Wings — Privacy Policy

Effective date: 27 May 2026 Contact: privacy@wings.courses

1. Who we are

Wings is a mobile application for parents of children aged 2–14, helping them spend five meaningful minutes a day with their child. The data controller is the Wings operator (registration details and contact information are listed on our Support page).

We are preparing this policy to comply with GDPR (EU), COPPA (US 13-), and the applicable laws of the pilot markets (Russia, Poland).

2. What data we collect

2.1. About the parent (master or adult account)

• Email — from Google OAuth, used to log in and identify the family account.
• Display name — from the Google profile, optional.
• Google Account ID (sub) — for sign-in verification.
• Technical data: device, OS, app version, request IP addresses (logs of the reverse-proxy on the server). Retained for ≤30 days.

We do not request or store: Google password, phone number, address, or payment credentials. Subscriptions are processed through Apple App Store and Google Play — payment details stay with the stores, Wings only receives the subscription status (active / cancelled / expired).

2.2. About the child

• Name (parent-entered, may be a nickname).
• Date of birth — used to determine the age group.
• Gender (boy / girl / other / prefer not to say) — for tuning the card tone.
• Progress: which cards the child has seen, how the parent rated them («easier», «just right», «harder», «skip»), which cards have been saved to the collection.

Wings does not request photos of the child, voice recordings, geolocation, or any other sensitive personal data.

2.3. About usage of the application

Analytics events (which sections were opened, which buttons were pressed) — without personal identifiers. We use this data to improve the application.

3. Why we collect data

• To deliver the service: pick relevant cards, save progress, sync between devices.
• To improve content: anonymous analytics help us see which cards are popular, which are skipped.
• Account security: detect suspicious sign-ins.
• Mandatory communications: account or subscription changes (we do not send marketing emails without explicit consent).

4. Whom we share data with

• Apple App Store / Google Play — for subscription processing (RevenueCat is the technical intermediary).
• Google Cloud Platform / Hetzner — application and database hosting (servers in the EU).
• Firebase Cloud Messaging — push notifications (no message content stored).
• No third-party advertising.
• We do not sell data.

We may disclose data to law-enforcement authorities if required by law (and will inform the user where legally possible).

5. How long we retain data

• Active account: as long as you use the service.
• Inactive account: 12 months after the last sign-in we send a deletion notice; after 30 days the data is deleted.
• Manual deletion: any time via Settings → «Delete account» — within 30 days we delete all data except items legally required to retain (e.g. invoices for tax purposes).
• Logs: ≤30 days.

6. Your rights (GDPR / COPPA / RF 152-FZ)

• Right of access: get a copy of your data (in JSON).
• Right of rectification: edit data directly in the application.
• Right of erasure: delete the account.
• Right to data portability: download a JSON export.
• Right to withdraw consent: at any time.
• Right to lodge a complaint: to the supervisory authority of your country.

Requests: privacy@wings.courses. Response within 30 days.

7. Children

• We register accounts only for parents aged 18+.
• Children's data is entered by the parent and is not processed for marketing.
• COPPA (US 13-): we do not have direct child accounts. Data about a child under 13 is processed only with verifiable parental consent (which is granted by the parent who created the family account).

8. Cookies and tracking

• No advertising cookies.
• Analytics — anonymous (no third-party trackers).
• Local storage (localStorage) is used only for caching cards on the device.

9. Data security

• All data in transit is encrypted (HTTPS).
• Database backups encrypted at rest.
• Access to production restricted to a small team (the Wings operator).
• Incident-response process: we will notify users within 72 hours of detecting a leak (per GDPR).

10. International transfers

Servers are in the EU. If usage requires data transfer outside the EU (e.g. push notifications via FCM), we apply Standard Contractual Clauses (SCC) to Google.

11. Changes to this policy

We will notify you of substantive changes via email and an in-app banner ≥30 days before they take effect. The full change history is published in our repository.

12. Contact

• General: info@wings.courses
• Privacy / GDPR: privacy@wings.courses
• Support: support@wings.courses

We are not a public company and have no Data Protection Officer (DPO) — for privacy questions, please use the email above.

Русская версия