Privacy Policy

Last updated: 17 April 2026

This Privacy Policy describes how [Legal entity name] (“WorldWhiz,” “we,” “us,” or “our”) collects, uses, stores, and shares information when you use the WorldWhiz web application and related services (the “Service”). The Service is used by families and learners; it is designed so that parents manage accounts and child profiles hold learning progress.

Important: Fill in [Legal entity name], [Privacy contact email], [Data protection contact if different], and [Postal address] before publishing. This document is not legal advice; have it reviewed by counsel, especially for children’s privacy and international transfers.

1. Who this policy applies to

Visitors browsing the public map without an account;
Parents or guardians who register an account, manage settings, and create child profiles;
Learners (often children) who use the Service through a parent-selected profile on a device—we do not provide separate child logins.

If you do not agree with this policy, please do not use the Service (and do not create an account).

2. Information we collect

We minimise what we collect. The categories below reflect how the Service actually operates.

2.1 Parent account (authenticated users)

Data	Purpose
Email address	Account identifier, login, magic-link authentication, password reset, and service-related notices
Hashed password	Secure authentication (we do not store plaintext passwords)
Session and security tokens	Keeping you logged in and protecting your account
Account timestamps	Operation and security of the Service

2.2 Child profiles (stored under the parent account)

Each profile may include:

Data	Purpose
Display name (e.g. nickname)	Showing who is learning in the UI
Avatar emoji	Personalisation
UI language and display preferences	Localisation and accessibility (e.g. map view mode, visited trail, text-to-speech on/off)
Learning data	Visited countries and quiz results so progress can continue across sessions and devices

We do not ask children to provide their own email address or real name as a condition of using a profile. Parents should choose display names that avoid unnecessary personal information.

2.3 Anonymous use of the public map

If you open the map without logging in, we do not persist your visited countries or identity on our servers for that session. Interaction may be held in memory only for the current visit (for example, to show a temporary count). We do not use that ephemeral state for marketing profiles.

2.4 Technical and usage data

Server logs: Our hosting environment may automatically log information such as IP address, user agent, request path, and timestamps for security, debugging, and reliability.
Cookies: We use essential cookies (and similar technologies) to maintain your session, protect against forgery, and—if you choose “remember me”—keep you signed in for a limited period. See Section 7.
Browser storage: The Service may store theme preference (light/dark/system) in your browser’s localStorage so the UI matches your choice. This is not used to identify you across sites.
Telemetry: Our application stack may emit internal operational metrics (for example, performance and health) that do not identify individual children for advertising.

We do not sell your personal information as defined under U.S. state privacy laws, and we do not use third-party advertising or behavioural profiling networks in the Service as described in our documentation.

2.5 Email delivery

When we send transactional email (confirmation, magic link, password reset), our email provider processes the recipient address and message content as a processor on our instructions.

3. Legal bases (EEA, UK, and similar jurisdictions)

Where GDPR or the UK GDPR applies, we rely on:

Performance of a contract — providing the Service you request (account, profiles, progress sync);
Legitimate interests — securing the Service, preventing abuse, improving reliability, and internal analytics that do not override your rights;
Legal obligation — where we must retain or disclose information to comply with law;
Consent — where required (for example, non-essential cookies or marketing, if we ever introduce them with clear opt-in).

For child profile data, we treat the parent account as the decision-maker for creating and managing profiles, consistent with how the Service is built.

4. How we use information

We use information to:

Provide, secure, and improve the Service;
Authenticate users and maintain sessions;
Store and sync learning progress for the active child profile;
Send service-related emails (authentication, security, and important changes);
Comply with law and respond to lawful requests;
Protect users and the Service from fraud and abuse.

We do not use child profile data to build advertising profiles or to sell personal information.

5. How we share information

We share information only as needed:

Recipient	Why
Hosting / infrastructure providers	Running the Service and storing the database
Email delivery provider	Sending transactional messages you trigger
Professional advisers	Legal, accounting, or security advisers when required
Authorities	When required by law or to protect rights and safety

We use written agreements (including standard contractual clauses where appropriate) with processors who handle personal data on our behalf.

6. International transfers

Your information may be processed in [describe primary region, e.g. European Economic Area / United Kingdom / United States] and other countries where we or our providers operate. If we transfer personal data from the EEA, UK, or Switzerland to countries not deemed adequate, we use appropriate safeguards (such as Standard Contractual Clauses) as required by applicable law.

