monitoring

  • Authentication events, administrative actions, and access to child-data tables are audit-logged in Google Cloud Logging. Security-relevant events are retained beyond the operational 30-day log window.
  • Application logs are access-controlled and retained only for operational security and reliability. Personally identifiable information is redacted from logs where appropriate.

Separation Between Parent App and Child App

  • The Parent App and Child App are distinct binaries with different App Store identities, store categories, and data-collection profiles.
  • The Child App contains no third-party analytics, no advertising SDKs, and no cross-app tracking identifiers. It does not present Apple's App Tracking Transparency prompt because it collects no data used for cross-app tracking.
  • Firebase Analytics is not used.
  • Data flows between the two apps are mediated by our backend with consent checks on every access.

Third-Party AI Processing

  • Google (Vertex AI): Configured for Zero Data Retention on our production Google Cloud project. No child data is retained by Google after the API response returns. Enterprise terms prohibit use of customer data for model training.
  • Anthropic (Claude): Configured for Zero Data Retention. No data is retained by Anthropic after the API response returns. Enterprise terms prohibit use of customer data for model training.
  • OpenAI (where used): Processed content, including any voice audio and transcripts used in content-safety review, is retained by OpenAI for up to 30 days for abuse monitoring and is then deleted. This is a safety-retention window, not a training corpus. Sprout's enterprise terms with OpenAI prohibit use of customer data for model training, advertising, or resale.
  • All other processors (SuperAwesome / KWS, Supabase, Firebase Cloud Messaging, Sentry, Google Cloud Platform, Expo) operate under data-processing agreements that prohibit training, resale, and advertising use of Sprout data.

3B. Data Retention and Deletion Commitments

This section summarizes Sprout's retention and deletion commitments across all user data categories, including data obtained through Google OAuth (Google Sign-In) and Sign in with Apple. The detailed retention table for children's data appears in Section 5; the commitments below apply to all users, including parents who sign in with a third-party identity provider.

Account Lifecycle

  • Active account: Parent account data (name, email, password hash, or third-party identifier from Google or Apple) is retained while the account is active and while the parent continues to use Sprout.
  • Inactive accounts (family dormancy): After 12 consecutive months of no family activity, we delete all child data. We may retain the parent account record, including parent contact information, for up to 24 months after dormancy so the parent can return and reactivate the account. If the parent does not return during that period, the parent account record is deleted or de-identified, except for limited records we are legally required to keep.
  • Pending accounts: Accounts created but not completed through KWS verifiable parental consent are held in a non-accessible, hashed form and automatically deleted on a regular schedule, no later than 30 days after creation. Pending data cannot be exported, queried internally, or used to send reminder emails.

Safety Retention Windows for AI Processing

  • Google (Vertex AI): Zero retention. Our production Google Cloud project is configured for Zero Data Retention.
  • Anthropic (Claude): Zero retention. Configured for Zero Data Retention under enterprise terms; no data is retained after the API response returns.
  • OpenAI: Up to 30 days of safety retention for voice audio and transcripts processed for content-safety review. This window exists for abuse monitoring, not training; Sprout's enterprise terms prohibit OpenAI from training on customer data.

Deletion on Parent Request

  • Parents can delete their account, individual child profiles, or specific records directly in the Parent App under Settings > Account > Delete. This in-app flow satisfies App Store and Google Play account-deletion requirements.
  • Deletion is propagated across our operational database, backups, and third-party processors within 30 days. Primary database records and storage media are hard-deleted within 24 hours; backup copies age out within 7 days.
  • When a parent signs in with Apple, deletion of the Sprout account also revokes the Sign in with Apple token per Apple's token-revocation requirement. Parents who used Google Sign-In can additionally revoke Sprout's access from their Google Account security settings at any time.
  • Deletion requests by email to privacy@sproutparental.com are honored on the same timeline.

Google User Data and OAuth Scopes

All Google OAuth scopes below are requested from the parent only. The Child App never connects to a parent's Google account and never receives Gmail or Calendar data. Integrations are opt-in per parent; declining or disconnecting an integration does not affect any other part of Sprout.

Base authentication (every Google Sign-In):

  • https://www.googleapis.com/auth/userinfo.email - the parent's Google email address, used only to identify the Sprout account and for support contact.
  • https://www.googleapis.com/auth/userinfo.profile - the parent's name and profile picture, used only to personalize the Parent App.

Google Calendar integration (optional; parent opt-in):

  • https://www.googleapis.com/auth/calendar.readonly - Sprout reads the parent's calendar to understand the family's schedule when the parent asks Sprout for help coordinating family activities (for example, "what's on my Tuesday evening?").
  • https://www.googleapis.com/auth/calendar.events - Sprout creates, modifies, or removes calendar events only when the parent explicitly asks (for example, "add soccer practice to Thursday at 4pm").

