Privacy

Privacy Policy

Effective Date: May 18, 2026

Nyro Quest is a mobile application operated by Nyro Dynamics Ltd ("we," "us," or "our"), located at 3030 Lincoln Ave #211, Coquitlam, BC V3B 2H6, Canada. This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you use the Nyro Quest mobile application ("App").

Nyro Quest has two modes. In Family Mode, the App is parent-directed: Parents create, choose, review, and assign missions before Children use them. Children do not independently upload photos, audio, PDFs, prompts, or other media; initiate AI requests; make purchases; or communicate with other users. In Self-Learner Mode, the learner manages their own account, missions, AI inputs, purchases, progress, privacy choices, export requests, and deletion requests.

This policy applies to Parents, Self-Learners, and Children. We are committed to complying with COPPA, PIPEDA and applicable Canadian provincial privacy legislation, and to providing privacy rights and disclosures designed to support users in other regions, including the European Economic Area, the United Kingdom, California, and other jurisdictions with similar privacy laws.

1. Information We Collect

From Parents and Self-Learners:

• Name
• Email address. Parent and Self-Learner email addresses are provided during registration and are not automatically verified at signup. We may ask users to verify their email address for account security, account recovery, abuse prevention, or access to certain features.
• Password (stored as a bcrypt hash; we never store or see your actual password)
• Country (optional)
• Timezone (automatically detected)
• Account type: Family Mode or Self-Learner Mode
• Consent records, including the date/time and policy versions accepted

From Children in Family Mode (collected with parental consent):

• First name or nickname
• Year of birth or date of birth if provided by the Parent for age-appropriate content
• Avatar selection
• PIN code (stored on our servers as a bcrypt hash; the parent app may store a device-local copy on the device where the PIN was set so the parent can view it — not uploaded to our servers)
• Learning activity data: lesson progress, quiz answers, game outcomes, quest completion, XP earned, streak days, and parent verification signals
• Session data: session start/end times, duration, slides viewed, quizzes answered, and similar progress signals

Automatically Collected:

• Device type, operating system, and standard HTTP request information
• Push notification token issued by Expo, if notifications are enabled, so we can route account, quest, or generation updates to the right device and profile
• First-party in-app analytics events, such as feature usage and credit-spend events, stored on Nyro Dynamics Ltd's own servers; we do not use a third-party mobile analytics SDK
• API request metrics such as route, timing, status code, and approximate request size; we do not store request bodies, prompts, uploaded content, tokens, emails, or child names in these metrics

From Parent / Self-Learner AI Inputs and Parent-requested Learning Coach summaries (only when you use those AI features):

• The mission brief or topic text you type or paste into the AI mission builder
• PDFs, photos, or worksheet images you choose to attach to a mission
• Voice recordings captured by the in-app microphone for transcription, and the resulting transcripts
• Editing and regeneration prompts you send to refine an AI-generated mission, slide, image, quiz, or game
• For Parent-requested Learning Coach summaries: quest details and learning evidence such as quiz question text, first selected answers, correct answers, game outcomes, effort stats, and progress signals

Children do not initiate AI requests. Only the adult / Parent or Self-Learner account on the device can send AI inputs or request a Learning Coach summary from OpenAI. See Section 10 below for details.

2. How We Use Information

• To provide the App's core functionality: accounts, missions, lessons, progress tracking, verification, and Self-Learner progress
• To allow Parents to monitor and guide their Children's learning
• To generate and review AI-assisted missions only when a Parent or Self-Learner chooses to use AI features
• To process subscriptions, credit top-ups, refunds, fraud checks, and purchase reconciliation through Apple or Google
• To send App notifications such as quest updates, generation updates, verification results, or account messages
• To send transactional emails, such as password reset emails
• To maintain security, prevent abuse, fix bugs, measure feature usage, and improve App stability
• To comply with legal, tax, accounting, consumer protection, and app-store obligations

3. Legal Bases for Processing

Where laws such as the GDPR or UK GDPR apply, we rely on the following legal bases:

• Contract: to create and manage accounts, deliver missions, track progress, process purchases, and provide requested App features.
• Consent: for Family Mode child profile creation, OpenAI data sharing for AI features, device permissions where required by the operating system, and optional choices such as push notifications.
• Legitimate interests: to secure the App, prevent abuse, maintain first-party analytics, debug issues, and improve reliability, balanced against user privacy expectations.
• Legal obligations: to keep purchase, tax, accounting, fraud-prevention, and compliance records where required.

