Tiny Tallies - Privacy Policy
Last updated: March 16, 2026
Magic Mirror Works ("we", "us", or "our") built Tiny Tallies as a free math learning application for children ages 6-9. This page informs you of our policies regarding the collection, use, and disclosure of information when you use Tiny Tallies.
Children's Privacy (COPPA Compliance)
Tiny Tallies is designed for use by children under parental supervision. We take children's privacy seriously:
- The app includes parental controls protected by a PIN that must be set by a parent or guardian
- Account sign-in requires parental PIN verification
- We do not knowingly collect personal information directly from children without parental involvement
- Math performance data is stored locally on the device and synced to our servers only when a parent signs in
- No advertising is displayed in the app
- No behavioral tracking or profiling of children is performed
- No advertising identifiers (IDFA/GAID) are collected
If you believe a child has provided personal information without parental consent, please contact us so we can take appropriate action.
Information We Collect
Account Information (Optional)
If a parent chooses to sign in, we collect:
- Email address - from Google Sign-In or Apple Sign-In (Apple users may use a private relay email)
- User ID - a stable identifier from the sign-in provider
- Display name - if provided by the sign-in provider
This information is used solely for account management and cloud sync. Authentication tokens are stored securely on the device using encrypted storage (expo-secure-store).
Child Profile Information
Parents create child profiles containing:
- First name - used for personalized greetings within the app
- Age and grade - used to calibrate math difficulty and curriculum
- Avatar and theme selections - cosmetic preferences
This data is stored locally and synced to our backend only when a parent signs in.
Learning and Performance Data
As children use the app, the following data is generated and stored locally:
- Skill states - Elo ratings, mastery levels, and attempt counts per math skill
- Session history - questions answered, time spent, and scores
- Badges earned - achievement milestones with timestamps
- XP and level progression - gamification metrics
- Wrong answer patterns - used locally for misconception detection and targeted teaching
When a parent signs in, score deltas (skill performance changes) are synced to our backend to enable cross-device progress. Score deltas are append-only and include: skill ID, rating change, XP change, correct/incorrect count, timestamp, and device ID.
Device Identifier
A random device identifier is generated locally for sync deduplication purposes. This identifier:
- Is randomly generated and not derived from hardware identifiers
- Is not linked to any personal information unless the user signs in
- Is used to deduplicate score submissions during cloud sync
- Is stored in our backend database (Cloudflare D1)
AI Tutor Interactions
Tiny Tallies includes an optional AI tutor that provides hints and explanations. When the tutor is used:
- The current math problem context and the child's previous answer are sent to Google Gemini API for generating age-appropriate explanations
- The AI never computes math answers — it only provides hints and context
- No child names, ages, or other personal information are included in AI requests
- Tutor conversations are stored locally on the device and are not sent to our servers
- Parents must grant tutor consent in the profile setup before the feature is available
Educational Videos
The app may suggest educational math videos from YouTube. Video playback:
- Requires separate parental consent before any videos can be shown
- Uses the
youtube-nocookie.com domain to minimize tracking
- Is embedded within the app — children are never redirected to YouTube or any external browser
- Navigation within the embedded player is restricted to prevent browsing away from the selected video
- Related video suggestions are suppressed
Error and Crash Reports
We use Sentry to collect crash reports and error logs. This helps us fix bugs and improve app stability. Error tracking is enabled by default and can be turned off at any time in parental controls. Sentry may collect:
- Device type and OS version
- App version and build number
- Error stack traces
- General usage breadcrumbs (e.g., which screen was active)
Personal information is automatically scrubbed from all error reports — child names, ages, and emails are redacted before transmission. Session replay and screen recording are completely disabled. Sentry is configured with sendDefaultPii: false. API keys are automatically redacted from all logs.
This data is used solely for error analysis and app improvement. It is never used for advertising, behavioral profiling, or any other purpose.
Benchmark Data (Optional)
Parents may opt in to anonymous benchmarking, which allows comparison of their child's progress against age-appropriate peer groups. If opted in:
- Aggregated skill performance is contributed to cohort statistics grouped by age range and US state
- No individual child data is identifiable within benchmark aggregates
- Participation requires explicit opt-in during profile setup
Data Stored on Your Device
Tiny Tallies stores the following locally on your device:
- Child profiles (name, age, grade, avatar, theme)
- All learning data (skill states, session history, badges, XP)
- Tutor conversation history
- App settings (sound, daily limits, bedtime lockout, break reminders)
- Parental PIN (in encrypted secure storage — never transmitted)
- Authentication tokens (in encrypted secure storage)
- Offline sync queue (pending score deltas)
This data can be cleared by uninstalling the app. The parental PIN and authentication tokens are stored in encrypted device storage and are never transmitted to our servers.
Data Stored on Our Servers
Our backend (hosted on Cloudflare Workers) stores:
- User accounts - authentication provider, provider user ID, email (if provided), display name, timestamps
- Child profiles - name, age, grade, avatar, aggregated stats (XP, level, Elo, sessions completed)
- Score deltas - append-only skill performance changes with timestamps and device ID
- Skill states - current Elo, mastery, attempts, and Leitner box per skill
- Badges earned - badge ID and earned timestamp
- Benchmark aggregates - anonymous cohort percentiles (if opted in)
- Consent records - privacy acknowledgment timestamps
Third-Party Services
Tiny Tallies uses the following third-party services, each with their own privacy policies:
- Google Gemini API - AI tutor hints and explanations (requires parental consent)
- Sentry - Error and crash reporting (opt-out available)
- Google Sign-In - Authentication (optional)
- Apple Sign-In - Authentication (optional, iOS only)
- YouTube - Educational video playback via youtube-nocookie.com (requires separate parental consent)
- Cloudflare - Backend hosting (Workers, D1)
Data We Do NOT Collect
- Location data
- Contact lists or address books
- Photos, camera, or media files
- Microphone or voice recordings
- Advertising identifiers (IDFA/GAID)
- Behavioral analytics or usage profiling
- Payment information (the app is free with no in-app purchases)
Data Retention
- User accounts and child profiles are retained for as long as the account is active. Inactive accounts may be purged after 12 months of no activity.
- Score deltas and skill states are retained for as long as the associated child profile exists.
- Benchmark aggregates are retained indefinitely as they contain no individually identifiable data.
- Consent records are retained as required by law.
- Crash reports are retained by Sentry for 90 days.
- Local device data is retained until the app is uninstalled or data is cleared by the user.
Your Rights
You have the right to:
- Access - Request information about what data we hold about your account and children's profiles
- Deletion - Request deletion of all your data from our servers by contacting us. Our backend provides a complete data deletion endpoint that cascades across all child profiles, score deltas, badges, skill states, and consent records.
- Modification - Edit or delete child profiles directly within the app's parental controls
- Opt out - Use the app without signing in (data stays on-device only), disable error reporting, disable benchmarks, and disable AI tutor and video features independently
To exercise these rights, contact us at the email address below.
Permissions Used
- Notifications - For optional daily practice reminders (scheduled locally, not server-pushed; configurable by parents)
- Internet - For cloud sync, AI tutor, educational videos, error reporting, and authentication
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the app after changes constitutes acceptance of the updated policy.
Contact Us
If you have any questions about this Privacy Policy, contact us at:
[email protected]