Siraar

Privacy policy

Effective May 1, 2026.

Siraar (“Siraar,” “we,” or “us”) builds a children's reading and discovery experience. This policy explains what we collect, why we collect it, and the choices you have. We treat children's data with extra care: the kid app contains no third-party advertising or tracking SDKs, and we never sell personal information.

Summary (the short version)

  • Parents create the account; children do not register or log in.
  • The only information we keep about a child is a display name, an avatar configuration, and the month and year of birth — never a full date of birth, last name, or photo.
  • Children's display names and avatar config are encrypted at rest.
  • We do not show advertising, run third-party analytics on the kid app, or build behavioral profiles.
  • You can review or delete your child's data at any time from the parent dashboard, or by emailing [email protected].

1. Compliance frameworks

Siraaris designed to comply with the U.S. Children's Online Privacy Protection Act (COPPA) and aligned global child-protection regimes (the UK Age Appropriate Design Code and the EU GDPR-K). Where these regimes diverge we apply the strictest standard.

2. Information we collect

2.1 From parents

  • Name and email address (used for account login and transactional email).
  • Authentication tokens and session metadata (managed by our auth provider, Clerk).
  • Billing information, if you subscribe (processed by Stripe or RevenueCat — we never store card numbers ourselves).
  • Support correspondence you send us.

2.2 From children (only what is strictly necessary)

  • A display name you and your child choose together.
  • An avatar configuration (colors and accessories).
  • Birth month and year — we do not store the day.
  • Reading activity: which topics and entries were opened, and which were marked complete. Used to power the parent dashboard and to help your child resume where they left off.

2.3 What we do NOT collect from children

  • Last name, full date of birth, address, or phone number.
  • Photos uploaded by children, voice recordings, or precise geolocation.
  • Behavioral profiles, device advertising IDs, or third-party tracking events.
  • Any data from third-party social logins. The kid app has no social-sign-in.

3. How we use information

  • To operate the service: render content, sync reading progress across devices, send a transactional email if you reset your password.
  • To keep the service safe: detect abuse, debug issues, comply with legal requests.
  • To improve content: aggregated, de-identified statistics about which topics are popular. Never individual child profiling.

4. How information is shared

We share data only with the service providers we need to operate:

  • Clerk (authentication for parents only).
  • Neon (managed Postgres database).
  • Cloudflare (CDN, content storage, DNS).
  • Fly.io (API hosting).
  • Stripe / RevenueCat (billing, parents only).
  • Resend or equivalent transactional email provider — for parent password resets, never for marketing to children.

We sign data-processing agreements with each provider. We do not sell personal information, and we do not share data with advertising networks.

5. Parental rights

As the parent or legal guardian of a child using Siraar, you have the right to:

  • Review the personal information we have collected about your child.
  • Request that we delete your child's information.
  • Refuse to permit further collection of your child's information.
  • Revoke any consent you previously gave.

You can act on these rights from the parent dashboard, or by emailing [email protected]. We respond within 30 days.

6. Verifiable parental consent

Before we collect any information from a child, the parent who owns the account completes a consent flow. We use email-plus credit-card verification (or an equivalent COPPA-approved method) for any account that adds a child profile.

7. Data security

  • Children's display names and avatar configuration are encrypted at the application layer; database backups carry the same encryption.
  • All traffic is TLS-only.
  • Audit logs reference internal IDs only — never a child's personally identifying information.
  • Access to production systems is restricted by role and logged.

8. Data retention

We keep child data only while the account is active. If you delete a child profile, the row is soft-deleted within minutes and hard-deleted within 30 days. If you close the parent account, we delete or anonymize all associated child data within 30 days, except where law requires us to retain billing records.

9. International users

Siraar is operated from the United States. By using the service outside the U.S. you consent to having your data processed in the U.S. We honor data-subject rights granted by your local law (e.g. GDPR access, rectification, and erasure).

10. Changes to this policy

If we change how we handle children's data, we will notify the parent on file by email at least 14 days before the change takes effect, and we will not use existing data in a materially different way without renewed parental consent.

11. Contact us

Privacy questions, deletion requests, or COPPA inquiries: [email protected]. General support: [email protected].