Privacy Policy
This page is written in English, which is the legally authoritative version.
Last updated: 21 June 2026
This policy explains what personal data SproutKid collects, why we collect it, who we share it with, and the choices you and your child have. Because SproutKid is designed for teenagers aged 13–18, we treat children's data with particular care and minimise what we collect.
1. Who we are
SproutKid (“SproutKid,” “we,” “us,” “our”) is operated by TomicSwissTech, a sole proprietorship (Einzelunternehmen) established in St. Margrethen, Canton of St. Gallen, Switzerland, registered under Swiss business identification number CHE-192.510.580. We are the data controller responsible for the personal data described in this policy. You can reach us about any privacy matter at support@sproutkid.ai; our full postal address is available on request.
2. A note for parents and guardians
3. What we collect
Account & setup data
- The parent/guardian's email address and a password that is stored only as a salted hash — we never store the password itself.
- One or more child profiles under the parent account. For each child we store a first name or chosen nickname, their year of birth only (not the full date of birth), the companion character they design (name, theme, personality, chosen voice), an optional country used only to show the correct local help resources, and — if the parent chooses to set one — a 4-digit profile PIN stored only as a hash.
- Account settings and parental-control preferences.
Conversation data
- The messages your child sends to their SproutKid companion and the responses the companion generates. These are stored per child profile so that conversations can continue across sessions and devices, and so that safety filtering can be applied. A parent can delete a child's conversation history, an entire child profile, or the whole account at any time from inside the app (see Section 9).
- If your child attaches an image or short video to a message, it is sent to our AI provider to generate a response and is not stored on our servers; we retain only a record that a message included an attachment.
Payment data
- Subscription status, a billing reference, and the billing email. Card and payment-method details are entered on the secure pages of our payment provider — we never see or store full card numbers (see Section 7).
- A record of the parental consent given at sign-up (the consent statement, a timestamp, and the IP address it was given from), kept so that we can demonstrate valid consent.
Technical & security data
- The IP address and basic request information needed to keep the account secure, apply rate limits, and prevent abuse; an age-verification record created when a child profile is set up; and server logs. The marketing website and app set no advertising or third-party tracking cookies — see our Cookie Policy.
4. Why we use it, and our legal bases
| Purpose | Legal basis (Swiss FADP / EU GDPR where it applies) |
|---|---|
| Provide the service and answer your child's questions | Performance of a contract |
| Apply safety filtering and moderation on every message, and route to crisis resources where needed | Consent for processing children's data; legitimate interest in protecting children |
| Verify that a profile meets the minimum age of 13 | Legal obligation; legitimate interest |
| Process the subscription and prevent payment fraud | Performance of a contract; legitimate interest |
| Keep the service secure, apply rate limits, and fix problems | Legitimate interest |
| Communicate with the parent about the account | Performance of a contract |
| Keep records required by law (e.g. accounting, consent evidence) | Legal obligation; legitimate interest |
We do not sell personal data, we do not show advertising, and we do not use children's conversations to build advertising or marketing profiles.
5. The AI that powers SproutKid
To generate responses, your child's messages (and any attached image or video) are sent to our AI model provider, Google (Gemini API), acting as our processor. To check the safety of both the incoming message and the outgoing response, message text is also sent to OpenAI's moderation service. We use these providers on their paid/commercial terms, under which your child's conversations are not used to train their models and are processed only to return a response or a safety result to SproutKid. If we change AI providers, we will update this policy.
6. We are not a crisis or medical service
SproutKid is an AI companion for everyday questions, homework help, and conversation. It is not a counselling, medical, or emergency service. If a message suggests a child may be in danger or in crisis, the companion will encourage them to talk to a trusted adult and may show local help-line information. In an emergency, always contact local emergency services.
7. Payments
Subscriptions are handled by Payrexx AG (Switzerland) as an independent payment service provider. When you pay, you are taken to Payrexx's secure payment page; Payrexx processes your payment-method details under its own privacy terms and returns to us only the information we need to activate and manage your subscription, such as confirmation of payment and your billing email. See Payrexx's privacy information at payrexx.com.
8. Who we share data with, and where it is processed
We share personal data only with service providers (“processors”) that help us run SproutKid, under contracts that require them to protect it and use it only on our instructions:
- Google — AI responses (Gemini API). Processed in the United States and other Google regions.
- OpenAI — message safety moderation. Processed in the United States.
- Payrexx AG — payment processing. Processed in Switzerland/EU.
- Replit — application hosting and database. Processed in the United States.
- Google Workspace — the transactional emails we send you (such as the account set-up link).
Because some of these providers process data in the United States, your data may be transferred outside Switzerland and the EU/EEA. Where this happens, we rely on legally recognised safeguards, such as the Swiss–U.S. and EU–U.S. Data Privacy Frameworks and/or the European Commission's Standard Contractual Clauses. We may also disclose data where required by law, or where necessary to protect the safety of a child or others.
9. How long we keep data
- Account and child-profile data: kept while the account is active. When a parent deletes the account, it is removed from our active systems within 30 days (residual copies in routine backups are overwritten on our normal backup cycle).
- Conversation history: kept so conversations can continue. A parent can delete any child's history, a profile, or the whole account at any time; otherwise it is deleted when the account is closed, within the same 30-day window.
- Parental-consent and age-verification records: kept while the account is active and for up to 3 years after closure so that we can evidence valid consent and age-gating, then deleted.
- Billing and accounting records: retained for as long as Swiss accounting and tax law requires (generally 10 years).
10. How we protect data
We use encryption in transit (HTTPS), salted hashing for passwords and profile PINs, server-side access controls, automated safety moderation, and other technical and organisational measures appropriate to the sensitivity of children's data. No system is perfectly secure, but we work to reduce risk and will notify affected users and the relevant authority of a qualifying data breach as required by law.
11. Your rights
Subject to applicable law, you can request to access, correct, delete, or export personal data, object to or restrict certain processing, and withdraw consent at any time (withdrawing consent does not affect processing already carried out). For a child's account, these rights are exercised by the parent or guardian. Many of these actions — deleting a child's history, a profile, or the whole account — can be done immediately inside the app. For anything else, email support@sproutkid.ai; we may need to verify your identity before acting.
If you are in Switzerland, you can also contact the Federal Data Protection and Information Commissioner (FDPIC). If you are in the EU/EEA or the UK, you may lodge a complaint with your local data-protection authority.
12. Cookies
See our Cookie Policy for the limited storage we use and how to control it.
13. Changes to this policy
We may update this policy from time to time. If we make a material change, we will notify the account's parent/guardian. The “last updated” date above always shows the current version.
14. Contact
Questions or requests: support@sproutkid.ai
TomicSwissTech · St. Margrethen, Canton of St. Gallen, Switzerland · CHE-192.510.580