KorbisPrivacy Policy
Korbis is an educational app for children aged 6–11 focused on practising mathematics and Czech and preparing for school entrance exams. Children's privacy is a core product feature, not a formality: we do not collect children's real names, show no ads, sell no data, and measure nothing we do not need for learning.
1. Data Controller
The data controller is Martin Tříska, natural person, Všerubská 1268/5d, 155 00 Praha 5, Czech Republic. Privacy contact: podpora@korbis.cz.
No Data Protection Officer is appointed – after assessment, we concluded that this obligation under Article 37 GDPR does not arise in our current setup. We review this assessment periodically.
2. What We Process and Why
We obtain data directly from the parent or legal guardian when creating or linking the account, from the child's use of the app, and – when Sign in with Apple is used – from Apple (a technical identifier and an optionally hidden email).
2.1 Account and sign-in
The app can be used without registration – we create an anonymous account containing no contact details. A parent may later link the account to an email address or Apple ID so progress survives a device change.
| Data | Purpose | Legal basis |
|---|---|---|
| Child's nickname (display name) | Addressing the child in the app. We explicitly ask for a nickname, not a real name. | performance of a contract (Art. 6(1)(b)) |
| Child's school grade | Selecting age-appropriate content | performance of a contract |
| Parent's email (linked accounts only) | Sign-in, account recovery, communication | performance of a contract |
| Apple ID identifier (Sign in with Apple only) | Sign-in | performance of a contract |
| Record of granting/withdrawing parental consent (date and time, IP address, user-agent) | Demonstrating that consent was given by a parent or legal guardian, recording its withdrawal, and defending legal claims | compliance with our obligation to be able to demonstrate consent (Art. 7(1) GDPR) and our legitimate interest in documenting compliance and defending legal claims |
If the parent chooses Sign in with Apple, we receive from Apple only the technical identifier needed for sign-in and, where applicable, an email address Apple makes available for this purpose (including a hidden relay email if the parent chooses one). We gain no access to any other data from the Apple account.
2.2 Learning and personalisation
| Data | Purpose | Legal basis |
|---|---|---|
| Exercise answers (correctness, timing) | Progress tracking, spaced repetition | performance of a contract |
| Skill mastery state (mastery, difficulty rating) | Adaptive difficulty – keeping exercises neither too hard nor too easy | performance of a contract |
| Lesson data (duration, completion, day streak) | Progress and motivation features | performance of a contract |
Adaptive personalisation constitutes profiling under the GDPR – it serves exclusively to select exercise difficulty and has no legal or similarly significant effects on the child or parent. Details: How Korbis uses AI.
2.3 Voice and microphone
- Read-aloud (text-to-speech): exercise texts (never data about the child) are converted to speech by ElevenLabs. Generated audio is cached temporarily (~30 days).
- Pronunciation practice (speech-to-text): this is an optional feature. If the parent grants the app microphone access on the device and the child uses this feature, a voice recording is processed temporarily for transcription by ElevenLabs. After transcription we do not store the recording permanently and do not use it for any other purpose. The legal basis is performance of a contract in relation to this specifically chosen feature; without microphone permission, the rest of the app can still be used (the iOS microphone permission is a technical authorisation, not GDPR consent).
2.4 Technical operation
| Data | Purpose | Legal basis |
|---|---|---|
| Minimised technical crash reports (error type, app and iOS version) – configured not to contain a name or a direct account identifier | Fixing crashes and bugs | legitimate interest: ensuring the security, stability and maintainability of the app |
| Checks for unusual answer patterns (processed exclusively server-side) | Protecting the accuracy of adaptive learning against distortion; data never leaves the server and is never displayed | legitimate interest: protecting the validity of the adaptive learning model |
| Optional analytics | Product improvement; off by default | consent |
The check for unusual answer patterns is not used to sanction the child and does not by itself lead to account restrictions or any other decision with legal or similarly significant effects – it only helps the adaptive algorithm estimate difficulty correctly. Because this processing is based on our legitimate interest, a parent may object to it on the child's behalf under Art. 21 GDPR; we will assess the objection with regard to whether compelling legitimate grounds exist for continuing the processing.
