PRIVACY POLICY

Effective date: December 8th 2025

This Privacy Policy explains how Veska Games s.r.o. (“we”, “our”, “us”, “Veska Games”) collects and uses personal data when you use Manabies, an educational game for children, teachers, and parents.

Our goals:

  • be transparent
  • be simple
  • collect only what is necessary
  • protect student data
  • make everything easy for schools

Applicability (EU/EEA/UK, USA, Worldwide): This Privacy Policy applies globally, including in the European Union (EU), European Economic Area (EEA), the United Kingdom (UK), and the United States. For users in the EU/EEA/UK, all processing of personal data is carried out in accordance with the GDPR (General Data Protection Regulation).

1. Who we are

Veska Games s.r.o.
Address: Lidická 700/19, Veveří 60200 Brno, Czech Republic
Company ID: 21401373
VAT ID: CZ21401373
Privacy contact: [email protected]
We do not appoint a Data Protection Officer.
As a company established in the EU, we are not required to appoint an EU or UK representative.

2. Terminology (EU vs. U.S. law)

To avoid confusion:

GDPR (EU/EEA/UK)

The terms “Data Controller” and “Data Processor” used in this Policy follow GDPR definitions:

  • Data Controller (GDPR Art. 4(7)): the entity that determines the purposes and means of processing personal data.
  • Data Processor (GDPR Art. 4(8)): the entity processing personal data on behalf of the controller.

In the EU/EEA, parental consent is required for children under the age defined by national law (usually 13–16; 15 in the Czech Republic). EU users may also lodge a complaint with their local data protection authority.

United States equivalents

The U.S. does not use “controller/processor”. Equivalent roles are:

FERPA:

  • Schools = owners of “education records”
  • Vendors (like Veska Games) = School Officials

COPPA:

  • Veska Games = “Operator”
  • Parent gives consent (or School via the school exception)

State privacy laws (e.g., California CCPA/CPRA):

  • “Business”
  • “Service Provider”

These U.S. concepts apply only to users and Schools located in the United States. Where this Policy uses GDPR terms, they apply specifically to EU/EEA/UK users and are mapped to their U.S. equivalents as described above.

3. How Manabies works

Manabies does not include open text fields or communication tools that would allow children to submit personal information.

Manabies has two legally distinct modes:

A) School Mode (classroom use)

When a teacher or school creates student accounts:

For Schools in the EU/EEA/UK:
School = Data Controller (GDPR)
Veska Games = Data Processor (GDPR)

For Schools in the United States:
Veska Games acts as a “School Official” under FERPA, because it performs institutional services for the School and is under the School’s direct control regarding the use and maintenance of student education records.

We process student data only for educational purposes and only under the School’s instructions. We do not use student data for advertising or marketing purposes.

COPPA School Exception (USA)
In the United States, Schools may authorize the use of Manabies for educational purposes under COPPA’s school exception without collecting parental signatures.
Teachers in the United States do NOT need to gather parent consent when the Service is used strictly for classroom use.
This applies strictly to classroom use in the United States.

B) Home Mode (parent-managed use)

Manabies is free to play. A subscription unlocks optional premium features. When a parent creates a child’s account:

  • Veska Games = Data Controller

Parental consent:

  • Required legally where applicable (for example under COPPA in the United States and under GDPR child-consent rules in the EU/EEA/UK),
  • Free,
  • Not tied to payment.

4. Personal data we collect

We only collect what is necessary for the Service. We do not sell or share personal information as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA). We do not use personal information for targeted or behavioral advertising.

4.1 Data you provide

Teachers

  • Full name
  • Email
  • Class names created in Manabies

Students

  • First name, first name + initial, or a school-assigned pseudonym (as determined by the School)
  • Class / grade
  • School affiliation

Parents

  • Full name
  • Email
  • Subscription status (payment handled by external provider; we do not store card numbers)

4.2 Data created during use

Learning & gameplay:

  • Answers, attempts, results
  • Accuracy
  • Mastery estimates
  • Time spent
  • Session frequency
  • Adaptive learning signals (e.g., spaced repetition intervals)

Classroom context:

  • Class assignment
  • Teacher–student relationships

Technical & device:

  • Device type
  • OS version
  • Browser/app version
  • App language
  • Region-level IP address (for security and localization; we do not collect precise or GPS-level location data)
  • Crash logs (not connected to the student’s name)
  • Error diagnostics
  • Timestamps, performance

We do not collect sensitive data (biometrics, health, religion, precise location).

5. Why we process data

  • Provide and improve gameplay
  • Track learning progress
  • Show results to teachers and parents
  • Ensure safety and security
  • Troubleshoot issues
  • Fulfill legal obligations

6. GDPR Compliance (EU/EEA/UK)

6.1 Legal bases (GDPR Art. 6)

  • Contract necessity
  • Legitimate interests (education, security)
  • Parental consent (Home Mode)
  • Legal obligation

6.2 Rights of EU/EEA/UK users (Art. 15–22)

You may request:

  • Access
  • Correction
  • Deletion
  • Restriction
  • Portability
  • Objection
  • Withdrawal of consent

Requests: [email protected]

6.3 International transfers

Our servers are currently hosted in the European Union (EU). For users in the United States, data may be transferred to and stored in the EU. We rely on Standard Contractual Clauses (SCCs) for such transfers.