Gmail integration (optional; parent opt-in):

  • https://www.googleapis.com/auth/gmail.send - Sprout sends email only when the parent explicitly composes or authorizes a reply inside the Sprout Parent App. Sprout does not send email on the parent's behalf without per-message confirmation.

Commitments across all Google Workspace APIs (Gmail, Calendar):

The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

  • No AI / ML training. Sprout does not use any data obtained through Google Workspace APIs (Gmail, Calendar) to develop, improve, or train generalized AI or ML models. Workspace API data is processed only by Google Vertex AI and Anthropic Claude, both configured for Zero Data Retention, to fulfill the parent's immediate request, and is not retained for training.
  • No advertising, no resale. Data obtained through Workspace APIs is never shared with third-party advertisers, never sold, and never used for any purpose not described in this policy.
  • Transient processing, short retention. Data accessed via Workspace APIs is stored only for the duration needed to answer the parent's immediate request and is deleted (or marked for deletion) within 30 days of the parent disconnecting the integration or deleting the Sprout account.
  • Encryption and access control as described in Section 3A apply to all Workspace API data handled by Sprout.
  • Parent control. Parents can disconnect Gmail or Calendar at any time in the Parent App under Settings > Integrations, or revoke Sprout's access from Google Account security settings (myaccount.google.com/permissions). Disconnection immediately stops new data retrieval and initiates deletion of any cached Workspace data.

Minimum scope use. Sprout requests only the scopes necessary for each integration's function. We do not request Drive, Photos, Contacts, Tasks, or any other restricted Workspace scope we do not actively use. Adding a new integration that requires additional scopes requires a new parent consent flow and a separate in-app opt-in.

What We Keep After Deletion

Only two categories of data survive deletion:

  • Consent audit records required by COPPA (log entries only; no child media, no child content).
  • De-identified aggregate statistics with no link to any individual child or family.

4. How We Share Children's Information

We do not sell, rent, or trade children's personal information or amass a profile of a child to advertise to them. We do not share children's information for advertising purposes. We share children's information only with the following service providers, each of which is contractually bound to use the data only for the purposes we specify:

Service Providers That Process Children's Data

1. Supabase Inc. - Authentication, Database, and Storage

What they receive: Parent account records, family records, child profiles, task records, gem balances, chat transcripts, AI-generated insights, and media files needed to operate the service.

What they do: Supabase provides authentication, database, and storage services for the Sprout app. Sprout controls all data, schemas, and access policies.

How long they keep it: Per our retention policy in Section 5. Sprout controls the data lifecycle.

What they cannot do: Supabase may process Sprout data only to provide its hosted backend services and may not sell the data, use it for advertising, or use it to train AI models.

2. Google LLC (Vertex AI) - Child AI Processing

What they receive: Voice recordings, text chat messages, images shared during task conversations, task proof media, and task records for AI processing.

What they do: Sprout uses Google Vertex AI for parts of the coach experience, task guidance, proof verification, and parent-facing insights.

How long they keep it: Zero. Vertex AI is configured for Zero Data Retention. No children's data is retained after the API response is returned.

What they cannot do: Google is contractually prohibited from training AI models on children's data, selling or sharing the data, or using it for advertising or profiling.

3. OpenAI - Child AI Processing

What they receive: Voice recordings, text chat messages, images, task proof media, and task records for AI processing.

What they do: Sprout uses OpenAI models for parts of the coach experience.

How long they keep it: OpenAI retains processed content for up to 30 days for abuse monitoring, then deletes it.

What they cannot do: OpenAI is contractually prohibited from training AI models on children's data, selling or sharing the data, or using it for advertising or profiling.

4. Anthropic, PBC (Claude) - Child AI Processing

What they receive: Conversational text and voice transcripts for parts of the Sprout coach and parent assistant.

What they do: Anthropic powers parts of the coach and parent assistant, including the agent experience that handles Workspace integrations when the parent explicitly invokes them.

How long they keep it: Zero. Anthropic is configured for Zero Data Retention. No children's data is retained after the API response is returned.

What they cannot do: Anthropic's enterprise terms prohibit training on customer data, advertising use, and resale.

5. Google LLC (Firebase Cloud Messaging) - Notifications Only

What they receive: Device tokens for push notification delivery. No child content, names, or personal information is included in notification payloads.

What they do: Deliver push notifications, such as task reminders and reward notifications, to the child's device.

