Data Security & Privacy Plan — Puppet Pals

1. Overview

Puppet Pals is a creative animation app developed by Polished Play LLC. This plan describes how we protect the limited data associated with the app, aligned with the NIST Cybersecurity Framework (CSF).

Puppet Pals is a free version of the app and has not yet been released. Once released, it will include features such as AI image generation and optional video sharing (behind a parent gate), which involve limited data transmission as described below.

This plan covers the consumer (non-school) edition. For the School Edition, see the School Edition Data Security & Privacy Plan.

2. Data Collected

Puppet Pals does not collect any personally identifiable information (PII) from children. The app collects:

  • Anonymous analytics — aggregate usage data (features used, device type, OS version, country/region) through our own first-party system. This data cannot be linked to any individual user.
  • AI image data (transient) — when users create AI characters or backgrounds, photos or text descriptions are sent to third-party AI providers (Google and OpenAI via FAL) for processing. These are not stored on our servers.
  • Shared videos (optional, temporary) — behind a parent gate, users may share recordings. Videos are hosted on AWS and automatically deleted after 10 days.
  • Subscription identifiers — Apple transaction IDs for verifying subscription status. No payment information is collected.
  • Parent email addresses (optional) — behind a parent gate, parents may provide an email for update notifications.
  • Feedback (optional) — behind a parent gate, parents may submit feedback.

All student-created content (puppet shows, recordings, custom images) is stored on-device only and is never transmitted to our servers unless the user explicitly uses the sharing feature.

3. Administrative Safeguards

  • All Polished Play employees and contractors with access to any stored data are bound by confidentiality agreements.
  • Access to production systems is restricted to authorized personnel on a least-privilege basis.
  • Polished Play personnel are trained on applicable privacy laws, including COPPA and GDPR.
  • We do not sell, rent, or share user data with third parties for marketing or advertising purposes.

4. Technical Safeguards

  • All data transmitted between the app and our servers is encrypted using TLS 1.2 or higher.
  • Server infrastructure is hosted on Vercel and Amazon Web Services (AWS), with industry-standard security controls.
  • Server access requires multi-factor authentication.
  • Anonymous analytics data is stored in aggregate form and cannot be linked to individual users or devices.
  • Shared videos are stored temporarily and automatically purged after 10 days.
  • No third-party analytics or tracking SDKs are used in the app.

5. Data Sharing and Subprocessors

The following third-party services are used in the operation of Puppet Pals:

  • Google and OpenAI (via FAL) — AI image generation. Photos and text descriptions are sent for processing only and are not stored by Polished Play.
  • Amazon Web Services (AWS) — server hosting and temporary video storage.
  • Apple — subscription payment processing and app distribution.

No user data is shared with any other third parties.

6. Incident Response

In the event of an unauthorized release, disclosure, or acquisition of data:

  • Polished Play will investigate the incident immediately upon discovery.
  • Affected parties will be notified within 72 hours of confirmation.
  • The notification will include a description of the incident, the types of data involved, and contact information.
  • Polished Play will take immediate steps to contain and remediate the incident.

7. Data Retention and Disposal

  • Anonymous analytics are retained in aggregate form indefinitely for product improvement.
  • Shared videos are automatically deleted after 10 days.
  • Parent email addresses are retained until a deletion request is received.
  • Subscription identifiers are retained for the duration of the subscription.
  • Deletion requests can be made at any time by contacting privacy@polishedplay.com.

8. NIST Cybersecurity Framework Alignment

Polished Play's security practices are aligned with the NIST Cybersecurity Framework (CSF). Given the minimal data collected by Puppet Pals, our alignment is summarized below:

Identify (ID)

We maintain an inventory of the limited data we process. Our data collection is minimal by design — no PII from children, no user accounts, and no persistent identifiers. Risk assessments are conducted relative to the data we hold.

Protect (PR)

Access to production systems requires authentication and is restricted to authorized personnel. All data in transit is encrypted via TLS. No third-party tracking SDKs are embedded in the app. Parent-facing features are gated behind age verification.

Detect (DE)

We monitor our server infrastructure for anomalous activity. AWS provides logging and alerting for unauthorized access attempts.

Respond (RS)

Our incident response process includes identification, containment, notification within 72 hours, and remediation. We will cooperate with any affected parties or regulatory bodies as required.

Recover (RC)

Given the minimal data collected, recovery primarily involves restoring service availability. Lessons learned from any incident are incorporated into our security practices.

9. Contact

For questions about this Data Security & Privacy Plan or our data practices, contact us at privacy@polishedplay.com.

Last updated: April 4, 2026