Privacy Policy

Last updated: February 24, 2026

1. Introduction

Who we are and what this policy covers.

Lootli ("we", "us", or "our") operates the Lootli mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App and website at lootli.app.

Please read this policy carefully. If you disagree with its terms, please discontinue use of the App.

2. Information We Collect

Email, child profile data, and app usage data.

We collect the following categories of information:

Account Information
• Parent/guardian email address and password (used for authentication)
• Parent name (optional)

Child Profile Data
• Child's first name or nickname
• Child's age or birth year (used for COPPA compliance verification)
• Activity completions and earning history

App Usage Data
• Activities and chores created by the parent
• Goal amounts and completion records
• Device type and operating system version
• App crash reports and error logs (via Sentry)

We do NOT collect:
• Full legal names of children
• Children's email addresses
• Payment or financial account information
• Precise GPS location

3. How We Use Your Information

To run the app, improve it, and keep it secure.

We use the information we collect to:

• Create and manage your family account
• Enable the core features of Lootli (activity tracking, wallet balance, goal setting)
• Sync data across parent and child devices in real time
• Send transactional notifications (e.g., activity approvals)
• Diagnose and fix technical issues
• Improve and develop new features based on aggregate usage patterns
• Comply with legal obligations

We do not use your data for:
• Behavioral advertising
• Selling or sharing your data with third-party advertisers
• Profiling children for any commercial purpose

4. Data Storage & Security

Your data is stored on Supabase (AWS), encrypted in transit and at rest.

Storage Provider: We use Supabase (supabase.com) as our database and authentication provider. Supabase stores data on Amazon Web Services (AWS) infrastructure in the United States.

Encryption: All data is encrypted in transit using TLS/HTTPS. Data at rest is encrypted using AES-256.

Access Control: Database access is protected by row-level security policies. Only authenticated users can access their own family's data.

Security Measures:
• Secure authentication with bcrypt password hashing
• Two-factor authentication available for parent accounts
• Regular security audits of our codebase
• Monitoring via Sentry for anomalous behavior

Despite these measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

5. COPPA Compliance (Children Under 13)

We require parental consent for all child accounts. We never market to children.

Lootli is designed as a family app where parents manage all account creation. We comply with the Children's Online Privacy Protection Act (COPPA):

Parental Consent
• All accounts are created by a parent or legal guardian (age 18+)
• Children do not create their own accounts and do not directly provide personal information to us
• The parent's account controls all child profile data

What We Collect from Children
• Only first name/nickname and age (provided by the parent)
• Activity completion actions within the app

No Advertising to Children
• We do not serve behavioral advertising to children
• We do not share children's information with advertising networks
• We do not allow children to make purchases or share data publicly

Parental Rights
Parents can at any time:
• Review the personal information collected about their child
• Request deletion of their child's data
• Revoke consent by deleting the child's profile or the family account

To exercise these rights, email us at hello@lootli.app.

6. LGPD Compliance (Brazilian Users)

Rights under Brazil's Lei Geral de Proteção de Dados.

Lootli complies with Brazil's Lei Geral de Proteção de Dados (LGPD — Law 13.709/2018).

Legal Basis for Processing
We process your personal data under the following legal bases (Art. 7 LGPD):
• Contract performance: Processing necessary to provide the Lootli service
• Legitimate interest: Improving app performance, preventing fraud, ensuring security
• Consent: For any optional communications such as newsletters

Your Rights Under LGPD (Art. 18)
As a data subject, you have the right to:
• Access — Confirm whether we process your data and receive a copy
• Correction — Request correction of inaccurate or incomplete data
• Anonymization / Blocking / Deletion — Of unnecessary or excessive data
• Data portability — Receive your data in a structured, machine-readable format
• Deletion — Of data processed with your consent
• Information — About which entities we share data with
• Revocation of consent — At any time, free of charge

Data Protection Officer (DPO)
Our DPO can be reached at: hello@lootli.app

Data Transfers
Your data may be stored on servers located in the United States (AWS). Such transfers occur under appropriate safeguards consistent with LGPD requirements.

7. Third-Party Services

Supabase, Sentry, and Firebase Analytics.

We use the following third-party services to operate Lootli:

Supabase (supabase.com)
• Purpose: Database, authentication, and real-time data sync
• Data shared: Account information, child profiles, activity data
• Privacy policy: supabase.com/privacy

Sentry (sentry.io)
• Purpose: Error tracking and crash reporting
• Data shared: Device type, OS version, anonymized stack traces
• Privacy policy: sentry.io/privacy

Firebase Analytics (Google)
• Purpose: Aggregate app usage analytics
• Data shared: Anonymized usage events (screen views, feature usage)
• No personal identifiers are sent to Firebase
• Privacy policy: policies.google.com/privacy

We do not sell your personal information to any third party.

8. Data Retention & Deletion

We keep your data as long as your account is active. Delete anytime.

Retention Period
We retain your personal data for as long as your account remains active, plus up to 90 days following account deletion (to allow recovery from accidental deletion).

Deleting Your Account
You can delete your Lootli account at any time from the app's Settings → Account → Delete Account. This will:
• Permanently delete all family member profiles
• Remove all activity and earning history
• Delete your email and authentication credentials

Data Export
Before deleting, you can export your data from Settings → Account → Export Data.

Requests
To request data deletion manually, contact us at hello@lootli.app. We will process your request within 30 days.

9. Contact Us

Questions? Email hello@lootli.app

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: hello@lootli.app
Response time: We aim to respond within 5 business days.

For legal notices or formal LGPD requests, use the same email with the subject line "LGPD Request" or "Legal Notice".

This policy may be updated from time to time. We will notify you of significant changes via email or in-app notification.