Privacy Policy

Effective Date: May 24, 2026

Version: 2.0

________________________________________________________________________________

This Privacy Policy describes how Active Minds (“we,” “us,” or “our”), operated by Trueyogi Wellness Teknoloji Ticaret Anonim Şirketi, collects, uses, and protects personal information when you use our website (https://activeminds.ai) and our mobile applications, including our flagship product Hoppy Math (collectively, the “Service”). By accessing or using the Service, you (or your parent/legal guardian, where applicable) agree to the practices described in this Policy. For children’s use of the Service, verifiable parental consent is required. This Policy is designed to comply with applicable laws including COPPA (United States), GDPR and GDPR-K (European Union), KVKK (Türkiye), as well as APPI (Japan), PDPA (Singapore), and PIPA (South Korea).

________________________________________________________________________________

1. Company Information

Company Name: Trueyogi Wellness Teknoloji Ticaret Anonim Şirketi
Trade Name / Brand: Active Minds
Established: 2019
Registered Address: Mustafa Kemal Mahallesi, Dumlupınar Bulvarı No:280G/1260, METU Technopolis, Çankaya, Ankara, TÜRKİYE
Contact Email: hello@activeminds.ai
Privacy Inquiries: hello@activeminds.ai
Website: https://activeminds.ai

The Service is owned and operated solely by the company named above. The company acts as the data controller for all personal data processed through the Service.

________________________________________________________________________________

2. Services and Target Audience

Service Purpose and Core Functions

Active Minds is an AI-powered educational platform designed to make learning interactive, engaging, and movement-based. Our games combine subjects such as mathematics and basic sciences with physical activity through real-time motion tracking and AI-driven personalization. Our flagship game, Hoppy Math, is designed for children aged 5 to 10 to develop math skills, problem-solving abilities, and motor coordination. This Privacy Policy applies to all games and services we publish unless a specific product publishes its own supplemental policy.

Target Audience

Children (ages 5 to 10): the primary users of our learning content, used under parental account and supervision.
Parents and Legal Guardians: the account holders who consent to and oversee the child’s use of the Service.
Educational Institutions and Teachers: for classroom or supplemental learning use.
EdTech Partners: for licensed deployments and integrations.

Regulatory Compliance for Children

Given our focus on children, we adhere to laws and regulations designed to protect minors, including:

COPPA (United States): No personal data is collected from children under 13 without verifiable parental consent.
GDPR-K (European Union): Personal data of children under 16 (or the lower age set by an EU Member State, not below 13) is processed only with the consent of the holder of parental responsibility.
KVKK (Türkiye): Personal data is processed in accordance with the Turkish Personal Data Protection Law No. 6698, with explicit guardian consent for minors.
Other Applicable Laws: We comply with APPI (Japan), PDPA (Singapore), PIPA (South Korea), and similar regulations in markets where the Service is available.

________________________________________________________________________________

3. Information We Collect

To provide and improve the Service, we collect the following categories of data:

Personal Identification Information

Profile Name (chosen by the parent for the child; may be a nickname)
Email Address (parent or guardian only)
IP Address (collected automatically; used for security and regional content delivery)

Authentication and Account Data

Login Credentials: email address and a password set by the parent/guardian.
Social Sign-In: Sign in with Apple, Sign in with Google. We receive only the information you explicitly approve at sign-in (typically a unique identifier and email).

Device and Diagnostic Information

Device model, operating system version, app version
Crash logs, performance metrics, error logs
Anonymous device identifiers (e.g., advertising identifier is NOT collected)

Usage Data

In-game progress: levels completed, achievements, learning milestones
Behavioral data within the app: which mini-games were played, time on task, accuracy, response time
Subscription status (active, inactive, expired)

Camera and Motion Data

The Service uses the device camera to enable motion-based gameplay through our proprietary AuraVision motion-tracking engine.
AuraVision runs entirely on the user’s device (on-device / edge processing). The camera feed is processed locally in real time. Video frames, derived keypoints, skeletal data, and any intermediate signals are NOT recorded, NOT streamed, NOT transmitted to our servers or any third party, and NOT stored beyond the moment of processing.
The camera is activated only during active gameplay and only with the user’s permission granted through the operating system.
If the user explicitly chooses to record a gameplay clip, the recording is saved only to the user’s device and only the user controls it.

Information We Do NOT Collect

We do not collect a child’s date of birth or precise age.
We do not collect a child’s real name or surname (parents may enter any display name).
We do not collect biometric identifiers from the camera (no face recognition, no fingerprint).
We do not collect precise geolocation.
We do not collect contacts, photos library, microphone audio, or messages.
We do not collect advertising identifiers (IDFA / GAID).

________________________________________________________________________________

4. How We Use Your Information

We process collected data for the following purposes:

Service Provision

Personalizing the learning experience and adapting difficulty to each child’s pace.
Tracking progress and providing educational feedback to the child and to parents through the Parent Panel.

