Privacy Policy

Last Updated: January 18, 2026

1. Introduction

Tiny Bits ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our mobile applications.

Company Registration: Tiny Bits is registered in the United Kingdom (Companies House Registration Number: 16882060). We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and where applicable, the US Children's Online Privacy Protection Act (COPPA) for our children-directed applications.

2. Our Applications and Data Collection

We offer different applications with distinct data collection practices. Please read the section relevant to the application you are using.

2.1 Math Practice App (Children's Educational App)

Age Range: Designed for children to learn mathematics (addition, subtraction, multiplication, division)

Data Collection: This application collects NO data whatsoever. The app:

  • Operates completely offline with no internet connectivity
  • Does not collect, transmit, or store any personal information
  • Does not use analytics, crash reporting, or any third-party services
  • Stores all practice data locally on your device only
  • Does not require account registration or parental consent (as no data is collected)

This app is COPPA-compliant as it collects no personal information from children.

2.2 Stash List App

Age Range: General audience (13 years and older)

Account Requirement: No account registration required. Lists are associated with your device.

Data We Collect:

Device Information (Automatically Collected):

When you use the Stash List app, we automatically collect the following technical device information to enable functionality and identify your device for syncing purposes:

  • Unique device identifier (Sync ID, Vendor ID)
  • Device specifications (type, brand, model, manufacturer)
  • Operating system (name and version)
  • App version and build number
  • Screen specifications (width, height, density, resolution)
  • Device settings (language code, timezone)
  • Browser information (name, version, user agent) for web version
  • Device status (whether physical device, rooted status)

Important: While we do not require you to provide your name or email, the combination of device information we collect constitutes personal data under GDPR as it can be used to identify your specific device and indirectly identify you.

How Device Identification Works:

  • New Installation: Each time you install the Stash List app, a new unique device identifier is generated for that installation
  • Reinstallation Effect: If you uninstall the app and reinstall it later, a NEW device identifier will be generated. This means you will not be able to access stash lists associated with your previous installation, as they are linked to the old device identifier
  • Data Persistence: Your stash lists remain on our servers for 365 days of inactivity (see Section 7 for retention details), but become inaccessible once you uninstall the app and the device identifier is lost
  • No Account Recovery: Because the app does not use email-based accounts, there is no way to "recover" or "log back into" your previous stash lists after reinstalling. Each installation is treated as a new, separate device

Stash List Content:

  • Your stash lists, tasks, and associated content that you create
  • Sharing settings when you generate shareable links

How We Use This Data:

  • Device identification to associate your stash lists with your device
  • Syncing your stash lists across app sessions
  • Enabling the sharing feature when you generate links to share lists
  • Technical optimization (ensuring app compatibility with your device specifications)
  • Crash reporting and debugging through Firebase Crashlytics (see Section 5)

2.3 Website

Our website (tiny-bits.com) does not use cookies or tracking technologies. We do not collect personal information through the website unless you contact us via email, in which case we collect only the information you provide (name, email address, message content).

3. Why We Collect This Data (Purpose Limitation)

Math Practice App: No data is collected.

Stash List App: We collect device information solely for the following specific purposes:

  • Device Association: To link your stash lists to your specific device (as the app does not use user accounts)
  • Content Storage: To store and retrieve your stash lists on our servers
  • Sharing Functionality: To enable you to share your stash lists with others via links when you choose to do so
  • Technical Compatibility: To ensure the app functions correctly on your device type and configuration
  • Crash Prevention: To identify and fix crashes via Firebase Crashlytics (no crash data is collected from the Math Practice app)

Website: Email communications you initiate are used solely to respond to your inquiries.

What We Do NOT Do:

  • We do not use your data for advertising or marketing purposes
  • We do not sell, rent, or trade your personal information to third parties
  • We do not track you across other websites or apps
  • We do not create user profiles for commercial purposes
  • We do not use your data for automated decision-making or profiling

4. Legal Basis for Processing (UK GDPR)

Math Practice App: No personal data is processed.