How long they keep it: The device push token is kept only while the device is registered and the account is active. It is deleted when the device is removed, the child's profile or account is deleted, or after 12 consecutive months of family dormancy, and in no case is an unused token kept longer than 180 days of inactivity (see Section 5).

What they cannot do: Google may process device tokens only to deliver notifications and may not sell the data, use it for advertising, or use it to train AI models.

6. Google LLC (Cloud Platform) - Infrastructure

What they receive: API requests and related operational metadata necessary to run Sprout's backend infrastructure and platform services.

What they do: Google Cloud Platform provides infrastructure and platform services for Sprout, including server hosting, logging, secrets management, and related operational services.

How long they keep it: Cloud Run is stateless. Cloud Logging records are retained for 30 days unless they are security-relevant. Other data follows Sprout's retention policy.

What they cannot do: Google may process Sprout data only to provide contracted cloud services and may not sell the data, use it for advertising, or use it to train AI models. Google's Cloud Data Processing Addendum covers compliance obligations.

7. Functional Software Inc. (Sentry) - Error Diagnostics

What they receive: Crash reports and error diagnostics from both the Parent App and Child App. This includes device information such as platform, OS version, app version, and masked session context. Sentry does not receive child media, chat content, photographs, videos, or voice recordings.

What they do: Sentry helps Sprout identify, troubleshoot, and fix app errors, crashes, and reliability issues.

How long they keep it: 90 days, then automatically deleted.

What they cannot do: Sentry may process Sprout data only to provide error-monitoring and diagnostics services. Sentry may not sell the data, use it for advertising, or use it to train AI models.

8. SuperAwesome (KWS) - Verifiable Parental Consent

What they receive: Parent identity and age verification information that the parent provides directly to KWS during the consent flow. Sprout does not see this information; it sees only the success/fail token KWS returns.

What they do: Verify that the user creating a Sprout account is an adult and is the child's parent or guardian. This is the verifiable parental consent mechanism Sprout uses to comply with COPPA.

How long they keep it: Per KWS's own retention policy. Sprout does not store or have access to the underlying verification details.

What they cannot do: KWS is contractually limited to using the data for verification purposes only.

How We Protect Data Shared With Service Providers

All service providers that process children's data are bound by data processing agreements that require:

  • Using data only for the purposes we specify (processor-only use).
  • Prohibition on training AI models on children's data.
  • Prohibition on selling, sharing, or using data for advertising.
  • Defined retention limits and deletion procedures.
  • Security controls consistent with or exceeding our own.
  • Breach notification obligations.

If you have any questions or would like more information about the data collected and processed by the service providers used by Sprout, please contact privacy@sproutparental.com.

How We Moderate Input and Output Data To Protect Families

Sprout is committed to creating a safe, age-appropriate environment for children and families. Our content moderation system is designed to help prevent exposure to harmful, inappropriate, or unsafe material across AI-driven experiences and interactive content. Sprout uses automated moderation, real-time AI safety checks, and human review and escalation where appropriate. Our approach evolves to reflect best practices and regulatory standards in child safety, privacy, and digital wellbeing.

5. Data Retention and Deletion

How Long We Keep Children's Data

Data Type | How Long We Keep It | Automatic Deletion?
Task proof photographs and videos (one-off, not linked to a specific task) | 14 days | Yes, automatically deleted
Task proof photographs and videos (linked to a task) | Until the task is deleted, the child's profile is deleted, or family dormancy | No, deleted on parent action or dormancy
Chat transcripts (child-AI conversations) | Until deleted by parent or family dormancy | No, deleted on parent action or dormancy
Keepsakes (media the parent explicitly chose to save) | Until the parent deletes them or closes the account | No, parent controls this
Child profile (name, age, grade) | Until the child's profile is deleted or family dormancy | No, deleted on parent action or dormancy
Task records, gems, scores, rewards | While the account is active; deleted on dormancy | No
AI-generated learning analysis | While the account is active; deleted on dormancy | No
Crash reports and error diagnostics (device metadata only) | 90 days | Yes, automatically deleted
Server logs | 30 days | Yes, automatically deleted

Family Dormancy

After 12 consecutive months of no family activity, we delete all child data. We may retain the parent account record, including parent contact information, for up to 24 months after dormancy so the parent can return and reactivate the account. If the parent does not return during that period, the parent account record is deleted or de-identified, except for limited records we are legally required to keep.

When a Parent Requests Deletion

When you request deletion (see Section 7 - Your Rights), we:

  • Delete data from our primary systems within 24 hours (target).
  • Purge backup copies within 7 days.
  • Confirm full deletion across all systems and service providers within 30 days.
  • Send deletion requests to applicable service providers where needed. Sentry data auto-deletes after 90 days; Google Vertex AI and Anthropic retain zero data under ZDR.