User Experience Improvement

Diagnosing technical issues and improving app stability.
Producing aggregate, anonymized statistics about feature use to guide product improvements.

Security and Fraud Prevention

Protecting accounts from unauthorized access.
Preventing abuse, cheating, or misuse of the Service.

Legal Compliance

Meeting obligations under COPPA, GDPR, KVKK, APPI, PDPA, PIPA, and other applicable laws.

Communications (parent-facing only)

Sending account-related transactional emails (e.g., subscription receipts, password reset).
Optional product update emails to parents, only with explicit opt-in. Children never receive marketing emails.

What We Do NOT Use Your Information For

No targeted advertising. We do not run advertising in the Service and do not show any ads to children.
No behavioral profiling for marketing. We do not build advertising or marketing profiles about children.
No data selling. We do not sell personal data to any third party for any purpose.
No cross-site tracking. We do not track users across other apps or websites.

________________________________________________________________________________

5. Legal Basis for Data Processing

We process personal data based on the following legal grounds:

Verifiable Parental Consent: for children’s data, consent is obtained from the parent or legal guardian at account creation. Where the Service is purchased or installed through Apple’s App Store or Google Play, parents may also rely on the platform’s Family Sharing / Ask to Buy and parental control flows as part of the consent mechanism. An additional in-app parental gate is required before any subscription purchase.
Contractual Necessity: processing required to deliver the Service the parent purchased or signed up for.
Legitimate Interest: anonymized analytics to improve the Service. We balance this interest against the privacy expectations of children and apply data minimization.
Legal Obligation: processing required to comply with COPPA, GDPR, KVKK, APPI, PDPA, PIPA, and other applicable laws.

________________________________________________________________________________

6. Verifiable Parental Consent and Parental Gate

For users under the applicable age threshold (13 under COPPA, 16 under GDPR-K, 18 under KVKK guardian-consent practice for minors), the Service operates under verifiable parental consent. We obtain and confirm parental consent through one or more of the following methods:

The parent creates and controls the account using a verified email address.
The parent sets and holds the account password.
For purchases made through Apple’s App Store, Apple’s parental control mechanisms (Screen Time, Family Sharing, Ask to Buy) provide an additional layer of verification.
An in-app parental gate (a math challenge the child is not expected to solve) is presented before any subscription purchase or external link is opened. The parental gate cannot be disabled.

Parents can withdraw consent at any time by deleting the account or by writing to privacy@activeminds.ai.

________________________________________________________________________________

7. Data Sharing and Third-Party Service Providers

We do not share personal data with third parties for advertising or marketing purposes. We do work with a limited number of trusted service providers (data processors) who act on our instructions and under contractual data protection obligations:

Service Provider

Purpose

Data Categories Processed

Storage Location

Firebase (Google LLC) — Authentication, Cloud Firestore, Cloud Storage

Account authentication; storage of profile name, learning progress, subscription status

Email address, profile name, app usage data, device identifiers (non-advertising)

EU users: EU data centers (europe-west). US users: US data centers. Other regions: nearest Google Cloud region.

Firebase Analytics (Google LLC)

App analytics, crash reporting, performance monitoring

Anonymous usage events, crash logs, device model and OS version

Google global infrastructure; data segregated by region where supported.

GameAnalytics

Gameplay funnel analytics and learning outcome aggregation

Anonymous gameplay events, session metadata

EU data centers.

RevenueCat

Subscription entitlement management, receipt validation

App Store / Play Store transaction identifiers, subscription status, anonymous user ID

US data centers (RevenueCat infrastructure).

Apple App Store / Google Play

Payment processing, subscription billing

Payment data handled entirely by Apple or Google; we do not receive credit card numbers

Apple / Google global infrastructure.

Data Sharing Principles

We never share personal data with advertisers.
All data shared with processors is the minimum required for the purpose.
Each processor is bound by a Data Processing Agreement aligned with GDPR, KVKK, and COPPA requirements.
Data shared with educational institutions, where applicable, is limited to anonymized academic performance metrics and only with parental or institutional consent.

________________________________________________________________________________

8. International Data Transfers and Data Residency

Active Minds operates globally. We apply the following data residency principles:

European Union / European Economic Area users: personal data is stored in Google Cloud EU regions (europe-west). Where transfers outside the EEA are necessary (for example, for processing by RevenueCat in the United States), we rely on Standard Contractual Clauses approved by the European Commission and apply supplementary measures.
United States users: personal data is stored in US-based data centers.
Türkiye users: personal data may be stored in Türkiye-based or EU-based data centers. Cross-border transfers comply with KVKK Article 9.
Other regions (Asia, Latin America, etc.): data is stored in the geographically nearest Google Cloud region.

EU / UK Representative

At this time, Active Minds has not appointed a dedicated EU or UK representative under Article 27 of the GDPR / UK GDPR. EU and UK data subjects can contact the company directly using the address and email listed in Section 1, and we will respond within the timeframes required by the GDPR. We monitor our processing volume and risk profile and will appoint a representative if and when triggers under Article 27 are met.

