Privacy Policy — Evovo

Last updated: 17 April 2026 Effective date: 17 April 2026

Important notice for parents and legal guardians. Evovo is a parenting tool that is operated by, and contracted with, the parent or legal guardian — not the child. Accounts can only be created and managed by an adult (18+) who confirms they are the parent or legal guardian of the child(ren) listed on the account. Children do not sign up, log in, or independently interact with Evovo; all use happens with a parent present and under the parent's supervision.

This Privacy Policy explains how Evovo Limited ("Evovo", "we", "us", "our") collects, uses, shares, and protects personal information when you use the Evovo mobile application, website, and related services (together, the "Service"). This policy is designed to comply with, among others, the US Children's Online Privacy Protection Act ("COPPA"), the EU and UK General Data Protection Regulations ("GDPR" / "UK GDPR"), the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), and applicable Hong Kong data-protection law.

By creating an account or otherwise using the Service, you confirm you have read and understood this Privacy Policy and agree to our Terms & Conditions.

1. How to Reach Us

For any question about this Privacy Policy, or to exercise any right described below (access, correction, deletion, export, objection, consent withdrawal), please contact us at hello@evovo.ai from the email address associated with your account.

2. About the Service

Evovo is a parenting app that helps parents guide meaningful conversations with their children (approximately ages 3–12) on topics such as emotional well-being, online safety, resilience, and money smarts. Parents choose topics, browse scenarios, and receive guided follow-up questions; parents may also track their own learning journey with their child.

Evovo is a tool for parents. It is not a child-directed service that children access on their own. Any interaction the child has with Evovo is mediated by, and takes place in the presence of, the parent using the parent's device and account.

3. Who May Use the Service

  • Accounts may be created only by a parent or legal guardian who is at least 18 years old (or the age of majority in their jurisdiction, whichever is higher).
  • By creating an account, you represent and warrant that you are the parent or legal guardian of every child profile added to your account, and that you have full legal authority to provide the information about that child and to consent to its processing as described in this policy.
  • Children may not create accounts. If we learn that a child has created an account without verifiable parental consent, we will delete the account and associated data.

4. Information We Collect

We distinguish between information about the parent/account holder and information about the child (a "child profile"). The account holder enters and controls all information in both categories.

4.1 Parent / Account-Holder Information

  • Identity & contact: name (or display name), email address, profile photo (optional).
  • Authentication data: Apple ID / Google ID token returned by Sign in with Apple or Google. We do not receive or store your Apple/Google password.
  • Billing data: subscription status, purchase receipts, and restore tokens from Apple App Store, Google Play, or RevenueCat. We do not collect or store full payment-card numbers.
  • Communications: messages you send us, support requests, feedback, survey responses.
  • Settings & preferences: language, notification preferences, content/age settings.

4.2 Child-Profile Information (provided by the parent)

Only the minimum information needed to personalise the experience. We intentionally do not collect sensitive identifiers about the child.

  • First name or nickname of the child (may be a nickname).
  • Date of birth of the child (used to select age-appropriate content and to send a birthday message; see §5 for why the full date is collected).
  • Topic progress and usage history (which topics and scenarios have been viewed/completed, answers to in-app reflections, journal entries).
  • Optional voice or text input provided in "Talk to Tovo" style features — see §4.4.

We do not knowingly collect from or about a child:

  • precise geolocation,
  • contact lists,
  • social-media handles,
  • photos or videos of the child,
  • behavioural advertising identifiers,
  • biometric identifiers, or
  • any "special category" data under GDPR (health, race, religion, etc.) beyond the minimum above.

4.3 Information Collected Automatically

When you use the Service we and our processors automatically collect:

  • Device information: device model, operating system and version, app version, language, time zone, crash and diagnostic logs.
  • Usage information: pages or screens viewed, buttons tapped, features used, session duration, and aggregated engagement metrics.
  • Network information: IP address (truncated where feasible), approximate region derived from IP, and basic connection details.
  • Cookies / SDK identifiers: on the website only, first-party cookies and limited local storage. The in-app experience uses SDK identifiers (e.g. OneSignal push tokens, PostHog anonymous IDs) — see §7.