7. Cookies and similar technologies

Essential cookies are required for login sessions, security (for example CSRF protection), and optional “remember me” functionality. We do not use non-essential analytics or advertising cookies in the current product design; if that changes, we will update this policy and, where required, obtain consent before setting non-essential cookies.

You can control cookies through your browser settings; disabling essential cookies may prevent sign-in or break parts of the Service.

8. Retention

We retain information only as long as needed for the purposes above:

Account data — while your account is active and for a short period afterwards to recover accounts or meet legal obligations;
Child profile and learning data — until the parent deletes the profile or account, or we delete data in line with our retention schedule;
Server logs — typically rotated or aggregated on a limited schedule for security and operations;
Tokens — magic links and email-change tokens expire per their technical design.

Account closure (in-product). If you use Delete account (with confirmation) in Account settings, we close your account by revoking access: we invalidate sign-in tokens and mark your account as closed in our systems. We may retain certain information — including identifiers and data linked to child profiles — for security, fraud prevention, dispute resolution, or where required or permitted by law. Where we no longer need personal data for providing the Service, we will delete or anonymise it in line with our retention schedule and applicable law.

You may request deletion or other rights as described in Section 9.

9. Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to certain processing, and to withdraw consent where processing is consent-based. You may also lodge a complaint with a supervisory authority.

In-product closure. Parents can close an account from Account → Delete account (with confirmation). That flow ends access to the Service under that account; it does not replace statutory rights (for example, to request full erasure or access). For requests that go beyond the in-product control, contact [Privacy contact email].

How to exercise rights: Contact [Privacy contact email]. We may need to verify your identity (and parental authority where child data is involved). We will respond within the timeframes required by applicable law.

9.1 European Economic Area, United Kingdom, Switzerland

You may have the rights above under GDPR / UK GDPR. Supervisory authorities include your local Data Protection Authority (EEA), the ICO (UK), and the FDPIC (Switzerland) where applicable.

9.2 United States — California and other states

If you are a resident of California, Colorado, Connecticut, Virginia, or other U.S. states with comprehensive privacy laws, you may have rights including access, deletion, correction, and opt-out of certain processing. We do not “sell” personal information or share it for cross-context behavioural advertising as part of the current Service; if practices change, we will provide the legally required mechanisms (including a “Do Not Sell or Share” link if applicable).

California minors: We do not knowingly sell or share the personal information of users under 16 for behavioural advertising.

9.3 Australia

You may request access to or correction of personal information we hold about you under the Privacy Act 1988 (Cth). You may complain to the Office of the Australian Information Commissioner (OAIC) if you are unsatisfied with our response.

9.4 Canada

Subject to exceptions under PIPEDA or applicable provincial law (including Law 25 in Quebec), you may have rights to access, rectification, and withdrawal of consent where processing is consent-based.

9.5 Japan

Under the Act on the Protection of Personal Information (APPI), you may request disclosure, correction, cessation of use, or cessation of third-party provision, subject to statutory exceptions. We will verify requests as appropriate.

10. Children’s privacy

Design. Children typically use the Service under a parent-managed account. We do not knowingly allow children to register their own independent accounts.

Parental control. Parents create, edit, and delete child profiles and can clear learning data from settings where the product allows.

United States (COPPA). We collect personal information from children only as reasonably necessary to provide the Service and consistent with parental involvement through the parent account. Parents may review, delete, or refuse further collection of child profile information by contacting [Privacy contact email] or using in-product controls.

UK Age-appropriate design and children’s standards. We aim to apply high-privacy defaults and data minimisation (for example, nicknames and emoji avatars rather than real names; optional features clearly described).

11. Security

We use industry-standard measures appropriate to the risk, including encryption in transit (HTTPS), hashed passwords, and access controls on servers. No method of transmission or storage is 100% secure; we encourage you to use strong passwords and keep devices updated.

12. Third-party links

The Service may reference or link to third-party sites. We are not responsible for their privacy practices. Review their policies before providing information.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the new version with an updated date. For material changes, we will provide additional notice where required by law (for example, by email or a prominent banner).

14. Contact

Privacy questions and requests: [Privacy contact email]
Postal address: [Address]
Data protection representative (EEA/UK if required): [If applicable]

15. Summary (non-binding)

This summary is for convenience only and does not replace the full policy above.

Parents hold accounts; child profiles store learning progress under parental control.
The public map can be used without an account; we don’t persist anonymous exploration on our servers the same way as profile progress.
We use essential cookies for login and security; theme may be stored in the browser.
We use processors (for example hosting and email) under contracts.
You have privacy rights that vary by country; contact us to exercise them.
You can close your account in Account settings; we may retain some data as described in the policy.