Privacy Policy
Last updated: 2026-06-27
Pictocards is a flashcard app for young children, made to be used together with a parent, teacher, or carer. We’ve tried to keep this policy short and in plain language. It explains what we collect, why, who we work with, and the choices you have.
In short: you need an adult account (just an email) to buy and access decks. We don’t sell your data, we don’t use advertising trackers, and we keep only what we need to run the service and meet our legal obligations.
1. Who we are
Pictocards is created by Pictocards (Jonathan Mathisen), Ärstavägen 10, 633 53 Eskilstuna, Sweden. For any privacy question, contact us at privacy@pictocards.app.
2. Children
Pictocards is designed for children aged 1–6 and is meant to be used with parental or therapist guidance; the account belongs to an adult. We don’t let children create accounts or make purchases, and the app isn’t designed to collect any information directly from a child. Before anyone can reach the shop, purchases, or settings, the app shows a “parent gate” — a quick interactive checkpoint meant to confirm an adult is present.
Because the app is used by children, we follow children’s-privacy rules including the EU and UK GDPR and the US Children’s Online Privacy Protection Act (COPPA). In practice this is straightforward for us: the app is built so that no personal information is collected from a child, and the only account is the adult’s. We do not knowingly collect personal information from a child under 13. If you believe a child has given us personal information, email us at privacy@pictocards.app and we’ll delete it.
3. What we collect
We only collect what relates to the adult account holder:
- Email address — to sign you in (we email you a one-time code instead of using a password) and to send service messages like login codes, receipts, and replies.
- Name — optional, only if you choose to enter one. This is the adult account holder’s name, not a child’s.
- Language preference — the language you pick for the app.
- Purchase records — what you bought, the amount, the status, and a payment reference from our payment provider. We never see or store your card or bank details.
- Consent records — a dated log of what the account has agreed to, so we can show it later.
- Basic usage — anonymous counts of which cards are tapped and in which language, so we can understand engagement and improve the app. These records contain no account, no identifier, and no timestamp, and cannot be traced back to you or to a child. We don’t use advertising or cross-app tracking.
We do not collect card or bank numbers (these go straight to our payment provider), and we don’t store passwords (there aren’t any — we use one-time email codes).
4. Why we use it
We use your data to create and run your account, give you access to what you’ve bought, take and record payments, send service emails, respond to you, and improve the app. Under the GDPR our legal bases are: providing the service you asked for (contract), meeting legal duties such as keeping tax and accounting records (legal obligation), and our legitimate interest in improving Pictocards and replying to you.
5. Keeping records we’re required to keep
Even though our model is “pay once,” we’re legally required to keep certain purchase and accounting records for a period set by law, even after you delete your account. We keep these for 7 years, as required by the Swedish Bookkeeping Act (Bokföringslagen), and then delete them.
6. Who we share it with
We don’t sell your data. We share it only with the providers that help us run Pictocards, and only as much as they need:
- Supabase — database, login, and file storage. Hosted in the EU. Holds account and purchase data.
- Stripe — payment processing. Handles your card details directly; we only receive a payment reference.
- Resend — sending our emails (login codes, receipts, confirmations).
- Vercel — hosting and serving the app.
- Cloudflare — domain, email routing, and basic security.
When you use our mobile apps, Apple’s App Store or Google Play also process purchases and may receive technical information (like your device’s IP address) as a normal part of that; this is handled under their own policies.
7. Sending data outside the EU
Your data is mainly stored in the EU/EEA. Some providers are based in the United States and may process limited data there. Where that happens, we rely on approved transfer safeguards, such as the European Commission’s Standard Contractual Clauses, to protect it.
8. Your rights and choices
You can ask to see, correct, export, or delete your data, and object to or restrict certain uses. Two of these are built into the web app:
- Export — when signed in on the web, request a machine-readable copy of your data, sent to you by email.
- Delete — delete your account from the web app. This removes your profile, consent records, and stored files. We keep only the purchase and accounting records the law requires (section 5).
Our anonymous usage counts contain no link to your account, so there is nothing in them to identify or delete.
For anything else, email privacy@pictocards.app. You can also complain to a data protection authority — in Sweden, the Swedish Authority for Privacy Protection (IMY). If you are in the US, certain state laws may give you additional rights; contact us and we’ll help you exercise them.
9. Security
We take the security of your data seriously and use appropriate technical and organisational measures to protect it, including strict access controls so each account can only reach its own data, and EU-region hosting. No system is perfectly secure, but we work to keep risk low and to respond quickly if a problem arises.
10. Cookies and storage
We use only the essential cookies and local storage needed to log you in and keep the app working. We don’t use advertising, analytics, or tracking cookies. See our Cookie Notice for more.
11. Changes
If we make important changes, we’ll update the “Last updated” date above and, where appropriate, let you know by email or in the app.
12. Contact
Questions about your privacy? Email privacy@pictocards.app, or write to us at Ärstavägen 10, 633 53 Eskilstuna, Sweden.