Data Security & Privacy Plan — Puppet Pals 2

1. Overview

Puppet Pals 2 is a creative animation app developed by Polished Play LLC. This plan describes how we protect data associated with the app, aligned with the NIST Cybersecurity Framework (CSF). This plan covers both the free and paid versions of Puppet Pals 2, including the School Edition.

Puppet Pals 2 does not collect, store, or transmit ANY user data. All content is stored locally on the device.

Polished Play complies with the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and the General Data Protection Regulation (GDPR).

If we introduce analytics, email collection, or any other data practices in a future version, we will update this plan and our privacy policy before those features ship.

2. Data Collected

None.

Puppet Pals 2 does not collect any data from users. Specifically:

  • No analytics or usage tracking of any kind
  • No personal information
  • No email addresses or contact information
  • No device information or technical data
  • No cookies or tracking technologies
  • No user accounts or login
  • No network requests that transmit user data

All content created in the app (movie recordings, custom faces) is stored locally on the device only. This content is never transmitted to Polished Play servers or any third party.

3. Administrative Safeguards

Because Puppet Pals 2 collects no user data, administrative safeguards are focused on maintaining this zero-collection posture:

  • Any changes to data collection practices require explicit review and approval, with updates to this plan and our privacy policy prior to implementation.
  • Polished Play personnel are trained on applicable privacy laws, including FERPA, COPPA, and GDPR.
  • We do not sell, rent, or share user data with third parties for any purpose.

4. Technical Safeguards

  • The app does not make network requests that transmit user data.
  • No third-party analytics, advertising, or tracking SDKs are embedded in the app.
  • No third-party services that could collect user information are integrated.
  • The app operates entirely offline in terms of data handling.

5. Data Sharing and Subprocessors

Puppet Pals 2 does not share any data with any third party. No subprocessors are used for data collection, analytics, or storage. The only third-party involvement is Apple for app distribution through the App Store.

6. Incident Response

Because Puppet Pals 2 does not collect or store any user data, the risk of a data breach involving user information is effectively zero. However, Polished Play maintains an incident response plan:

  • If a vulnerability is discovered in the app, Polished Play will investigate immediately and release a patch through the App Store.
  • If Polished Play becomes aware of any security concern related to the app, affected educational agencies will be notified within 72 hours.
  • Polished Play will cooperate with affected educational agencies and any regulatory bodies as required by law.

7. Data Retention and Disposal

There is no data to retain or dispose of. Puppet Pals 2 does not collect or store any user data on Polished Play servers. All user-created content resides on the device and is fully under the control of the user or the educational agency that manages the device.

8. Data Transition

Since Puppet Pals 2 does not collect or store any user data, there is no data to transition back to an educational agency upon contract termination. All user-created content resides on the device and is fully under the control of the school and student at all times.

9. NIST Cybersecurity Framework Alignment

Polished Play's security practices are aligned with the NIST Cybersecurity Framework (CSF). Because Puppet Pals 2 collects no user data, our alignment reflects this zero-collection posture:

Identify (ID)

Puppet Pals 2 processes no user data. Our data inventory for this product is empty by design. Risk is minimal as there is no data to protect beyond the app binary itself.

Protect (PR)

Protection is achieved through the absence of data collection. No network requests transmit user data. No third-party SDKs that could collect data are embedded. The app functions entirely offline for data purposes.

Detect (DE)

Since no user data flows through our systems, detection focuses on monitoring for unauthorized modifications to the app distribution and ensuring continued compliance with our zero-collection design.

Respond (RS)

In the event of a security concern, our response includes investigation, notification to affected parties within 72 hours, and issuing a corrected version through the App Store.

Recover (RC)

Recovery involves releasing a patched version of the app. Because no user data is stored on our systems, there is no data to restore or recover. Lessons learned are incorporated into development practices.

10. Contact

For questions about this Data Security & Privacy Plan or our data practices, contact us at privacy@polishedplay.com.

Last updated: April 6, 2026