Privacy policy

What we do with your data, in plain English.

We collect what we need to run the app — your account, your family, your stars. We don't sell data and we don't run advertising. This page tells you exactly what's collected, why, and how to delete it.

Policy details

Last updated: 1 May 2026

The short version

  • We collect what's needed for the app to work — nothing else
  • We don't sell your data and we don't show ads
  • Children's profiles are added by you, the parent — not by children
  • You can export or delete everything by emailing us
  • We use a small number of trusted providers (listed below) — no third-party trackers or analytics

Who we are

Little Stars is operated by [YOUR LEGAL NAME OR TRADING NAME], based in the United Kingdom. We're the data controller for the data described on this page.

How to reach us about privacy: privacy@littlestarsapp.co.uk

Note for the operator: replace [YOUR LEGAL NAME OR TRADING NAME] above with your registered business name (sole trader, Ltd, etc.) and add your registered address before going live. If you're an ICO-registered controller, add your registration number too.

What we collect

Information you give us

  • Email address and password — when you sign up. The password is hashed; we never see it in plain text.
  • Family details — the family name and a short family code generated for you.
  • Children's profiles — first name (or nickname), avatar, colour, and any settings you choose. We recommend first name or nickname only — there's no need for a full real name.
  • Chore, reward, and mood data — what you create in the app: chore titles and descriptions, reward titles and costs, completion records, mood log entries.
  • Photos (optional) — if you upload a photo as proof of a completed chore. Photos are stored privately and only visible to people in your family.

Information collected automatically

  • Sign-in events and timestamps — when you signed in and from what device, used for security.
  • Diagnostic logs — if the app encounters an error, we log details to help us fix it (no personal content is included).
  • Cloudflare bot protection — Cloudflare may set a __cf_bm cookie on your browser to distinguish humans from bots. This is a strictly-necessary cookie required for the site to work.

What we don't collect

  • Your real address, phone number, or government ID
  • Any tracking or fingerprinting across other websites
  • Marketing or analytics cookies
  • Behavioural data about children for any commercial purpose

Why we collect it (purposes and legal basis)

DataWhyLegal basis (UK GDPR)
Email + passwordLets you sign inContract
Family + child profilesRun the chart for your familyContract
Chores, rewards, photos, moodsSave what you create so you can come back to itContract
Sign-in logsAccount security and fraud preventionLegitimate interest
GoCardless customer & mandate IDProcess Premium subscription paymentsContract
Diagnostic error logsFix bugsLegitimate interest

Children's data

Little Stars is designed for parents (or other trusted adults) to use with their children. Some important points:

  • The parent creates the account — children don't sign up directly.
  • The parent enters all profile information for each child, choosing what to share. We strongly recommend first names or nicknames only.
  • We never ask a child for personal information directly — children only see and interact with what their parent has set up.
  • Children under 13 should not create accounts themselves (the UK age of digital consent for personal data is 13).
  • If a child's profile contains data you didn't intend to provide — for example, you suspect another adult shared something — email privacy@littlestarsapp.co.uk and we'll investigate within 7 days.

Who we share data with

We use a small number of trusted service providers ("processors") to run Little Stars. They process data only on our instructions and only for the purposes listed.

ProviderWhat it doesWhere data sits
Supabase Hosts the database, authentication, and photo storage The Supabase region you chose at project creation. [OPERATOR — confirm region, e.g. eu-west-2 (London)]
Cloudflare Hosts the marketing site and the billing API worker Cloudflare's global edge network
GoCardless Subscription billing for Premium users (only) GoCardless (UK / EU)
Resend Transactional emails — sign-up confirmations, password resets, etc. Resend (USA / EU)

We don't share your data with anyone for marketing, advertising, or analytics. We don't run third-party analytics tools.

International data transfers

Some of our providers process data outside the United Kingdom. Where they do, the transfer is governed by either:

  • UK adequacy regulations (where the country is on the UK's adequacy list), or
  • The UK International Data Transfer Agreement, or the UK Addendum to EU Standard Contractual Clauses (where it isn't).

How long we keep data

  • Account and family data — while your account is active, plus 30 days after deletion (so we can recover from accidental deletion).
  • Photos — until you delete them, or 30 days after account deletion.
  • Sign-in logs — 90 days.
  • Subscription and payment records — 6 years after the subscription ends (UK financial-records requirement).

Your rights

Under UK GDPR you have the right to:

  • Access the data we hold about you
  • Correct anything that's wrong
  • Delete your data ("right to be forgotten")
  • Export your data in a portable format
  • Withdraw consent for any processing based on consent
  • Object to processing for direct marketing (we don't do any, but the right exists)
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk

To exercise any of these, email privacy@littlestarsapp.co.uk from the address on your account. We'll respond within 30 days (usually much sooner).

Deleting your account

Email privacy@littlestarsapp.co.uk from the address on your account, and we'll permanently delete your account and all associated family data within 7 days. There's no in-app self-service deletion button yet — that's on our roadmap.

Cookies and similar tech

Little Stars uses localStorage in your browser to remember your sign-in and preferences. localStorage is not a cookie and is not transmitted to our servers automatically.

The only cookies you may encounter on our site are:

  • __cf_bm — set by Cloudflare for bot protection. Strictly necessary; lasts 30 minutes.

GoCardless sets its own cookies on its hosted payment pages (a separate domain) when you subscribe to Premium. See GoCardless's privacy policy for details.

We do not use any third-party tracking, advertising, or analytics cookies.

Security

We take reasonable technical and organisational measures to protect your data: encrypted connections (HTTPS), strict database access controls, and regular reviews. No system is 100% secure, but we work hard to make a breach unlikely. If a breach affects your data, we'll notify you and the ICO as required by law.

Changes to this policy

If we make a meaningful change, we'll bump the "last updated" date at the top of this page and notify you by email. Continued use of Little Stars after the change means you accept the new version.

Contact

Privacy or data questions: privacy@littlestarsapp.co.uk

You can also lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.

A note from the team: this policy was drafted by us in plain English to be useful, not to hide things in legalese. If anything is unclear or you'd like a section explained, email and we'll respond.