Optional analytics serves solely internal product improvement. It is off by default and is enabled by the parent. We process only aggregate usage data (e.g. session counts, lesson completions and aggregate completion rates) – never answer content and never advertising identifiers; we do not use it for advertising, third-party marketing, or tracking across apps and websites.
2.5 The korbis.cz website and waitlist
The korbis.cz website uses optional anonymous visit statistics via Google Analytics 4. Measurement starts only with your consent (a banner on your first visit); you can change your choice at any time via the "Cookie settings" link in the footer. Without consent, no analytics cookies are set and no measurement code is loaded.
- What we measure: aggregate data about website visits (pages viewed, approximate traffic source, device type). Measurement concerns this website only; no such measurement takes place in the kids app.
- Cookies: _ga and _ga_* (recognising a returning visit), lifetime at most 13 months.
- Legal basis: consent under Art. 6(1)(a) GDPR; you can withdraw it at any time via "Cookie settings" in the footer.
- Recipient: Google Ireland Ltd. as a processor; data may be transferred to the USA under the conditions of Chapter V GDPR (EU–US Data Privacy Framework). Google Analytics advertising features are disabled and we do not use the data for advertising.
- Retention: Google Analytics reports for at most 14 months.
Ordinary technical hosting logs may arise to the extent necessary for the operation and security of the site.
If you leave us your email on the website waitlist, we use it solely to inform you about testing and the launch of the app (legal basis: consent, confirmed by clicking the link in the verification email). The email is stored with our processor Supabase in the EU and kept until consent is withdrawn or the waitlist ends. You can unsubscribe with one click in every email; deletion can be requested at any time at podpora@korbis.cz.
2.6 What we do NOT process
- the child's real name, photos, location, contacts, biometric or health data,
- no advertising data – the app contains no ads and no technologies for advertising tracking across apps and websites,
- children's drawings are evaluated on-device and never uploaded.
3. Children and Parental Consent
The app is intended for children aged 6–11. For a child of this age, the parent or legal guardian acts towards us and approves the use of the app and any optional processing.
For data necessary to provide the app's core functions, we rely on the legal basis of performance of a contract. However, because the app is an information society service intended for children and a child in the Czech Republic under 15 cannot give the relevant approval alone (Section 7 of Czech Act No. 110/2019 Coll., Art. 8 GDPR), we require approval by a parent or legal guardian (a screen behind a parental gate) before those functions are enabled. This parental approval does not by itself constitute the legal basis of all processing – the legal bases of the individual purposes are listed in the tables above. We keep records allowing us to demonstrate when and how the approval was given or withdrawn; it can be withdrawn at any time via podpora@korbis.cz or by deleting the account.
Optional processing that is not necessary for the app to function (e.g. optional analytics) is separate, rests on actual consent under Art. 6(1)(a) GDPR, and not granting it has no effect on the ability to use the app's core features.
The parental gate separates parental actions (consent, account management, account linking and any future purchases) from the child-facing part of the app.
4. Recipients
We never sell data and never share it with third parties for their own marketing purposes. We use these recipients:
| Recipient | Role | Data it may receive | Location / transfer | Safeguards |
|---|---|---|---|---|
| Supabase | processor (Art. 28) – database, authentication, storage | account, progress, consents, technical data, waitlist emails | EU (AWS Dublin, Ireland) | data stays in the EU |
| ElevenLabs | processor – text-to-speech and speech-to-text | exercise texts for read-aloud; for pronunciation practice, temporarily the voice recording and its transcript | USA (processing may also occur outside the EU/EEA) | DPA with EU Standard Contractual Clauses (part of ElevenLabs' contractual terms) |
| Sentry | processor – crash reporting | minimised technical crash data (no direct account identifiers) | USA | DPA – EU–US Data Privacy Framework with Standard Contractual Clauses as a fallback mechanism |
| Google Ireland Ltd. | processor – anonymous visit statistics for korbis.cz (Google Analytics 4), only with consent | aggregate website visit data (pages viewed, traffic source, device type); never data from the app | EU; transfer to the USA possible | DPA – EU–US Data Privacy Framework with Standard Contractual Clauses as a fallback mechanism |
| Apple | independent controller / recipient under its own terms | data necessary for app distribution, Sign in with Apple and any App Store purchases | per Apple's infrastructure (may include the EU and other countries) | Apple's terms and privacy information; any international transfers are governed by the mechanisms used by Apple |
We use OpenAI only for internal quality checks of exercise content – outside user data; no personal data of users is ever sent to this service.
