Privacy Notice
Version 2026-05-19 · last updated 19 May 2026
Brightspark Prep ("we", "us") is run by Himanshu Kher (sole trader), the data controller for the limited personal data described here. Contact us about privacy or your data rights at himanshu.kher@gmail.com.
The short version: the app is local-first. Practising is free and needs no account, and on the free tier none of your or your child's information ever leaves the device. We only hold a small amount of parent data when you choose to buy paid access.
1. Free tier — no account, nothing sent to us
When you use the free app, your child's progress, settings and an optional first name (used only to personalise greetings and reports) are stored solely in your browser's local storage on your own device. We cannot see, receive or access any of it. Clearing your browser data deletes it. We do not operate child accounts and do not collect children's personal data on our servers.
2. Paid accounts — what we hold and why
If you buy paid access, the account is held by a parent/guardian and we process:
- Your email address — to create your account and send passwordless "magic link" sign-in links. Lawful basis: performance of a contract.
- A consent record — the date and version of the terms and privacy notice you agreed to. Lawful basis: legal obligation / legitimate interests (record-keeping).
- Sign-in session identifiers — random opaque tokens so you stay signed in across devices. Lawful basis: contract / security legitimate interests.
- Your purchase and entitlement — which plan, status, expiry, and a Stripe customer reference. Lawful basis: contract; and legal obligation for tax/accounting records.
We never receive or store card or payment details. Payments are handled entirely by Stripe (see processors below). Sign-in "magic link" tokens are stored only as a hashed value, are single-use, and expire within about 15 minutes.
We do not sell your data, use it for advertising, or carry out any profiling. The only child-related field anywhere in the product is the optional first name described in section 1, which remains on your device and is never transmitted to us.
3. Cookies & analytics
We use no advertising or cross-site tracking cookies. After you sign in, your session token is kept in your browser's local storage (not a cookie). Our usage analytics are cookieless and aggregate — anonymous event counts (e.g. "pricing viewed") with no personal data and no individual tracking; if a privacy-focused analytics provider (such as Plausible) is enabled it remains cookieless and aggregate.
4. Who processes data for us
- GitHub Pages — static website hosting (page delivery, server logs).
- Cloudflare — the accounts/entitlement backend (Workers, D1 database, KV) and content delivery.
- Stripe — payment processing and tax (Stripe Tax). Stripe is an independent controller for payment data under its own privacy policy.
- Resend (Resend.com Inc.) — sending sign-in/magic-link emails.
Some processors may handle data outside the UK/EEA; where they do, they rely on appropriate safeguards (such as UK/EU Standard Contractual Clauses or adequacy).
5. How long we keep it
- Local device data (free tier): until you clear your browser — we never hold it.
- Magic-link tokens: minutes (single-use, ~15-minute expiry).
- Sign-in sessions: until they expire or you sign out.
- Account & entitlement: while your access is valid; purchase/transaction records are retained for as long as required by UK tax and accounting law (generally up to 6 years).
6. Your rights
Under UK data protection law you have the right to access, correct, delete, restrict or object to processing of your personal data, to data portability, and to withdraw consent at any time. To exercise any of these, email himanshu.kher@gmail.com. We will delete your account and associated server-side data on request, except records we must keep to meet legal obligations (e.g. tax records of a purchase).
You can also complain to the UK Information Commissioner's Office (ICO) at ico.org.uk. Our ICO data-protection registration is currently being completed; we will publish the reference number here once issued.
7. Security & changes
All traffic is encrypted (HTTPS). We store no passwords and no card data; sign-in tokens are hashed. We may update this notice; material changes increment the version shown above and, where they affect a paid account, we will ask you to re-confirm consent.
This notice is provided for transparency and is not legal advice. Children should always use the app with a parent or guardian.