What We Keep After Deletion

After deletion, we retain only:

  • Consent audit records: A log that parental consent was obtained, modified, or revoked (legal compliance requirement). These records contain no child media or content.
  • De-identified aggregate statistics: Usage metrics with no link to any individual child or family.

6. Parental Consent

How We Obtain Consent

Sprout uses KWS (Kids Web Services) to obtain full Verifiable Parental Consent under COPPA (16 CFR Section 312.5(b)). KWS is an industry-standard children's-privacy verification service that confirms the user is an adult and is the child's parent or guardian.

  1. Account creation: A parent creates an account using their email address. The information you enter here is held in a non-accessible form until you complete KWS verification (see "Pending Account Information" below).
  2. In-app disclosure: Before any child data is collected, the parent is presented with a clear, complete disclosure of our data practices within the App. This disclosure describes what information we collect, how we use it, and who we share it with.
  3. Affirmative consent: The parent reviews the disclosure and affirmatively consents.
  4. KWS verification: The parent is handed off to the KWS service, which verifies their identity and adulthood. The exact verification method is chosen by KWS and may include credit card authorization, government-issued ID, or knowledge-based verification. Sprout never sees the documents or details you share with KWS; it sees only the success/fail confirmation.
  5. Activation: Only after KWS confirms is consent recorded, the pending account information promoted to active, and child features unlocked. No child data is collected before this step is complete.

Sprout uses KWS under its standard Data Processing Addendum.

Pending Account Information

If you create an account but do not complete KWS verification, the personal information you entered is held in a non-accessible, hashed form. We cannot access it, use it, or share it. We do not use it to send you reminder emails. Pending account information is automatically and permanently deleted on a regular schedule, no later than 30 days after account creation.

What Consent Covers

Consent is requested for the following capabilities:

Capability | What It Enables
Account and profile | Creating a child profile with name, age, and grade
Media capture and storage | Photo, video, and audio recording for task proofs
AI processing | Sending child data to our AI service providers for task guidance, completion verification, and parent insights. Google Vertex AI and Anthropic are configured for Zero Data Retention; OpenAI retains processed content for up to 30 days for abuse monitoring, then deletes it.
Parent review | Storing task proofs and conversations so the parent can review them
Push notifications | Sending task reminders and reward notifications to the child's device
Operational metrics | Collecting limited operational data for service improvement, debugging, and reliability
Learning analysis | Using task records to generate AI-powered learning insights for the parent

Withdrawing or Modifying Consent

Parents may withdraw or modify consent at any time:

  • In the App: Settings > Privacy > Manage Consent. Individual capabilities can be disabled independently.
  • By contacting us: Email privacy@sproutparental.com.
  • Effect: When consent for a capability is withdrawn, that feature is immediately disabled and no further data is collected for that purpose. Previously collected data under that consent scope can be deleted on request.

7. Your Rights as a Parent

Under COPPA, you have the following rights regarding your child's personal information:

Review

You may review all personal information we have collected from your child at any time. Within the Sprout Parent App, you can view:

  • Your child's profile information (name, age, grade).
  • All task records, gem balances, and reward history.
  • All chat transcripts between your child and the Sprout AI assistant.
  • All photographs, videos, and audio recordings submitted as task proofs.
  • AI-generated learning insights about your child.

Export

You may request a complete download of all your family's data, including all child data, in a portable format (JSON data files plus original media files). To request an export, contact privacy@sproutparental.com.

Delete

You may delete your child's personal information at any time:

  • Delete specific items: Remove individual photos, videos, chat messages, or task records within the App.
  • Delete a child's profile: Remove all data associated with a specific child (profile, tasks, conversations, media, gems, AI analysis). This is permanent and cannot be undone.
  • Delete your family account: Remove all family data, including all child profiles and parent data.

Deletion requests are processed within 24 hours for primary systems and confirmed complete within 30 days across all systems and service providers.

Refuse Further Collection

You may refuse to permit further collection of your child's personal information at any time by:

  • Withdrawing consent for specific capabilities (Settings > Privacy > Manage Consent).
  • Deleting your child's profile.
  • Contacting us at privacy@sproutparental.com.

If you refuse further collection and do not delete the account, existing data will be retained per our retention policy (Section 5) unless you also request deletion.

How to Exercise Your Rights

We will respond to all requests within 48 hours and complete the requested action within 30 days.

