Privacy Notice
Version 2026-05-22 · last updated 22 May 2026
Brightspark Prep ("we", "us") is run by Himanshu Kher (sole trader), the data controller for the limited personal data described here. Contact us about privacy or your data rights at himanshu.kher@gmail.com.
The short version: the app is local-first. Brightspark Prep is free to use and needs no account, and if you use it without an account none of your or your child's information ever leaves the device. We only hold a small amount of parent data if you choose to create an optional account.
1. Without an account — nothing is sent to us
Brightspark Prep is free to use, and you can use all of it without creating an account. When you do, your child's progress, settings and an optional first name (used only to personalise greetings and reports) are stored solely in your browser's local storage on your own device. We cannot see, receive or access any of it. Clearing your browser data deletes it. We do not operate child accounts and do not collect children's personal data on our servers.
2. Accounts — what we hold and why
Creating an account is optional and free; it lets your child's progress sync across devices. If you create one, it is held by a parent/guardian and we process:
- Your email address — to create your account and send passwordless "magic link" sign-in links. Lawful basis: performance of a contract.
- A consent record — the date and version of the terms and privacy notice you agreed to. Lawful basis: legal obligation / legitimate interests (record-keeping).
- Sign-in session identifiers — random opaque tokens so you stay signed in across devices. Lawful basis: contract / security legitimate interests.
- Any purchase and entitlement — if you make a payment: which plan, status, expiry, and a Stripe customer reference. Payments are not currently enabled — Brightspark Prep is free during our launch — so this applies only if and when paid plans are introduced. Lawful basis: contract; and legal obligation for tax/accounting records.
We never receive or store card or payment details. Payments are handled entirely by Stripe (see processors below). Sign-in "magic link" tokens are stored only as a hashed value, are single-use, and expire within about 15 minutes.
We do not sell your data, use it for advertising, or carry out any profiling. The only child-related field anywhere in the product is the optional first name described in section 1, which remains on your device and is never transmitted to us.
3. Cookies & analytics
We use no advertising or cross-site tracking cookies. After you sign in, your session token is kept in your browser's local storage (not a cookie). Our usage analytics are cookieless and aggregate — anonymous event counts (e.g. "pricing viewed") with no personal data and no individual tracking; if a privacy-focused analytics provider (such as Plausible) is enabled it remains cookieless and aggregate.
4. Who processes data for us
- GitHub Pages — static website hosting (page delivery, server logs).
- Cloudflare — the accounts/entitlement backend (Workers, D1 database, KV) and content delivery.
- Stripe — payment processing and tax (Stripe Tax), used only if and when paid plans are introduced. Stripe is an independent controller for payment data under its own privacy policy.
- Resend (Resend.com Inc.) — sending sign-in/magic-link emails.
Some processors may handle data outside the UK/EEA; where they do, they rely on appropriate safeguards (such as UK/EU Standard Contractual Clauses or adequacy).
5. How long we keep it
- Local device data (no account): until you clear your browser — we never hold it.
- Magic-link tokens: minutes (single-use, ~15-minute expiry).
- Sign-in sessions: until they expire or you sign out.
- Account & entitlement: while your account exists; any purchase/transaction records are retained for as long as required by UK tax and accounting law (generally up to 6 years).
6. Your rights
Under UK data protection law you have the right to access, correct, delete, restrict or object to processing of your personal data, to data portability, and to withdraw consent at any time. To exercise any of these, email himanshu.kher@gmail.com. We will delete your account and associated server-side data on request, except records we must keep to meet legal obligations (e.g. tax records of a purchase).
You can also complain to the UK Information Commissioner's Office (ICO) at ico.org.uk. Our ICO data-protection registration is currently being completed; we will publish the reference number here once issued.
7. Security & changes
All traffic is encrypted (HTTPS). We store no passwords and no card data; sign-in tokens are hashed. We may update this notice; material changes increment the version shown above and, where they affect an account holder, we will ask you to re-confirm consent.
This notice is provided for transparency and is not legal advice. Children should always use the app with a parent or guardian.