Stash List App: We process your device information and stash list content under the following legal bases:

  • Contractual Necessity: Processing is necessary to provide you with the stash list service you have requested. Without device identification, we cannot store or retrieve your stash lists.
  • Legitimate Interests: We have a legitimate interest in:
    • Ensuring technical compatibility and optimal performance of the app on your device (device specifications)
    • Identifying and fixing crashes to maintain service quality (crash reporting via Firebase Crashlytics)
    We have conducted a Legitimate Interest Assessment (LIA) and determined that these interests are not overridden by your rights and freedoms, as the data is used solely for technical purposes and not for marketing or profiling.
  • Consent: When you choose to share a stash list via a link, you provide explicit consent for that specific list to be shared with the recipients you choose.

Website Email Contact: When you email us, we process your contact information based on consent (you voluntarily provide it) and our legitimate interest in responding to inquiries.

5. Third-Party Service Providers and Data Sharing

We do not sell, trade, or rent your personal information to third parties for their own marketing purposes.

Math Practice App: No third-party services are used. No data is shared.

Stash List App - Third-Party Service Providers:

  • Amazon Web Services (AWS)
    • Purpose: Cloud hosting and data storage for your stash lists and device information
    • Data Shared: All stash list content and device information
    • Location: AWS servers may be located in various regions globally. We use Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO) for data transfers outside the UK.
    • Privacy Policy: https://aws.amazon.com/privacy/
  • Google Firebase Crashlytics
    • Purpose: Crash reporting and diagnostics to identify and fix app crashes
    • Data Shared: Device information, crash logs, app state at time of crash
    • Location: Google servers in the United States and other countries
    • Privacy Policy: https://firebase.google.com/support/privacy
    • Data Processing Terms: We have data processing agreements in place with Google that include Standard Contractual Clauses for international data transfers

User-Initiated Sharing: When you generate a shareable link for a stash list, the recipients you choose to share with will be able to access that specific list's content.

Other Circumstances Where We May Share Data:

  • Legal Obligations: When required by law, court order, subpoena, or government regulation
  • Protection of Rights: To protect our rights, privacy, safety, or property, and that of our users or the public, including fraud prevention
  • Business Transfers: In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business (you will be notified via email and/or prominent notice in the app)

6. Data Security

Math Practice App: All data remains on your device only. We recommend you use device-level security features (passcode, biometric authentication) to protect your device.

Stash List App: We implement the following security measures to protect your data:

  • Encryption in Transit: All data transmitted between your device and our servers uses TLS/HTTPS encryption
  • Encryption at Rest: Data stored on AWS servers is encrypted using industry-standard encryption
  • Access Controls: Access to backend systems and databases is restricted to authorized personnel only on a need-to-know basis
  • Secure Infrastructure: We use AWS's secure cloud infrastructure with regular security updates and patches
  • Monitoring: We monitor for security vulnerabilities and unauthorized access attempts

Security Limitations: No method of transmission over the Internet or electronic storage is 100% secure. While we implement industry-standard security measures to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the security of your device and any shareable links you generate.

7. Data Retention Periods

Math Practice App: Data is stored locally on your device indefinitely until you delete the app or clear app data.

Stash List App:

  • Active Devices: Your stash lists and device information are retained for as long as you actively use the app (defined as opening the app at least once within 365 days)
  • Inactive Devices: If a device has not accessed the app for 365 consecutive days, we may delete the associated stash lists and device information after providing 30 days' notice to the last known device
  • Uninstalled App (Orphaned Data): If you uninstall the app, the data associated with that installation becomes inaccessible to you because a new device identifier will be generated if you reinstall. This "orphaned" data will be automatically and permanently deleted after 365 days of inactivity, as it will be treated as an inactive device. There is no way to recover or access this data after uninstalling.
  • Shared Lists: Shared lists remain accessible via their shareable links for as long as the owner's device remains active
  • Deleted Data: When you delete a stash list or when we delete inactive data, it is permanently deleted from our servers within 30 days (including backups)
  • Crash Logs: Firebase Crashlytics retains crash data for 90 days as per Google's data retention policy

Legal Retention: In some cases, we may be required to retain data for longer periods to comply with legal obligations (e.g., tax records, legal disputes). In such cases, data will be retained only for the minimum period required by law.

