Privacy Policy
Last updated: 22 June 2026 · Version 1.1
Bunny Rewards (“Bunny”, “we”) is a family chores-and-rewards app operated by BYTE BUNNY S.L.U. (CIF B22465694), Avda. Tres de Mayo 30, Planta 1, Edif. Ahlers, 38005 Santa Cruz de Tenerife, Spain. This policy explains what we collect, why, the legal bases we rely on, and the choices and rights you have. Bunny is set up and managed by a parent or guardian and is subject to children's-privacy laws including the US COPPA and EU/UK GDPR-K.
Our privacy principles
- Parent first. A parent creates the family — that is the verifiable parental consent. Children never register on their own.
- Collect little. Children give no email, phone, or real-world identifiers.
- No tracking. No third-party advertising or analytics SDKs, and no behavioural profiling. We do not sell data.
- Keep it briefly, isolate it. Private media storage with short retention; each family's data is isolated.
Who Bunny is for & ages
The account holder must be a parent or legal guardian aged 18 or over. Children take part only through a profile created and supervised by their parent — they do not create accounts or give consent themselves. Because all processing of a child's data rests on parental consent / parental responsibility, Bunny meets the US COPPA standard (children under 13) and the strictest EU/UK digital-consent thresholds (13–16; in Spain, 14).
What we collect
From the parent (account holder)
- Name and email address (for the account and sign-in, via our self-hosted identity service).
- Billing data if you subscribe to Premium — handled by Stripe on the web; we do not store card numbers.
- Device push token (if you enable notifications) and basic app/device info needed to run the service.
- Record of parental consent (timestamp + policy version).
About each child (entered by the parent)
- A first name or nickname, an emoji avatar, and an optional profile PIN (stored hashed).
- Chore/task activity, star balances, and rewards.
- Evidence and chat media (photos, videos, voice messages) the child or parent uploads.
Proof & chat media (photos, video, voice)
Some features let a child or parent upload a photo, video, or voice message as proof of a task or inside a task chat. Under the 2025 update to COPPA, media that contains a child's image or voice is treated as the child's personal information. We collect it only with parental consent, use it solely to operate the chores and chat features, store it in a private bucket, and delete it on the retention schedule below. We do not use this media for biometric identification, profiling, advertising, or to train any AI model.
We do not collect a child's email, phone number, precise location, or persistent advertising identifiers, and we do not knowingly collect more than is needed for the chores/rewards features.
How we use data & our legal bases
| Purpose | Legal basis (GDPR Art. 6/8) |
|---|---|
| Provide the app — tasks, approvals, points, rewards, chat, reminders | Performance of a contract with the parent |
| Create & manage child profiles and their proof/chat media | Parental consent / parental responsibility |
| Send push notifications you ask for | Consent |
| Secure the service — anti-abuse, rate-limiting, fraud prevention | Legitimate interests |
| Process Premium billing; keep accounting/tax records | Contract & legal obligation |
Children's privacy (COPPA & GDPR-K)
How we verify parental consent. A parent registers a verified email account (through our self-hosted identity service), confirms they are the parent or guardian, and creates the family. We record that consent with a timestamp and the policy version. The parent then adds each child's minimal profile.
No third-party disclosure. We do not disclose a child's personal information to third parties for those parties' own purposes. Our service providers (below) act only on our instructions under a data-processing agreement. We do not show children third-party ads or behavioural tracking.
Parental choices. At any time a parent can review the child's information (in the app and via export), refuse further collection or use (by deleting the child or closing the account), and direct deletion of the child's data. If you believe a child's data was provided without proper consent, contact us at info [at] bytebunny [dot] com and we will delete it.
Cookies & local storage
The website uses your browser's local storage to remember your language and theme, and a host-only session cookie to keep you signed in when you manage your account. We use no advertising, analytics, or cross-site tracking cookies.
Sharing & subprocessors
We do not sell personal data. We use a small set of service providers (subprocessors), each under a data-processing agreement:
| Provider | Purpose | Region |
|---|---|---|
| Hetzner | App hosting & database | EU |
| Cloudflare R2 | Private media storage | EU |
| Stripe | Web billing (Premium) | Global |
| Google FCM / Apple APNs | Push notifications | Global |
| Resend | Transactional email | Global |
Data retention
We keep data only as long as needed, and we maintain a written data-retention policy. In summary:
- Account & profile data — kept while your account is active; deleted when you delete your family.
- Proof & chat media — auto-deleted after 30 days by default on the Basic plan (configurable per family); on Premium, kept for the life of the account until you delete it.
- Consent records — kept as proof of compliance while the account is active and for a reasonable period afterwards.
- Billing & tax records — kept for the period required by law.
- Backups — held on a short rolling cycle, then overwritten.
When you delete your family, all associated data — including media objects — is removed.
Your rights
You can, from within the app or by contacting us:
- Access / export — download all of your family's data.
- Erasure — delete your family and all associated data.
- Correction — edit names, tasks, and profiles at any time.
Under GDPR you also have rights to restriction, objection, and portability, and to lodge a complaint with your supervisory authority — in Spain, the Agencia Española de Protección de Datos (AEPD). To exercise any right, email info [at] bytebunny [dot] com.
Security, breaches & international transfers
We maintain a written information-security program with safeguards appropriate to the data: encrypted transport (HTTPS), hashed PINs, a private media bucket, access controls and least-privilege, and rate-limiting. Data is hosted in the EU, and children's proof/chat media stays in our EU storage. Where a provider (e.g., Stripe, Apple, Google, Resend) processes some data outside the EU, it is under appropriate safeguards such as the EU Standard Contractual Clauses or an adequacy decision.
If a personal-data breach occurs, we will assess it and, where required, notify the competent supervisory authority within 72 hours and affected users where the risk is high.
Changes
We will post any changes here and update the date and version above; material changes will be notified in-app.
Contact
BYTE BUNNY S.L.U. (CIF B22465694), Avda. Tres de Mayo 30, Planta 1, Edif. Ahlers, 38005 Santa Cruz de Tenerife, Spain · Privacy contact: info [at] bytebunny [dot] com.