Privacy Policy

Arthur Okeoghene Ajatuaewo, an individual sole proprietor trading as BecArt FuturePath, based in British Columbia, Canada, is the controller of personal information collected through the Service. Contact: ajatuaewoarthur@live.com.

From the parent (account owner):

• name and email address (required for sign-in);
• authentication metadata (e.g. Google account ID if you sign in with Google);
• billing information processed by our payment provider (we do not see your full card number);
• basic device and log data (IP address, browser type, pages viewed, error reports) for security and reliability.

About the child, only what you enter:

• nickname (we explicitly recommend not using full real name);
• age (number, not date of birth);
• interests, hobbies, and short text “moments” you choose to log;
• assessment answers and results.

We do not ask for, and you should not upload, full names, addresses, photos, videos, voice recordings, school name, government IDs, or medical/psychological records. If you enter such information in a free-text field, we will treat it under this policy but strongly discourage doing so.

• Provide the Service — operate accounts, save profiles and moments, generate the dashboard. Legal basis: performance of contract with you.
• Personalise AI suggestions — send relevant context (e.g. age band, top strengths) to our AI provider so the coach’s replies are useful. Legal basis: performance of contract / legitimate interest.
• Service emails (sign-up confirmations, security alerts, weekly Spark if you opt in). Legal basis: contract / consent for marketing items.
• Security, fraud prevention, debugging. Legal basis: legitimate interest.
• Comply with the law. Legal basis: legal obligation.

The Service is designed for parents to use on behalf of their child. Children do not create accounts. A child may use the Service in “supervised” mode under your account; in that case the parent remains the data subject for billing and account purposes, and the child’s information is treated as the limited data described in section 2.

We aim to comply with applicable children’s privacy laws including, where relevant, the U.S. Children’s Online Privacy Protection Act (COPPA), the EU/UK GDPR rules on processing of children’s data, Canada’s PIPEDA, and British Columbia’s PIPA. If you believe a child’s data has been entered without proper parental consent, contact us and we will delete it.

We do not sell your or your child’s personal information. We share limited data with the following service providers (“sub-processors”), under contract, only to run the Service:

• Hosting & database (Lovable Cloud / Supabase) — stores your account, profiles, and moments.
• AI provider (Google Gemini, via the Lovable AI Gateway) — receives your messages and relevant context to generate coach replies. We have configured the gateway so that your inputs are not used to train the underlying models.
• Authentication provider (Google, when you choose Google sign-in) — authenticates the account owner only.
• Payment processor and Merchant of Record (Paddle.com Market Limited) — handles paid subscriptions, processes card data, and is the seller of record for tax and invoicing purposes. Paddle processes billing data under its own privacy notice.
• Email delivery provider — sends transactional and (if you opt in) Spark emails.

We may also share information when required by law, to enforce our Terms, or to protect our or another person’s rights, property, or safety.

Our providers may process your data in Canada, the United States, and the European Union. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms.

• Account data — until you delete your account.
• Child profiles, moments, assessment results — until you delete them, or 30 days after you delete the account.
• Billing records — up to 7 years where required for tax law.
• Server logs — up to 90 days.

Depending on where you live you may have the right to:

• access the personal information we hold about you and your child;
• correct it;
• delete it;
• export it in a portable format;
• object to or restrict certain processing;
• withdraw consent at any time (without affecting earlier processing);
• complain to your local data-protection authority.

To exercise any of these rights, email ajatuaewoarthur@live.com. We will respond within 30 days.

We use TLS in transit, encryption at rest, role-based access, and database row-level security so that you only see your own family’s data. No system is perfectly secure; if a breach affects your data we will notify you and the relevant authority as required by law.

We use only the cookies necessary to keep you signed in and the Service running. We do not currently use third-party advertising or behavioural analytics cookies. If we add privacy-respecting analytics later, we will update this policy and ask for consent where required.

We may update this policy from time to time. Material changes will be announced in-app or by email at least 14 days before they take effect. The version and effective date appear at the top of this page.