Your Right to Request Deletion: You can delete your data at any time using the in-app deletion feature (Settings → Delete All My Information in the Stash List app). Deletion is immediate and permanent. See Section 8 for full details on exercising your right to erasure.

8. Your Rights Under UK GDPR and How to Exercise Them

If you are in the UK, European Economic Area (EEA), or any jurisdiction with similar data protection laws, you have the following rights regarding your personal data:

Right of Access (Subject Access Request):

  • You can request a copy of all personal data we hold about you
  • How to exercise: For security reasons and to protect your privacy, data access requests can only be processed through the app itself. This ensures we provide your data only to you and not to unauthorized parties.
    • Math Practice App: All data is stored locally on your device only. You already have full access to all your data.
    • Stash List App: Contact us at contact@tiny-bits.com with subject line "Data Export Feature Request" and we will prioritize adding an in-app data export feature. In the meantime, all your stash lists are visible within the app.
  • Why In-App Only: The Stash List app does not collect user accounts, names, or email addresses. Having the app installed on your device serves as verification of device ownership (equivalent to being "logged in"), which is required under UK GDPR Article 12(6) to prevent unauthorized data disclosure.
  • Response time: For feature requests, we will respond within 30 days

Right to Rectification:

  • You can request correction of inaccurate or incomplete data
  • How to exercise: For the Stash List app, you can edit your stash lists directly in the app. For device information corrections, email contact@tiny-bits.com

Right to Erasure ("Right to be Forgotten"):

  • You can delete your personal data at any time
  • How to exercise:
    • Math Practice App: Simply delete the app from your device to remove all locally stored data. No data is stored on our servers.
    • Stash List App: In the app, go to Settings → Delete All My Information. This will immediately and permanently delete all your stash lists and device data from our servers.
  • Why In-App Only: For security reasons and to comply with UK GDPR Article 12(6) identity verification requirements, deletion can only be performed through the app. Having the app installed on your device serves as verification of device ownership (equivalent to being "logged in"). This protects against unauthorized deletion of your data by malicious actors.
  • If You No Longer Have the App: If you've uninstalled the app or lost access to your device, your data will be automatically and permanently deleted after 365 days of inactivity. Important: You cannot reinstall the app to delete your old data, because reinstalling generates a new device identifier and you will not have access to the data from your previous installation. Simply uninstalling the app starts the 365-day countdown to automatic deletion.
  • Effect of Uninstalling: When you uninstall the Stash List app, the data associated with that installation becomes immediately inaccessible to you (as the device identifier is lost). The data remains on our servers for up to 365 days of inactivity before being automatically and permanently deleted. This fulfills your right to erasure, though with a delay for inactive data rather than immediate deletion.
  • Important: Manual deletion via the in-app feature is permanent and immediate. Automatic deletion after uninstalling takes up to 365 days. All stash lists and device data will be removed. Shared lists will become inaccessible to anyone you shared them with.

Right to Restrict Processing:

  • You can request that we temporarily stop processing your data while we investigate a dispute
  • How to exercise: Email contact@tiny-bits.com explaining your concern

Right to Data Portability:

  • You can request your data in a machine-readable format (JSON) to transfer to another service
  • How to exercise: Contact us at contact@tiny-bits.com with subject line "Data Export Feature Request" and we will prioritize adding an in-app data export feature that allows you to download your stash lists in JSON format.
  • Current Status: We are planning to add this feature in a future update. In the meantime, all your stash lists are accessible within the app.
  • Why In-App Only: Same identity verification requirements apply as with access requests - in-app features ensure we provide data only to verified device owners.

Right to Object:

  • You can object to processing based on legitimate interests (e.g., crash reporting)
  • How to exercise: Email contact@tiny-bits.com. Note that objecting to device identification may make the app unusable as we cannot associate lists with your device.

Right to Withdraw Consent:

  • Where processing is based on consent, you can withdraw it at any time
  • How to exercise: Delete shared links by removing them in the app, or stop using the app to withdraw consent for data collection

Right to Lodge a Complaint:

  • If you are not satisfied with how we handle your data or our response to your requests, you can file a complaint with the UK's supervisory authority
  • UK Supervisory Authority: Information Commissioner's Office (ICO) - https://ico.org.uk/make-a-complaint/
  • Other Jurisdictions: Contact your local data protection authority

Automated Decision-Making: We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

Identity Verification for Data Requests: Under UK GDPR Article 12(6), we are required to verify the identity of people making data requests before processing them. This protects your privacy by ensuring we don't disclose your data to unauthorized parties or delete the wrong person's data.