________________________________________________________________________________

9. Cookies and Tracking Technologies

We use cookies and similar technologies only in a limited, responsible manner:

Essential Cookies: required for session management and account security.
Analytics Cookies (anonymous): used to improve the user experience and measure aggregate performance.
Marketing Cookies: not used. We do not deploy advertising or behavioral cookies targeted at children.
Third-Party Trackers: not embedded in the mobile app. The website may use Google Analytics for aggregate website traffic analytics only.

Parents can manage cookie preferences through their browser settings.

________________________________________________________________________________

10. Data Retention

We retain personal data for as long as necessary to provide the Service and meet legal obligations:

Account data: retained while the account is active. Deleted within 30 days of account deletion request.
In-game progress data: retained for the duration of the active account. May be deleted upon parental request at any time.
Analytics data: anonymized and retained for up to 12 months.
Crash and diagnostic logs: retained for up to 90 days.
Subscription records: retained as required by tax, accounting, and consumer protection laws (typically 5 to 10 years depending on jurisdiction), in a minimized form.
Camera and motion data: never retained. Processed locally on the device and discarded in real time.

________________________________________________________________________________

11. Data Security Measures

Active Minds applies the following safeguards to protect personal data:

Encryption in Transit: all communication between the app and our servers uses TLS 1.2 or higher.
Encryption at Rest: stored personal data is encrypted using AES-256 at the database layer.
Access Control: strict role-based access control. Only authorized personnel can access production data.
On-Device Processing: all camera-based motion tracking is performed on the device through the AuraVision engine. The camera feed never leaves the device.
Anonymization: analytics datasets are anonymized to prevent identification of individual children.
Vulnerability Management: regular dependency updates, code review, and platform security best practices.
Incident Response: breach notifications, where required, are issued to affected users and regulators within 72 hours of becoming aware of the incident, per GDPR Article 33.

________________________________________________________________________________

12. Your Rights

Parents and guardians (on behalf of their children) have the following rights, subject to applicable law:

Right of Access: to receive a copy of the personal data we hold.
Right to Rectification: to correct inaccurate or incomplete data.
Right to Erasure (“Right to be Forgotten”): to request deletion of the account and associated data.
Right to Restriction of Processing.
Right to Data Portability.
Right to Object to processing based on legitimate interest.
Right to Withdraw Consent at any time.
Right to Lodge a Complaint with a supervisory authority (e.g., the data protection authority in your country of residence, or the Turkish Data Protection Authority, KVKK Kurumu).

How to Exercise Your Rights

Contact privacy@activeminds.ai. We respond within 30 days. For COPPA-related requests from parents in the United States, we respond within 30 days. For GDPR requests, we respond within 30 days (extendable to 60 days for complex requests).

________________________________________________________________________________

13. Compliance with Laws and Regulations

Active Minds is committed to compliance with all applicable data protection laws, including:

COPPA (United States): Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506.
GDPR (European Union): Regulation (EU) 2016/679, including Article 8 (child consent).
KVKK (Türkiye): Law No. 6698 on the Protection of Personal Data.
APPI (Japan): Act on the Protection of Personal Information.
PDPA (Singapore): Personal Data Protection Act 2012.
PIPA (South Korea): Personal Information Protection Act.
UK GDPR and Data Protection Act 2018.
California Consumer Privacy Act / CPRA (United States, California residents).

If you are a California resident, you have additional rights under the CCPA / CPRA, including the right to know, the right to delete, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information as defined under the CCPA / CPRA.

________________________________________________________________________________

14. Children’s Privacy Statement (Section Specifically for Parents)

We design the Service with children’s privacy as a first principle:

We collect only the minimum data needed to deliver the Service.
We never show advertising to children.
We never sell or share children’s data for marketing.
The camera is used only for on-device gameplay; nothing leaves the device.
A parent or guardian must create and control the account.
A parental gate protects all purchases.
Parents can review, correct, or delete their child’s data at any time by contacting privacy@activeminds.ai.

________________________________________________________________________________

15. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

General contact: hello@activeminds.ai
Privacy and data rights: privacy@activeminds.ai
Postal Mail:

Trueyogi Wellness Teknoloji Ticaret Anonim Şirketi

Mustafa Kemal Mahallesi, Dumlupınar Bulvarı No:280G/1260

METU Technopolis, Çankaya

Ankara, TÜRKİYE

________________________________________________________________________________

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will update the Effective Date at the top of this Policy and, for material changes, notify parents through the app or by email. Continued use of the Service after the Effective Date constitutes acceptance of the updated Policy.

________________________________________________________________________________

17. Consent and Agreement

By accessing or using the Service, you (or your parent/legal guardian, where applicable) confirm that you have read, understood, and agree to this Privacy Policy and consent to the collection and use of personal data as described.

This Privacy Policy is intended to provide a safe, secure, and educational experience for children while respecting and protecting the privacy rights of all users. We are committed to the highest standards of data protection and transparency in every region where the Service is available.