6.4 Security

We apply appropriate administrative, technical, and physical safeguards to protect personal data, including encryption, access controls, and continuous monitoring.

In School Mode, our processing of student data is governed by the Data Processing Agreement (DPA) included in this Privacy Policy.

6.5 Retention

  • Active accounts: retained while active
  • Inactive > 24 months: deleted or anonymized
  • Backups: rolling ~35 days
  • Schools/parents may request deletion anytime

We respond to deletion requests within 30 days.

If no teacher account associated with a School logs in for 12 months, we will notify the School. If the School does not respond within 30 days, the School’s workspace will be considered inactive and all student personal data will be deleted or anonymized within 60 days, except for encrypted rolling backups.

7. How we share data

Automatic access (core educational logic)

Teachers
Teachers automatically see learning data of all students assigned to their class.

Parents
Parents may see their own child’s basic learning data. A subscription may unlock extended parent features.

Service providers (subprocessors)

Trusted vendors (hosting, email, crash reporting), bound by contracts and confidentiality, are listed in Annex A.

Legal and safety

We may disclose information if required by law or needed to protect users.

8. Cookies

  • Essential cookies only (login, security)
  • Optional analytics only with consent (EU/UK)
  • No advertising cookies
  • No social media pixels

9. Automated decisions

Adaptive learning adjusts difficulty. We do not make automated decisions with significant effects on users.

10. Changes

We may update this Policy and notify users of significant changes.

ANNEX A – SUB-PROCESSORS AND THIRD-PARTY SERVICE PROVIDERS

To deliver the Manabies service, we use trusted third parties (“Sub-processors” or “Service Providers”) who may process personal data on our behalf. We have a Data Processing Agreement (DPA) with each Sub-processor in accordance with the GDPR.

In the context of school use, we ensure that all data processing in Manabies is carried out in compliance with COPPA and FERPA. These obligations apply primarily to our relationship with the School as the data controller; our Sub-processors act on our documented instructions and are bound by contractual confidentiality and data protection commitments.

Current Sub-processors / Service Providers

Heroku (Salesforce, Inc.)

Entity: Salesforce, Inc., 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA
Purpose: Application hosting, databases, backend infrastructure
Data processed: Account data, gameplay progress, technical logs
Privacy Policy: https://www.salesforce.com/company/privacy/

MailerLite

Entity: MailerLite, 548 Market St PMB 98152, San Francisco, CA 94104-5401, USA
Purpose: Email delivery to teachers, parents, and users
Data processed: Name, email address, communication preferences, data created during use of Manabies
Note: Student accounts are never added to MailerLite.
Privacy Policy: https://www.mailerlite.com/legal/privacy-policy

Google Workspace (Google Drive)

Entity: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Purpose: Internal documents, anonymized datasets, administrative files
Data processed: Typically anonymized or pseudonymized data; internal documentation
Note: We do not store non-anonymized student personal data in Google Drive. If this changes, this section will be updated.
Privacy Policy: https://policies.google.com/privacy

Independent Third-Party Data Controllers (Apple & Google)

Some companies process certain categories of data as independent data controllers, not as our Sub-processors.

This applies in situations such as:

  • installing the app through the App Store or Google Play
  • making in-app purchases or handling billing
  • submitting crash reports from your device

These entities determine the purposes and means of processing independently.

Apple

Entity: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA
Role: Independent controller for:

  • crash reports submitted via iOS
  • App Store purchases and billing
  • device identifiers

Privacy Policy: https://www.apple.com/privacy/

Google Play / Google Firebase

Entity: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Role: Independent controller for:

  • crash reports through Google Play / Firebase Crashlytics
  • Google Play billing and purchase data

Privacy Policy: https://policies.google.com/privacy

ANNEX B – DATA PROCESSING AGREEMENT (DPA)

This DPA applies only in School Mode.

1. Parties

Controller: School / Educational Institution
Processor / School Official: Veska Games s.r.o.

2. Purpose

Processing student data only for educational purposes.

3. Duration

Processing continues while the School uses Manabies.

4. Data types

  • Student name
  • Class / grade
  • School
  • Learning results, mastery, time spent
  • Device info
  • Logs
  • Teacher name & email

5. Obligations

Veska Games will:

  • Act only under School instructions
  • Maintain confidentiality
  • Use appropriate security
  • Assist with data requests
  • Notify the School without unreasonable delay, and in all cases consistent with applicable law, after becoming aware of a security incident involving student personal data.
  • Use subprocessors under equivalent safeguards
  • Delete/return data at termination
  • Provide compliance documentation
  • Provide reasonable assistance with Data Protection Impact Assessments (DPIAs).

6. Transfers

SCCs and equivalent safeguards apply.

7. Termination

Data is deleted or returned upon the School’s request, unless legal retention is required.

END OF PRIVACY POLICY