We use these only for Service operation, security, diagnostics, and aggregated analytics. We do not use them for third-party behavioural advertising or cross-app tracking of children.

4.4 AI Conversation Inputs

Certain features (e.g. guided follow-up questions, "Talk to Tovo") process text and/or voice inputs that the parent (or the child with the parent) provides. For voice:

  • Audio is captured only when the microphone button is explicitly activated.
  • Audio may be transcribed by a speech-to-text provider (see §7); we retain transcripts only as long as necessary to operate the feature and improve Service quality, then delete or de-identify them per §9.
  • We do not use voice biometrics to identify any individual, and we do not build voiceprints.

4.5 Information We Do Not Knowingly Collect

We do not sell personal information, we do not knowingly collect personal information from children without verifiable parental consent, and we do not build advertising profiles of children.

5. Legal Bases & Why We Use Your Information

Under GDPR/UK GDPR we rely on the following bases:

| Purpose | Categories Used | Legal Basis | |---|---|---| | Create and operate your account, authenticate you, deliver the Service | Parent identity, auth tokens | Performance of a contract (Art. 6(1)(b)) | | Create and manage child profiles, personalise topic and scenario recommendations, show age-appropriate content | Child profile data | Parental consent on behalf of the child (Art. 6(1)(a) + Art. 8); contract performance with parent | | Send a personalised birthday message to the child once per year | Child date of birth | Parental consent | | Process subscriptions and payments | Billing data | Contract performance; legal obligation (tax) | | Security, fraud prevention, abuse detection, service integrity | Usage logs, device/network data | Legitimate interests (Art. 6(1)(f)) | | Diagnostics and crash analysis | Crash logs, device info | Legitimate interests | | Aggregated, de-identified product analytics and research | De-identified usage data | Legitimate interests | | Customer support and responding to you | Communications, account info | Contract performance; legitimate interests | | Sending service emails (receipts, important changes) | Email address | Contract performance; legal obligation | | Sending marketing emails or push notifications to the parent | Email, device token | Consent (may be withdrawn at any time) | | Legal compliance, defending claims, enforcing our Terms | All categories as needed | Legal obligation; legitimate interests |

Where we rely on consent (including parental consent for a child), you may withdraw consent at any time without affecting the lawfulness of prior processing.

6. How We Obtain Parental Consent (COPPA)

For users who identify the account or a child profile as being located in the United States, or where a child is under the applicable digital-consent age, we obtain verifiable parental consent before processing any personal information about the child. Our current method is:

  1. Account creation is gated behind Sign in with Apple or Google, which authenticates an adult account holder.
  2. The parent affirmatively declares that they are the parent or legal guardian of the child and accepts this Privacy Policy and the Terms & Conditions.
  3. For payment-based features we verify the account holder via Apple/Google/RevenueCat billing (monetary transaction check).
  4. Parents may review, delete, or refuse further collection of their child's information at any time from Settings → Profile or by contacting hello@evovo.ai.

We may update our consent method as permitted by the US Federal Trade Commission.

7. Service Providers and Sub-Processors

We share personal information only with vetted service providers acting as our processors / sub-processors under written data-processing agreements, and only to the extent needed to operate the Service. Current categories include:

| Category | Representative Provider | Purpose | |---|---|---| | Cloud hosting & database | Supabase / AWS | Hosting, auth, storage | | Crash & error monitoring | Sentry | Diagnostics | | Product analytics | PostHog | De-identified usage analytics | | Push notifications | OneSignal | Deliver in-app and push notifications | | In-app subscriptions | RevenueCat, Apple, Google | Billing, entitlement management | | AI / LLM providers | OpenAI, Anthropic, Google (as applicable) | Generate guided questions, responses | | Speech-to-text (if used) | Provider appropriate at the time | Transcribe voice input | | Email delivery | Transactional email provider | Send service and support emails |

These providers process data only on our instructions. They may be located outside your country (see §10). We do not authorise any provider to use child-profile data for their own marketing, advertising, or model-training purposes; where a provider would otherwise reserve such rights, we rely on its enterprise / business / zero-retention settings and contractual prohibitions.

We do not sell personal information and we do not share personal information for cross-context behavioural advertising, as those terms are defined under the CCPA/CPRA.

