Privacy Policy
This Privacy Policy explains what personal data Maple Mindful Kids collects, how we use and protect it, and the rights you have. We adopt a strictest-wins posture — treating every visitor as if GDPR applies — which automatically satisfies PIPEDA, CCPA, UK GDPR, and similar frameworks worldwide.
1. Who We Are
Maple Mindful Kids (“we”, “us”, “our”) operates the website https://maplemindfulkids.com and the DailyWins mobile application. We are a Canadian digital-product business. Our data controller contact is privacy@maplemindfulkids.com.
We adopt a strictest-wins privacy posture: we treat every visitor as if GDPR (EU) applies, which automatically satisfies PIPEDA (Canada), CCPA (California), UK GDPR, LGPD (Brazil), and similar frameworks.
2. What Data We Collect
a) Information you provide directly
- Account registration: email address, display name, password hash (we never store plain-text passwords), and optionally an avatar.
- Purchases: name, billing address, email address for receipt and download delivery. Payment card details are processed and tokenized exclusively by Stripe or PayPal — we never see or store raw card numbers.
- Contact messages: name, email address, subject, and message text when you use our contact form.
- Free resource claims: email address and optional newsletter subscription preference.
- Product reviews: display name (which may be a nickname), star rating, and review text.
- Newsletter subscription: email address and optional name, language preference, and child age range (used only for segmentation — never sold).
b) Information collected automatically
- Log data: IP address, browser type and version, operating system, referring URL, pages visited, and timestamps. Retained for up to 30 days for security and fraud prevention.
- Cookies and local storage: session tokens (necessary), currency preference (necessary), language preference (necessary), and — subject to your consent — analytics cookies (GA4) and marketing cookies (Meta Pixel, Pinterest Tag). See Section 6 for full cookie details.
- Error and performance data: anonymised stack traces and performance timings collected via Sentry. Personal identifiers (email, IP, user agent) are stripped before transmission.
3. How We Use Your Data
| Purpose | Lawful basis |
|---|---|
| Fulfilling your order and delivering downloads | Contract |
| Sending order confirmation and receipts | Contract |
| Sending download links on expiry | Contract |
| Responding to contact form messages | Legitimate interest |
| Sending newsletter emails (opted-in subscribers) | Consent |
| Sending abandoned-cart reminder emails | Legitimate interest |
| Fraud detection and security | Legitimate interest |
| Analytics (aggregate, anonymised) | Consent |
| Targeted advertising on social platforms | Consent |
| Improving our products and website | Legitimate interest |
We never sell, rent, or trade your personal data to third parties for their marketing purposes.
4. Sub-Processors and Third-Party Services
We share data only with the processors necessary to operate our business. The primary processors are:
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All account and order data | US / EU |
| Stripe | Card payment processing | Name, billing address, email | US / EU |
| PayPal | Alternative payment processing | Name, email | US |
| Resend | Transactional email delivery | Name, email address | US |
| Vercel | Hosting and edge network | Logs, IP addresses | US / EU |
| Sentry | Error monitoring (PII-stripped) | Anonymised errors | US |
| Upstash | Rate limiting (Redis) | Hashed IP identifiers | US |
| Google Analytics 4 | Website analytics (consent-gated) | Pseudonymous usage data | US |
| Meta Pixel | Advertising attribution (consent-gated) | Pseudonymous ad interaction data | US |
| Pinterest Tag | Advertising attribution (consent-gated) | Pseudonymous ad interaction data | US |
Data Processing Agreements (DPAs) are signed with each processor. Transfers to processors outside the EEA rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.
5. Data Retention
- Account data: retained while your account is active, and for 3 years after deletion for legal and audit purposes.
- Order data: retained for 7 years for tax and accounting obligations.
- Download tokens: deleted automatically after 7 days of expiry.
- Contact messages: retained for 2 years.
- Newsletter subscriptions: until you unsubscribe or request deletion.
- Analytics data: aggregated data only, retained for 26 months in GA4 (as configured).
- Server logs: 30 days.
7. Your Rights
Depending on your jurisdiction, you have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion of your data (the “right to be forgotten”).
- Portability: receive your data in a machine-readable format (JSON).
- Restriction: limit how we process your data while a dispute is resolved.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: revoke consent for marketing or analytics at any time.
To exercise your rights, use the self-service tools at https://maplemindfulkids.com/account/privacy or email privacy@maplemindfulkids.com. We respond within 30 days. If you are in the EU, you also have the right to lodge a complaint with your local supervisory authority.
8. Children's Privacy
Our products are designed for children ages 3–12, but our website and accounts are intended for parents and guardians (18+). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@maplemindfulkids.com and we will delete it promptly.
9. Security
We use industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest (via Supabase), row-level security on all database tables, and server-side secret management. Payment data is handled exclusively by PCI-DSS-compliant processors (Stripe, PayPal). Despite these measures, no transmission over the internet is 100% secure.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated by email (to registered users) and by updating the “Last updated” date above. Continued use of our services after changes take effect constitutes acceptance of the revised policy.
11. Contact
For privacy questions, data requests, or to withdraw consent, contact us at privacy@maplemindfulkids.com. For general enquiries: contact@maplemindfulkids.com.