Data Security & Privacy Plan — Puppet Pals 1
Consumer subscription edition. The classroom-deployable version has a separate plan: see Puppet Pals 1 School Edition Data Security & Privacy Plan.
For schools: this plan does not apply to you
Puppet Pals 1 (this consumer subscription edition) is not appropriate for classroom or district use. This Data Security & Privacy Plan describes practices for the family/home product — which includes AI image generation, optional video sharing, and Apple In-App Purchase subscriptions. None of those fit school-procurement requirements.
Schools and districts evaluating Puppet Pals should review the School Edition Data Security & Privacy Plan instead. The School Edition has no AI features, no cloud uploads, no subscriptions, and substantively stricter data handling.
The provisions below are written for an individual family subscriber, not for an institutional data controller.
1. Overview
Puppet Pals 1 is a creative storytelling app developed by Polished Play LLC and distributed on the Apple App Store. This plan describes how we protect data associated with the app, aligned with the NIST Cybersecurity Framework (CSF). The companion Privacy Policy describes what we collect; this document describes how we protect it.
Puppet Pals 1 (consumer) is for family and home use only. It is not appropriate for classroom or district deployment. The dedicated School Edition has materially stricter data handling (no AI features, no cloud uploads, no subscriptions) and is the only edition appropriate for classroom use.
2. Data Collected
Puppet Pals 1 does not collect personally identifiable information (PII) from children. The app handles:
- Anonymous analytics — aggregate usage data (features used, device type, OS version, country/region) collected by our own first-party system; it cannot be linked to individual users or devices.
- AI image data (transient, subscribers only) — when a subscriber uses an AI feature, the photo or text prompt is sent through our API to fal.ai, which forwards it to the current upstream image model (see the AI Processing details page). EXIF metadata is stripped server-side before forwarding. Generated images are returned through fal's CDN (60-second lifecycle, configured per request). No image bytes are stored on Polished Play servers.
- Shared videos (subscribers only, optional) — opt-in feature behind a parent confirmation. Videos are stored on AWS S3 and automatically deleted after 10 days.
- Subscription identifiers — Apple transaction IDs for verifying subscription status and enforcing fair-use quotas. No payment information is collected.
- Parent email addresses (optional) — provided voluntarily on parent-facing screens for update notifications.
- Feedback (optional) — provided voluntarily on parent-facing screens.
All puppet shows, recordings, and custom drawings are stored on the device only and are never transmitted to our servers unless the user explicitly invokes the optional video-sharing feature.
3. Administrative Safeguards
- All Polished Play employees and contractors with access to any stored data are bound by confidentiality agreements.
- Access to production systems is restricted to authorized personnel on a least-privilege basis.
- Polished Play personnel are trained on applicable privacy laws, including COPPA and GDPR.
- We do not sell, rent, or share user data with third parties for marketing or advertising purposes.
4. Technical Safeguards
- All data in transit between the app, our servers, and our subprocessors is encrypted using TLS 1.2 or higher.
- Server infrastructure is hosted on Vercel and Amazon Web Services (AWS), with industry-standard security controls.
- Server access requires multi-factor authentication.
- Anonymous analytics data is stored in aggregate form and cannot be linked to individual users or devices.
- EXIF and GPS metadata are stripped from uploaded photos at our API before they are forwarded to any AI processing partner. The upload itself reaches our server over TLS, but location data, timestamps, and device identifiers embedded in the photo are removed there and never reach fal.ai or the upstream model.
- Generated images on fal.ai's CDN are configured per request to expire after 60 seconds (fal's default is 7 days). This minimizes the window during which generated content lives at a publicly addressable URL.
- Production AI traffic is routed only through fal.ai. Other AI providers supported in admin tooling (Replicate, OpenAI direct) are not reachable from the consumer app — this is enforced at the API layer, not the client. The upstream model fal.ai routes to at any given time is named on the AI Processing details page. Different upstream models may have different terms regarding training and retention; we do not commit to advance notice of model changes.
- Image bytes (input photos and generated outputs) are never persisted by Polished Play servers. Only request metadata (timestamp, model, success/failure, cost estimate) is logged for billing and reliability monitoring.
- Shared videos are stored temporarily on AWS S3 and automatically purged after 10 days.
- No third-party analytics or tracking SDKs are used in the app.
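The server-side metadata stripping described above, as an added example that is not Polished Play's code: a dependency-free Python stripper that walks a JPEG's marker segments and a PNG's chunks, drops the metadata-bearing ones (Exif and XMP in APP1, other APPn, COM comments; eXIf, tEXt, zTXt, iTXt, tIME in PNG), leaves pixel data untouched, and rejects anything that is not one of those two formats rather than forwarding it. `metadata_markers()` is the post-strip check a practitioner would run before the bytes go out. The choice to keep APP0 (JFIF) and APP14 (Adobe colour transform) is this example's own policy, and the sample images are constructed inline with dummy scan data; none of this reflects a documented Polished Play setting.

```python
"""Strip metadata from uploaded images before forwarding them to an AI provider.
Added example, not Polished Play's code. Dependency-free: walks JPEG marker
segments / PNG chunks, drops the metadata-bearing ones, keeps pixel data as-is."""
import struct
import zlib

SOI, SOS = 0xD8, 0xDA
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # markers with no length field
KEEP_APP = {0xE0, 0xEE}  # APP0 (JFIF) and APP14 (Adobe) are needed to decode colours correctly
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_DROP = {b"eXIf", b"tEXt", b"zTXt", b"iTXt", b"tIME"}


def _is_metadata_marker(marker):
    # APP1..APP13/APP15 (Exif, XMP, IPTC, ...) and COM comments; APP0/APP14 are kept.
    return (0xE0 <= marker <= 0xEF and marker not in KEEP_APP) or marker == 0xFE


def _jpeg_segments(data):
    """Yield (marker, start, end) per header segment up to and including SOS, then
    (None, start, end) for the entropy-coded tail, which is copied verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    yield SOI, 0, 2
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:
            pos += 1  # 0xFF fill bytes before a marker are legal
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes its own 2 bytes
        end = pos + 2 + length
        yield marker, pos, end
        pos = end
        if marker == SOS:
            yield None, pos, len(data)
            return


def _png_chunks(data):
    """Yield (type, start, end) per chunk: 4-byte length, 4-byte type, data, 4-byte CRC."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        end = pos + 12 + length
        yield data[pos + 4:pos + 8], pos, end
        pos = end


def strip_metadata(data):
    """Return a copy of a JPEG or PNG with metadata removed; reject other types."""
    out = bytearray()
    if data[:2] == b"\xff\xd8":
        for marker, start, end in _jpeg_segments(data):
            if marker is None or not _is_metadata_marker(marker):
                out += data[start:end]
    elif data[:8] == PNG_SIG:
        out += PNG_SIG
        for ctype, start, end in _png_chunks(data):
            if ctype not in PNG_DROP:
                out += data[start:end]  # chunk copied whole, so its CRC stays valid
    else:
        raise ValueError("unsupported image type; reject rather than forward")
    return bytes(out)


def metadata_markers(data):
    """Names of metadata-bearing segments/chunks still present; [] means clean."""
    if data[:2] == b"\xff\xd8":
        return [("COM" if m == 0xFE else "APP%d" % (m - 0xE0))
                for m, _, _ in _jpeg_segments(data)
                if m is not None and _is_metadata_marker(m)]
    return [t.decode("ascii") for t, _, _ in _png_chunks(data) if t in PNG_DROP]


# Constructed samples (assumptions, not real uploads): real header structure, dummy scan data.
def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\0\0MM\x00\x2a\x00\x00\x00\x08GPS-tags-would-be-here")
    + _seg(0xE1, b"http://ns.adobe.com/xap/1.0/\0<x:xmpmeta/>")  # XMP can carry GPS too
    + _seg(0xFE, b"Shot on a family phone")                        # COM
    + _seg(0xDB, b"\x00" + bytes(64))                               # DQT, must survive
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")                       # SOS
    + b"\x12\x34\x56" + b"\xff\xd9"                                 # dummy scan data + EOI
)
SAMPLE_PNG = (
    PNG_SIG
    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + _chunk(b"eXIf", b"MM\x00\x2a\x00\x00\x00\x08")
    + _chunk(b"tEXt", b"Comment\0taken at home")
    + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    + _chunk(b"IEND", b"")
)

if __name__ == "__main__":
    for name, sample in (("jpeg", SAMPLE_JPEG), ("png", SAMPLE_PNG)):
        clean = strip_metadata(sample)
        print(name, metadata_markers(sample), "->", metadata_markers(clean),
              len(sample), "->", len(clean))
```

Two points worth keeping in mind when adapting this: the check must run on the bytes that are actually forwarded (after any resizing or re-encoding step, which can reintroduce metadata), and the stripper deliberately removes XMP and comment segments as well as Exif, because GPS coordinates and device descriptions are not confined to the Exif block.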
5. Data Sharing and Subprocessors
The following third-party services are used in the operation of Puppet Pals 1:
- fal.ai — receives EXIF-stripped photos and text prompts from our API at request time, returns generated images. We use the standard fal.ai service tier; the dedicated no-training contractual guarantee that fal.ai offers is part of their enterprise tier and does not currently apply to our account. See the AI Processing details page for the full chain and the current upstream model.
- Upstream image-model provider (reached via fal.ai) — receives the photo or prompt from fal.ai for processing. The current provider and model are named on the AI Processing details page. Today's upstream (Google Gemini paid tier) contractually prohibits training on customer inputs. Different models have different terms; we may change the upstream provider over time without advance notice. See "Changes to the AI Processing Chain" in the Privacy Policy.
- Amazon Web Services (AWS) — server hosting and temporary video storage (10-day retention).
- Apple — App Store distribution and In-App Purchase subscription processing.
- Vercel — hosts our public website and API routes.
No user data is shared with any other third parties.
6. Incident Response
In the event of an unauthorized release, disclosure, or acquisition of data:
- Polished Play will investigate the incident immediately upon discovery.
- Affected parties will be notified within 72 hours of confirmation.
- The notification will include a description of the incident, the types of data involved, and contact information.
- Polished Play will take immediate steps to contain and remediate the incident.
7. Data Retention and Disposal
- Photos and prompts sent for AI processing are not retained by Polished Play. Generated images expire from fal.ai's CDN 60 seconds after the response (configured per request). Handling of the input photo and prompt by fal.ai and the upstream model provider is governed by their respective terms, as described on the AI Processing details page.
- Anonymous analytics are retained in aggregate form indefinitely for product improvement.
- Shared videos are automatically deleted after 10 days.
- Parent email addresses are retained until a deletion request is received.
- Subscription identifiers are retained for the duration of the subscription.
- Deletion requests can be made at any time by contacting privacy@polishedplay.com.
8. NIST Cybersecurity Framework Alignment
Polished Play's security practices are aligned with the NIST Cybersecurity Framework (CSF). Given the minimal data we actually handle, our alignment is summarized below:
Identify (ID)
We maintain an inventory of the limited data we process. Our data collection is minimal by design: no PII from children, no user accounts, and no persistent identifiers beyond the Apple transaction ID used to verify subscription status. Risk assessments are conducted relative to the data we actually hold, with explicit attention to AI-processing data flows.
Protect (PR)
Access to production systems requires multi-factor authentication and is restricted to authorized personnel. All data in transit is encrypted via TLS. EXIF metadata is stripped before forwarding. Generated-content CDN retention is shortened to 60 seconds. The production AI provider chain is restricted at the server to fal.ai as the gateway; the current upstream model is described on the AI Processing details page. No third-party tracking SDKs are embedded in the app.
Detect (DE)
We monitor our server infrastructure for anomalous activity. Vercel and AWS provide logging and alerting for unauthorized access attempts. The per-request metadata logged for AI usage (timestamp, model, success/failure, cost estimate) is used to detect abuse patterns such as fair-use quota circumvention.
Respond (RS)
Our incident response process includes identification, containment, notification within 72 hours, and remediation. We cooperate with affected parties and regulatory bodies as required.
Recover (RC)
Given the minimal data we handle, recovery primarily involves restoring service availability. Lessons learned from any incident are incorporated into our security practices.
9. Contact
For questions about this Data Security & Privacy Plan or our data practices, contact us at privacy@polishedplay.com.
Effective: July 1, 2026