4. Information Sharing

We do not sell, rent, or trade personal information. We do not share Children's information with third parties for marketing, advertising, or behavioral profiling. Information may be disclosed only:

• To the Parent who created the Child's profile (progress, quiz answers, session data, game outcomes, and verification signals)
• To the third-party service providers listed in Section 9, each only for the limited purpose described there and subject to confidentiality or data-protection obligations
• To OpenAI, when a Parent or Self-Learner explicitly uses AI features and agrees to send the relevant data
• To Apple or Google for in-app purchase and subscription processing
• When required by law, court order, app-store process, tax/accounting rule, or to protect our legal rights, users, or systems

5. Device Permissions and Biometrics

The App may ask for microphone, camera, photo library, push notification, and local biometric/passcode permissions. Microphone, camera, and photo library access are used only when a Parent or Self-Learner chooses to dictate, attach, or upload content for a mission or feedback. When a Parent is already signed in, starting Kid Mode on a shared device switches to the selected child's profile without re-entering the child's PIN; the child's PIN is still required when the child signs in on their own (for example via "I'm a Kid"). Face ID, Touch ID, or device passcode may be used to let a Parent securely return from Kid Mode to the parent dashboard. Biometric templates stay on your device and are handled by Apple, Google, or the device operating system; Nyro Dynamics Ltd does not receive or store biometric templates.

6. Data Storage, Security, and International Transfers

Data is stored on secure servers. Passwords and child PINs are hashed using bcrypt and cannot be recovered in plaintext from our databases. The parent app may optionally store a child PIN copy in the device's secure storage (e.g. Keychain) when the parent creates or resets the PIN, so the parent can view it on that device only; that copy is not synced to our servers. Authentication tokens are stored using secure device storage where supported. We use HTTPS for data transmission. While no system is perfectly secure, we implement reasonable safeguards to protect personal information.

Nyro Dynamics Ltd is based in Canada. Our service providers, including OpenAI, Expo, Apple, Google, and email providers, may process information in Canada, the United States, or other countries where they operate. Where required, we rely on contractual, organizational, and technical safeguards such as data-processing terms, confidentiality obligations, and appropriate transfer mechanisms.

7. Data Retention

We keep personal information only as long as needed for the purposes described in this policy, unless a longer period is required or permitted by law.

• Account and child profile data: retained while the account or child profile is active.
• Learning progress, quiz answers, game outcomes, quests, and sessions: retained while the relevant account or child profile is active, then deleted or anonymized during account/profile deletion.
• AI drafts, attachments, generated missions, and transcripts: retained while needed to provide the mission builder, review, and published mission features, then deleted or anonymized when drafts or accounts are deleted unless retention is required for security, billing, or legal reasons.
• Push tokens: retained while needed to deliver notifications and removed when the account is deleted, the token is replaced, or it is no longer valid.
• Analytics and API metrics: retained in aggregated or account-deidentified form where possible; account-linked records are deleted or de-linked when an account is deleted unless a documented legal or security reason requires retention.
• Purchase, subscription, tax, credit, and anti-fraud records: retained as long as necessary for store reconciliation, tax, accounting, dispute, fraud-prevention, and legal obligations.

Upon account deletion, we delete or anonymize personal profile data and associated child data within 30 days, except limited records we must retain for legal, accounting, fraud-prevention, dispute, or app-store reconciliation purposes.

8. Your Privacy Rights

Depending on where you live, you may have the right to access, correct, delete, export, restrict, or object to processing of your personal information; withdraw consent; appeal a privacy decision; or complain to a privacy regulator. Parents may exercise these rights for Children they manage in Family Mode. Self-Learners may exercise these rights for their own account.

You can delete your account in the App. You can request an export of your data from Account / Profile. You can also contact us at info@nyroquest.com. We may need to verify your identity or your authority over a Child profile before responding. We will not discriminate against you for exercising privacy rights.

