Privacy Policy

Last updated: 14 April 2026

1. Who we are and how to contact us

Solvly is operated by Solvly Inc., founded by Biren Patel. Our website is getsolvly.com and the in-app world is called MissionWorld by Solvly.

If you have any questions about this privacy policy or how we handle personal data, you can contact us at:

2. What information we collect from children (and what we don't)

Solvly does not collect personal information from children without verifiable parental consent. For children under 13 (under 18 in India and UAE), a parent or guardian must create an account before any child profile is established. We do not collect children's real names, email addresses, phone numbers, location data, photographs, or voice recordings. We collect only: a display name chosen by the parent, an age band (not exact date of birth), and an avatar selected from a pre-defined set.

During gameplay, we collect the following non-personal data about each child's activity:

  • Mission choices made and their timestamps
  • Time spent on each scenario (used to determine choice quality)
  • Skill XP earned across all five pillars and EI sub-skills
  • Mission completion status and stars awarded
  • Streak data (consecutive days of play)

All child activity data is stored against an anonymised child ID (UUID). We never associate child activity data with a real name, school, or any other personally identifiable information.

We do not collect: real names, dates of birth, school names, email addresses, phone numbers, physical addresses, photographs, voice recordings, biometric data, device identifiers, or IP addresses from children. IP addresses are anonymised before any analytics processing.

3. What information we collect from parents

When a parent creates an account, we collect:

  • Email address (used for login, account recovery, and transactional communications)
  • Full name (optional, used for account display)
  • Country of residence (used for localisation and legal compliance)
  • Payment information (processed securely by Stripe; Solvly never stores card details directly)

We also store consent records that document when and how parental consent was provided. These records are immutable and cannot be edited or deleted.

4. How we use information

We use the information we collect to:

  • Provide and improve the Solvly service, including personalising mission recommendations
  • Generate skill progress reports visible to parents in the parent dashboard
  • Send transactional emails to parents (account verification, password reset, weekly digest)
  • Maintain streaks and XP calculations
  • Detect and prevent fraud or abuse
  • Comply with legal obligations (COPPA, DPDP Act, UAE CDS Law, GDPR)

We never use child data to: target advertisements, build advertising profiles, train third-party AI models, or share data with ad networks. Skill tracking within Solvly is used only to personalise learning and generate the parent dashboard.

5. How we share information (and our commitment not to sell it)

We do not sell personal data. We do not share personal data with advertisers. We will never do either.

We share data only with the following categories of service providers, all of whom are bound by data processing agreements:

  • Hosting and infrastructure: Supabase (database), Vercel (web hosting), Upstash (caching)
  • Payment processing: Stripe (payment processing only; Solvly never sees or stores card numbers)
  • Email: Resend (transactional emails to parents only)
  • Error monitoring: Sentry (crash reports; no child PII included)
  • Analytics: PostHog (product analytics with IP anonymisation enabled; no persistent user profiles; no device identifiers)

We do not share data with any advertising networks, data brokers, social media platforms, or any third party that uses data for advertising purposes.

6. How parents can review, correct, or delete their child's data

Parents have the right to:

  • Review all data associated with their child through the parent dashboard
  • Export all data by requesting a data export from Settings (delivered within 24 hours)
  • Correct their child's display name, age band, or avatar at any time through the parent dashboard
  • Delete all child data by submitting a deletion request through Settings or by emailing privacy@getsolvly.com
  • Revoke consent at any time, which will trigger immediate account deactivation and data deletion

Upon receiving a deletion request, we permanently delete all child data within 30 days. This includes all choice events, skill XP records, mission progress, Sage interactions, and streak history. This deletion is irreversible.

7. Data retention periods

We retain data only for as long as it is needed:

  • Active child data: Retained for as long as the parent account is active
  • Deleted child data: Permanently removed within 30 days of a deletion request
  • Parent account data: Retained for as long as the account is active, plus 30 days after account closure to allow for reactivation
  • Consent records: Retained indefinitely as required by COPPA for audit purposes (these contain no child PII)
  • Payment records: Retained by Stripe in accordance with financial regulations; Solvly does not store payment details
  • Analytics data: Anonymised and aggregated; no individual child can be identified from retained analytics

8. How we protect data

We implement the following security measures:

  • All data is encrypted in transit (TLS 1.3) and at rest
  • Row-level security (RLS) on all database tables containing child data ensures that only the authenticated parent can access their children's records
  • Child sessions use short-lived tokens (8-hour expiry)
  • Parent sessions use JWT tokens with automatic expiry
  • All API endpoints that access child data verify parent ownership before returning any information
  • No child data is ever stored in browser localStorage or sessionStorage
  • IP addresses are hashed before storage; raw IP addresses are never logged

9. Cookies and tracking

Solvly uses the following cookies:

  • __Host-solvly_session (or solvly_session in legacy sessions): An httpOnly, secure cookie used to maintain your login session. This is essential for the service to function and cannot be disabled.

We do not use advertising cookies, retargeting pixels, or any third-party tracking cookies. Our analytics provider (PostHog) is configured with IP anonymisation enabled, no persistent user profiles, and session recording disabled. We do not use device fingerprinting.

When you first visit our website, we default to declining all optional cookies. You may adjust your preferences at any time using the “Cookie settings” link in the footer. For the full per-cookie list (name, purpose, duration, category) see our Cookie Policy.

10. Changes to this policy

If we make material changes to this privacy policy, we will notify all registered parents by email at least 14 days before the changes take effect. We will also update the “Last updated” date at the top of this page.

If any change materially affects how we collect or use children's data, we will seek renewed parental consent before applying the change to existing accounts.

11. Contact for privacy concerns

For any questions about this privacy policy, to exercise your data rights, or to report a privacy concern:

We respond to all privacy requests within 5 business days. Data deletion requests are processed within 30 days.

Applicable regulations

This privacy policy is designed to comply with: the Children's Online Privacy Protection Act (COPPA, United States), the Digital Personal Data Protection Act 2023 (DPDP Act, India), the UAE Child Digital Safety Law, the General Data Protection Regulation (GDPR, European Union), and Saudi Arabia's Personal Data Protection Law (PDPL).

Where local regulations impose stricter requirements than those described above, we comply with the stricter standard.