Privacy Policy

1. Introduction

Tapo: Craft Adventures is operated by Linfield Labs AB ("we," "us," "our"). This Privacy Policy explains how we collect, use, store, and protect personal data when parents or guardians use the Tapo World mobile app and related website (the "Service"). We comply with the EU General Data Protection Regulation (GDPR), the Children's Online Privacy Protection Act (COPPA), and other applicable privacy laws. For privacy questions, contact privacy@linfieldlabs.com.

2. Who Uses the App

The app interface—including account creation, login, and data entry—is intended for parents or guardians. Kids participate in the craft activities offline, guided by the parent. We do not collect personal data directly from children under 13.

3. Data We Collect from Parents

We do not collect precise geolocation, audio recordings, advertising identifiers, or biometric data.

4. How We Use Data

• Provide and maintain the Service (login, progress sync, story audio, journal entries)
• Authenticate parents and secure accounts
• Process purchases and restore entitlements through App Store / RevenueCat
• Improve reliability via crash/usage analytics
• Respond to support requests and protect against fraud
• Comply with legal obligations (tax and audit records)

5. Legal Bases (GDPR)

• Performance of a Contract (Art. 6(1)(b)) – running the app you signed up for
• Consent (Art. 6(1)(a)) – optional marketing or email updates (if ever offered)
• Legitimate Interests (Art. 6(1)(f)) – product analytics, service protection
• Legal Obligations (Art. 6(1)(c)) – accounting and regulatory compliance

6. Sharing & Service Providers

We never sell personal data. We only share what's necessary with trusted processors:

• Supabase (EU hosting) – database, authentication, Maker Journal storage
• RevenueCat & Apple – purchase processing and entitlement syncing
• PostHog – privacy-focused product analytics and diagnostics, configured without directly identifying information or advertising identifiers
• Other analytics/crash services (if used) – aggregated diagnostics used only to improve reliability and performance, never for targeted advertising
• Support Tools – to respond to parent inquiries
• Regulators – if required by law

When data leaves the EU/EEA, we rely on Standard Contractual Clauses or other lawful safeguards.

7. Analytics & PostHog

We use PostHog, a privacy-focused analytics tool, to understand how parents use the app (for example, which screens are opened and which features are used) and to improve performance and stability. We configure PostHog so that it does not receive names, email addresses, or other directly identifying information. We do not use PostHog for advertising, retargeting, or tracking you across apps or websites owned by other companies.

The information sent to PostHog includes non-identifying usage events, coarse technical information (such as device type, operating system version, and app version), and performance or crash diagnostics. This information is used in aggregate to understand app performance and reliability. We do not use PostHog to identify individual users.

For Apple App Store disclosures, the data we collect via analytics is classified as usage data and diagnostics used only for product improvement and app functionality. It is not used to create marketing profiles, to show third-party ads, or to track you across other apps or websites.

If you would like us to disable analytics associated with your account or request deletion of analytics data we control that is linked to your account, you can contact us at privacy@linfieldlabs.com.

8. Children's Privacy & COPPA

• Kids interact with crafts in the real world; they do not create accounts or enter data in the app.
• All content stored in the app (progress, journal photos) is entered by the parent.
• Parents control the account and can delete data at any time (see Section 11).
• Because we do not collect personal data directly from children, COPPA consent requirements are satisfied by limiting access to parents/guardians.

9. Data Retention

• Parent account and progress data remain while the account is active.
• Maker Journal content stays until the parent deletes it or closes the account.
• Purchase records are kept as long as needed for financial/legal compliance.
• Support communications are stored for up to 24 months unless deletion is requested earlier.

10. Your Rights (EEA/GDPR)

Parents can contact privacy@linfieldlabs.com to exercise:

• Access, correction, deletion
• Restriction or objection to processing
• Data portability
• Withdrawal of consent (without affecting prior lawful processing)
• Complaint to a supervisory authority (e.g., Sweden's IMY)

11. How to Delete Your Data

Use the in-app Delete Account option (Profile → Delete Account) to permanently remove your parent account, Maker Journal entries, progress, and purchases stored in Supabase.

Or email privacy@linfieldlabs.com and we will respond within 30 days.

12. Security

We use encrypted transport (HTTPS), hashed passwords, and access controls. While no system is perfectly secure, we take reasonable steps to protect personal data and encourage parents to keep credentials confidential.

13. International Transfers

If data is processed outside the EU/EEA, we rely on Standard Contractual Clauses or equivalent safeguards so that your information receives the same level of protection.

14. Updates

We may update this policy to reflect new features or legal requirements. Significant changes will be communicated in-app or via email. Continued use after the effective date indicates acceptance.

15. Contact Us