Privacy Policy for TicPop
Effective date: May 20, 2026 · Last updated: May 20, 2026
1. Who we are
TicPop is operated by Velynq, Inc., a Delaware corporation.
- Company: Velynq, Inc.
- Registered office (Delaware, USA): 131 Continental Dr, Suite 305, Newark, DE 19713
- Mailing address: 221 W 9th Street, PMB 858, Wilmington, DE 19801, USA
- Privacy contact: privacy@ticpop.app
- General contact: support@ticpop.app
- Data controller representatives:
- EU / EEA: Not yet appointed. TicPop is not yet available in EU markets. We will appoint a representative under GDPR Article 27 and update this policy before launching in the EU.
- UK: Not yet appointed. Same status as above, under UK GDPR Article 27, before launching in the UK.
2. Who this Privacy Policy applies to
TicPop is designed to be set up and managed by parents and legal guardians for use by their children aged approximately 4–12. Only a parent or legal guardian may create a TicPop account. By creating an account, you confirm that you are the parent or legal guardian of any child profile you add.
This policy explains what information we collect from you (the parent) and about your child, how we use it, who we share it with, and your rights. It is written to comply with:
- The Children's Online Privacy Protection Act (COPPA) (United States, for users under 13)
- The EU General Data Protection Regulation (GDPR) and its rules for children (commonly referred to as GDPR-K, governing users under 16 in most EU member states)
- The UK Age Appropriate Design Code
- The California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
- Other applicable privacy and children's rights laws worldwide
3. Information we collect
3.1 Information from the parent (you)
When you create a TicPop account, we collect:
- Email address (used to log in, send important notices, and contact you)
- Password (stored only in hashed form; we never see the plaintext password)
- Subscription status (if you subscribe) — processed by Apple or Google through their in-app purchase systems. We never see or store your card or bank details. We receive only a subscription status and an anonymized customer ID from RevenueCat.
- Device information about your device — operating system, app version, approximate region (derived from IP), device model, and a device-scoped authentication token.
3.2 Information about your child (entered by you)
When you create a child profile, you enter:
- A nickname for the child (you choose what to enter — a real first name, a nickname, or any made-up label). We do not require a real name and we do not verify it.
- A preset avatar — you choose from a library of preset illustrated avatars (animals, kids, fantasy characters). We do not allow user-uploaded photos. TicPop does not request camera or photo-library permission.
We do not collect:
- The child's date of birth or age
- The child's real name (unless you choose to enter it as the nickname)
- The child's gender
- The child's location
- The child's photo
- Any other identifying information about the child
3.3 Information generated as your child uses the app
- Routines your child completes or misses
- Stars earned, rewards chosen, certificates earned
- Rough timestamps (to track streaks and progress)
- Scheduled local alarm settings (so the device can remind your child at the times you choose — these alarms run entirely on the device)
3.4 Technical information
- IP address (used to route requests; not stored long-term)
- App crash reports (via Sentry — used to fix bugs; we strip personal data from reports before they leave your device)
3.5 Information we explicitly do NOT collect
- No precise location (we don't request GPS)
- No contacts, photos, camera, microphone, messages, or gallery access — we do not request these permissions at all
- No advertising identifiers — we explicitly block the Android
AD_IDpermission and the equivalent iOS flags - No cross-app tracking — we do not use Apple's App Tracking Transparency prompt because we do not track users across apps
- No third-party analytics — we do not use Firebase Analytics, Google Analytics, Mixpanel, Amplitude, the Facebook SDK, or any similar tool
- No cloud push notifications — TicPop only schedules local on-device alarms. We do not send push tokens to Apple, Google, or any server, and we do not store any push token on our backend
- No artificial-intelligence features — TicPop does not send any data to any AI provider and does not infer or label anything about your child
4. How we use the information
We use the information listed above only for these purposes:
- Operating the app — showing your routines, tracking your child's progress, displaying certificates and rewards, syncing data across your devices.
- Parental controls — allowing you to manage child profiles, review progress, and mark rewards as fulfilled.
- Subscriptions — activating premium features when you subscribe through Apple or Google, and checking subscription status at app launch.
- Support and communication — responding when you contact us, notifying you about important changes (security incidents, policy updates).
- Improving the app — diagnosing crashes and fixing bugs via Sentry. These logs are stripped of personal data before they leave your device.
- Legal compliance — meeting tax, fraud-prevention, and other legal obligations.
We do not use your or your child's information for behavioral advertising, profiling, AI training, or any form of marketing targeting.
5. Children's privacy — COPPA, GDPR-K, and how parental consent works
TicPop is designed for families. Only a parent or legal guardian can create an account. The child does not create their own account. All information about a child is entered by the parent and attached to the parent's account.
Consent
By creating a TicPop account and setting up a child profile, you (the parent) provide verifiable parental consent under COPPA for us to collect and use the information described in Section 3 for the purposes described in Section 4. You can withdraw consent at any time by deleting the child profile (Section 10) or deleting your account (Section 11).
What we do not do with children's data
- We do not share or sell children's data with third parties for marketing.
- We do not show advertisements to children.
- We do not use children's data for profiling, behavioral targeting, or AI training.
- We do not allow children to contact other users, post content publicly, or share data outside the parent's account.