Transfers outside the EU/EEA: where our suppliers process data outside the European Economic Area, this happens only under the conditions of Chapter V GDPR – in particular the European Commission's Standard Contractual Clauses, or an adequacy decision where available (the EU–US Data Privacy Framework for certified US recipients). A copy of information about the safeguards used is available on request at podpora@korbis.cz.
5. Retention
| Data | Period |
|---|---|
| Account and profile | for the lifetime of the account; upon a deletion request we erase without undue delay, except data we must temporarily retain for legal obligations or demonstrability |
| Detailed exercise answers | only as long as needed for aggregation into summary learning statistics; detail then deleted automatically by the retention pipeline per the current system configuration |
| Aggregate learning statistics | as long as needed for adaptive learning, at most until account deletion |
| Parental consent records | 3 years from granting (to demonstrate compliance) |
| Crash reports | 90 days |
| Text-to-speech audio cache | 30 days |
| Optional analytics (aggregate usage data) | at most 24 months from recording, or shorter per the current retention configuration |
| Waitlist email (website) | until consent is withdrawn or the waitlist ends |
After deletion, data may briefly persist in database provider backups (7–30 days), after which it is gone there as well.
6. Your Rights
- right of access (Art. 15) – a copy of the data,
- right to rectification (Art. 16),
- right to erasure (Art. 17) – deletion of the account and of data we no longer need to retain; some data may remain for a limited period in backups or in records required for legal obligations,
- right to restriction of processing (Art. 18),
- right to data portability (Art. 20) – machine-readable export,
- right to object (Art. 21) to processing based on legitimate interest,
- right to withdraw consent at any time, with future effect.
No decision-making based solely on automated processing that would produce legal or similarly significant effects for the child or parent within the meaning of Art. 22 GDPR takes place in the app. Should this ever change, we would separately inform you about the related rights.
Given the age of the app's target group, these rights are typically exercised by a parent or legal guardian on the child's behalf.
How: write to podpora@korbis.cz from the email linked to the account (or with details allowing us to locate it). To protect the child's account from unauthorised access, we may reasonably verify that the request comes from a parent or legal guardian authorised to manage the account. For an anonymous account without a linked email or Apple sign-in, locating the specific account may be limited unless the parent provides enough details to identify it; in that case we may be unable to fully process some requests until the account is reliably identified. We respond without undue delay and at the latest within one month of receiving the request; in complex cases this period may be extended as permitted by the GDPR (we would inform you). Export and account deletion will progressively also be available directly in the app's parent section.
You also have the right to lodge a complaint with the supervisory authority: Úřad pro ochranu osobních údajů (Czech DPA), Pplk. Sochora 27, 170 00 Praha 7, uoou.gov.cz. This does not affect your right to seek judicial protection.
7. Security
We use encryption in transit (TLS) and, for the main data stores, encryption at rest as configured by our infrastructure providers. Access is controlled at the database-row level (each account sees only its own data); correct exercise answers and internal flags are not accessible to the client app at all. We maintain documented incident-response procedures; a personal data breach would be assessed under the GDPR and, where notification obligations arise, reported to the Czech DPA within 72 hours and – in the cases set out in Art. 34 GDPR – notified to affected parents without undue delay.
8. Changes
We announce material changes in the app and on this page. The version and date of the last change appear in the header.
Contact: podpora@korbis.cz
← Zpět na hlavní stránku