Data Security & Privacy Plan — Book Builder

1. Overview

Book Builder is an interactive book creation app developed by Polished Play LLC. This plan describes how we protect data associated with the app, aligned with the NIST Cybersecurity Framework (CSF). This plan covers all versions of Book Builder, including the free, paid, and School Edition.

Book Builder does not collect, store, or transmit ANY user data to Polished Play servers. All content is stored locally on the device or in the user's personal iCloud account.

Polished Play complies with the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and the General Data Protection Regulation (GDPR).

2. Data Collected

None by Polished Play.

Book Builder does not collect any data from users. Specifically:

  • No analytics or usage tracking of any kind
  • No personal information
  • No device information or technical data
  • No cookies or tracking technologies
  • No user accounts or login
  • No network requests that transmit user data to our servers

iCloud Storage

Book Builder uses Apple's iCloud service to store and sync created books across the user's devices. This storage:

  • Is managed entirely by Apple through the user's personal iCloud account
  • Is secured by Apple's privacy and security standards
  • Is not accessible to Polished Play or any third parties
  • Can be controlled through the device's iCloud settings

3. Administrative Safeguards

Because Book Builder collects no user data, administrative safeguards are focused on maintaining this zero-collection posture:

  • Any changes to data collection practices require explicit review and approval, with updates to this plan and our privacy policy prior to implementation.
  • Polished Play personnel are trained on applicable privacy laws including FERPA, COPPA, and GDPR.
  • We do not sell, rent, or share user data with third parties for any purpose.

4. Technical Safeguards

  • The app does not make network requests that transmit user data to Polished Play servers.
  • No third-party analytics, advertising, or tracking SDKs are embedded in the app.
  • iCloud storage is managed by Apple and protected by Apple's industry-standard security measures, including encryption.
  • Polished Play has no access to user content stored in iCloud.

5. Data Sharing and Subprocessors

Book Builder does not share any data with any third party through Polished Play. The only third-party services involved are Apple's iCloud (for user-controlled content storage) and Apple's App Store (for app distribution). Both are governed by Apple's privacy policies and are not acting as subprocessors for Polished Play.

6. Incident Response

Because Book Builder does not collect or store any user data on Polished Play systems, the risk of a data breach involving user information is effectively zero. However, Polished Play maintains an incident response plan:

  • If a vulnerability is discovered in the app, Polished Play will investigate immediately and release a patch through the App Store.
  • If Polished Play becomes aware of any security concern related to the app, affected educational agencies will be notified within 72 hours.
  • Polished Play will cooperate with affected educational agencies and any regulatory bodies as required by law.

7. Data Retention and Disposal

There is no data to retain or dispose of on Polished Play systems. All user-created content resides on the device and in the user's personal iCloud account. Both are fully under the control of the user or the educational agency that manages the device. Schools can manage iCloud storage through Apple School Manager.

8. Data Transition

Since Book Builder does not collect or store any user data on Polished Play systems, there is no data to transition back to an educational agency upon contract termination. All user-created content resides on the device and in the user's iCloud account, both of which are fully under the control of the school and student.

9. NIST Cybersecurity Framework Alignment

Polished Play's security practices are aligned with the NIST Cybersecurity Framework (CSF). Because Book Builder collects no user data, our alignment reflects this zero-collection posture:

Identify (ID)

Book Builder processes no user data through Polished Play systems. Our data inventory for this product is empty by design. User content is stored in iCloud, managed by Apple, and inaccessible to Polished Play.

Protect (PR)

Protection is achieved through the absence of data collection. No network requests transmit user data to our servers. No third-party SDKs that could collect data are embedded. iCloud storage is protected by Apple's security infrastructure.

Detect (DE)

Since no user data flows through our systems, detection focuses on monitoring for unauthorized modifications to the app distribution and ensuring continued compliance with our zero-collection design.

Respond (RS)

In the event of a security concern, our response includes investigation, notification to affected parties within 72 hours, and issuing a corrected version through the App Store.

Recover (RC)

Recovery involves releasing a patched version of the app. Because no user data is stored on our systems, there is no data to restore or recover. Lessons learned are incorporated into development practices.

10. Contact

For questions about this Data Security & Privacy Plan or our data practices, contact us at privacy@polishedplay.com.

Last updated: April 4, 2026