9. Third-Party Services

The App relies on the following third-party services. Each receives only the data needed for its specific function and is bound by its own privacy policy and confidentiality or data-protection obligations:

• OpenAI (AI generation, Learning Coach summaries, and transcription): Receives the mission brief or topic text, attached PDFs / photos, voice recordings for transcription, editing or regeneration prompts, and parent-requested Learning Coach evidence when a Parent or Self-Learner uses those AI features.
• Google Gemini / Vertex AI (operator-generated media): Used by Nyro Dynamics Ltd staff for internal media-generation workflows such as map scenes, character scene videos, and background music assets. The mobile App consumes the resulting assets; Child profiles do not initiate Gemini / Vertex requests.
• Expo (push notifications): Issues push notification tokens and delivers push notifications on our behalf.
• Apple and Google (sign-in, in-app purchases, subscriptions, and app distribution): Process store purchases and provide receipts or purchase tokens we verify with the relevant store.
• Apple SMTP service via PHPMailer (email delivery): Used only to send transactional emails such as password reset emails and quest-completion notifications.

We do not use advertising networks, social media trackers, or third-party behavioral analytics SDKs.

10. AI Generation, Learning Coach, and Transcription (OpenAI)

The "Build with AI" features in the App (mission generation, regeneration of slides / images / quizzes / games, and voice-brief transcription) and the parent-requested "Nyro AI Learning Coach" summary are powered by OpenAI, a third-party AI service.

Who initiates the sharing. Only the adult account on the device — a Parent or a Self-Learner — can use these features. Children do not initiate AI requests. A Parent may choose to send learning evidence to OpenAI when they tap "Ask Nyro AI Coach" during quest verification.

What is sent to OpenAI. Only the content needed for that AI request:

• Mission brief or topic text you type or paste
• PDFs, photos, or worksheet images you choose to attach to a mission
• Voice recordings you make with the in-app microphone for transcription
• Editing or regeneration prompts you send to refine generated content
• The minimum context needed to fulfil the request, such as the slide or block being regenerated
• For the Learning Coach only: quest title / description, lesson or slide context, quiz question text, first selected answers, correct answers, game outcomes, progress and effort statistics, and derived mastery signals used to create a parent-only coaching summary

What is NOT sent to OpenAI. Account credentials, payment information, store receipts, push tokens, PIN hashes, login codes, and biometric information are never sent to OpenAI.

How we obtain permission. Before the App sends any of the data above to OpenAI for the first time, we display an in-app disclosure that names OpenAI, explains what categories of data will be sent, and asks for explicit permission. The user must tap "I agree, send to OpenAI" before any AI request runs. Learning Coach requests show a specific disclosure explaining that quest details, learning progress, quiz answers, and game outcomes will be sent to OpenAI for the parent-only summary. Permission can be revoked from Account → Privacy → Build with AI, and the next AI action will ask again before sending data.

OpenAI's protections. OpenAI is bound by its own privacy policy and data-processing terms, including obligations not to use API content to train its public foundation models. You can review OpenAI's privacy practices at openai.com/policies/privacy-policy.

11. Children's Privacy

We do not knowingly collect personal information from children without parental consent where consent is required. A Parent must create an account and explicitly agree to this Privacy Policy and our Children's Privacy Notice before any Child profile can be created. Children cannot create accounts independently. Local laws may define child consent ages differently; where required, the Parent or legal guardian must provide consent and manage the Child's use of the App. For more details, see our Children's Privacy Notice.

12. California and Similar U.S. State Notices

We collect the categories described above: identifiers, account information, child profile information, learning activity, commercial information, user content submitted by Parents or Self-Learners, device and usage information, and inferences derived from learning progress for parent-only summaries. We disclose these categories to service providers for the purposes described in this policy. We do not sell personal information or share it for cross-context behavioral advertising. We do not use sensitive personal information to infer characteristics or for purposes other than providing, securing, and improving the App.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify Parents and Self-Learners via the App or email where appropriate. Continued use of the App after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights:

• Email: info@nyroquest.com
• Phone: (778) 775-4535
• Address: 3030 Lincoln Ave #211, Coquitlam, BC V3B 2H6, Canada