  • Our Approach: Since the Stash List app does not use user accounts, names, or email addresses, we use app access as identity verification. Having the app installed and functional on your device serves as proof of device ownership, equivalent to being "logged in" to an account-based service.
  • Why This Is Secure: Only someone with physical access to your device (or your device backup) can install and access the app, making this a robust verification method.
  • Industry Standard: This approach is similar to how many messaging and privacy-focused apps work - you must have the app installed to manage your data.
If you no longer have access to your device, your data will be automatically deleted after 365 days of inactivity, ensuring your right to erasure is ultimately fulfilled even without app access.

9. International Data Transfers

Our apps are available in multiple countries including the UK, United States, and other English, Spanish, Portuguese, French, and German-speaking countries. As a result, your personal data may be transferred to and processed in countries outside your country of residence.

Math Practice App: No data is transferred as all data remains on your device.

Stash List App: Your data may be transferred internationally through our use of AWS and Google Firebase:

  • AWS Hosting: Data is stored on Amazon Web Services servers, which may be located in the United States, European Union, or other AWS regions globally. AWS complies with international data protection frameworks.
  • Google Firebase Crashlytics: Crash data may be transferred to Google's servers in the United States and other countries where Google operates.

Safeguards for International Transfers:

When your data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use the UK International Data Transfer Agreement (IDTA) and European Commission's Standard Contractual Clauses, which are legally approved mechanisms for international data transfers
  • AWS Data Processing Agreement: AWS has committed to UK GDPR compliance and uses SCCs for international transfers. Details: https://aws.amazon.com/compliance/gdpr-center/
  • Google Data Processing Terms: Google Firebase operates under Google's Data Processing and Security Terms which include SCCs. Details: https://firebase.google.com/support/privacy
  • Additional Safeguards: We use encryption in transit and at rest to protect data regardless of location

Your Rights: You have the right to request information about the safeguards we use for international transfers by contacting us at contact@tiny-bits.com.

10. Children's Privacy (COPPA and UK GDPR Compliance)

We take children's privacy seriously and comply with the US Children's Online Privacy Protection Act (COPPA) and UK GDPR requirements for processing children's data.

Math Practice App (Child-Directed Application):

  • Age Range: Designed for children of all ages to learn mathematics
  • COPPA Compliance: This app is fully COPPA-compliant because it collects NO personal information from children or anyone else
  • No Parental Consent Required: Since zero data is collected, transmitted, or stored by us, parental consent is not required under COPPA
  • Offline Only: The app has no internet connectivity and cannot transmit any data
  • No Third Parties: No third-party services, analytics, or advertising are present in this app
  • Local Storage Only: All practice progress is stored locally on the device and never leaves the device

Stash List App (General Audience - Ages 13+):

  • Age Restriction: This app is intended for users aged 13 years and older
  • Not Child-Directed: This app is not designed or intended for children under 13
  • No Knowing Collection from Children: We do not knowingly collect personal information from children under 13 through this app
  • Parental Notice: If we discover that we have inadvertently collected personal information from a child under 13, we will delete that information immediately
  • Parental Action: If you are a parent or guardian and believe your child under 13 has provided personal information through the Stash List app, please contact us immediately at contact@tiny-bits.com with subject line "Child Privacy Concern" and we will delete the information within 48 hours

UK GDPR - Special Protection for Children:

For users in the UK and EEA, children's personal data receives special protection under GDPR. For the Stash List app, users should be at least 13 years old. Users between 13-16 years old should have parental consent to use the app where required by local law.

Age Verification: Our apps do not include age verification mechanisms. Parents and guardians are responsible for monitoring their children's app usage and ensuring age-appropriate use.