8. Security

We protect children's personal information using the following measures:

  • Encryption in transit: All data transmitted between the App and our servers, and between our servers and service providers, is encrypted using TLS 1.3.
  • Encryption at rest: All stored data (database, file storage, backups) is encrypted using AES-256.
  • Access controls: Access to children's data is restricted to authorized systems and personnel using role-based access controls with multi-factor authentication.
  • Network security: Our database is not publicly accessible. All infrastructure is protected by firewalls, Web Application Firewalls (WAF), and DDoS mitigation.
  • Data isolation: Families' data is isolated from one another at the database level using Row-Level Security policies.
  • Logging controls: Application logs are access-controlled and retained only for operational security and reliability. Personally identifiable information is redacted where appropriate.
  • Consent enforcement: Three independent layers prevent data collection without consent: client-side feature gating, server-side token validation, and storage-level write controls.
  • No tracking in child experience: No third-party analytics SDKs, advertising networks, behavioral tracking tools, or Firebase Analytics are used in the Child App.
  • Security reviews: Sprout reviews its security policies, technical safeguards, and incident-response procedures at least annually and after material system changes to keep protections current.

9. Changes to This Policy

We may update this Children's Privacy Policy from time to time. If we make material changes to how we collect, use, or share children's personal information, we will:

  1. Notify parents via email and in-app notification before the changes take effect.
  2. Obtain new consent if the changes involve collecting new categories of personal information, sharing information with new service providers, or using information for new purposes not covered by the original consent.
  3. Update this document with a new "Last Updated" date.

Non-material changes (clarifications, formatting, updated contact information) may be made without advance notice but will always be reflected in the "Last Updated" date.

10. Contact Us

If you have questions or concerns about this privacy policy or our data practices:

Sprout Good Habits, Inc.

1111B S Governors Ave STE 28408

Dover, DE 19904 US

Email: privacy@sproutparental.com

General support: support@sproutparental.com

Phone: (989) 476-1994

PRIVO Safe Harbor Program

Privacy Vaults Online, Inc.

17949 Main St. #1025

Dumfries, VA 22026

Email: privacy@privo.com

Addendum A: European Economic Area and United Kingdom

This section applies if you or your child is located in the EEA or UK. Where this addendum conflicts with the main policy, this addendum controls.

Data controller. Sprout Good Habits, Inc. is the data controller.

Legal basis. We process your child's personal data on the basis of your consent as the holder of parental responsibility (GDPR Article 6(1)(a), Article 8). For crash reports and security logging, we rely on our legitimate interest in maintaining a safe and functional service (Article 6(1)(f)), balanced against the limited nature of the data involved.

Age of consent. GDPR member states set the age of digital consent between 13 and 16. Where you live may affect when your child can manage their own consent. Until then, parental consent governs.

Your additional rights under GDPR. In addition to the rights described in Section 7, you have the right to request erasure, receive your child's data in a structured and machine-readable format, restrict processing, object to processing based on legitimate interest, and lodge a complaint with your local data protection authority.

International transfers. Your child's data is processed by service providers in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission or by the EU-US Data Privacy Framework where the provider is certified.

Automated decision-making. The Sprout AI coach processes your child's inputs to guide activities and verify completions. These are assistive, not autonomous, decisions: the AI suggests and responds, but does not make decisions with legal or similarly significant effects on your child. No automated decision solely determines access to features or content without parental configuration.

UK Children's Code. Sprout is designed in accordance with the UK Age Appropriate Design Code (Children's Code). Privacy settings default to their most protective level. We do not use nudge techniques, dark patterns, or design elements that encourage children to weaken their privacy protections.

Addendum B: California Residents

This section applies if you are a California resident.

CCPA/CPRA categories. The categories of personal information we collect are described in Section 2. We collect identifiers (name, device ID), internet activity (activity records, chat transcripts), audio/visual information (voice recordings, photos, videos), geolocation (city level), and inferences (AI-generated learning insights). Sources: directly from parents, directly from children during app use, and automatically from devices.

No sale or sharing. We do not sell personal information. We do not share personal information for cross-context behavioral advertising. This applies to all users, including minors under 16.

Sensitive personal information. Children's personal data is treated as sensitive personal information under CPRA. We use it only as described in this policy and do not use it for purposes beyond what is necessary to provide the service.

Your California rights. You have the right to know what personal information we collect, disclose, and sell (we sell none). You have the right to delete, correct, and limit the use of sensitive personal information. You have the right to not be discriminated against for exercising these rights. To submit a request, email privacy@sproutparental.com or use the in-app controls described in Section 7.

California Age-Appropriate Design Code. Sprout complies with California's AADC (AB 2273). We conduct data protection impact assessments for features likely accessed by children, default to high-privacy settings, and do not use dark patterns.