Data Security & Privacy Plan — Puppet Pals 1 School Edition

1. Overview

Puppet Pals 1 School Edition is a creative animation app developed by Polished Play LLC, designed for use in K-12 educational settings. It can be deployed via Apple School Manager or Mobile Device Management (MDM) solutions.

This plan describes how we protect data associated with the app over the life of any contract with an educational agency, aligned with the NIST Cybersecurity Framework (CSF). Polished Play complies with the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and the General Data Protection Regulation (GDPR).

Puppet Pals 1 School Edition does not collect any personally identifiable information (PII) from students. All student-created content is stored entirely on-device.

2. Data Collected

The School Edition is designed with minimal data collection. No student PII is collected, stored, or transmitted. The app collects:

• Anonymous analytics — aggregate usage data (features used, device type, OS version, country/region) through our own first-party system. This data cannot be linked to any individual user or device. User ID tracking is disabled in the School Edition.
• Parent email addresses (optional) — behind a parent gate, parents may provide an email for update notifications.
• Feedback (optional) — behind a parent gate, parents may submit feedback.

The School Edition does not include:

• AI image generation features
• Video sharing features
• Subscription or payment features
• User accounts or login
• Any Apple App Store authentication prompts

3. Administrative Safeguards

• All Polished Play employees and contractors with access to any stored data are bound by confidentiality agreements.
• Access to production systems is restricted to authorized personnel on a least-privilege basis.
• Polished Play personnel are trained on applicable privacy laws including FERPA, COPPA, and GDPR.
• We do not sell, rent, or share user data with third parties for marketing or advertising purposes.
• We do not use student data for targeted advertising or to build student profiles for non-educational purposes.

4. Technical Safeguards

• All data transmitted between the app and our servers is encrypted using TLS 1.2 or higher.
• Server infrastructure is hosted on Vercel with industry-standard security controls.
• Server access requires multi-factor authentication.
• Anonymous analytics data is stored in aggregate form and cannot be linked to individual users, devices, or students.
• No third-party analytics or tracking SDKs are used in the app.
• User ID tracking is explicitly disabled in the School Edition to prevent any identification of individual users.

5. Data Sharing and Subprocessors

Puppet Pals 1 School Edition uses the following third-party service:

• Vercel — server hosting for API routes that process anonymous analytics and optional parent email/feedback submissions.

No student data is shared with any third party. No third-party analytics, advertising, or tracking services are used.

6. Incident Response

In the event of an unauthorized release, disclosure, or acquisition of data:

• Polished Play will investigate the incident immediately upon discovery.
• Affected educational agencies will be notified within 72 hours of confirmation of the incident.
• The notification will include a description of the incident, the types of data involved, the date or estimated date of the incident, and contact information.
• Polished Play will take immediate steps to contain and remediate the incident.
• Polished Play will cooperate with affected educational agencies and any regulatory bodies as required by law.
• Polished Play maintains a written incident response plan consistent with industry standards and applicable law, and will provide a summary upon request.

7. Data Retention and Disposal

• Anonymous analytics are retained in aggregate form for product improvement. This data cannot be linked to individual students.
• Parent email addresses are retained until a deletion request is received.
• Upon written request from an educational agency, Polished Play will dispose of or transfer any data associated with the agency within 60 days.
• Upon termination of a data privacy agreement, Polished Play will dispose of all applicable data after providing reasonable prior notice.
• Deletion requests can be made at any time by contacting privacy@polishedplay.com.

8. Data Transition

Since Puppet Pals 1 School Edition does not collect or store student PII, there is no student data to transition back to the educational agency upon contract termination. All student-created content resides on the device and is fully under the control of the school and student at all times.

9. Alignment with Educational Agency Policies

Polished Play is committed to aligning its data security and privacy practices with applicable educational agency policies. Our minimal data collection approach is designed to exceed the requirements of most institutional data privacy policies. We will cooperate with any educational agency to address specific policy requirements.

10. NIST Cybersecurity Framework Alignment

Polished Play's security practices are aligned with the NIST Cybersecurity Framework (CSF). Given that no student PII is collected, our alignment is summarized below:

11. Contact

For questions about this Data Security & Privacy Plan or our data practices, contact us at privacy@polishedplay.com.