11. Cookies and Tracking Technologies

Website (tiny-bits.com):

  • Our website does NOT use cookies or any tracking technologies
  • We do not use analytics, advertising pixels, or third-party tracking scripts on our website
  • No cookie consent banner is required as we do not set any cookies

Math Practice App:

  • No cookies or tracking technologies are used (app is completely offline)

Stash List App:

  • The app does not use browser cookies
  • Device identification is done through device-specific identifiers (Sync ID, Vendor ID) stored locally on your device, not through cookies
  • We do not use tracking technologies for advertising or cross-site tracking

Third-Party Tracking: While we do not use tracking technologies ourselves, Firebase Crashlytics may use device identifiers for crash reporting purposes. This is detailed in Google's privacy policy.

12. Data Breach Notification

We take data security seriously. In the event of a data breach that affects your personal information, we will:

  • Assessment: Assess the breach within 24 hours of discovery to determine the scope and impact
  • Regulatory Notification: Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach that poses a risk to your rights and freedoms, as required by UK GDPR
  • User Notification: If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay via:
    • In-app notification (for Stash List app users)
    • Email (if we have your email address from previous contact)
    • Notice on our website (tiny-bits.com)
  • Breach Details: Notification will include:
    • Nature of the breach and data affected
    • Likely consequences of the breach
    • Measures taken to address the breach
    • Recommended actions for affected users
  • Remediation: Take immediate steps to contain the breach, recover data where possible, and prevent future breaches

Reporting Security Concerns: If you discover a security vulnerability or potential breach, please report it immediately to contact@tiny-bits.com with subject line "SECURITY ISSUE" and we will investigate promptly.

13. Third-Party Links

Our website or applications may contain links to third-party websites or services (such as AWS and Firebase privacy policies linked in this document). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information to them.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applications, legal requirements, or for other operational, legal, or regulatory reasons.

How We Notify You of Changes:

  • Minor Changes: We will update the "Last Updated" date at the top of this page
  • Material Changes: For significant changes that affect how we collect or use personal data, we will:
    • Update the "Last Updated" date
    • Provide in-app notification in the Stash List app
    • Post a prominent notice on our website for at least 30 days
    • For changes that expand data collection, we will seek your consent where required by law

Your Responsibility: We encourage you to review this Privacy Policy periodically. Your continued use of our apps after changes have been posted constitutes your acceptance of the updated Privacy Policy.

Version History: Previous versions of this Privacy Policy are available upon request by emailing contact@tiny-bits.com.

15. Contact Information and Data Controller Details

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Controller:
Tiny Bits
Companies House Registration Number: 16882060
Registered Office: 61 Bridge Street, Kington, HR5 3DJ, United Kingdom

Email: contact@tiny-bits.com
Subject Line Guidelines: Please use the following subject lines for faster processing:

  • "Data Export Feature Request" - to request in-app data export functionality
  • "Child Privacy Concern" - for children's privacy issues
  • "SECURITY ISSUE" - for security vulnerability reports
  • "Privacy Question" - for general privacy inquiries

Important: For data deletion, access, or portability requests, please use the in-app features (or planned in-app features) as described in Section 8. Email-based data requests cannot be processed due to identity verification requirements.

Response Time: We aim to respond to all privacy-related inquiries within 30 days. For urgent security issues, we will respond within 48 hours.

Note: We do not have a designated Data Protection Officer (DPO) as we do not meet the GDPR threshold requiring mandatory DPO appointment. All data protection inquiries should be directed to the email address above.

16. Supervisory Authority and Complaints

If you are not satisfied with our response to your privacy concerns or believe we are not complying with data protection laws, you have the right to lodge a complaint with the relevant supervisory authority:

United Kingdom:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Complaint Form: https://ico.org.uk/make-a-complaint/
Phone: 0303 123 1113

European Union/EEA:
Contact your local Data Protection Authority. Find your authority: https://edpb.europa.eu/about-edpb/about-edpb/members_en

United States (for COPPA-related concerns):
Federal Trade Commission (FTC)
Website: https://www.ftc.gov/complaint

Other Jurisdictions: Contact your local data protection or privacy authority.

We Encourage Direct Contact First: While you have the right to lodge a complaint with a supervisory authority at any time, we encourage you to contact us first at contact@tiny-bits.com so we can try to resolve your concern directly.