8. AI Features — How We Use and Limit LLM Processing

To power the guided-question experience we send content to third-party large-language-model ("LLM") providers. We limit this as follows:

  • Input to the LLM is typically the currently selected topic, scenario, and the parent's/child's short text input.
  • Where feasible we strip direct identifiers (first name, date of birth) before sending text to the LLM.
  • We contractually require LLM providers not to use inputs or outputs to train their general foundation models.
  • LLM outputs are suggestions to help parents guide a conversation; they are not professional advice, clinical guidance, medical, mental-health, legal, or educational diagnosis. Parents must exercise judgement before relying on any AI-generated content.
  • LLM outputs may be inaccurate, incomplete, or inappropriate despite our safeguards. You can report a concern at hello@evovo.ai.

9. Data Retention

We retain personal information only for as long as needed for the purposes listed in §5, or as required by law:

  • Active account data — for the life of your account.
  • Child profile data — until you delete the child profile or close the account.
  • Billing records — up to 7 years where required by tax / accounting law.
  • Support communications — up to 3 years after resolution.
  • Security and fraud logs — up to 24 months.
  • Crash / diagnostic logs — up to 90 days.
  • AI conversation inputs — typically up to 30 days in operational stores, then deleted or de-identified unless required for safety review.

On account deletion we will delete or de-identify personal information within 30 days, except where retention is required by law or necessary to establish, exercise, or defend legal claims.

10. International Data Transfers

Evovo operates globally. Your information may be transferred to, stored in, and processed in countries other than your own, including the United States, the United Kingdom, the European Union, and Hong Kong.

Where we transfer personal information out of the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions, or your explicit consent where applicable.

11. Your Rights

Subject to applicable law you have the right to:

  • Access the personal information we hold about you or your child.
  • Correct inaccurate data.
  • Delete your account, a child profile, or specific data.
  • Export your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent where we rely on consent.
  • Lodge a complaint with your local data-protection authority (e.g. UK ICO, Ireland DPC, Hong Kong PCPD, your US state AG, California Privacy Protection Agency).

California residents additionally have the rights to know, delete, correct, limit the use of sensitive personal information, and not be discriminated against for exercising these rights. We do not sell or share personal information as defined under the CCPA/CPRA.

To exercise any right, email hello@evovo.ai from the address on file. We will respond within the timeframe required by applicable law (typically 30 days, extendable by 60 days where permitted). We may need to verify your identity and may decline requests that are unfounded, excessive, or that would compromise another person's rights.

12. Security

We use technical and organisational safeguards appropriate to the sensitivity of the data we handle: encryption in transit (TLS 1.2+), encryption at rest for database-stored personal information, role-based access controls, audit logging, least-privilege production access, regular vulnerability scans, and vendor due diligence.

No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in risk to you, we will notify you and the competent supervisory authorities within the timelines required by applicable law.

13. Children's Privacy (Additional Notice)

Because Evovo is parent-operated, all processing of child data happens under parental consent and parental control. In addition to the rights above, parents may at any time:

  • review the personal information we hold about their child,
  • refuse further collection or use of their child's information,
  • delete a child profile or the entire account.

To do so, contact hello@evovo.ai or use Settings → Profile in the app. We do not condition a child's participation in any part of the Service on the parent disclosing more information than is reasonably necessary.

14. Marketing Communications

We will send service-related messages (receipts, security notices, legal updates) as long as you have an account. We will send marketing emails, in-app messages, or push notifications only to the parent, and only with your consent or on a soft opt-in permitted by applicable law. You may opt out at any time from the unsubscribe link in any email, from your device's notification settings, or by contacting hello@evovo.ai. We do not target marketing at children.

15. Third-Party Links and Content

The Service may include links to or integrations with third-party websites, tools, or content (for example, an App Store, educational resources, or social platforms). We are not responsible for the privacy practices or content of those third parties. Please read their policies before interacting with them.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above and, for material changes, we will give you reasonable prior notice by email, in-app notice, or other appropriate means. Continued use of the Service after an update constitutes acceptance of the revised policy, except where additional consent is required by law.

17. Contact

Questions, complaints, or requests relating to this Privacy Policy may be sent to hello@evovo.ai.

Evovo — 100 Guided Conversations for Parents & Kids