Schools and organizations
TicPop is designed for individual family use. If you are a school, therapist, or organization considering deployment, contact us at support@ticpop.app — we may require additional agreements.
6. Who we share information with
We share information only in the limited cases listed below, and only with service providers bound by data protection agreements.
| Third party | What they receive | Why |
|---|---|---|
| Supabase, Inc. (data stored in EU — Ireland, eu-west-1) | All account and app data (database & file storage) | Storing your account data securely in the EU |
| PowerSync / JourneyApps (US) | Synced account and app data, in transit, between your devices and Supabase | Keeping your data in sync across the family's devices, offline-first |
| Apple, Inc. (US) | In-app purchase information | Processing iOS subscriptions |
| Google LLC (US) | In-app purchase information | Processing Android subscriptions |
| RevenueCat, Inc. (US) | Subscription status and an anonymized customer ID | Managing subscriptions across platforms |
| Functional Software, Inc. d/b/a Sentry (EU region) | App crash reports with personal data stripped | Diagnosing and fixing bugs |
| Expo, Inc. (US) | App version information for delivering over-the-air updates | Shipping bug fixes without a full store update |
| Law enforcement, courts, regulators | Only when legally compelled | Legal compliance |
We do not sell or rent personal information to any third party. We do not use children's data for third-party advertising or profiling.
7. International data transfers
Velynq, Inc. is based in the United States. Your account and app data are stored on Supabase in the EU (Ireland). Some of our other service providers (PowerSync, RevenueCat, Expo) are US-based.
Where data is transferred out of the EU, EEA, or UK to the United States or another country, we rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission and the UK's International Data Transfer Agreement, and we apply supplementary technical measures (encryption in transit and at rest). A copy of the SCCs we use with each service provider is available by request at privacy@ticpop.app.
8. How long we keep information
- Your account data is kept as long as your account is active.
- Child profile data (nickname, chosen avatar, routine history, rewards, certificates) is kept as long as the child profile exists in your account.
- Day-by-day routine details are kept for a rolling 7-day window and then automatically deleted. Longer-term progress is kept as monthly and yearly totals only.
- Backups may retain data for up to 30 days after deletion, after which it is permanently purged.
- Support communications are kept for up to 3 years.
- Payment records are kept for up to 7 years for tax and fraud-prevention purposes, as required by law.
If you delete your account (see Section 11), all non-legally-required data is removed within 30 days.
9. How we protect information
- All data is encrypted in transit (HTTPS / TLS 1.2+) and at rest.
- Passwords are stored only as salted cryptographic hashes.
- Row-level security rules in our database ensure each family's data is isolated from every other family's data.
- Access to production systems is restricted to authorized personnel with multi-factor authentication.
- We conduct periodic security reviews.
No security system is perfect. If we ever learn of a security incident affecting your information, we will notify affected users promptly as required by law (typically within 72 hours of becoming aware, under GDPR).
10. Your rights
Depending on where you live, you have some or all of the following rights:
- Access — Ask us what information we hold about you or your child.
- Correction — Ask us to correct information that is wrong.
- Deletion — Ask us to delete your account and all associated data (see Section 11).
- Portability — Ask us to send you a copy of your data in a machine-readable format.
- Restriction or objection — Ask us to stop or limit how we use certain information.
- Withdraw consent — You can withdraw your consent at any time (this will typically require deleting your account or child profile).
- Lodge a complaint — You can complain to the data protection authority in your country.
For California residents (CCPA/CPRA): you also have the right to know what personal information we have collected, to request deletion, to correct inaccurate information, and to opt out of the sale or sharing of personal information. We do not sell or share personal information. You may also designate an authorized agent to make these requests on your behalf.
To exercise any of these rights, email us at privacy@ticpop.app. We will respond within 30 days (or sooner if required by law).
11. How to delete your account and all your data
You have three ways to delete your account:
- In the app — Settings → Account → Delete Account. This triggers full deletion within 30 days.
- On our website — visit https://ticpop.app/delete-my-data and follow the instructions. Available without reinstalling the app.
- By email — write to privacy@ticpop.app from the email address on your account.
When you delete your account, we remove:
- All child profiles (nicknames and chosen avatars)
- All routine, reward, and progress data
- Your email address and password hash
- Any data in Supabase, PowerSync, RevenueCat, or Sentry tied to your account
What we must keep (for legal reasons):
- Tax and payment records for up to 7 years (US IRS requirement; similar in most countries)
- Security/audit logs in minimized form
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Notify you by email (to the address on your account), and
- Show a notice inside the app on next launch, and
- Update the "Last updated" date at the top of this page.
Where local law requires, we will obtain your renewed consent before the changes take effect. If you do not agree to the changes, you can delete your account (Section 11).
13. Contact us
For any privacy question, request, or complaint:
- Email: privacy@ticpop.app
- Postal mail: Velynq, Inc., 221 W 9th Street, PMB 858, Wilmington, DE 19801, USA
For EU / EEA / UK residents, you also have the right to lodge a complaint with your national data protection authority. A list is available at edpb.europa.eu (EU) and ico.org.uk (UK).
14. Governing law
This Privacy Policy and any dispute relating to it are governed by the laws of the State of Delaware, United States, without regard to its conflict-of-law rules. This does not deprive you of the protections you are entitled to under the mandatory laws of your country of residence.
The canonical version of this policy is available at https://ticpop.app/privacy.