Last Updated: February 19, 2026 | Effective: February 19, 2026
Summary for Parents: PaperMagic is a kids' dress-up app. We collect minimal data (parent email, child display name, creations). We do NOT serve ads, track children, or sell data. Children under 13 need verified parental consent. You can review, delete, or export your child's data at any time.
1. Who We Are
PaperMagic is operated by Capibara Corp ("we," "us," or "our"). PaperMagic is a digital "paper dolls" app designed primarily for children ages 4–12, with features for teens (13–15) and adults (16+).
We are committed to protecting children's privacy and complying with the Children's Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR) Article 8, and applicable local data protection laws.
Capibara Corp, 123 Paper Street, Magic City, MC 12345
2. Information We Collect
We collect the minimum information necessary to provide our service.
A. Information collected from parents/guardians
Email address — for account creation, verification, and transactional communications
Password — stored in hashed form via our authentication provider (Clerk); we never see or store plain-text passwords
Country of residence — detected via device locale for GDPR consent age determination, with manual override
Birth year — for age verification during registration
B. Information collected from children (with parental consent)
Display name — chosen by the parent; does not need to be the child's real name
Creations — dressed-up character configurations and gallery saves
C. Information collected automatically
Device type and OS version — collected via Sentry for crash reporting in production only; no personal identifiers included
App version — for delivering updates via Expo/EAS
D. Payment information
Subscriptions are processed entirely through Google Play Billing (or Apple App Store for future iOS). We do NOT directly collect, process, or store credit card numbers, bank account information, or other financial data. All payment processing is handled by the respective app store.
3. Information We Do NOT Collect
To protect children's privacy, we do NOT collect:
Child's real name or surname
Android Advertising ID (AAID) or any advertising identifiers
Precise or coarse location data (GPS, Wi-Fi, cell tower)
Photos, videos, or audio recordings
Contact lists or address books
Social media accounts or profiles
SIM serial, IMEI, IMSI, MAC address, BSSID, or Build Serial
Biometric data
Browsing history or cross-app tracking data
4. How We Use Information
We use collected information exclusively to:
Create and manage user accounts
Verify parental consent for users under the applicable consent age (COPPA/GDPR requirement)
Save and display user creations within the app
Process and manage subscription status
Send transactional emails to parents (account verification, parental consent requests)
Diagnose and fix app errors and crashes (production only, via Sentry)
Deliver app updates (via Expo/EAS)
We do NOT use children's data for advertising, behavioral profiling, marketing, or any purpose beyond providing the PaperMagic service.
5. How We Share Information
We do NOT sell, rent, or trade personal information—especially children's data—to any third party. We share data only with the following service providers, strictly for the purpose of operating PaperMagic:
Service Provider
Purpose
Data Shared
Supabase
Database, cloud storage, and serverless functions
User profiles, child profiles, creations
Clerk
Authentication and account management
Parent email, hashed password, session tokens
RevenueCat
Subscription management
Anonymous user ID, subscription status
Sentry
Error monitoring (production only)
Device info, OS version, crash logs (NO child personal data)
Resend
Transactional email delivery
Parent email address only (never child data)
Expo/EAS
App updates and build delivery
Device type, app version
These service providers are contractually prohibited from using data for any purpose other than providing their services to PaperMagic. We may also disclose information when required by law or to protect the safety of our users.
6. Parental Consent (COPPA)
For children under 13 (in the United States) or under the applicable digital consent age in their jurisdiction, we require verifiable parental consent before collecting any personal information.
How we obtain consent
We use the "Email Plus" method approved by the FTC:
A parent creates an account and provides their email address
We send a verification email to the parent
The parent must confirm their email
A second confirmation email is sent 24–48 hours later (as required by COPPA)
Only after successful verification can the child use PaperMagic
What the consent covers
By completing the verification process, the parent consents to the collection and internal use of their child's data as described in this Privacy Policy. The parent may consent to collection and internal use without consenting to disclosure to third parties (though disclosure to our service providers listed above is necessary to operate the app).
7. Parental Rights
Parents and legal guardians have the right to:
Review their child's personal information at any time through the app settings
Request deletion of their child's personal information
Refuse further collection or use of their child's information
Manage their child's account settings, including child profiles
Export their child's data in a portable format
Delete the account entirely, which will remove all associated data after a 30-day grace period
To exercise any of these rights, use the account settings within the app or contact us at privacy@capibaracorp.com.
8. Children's Privacy
PaperMagic is directed at children ages 4–12. We take children's privacy seriously:
We comply with COPPA (including the 2025 amendments effective June 23, 2025) and GDPR Article 8
We do NOT knowingly collect personal information from children without verifiable parental consent
We do NOT serve behavioral advertising or any advertising to children
We do NOT collect Android Advertising ID (AAID) or any device advertising identifiers from children
We do NOT transmit restricted device identifiers (SIM serial, IMEI, IMSI, MAC, BSSID, Build Serial)
All third-party SDKs used in PaperMagic have been reviewed for compliance with children's privacy requirements
If we learn that we have collected information from a child without proper parental consent, we will delete it promptly
9. Data Retention
We retain personal data only as long as reasonably necessary to provide our services:
Data Type
Retention Period
Parent account data
While account is active, plus 30 days after deletion request
Child profile data
While parent account is active, deleted with parent account
Creations & gallery data
While account is active, deleted with account
Error/crash logs (Sentry)
90 days
Parental consent records
3 years (COPPA record-keeping requirement)
Transactional email logs
90 days
When an account is deleted, we permanently remove all associated personal information within 30 days (grace period to allow account recovery), except where retention is required by law or for COPPA record-keeping.
10. Data Security
We implement industry-standard security measures to protect personal information:
Encryption in transit — all data transmitted via HTTPS/TLS
Encryption at rest — database and storage encryption via Supabase
Secure authentication — via Clerk with hashed passwords and secure session management
Row-Level Security (RLS) — database policies ensuring users can only access their own data
Access controls — strict team access limited to authorized personnel
While we take reasonable precautions, no method of data transmission or storage is 100% secure. If you discover a security vulnerability, please report it to security@capibaracorp.com.
11. International Users & GDPR
PaperMagic is available internationally. For users in the European Union, European Economic Area, and the United Kingdom, we process personal data in compliance with the GDPR.
Legal basis for processing
Parental consent (Article 6(1)(a) and Article 8 GDPR) — for processing children's data
Contract performance (Article 6(1)(b)) — for providing the service to adult users
Legitimate interest (Article 6(1)(f)) — for error monitoring and app stability
Digital consent ages by country
Children below the following ages require verified parental consent:
Consent Age
Countries
13
Belgium, Czech Republic, Denmark, Finland, France, Latvia, Malta, Poland, Portugal, Spain, Sweden, United Kingdom
Data portability (export in a machine-readable format)
Object to processing
Lodge a complaint with their local supervisory authority
Cross-border data transfers
Our service providers may process data in various regions. Where data is transferred outside the EU/EEA, it is protected by Standard Contractual Clauses (SCCs) or other approved transfer mechanisms as required by the GDPR.
12. Your Rights
All users have the right to:
Access your personal data
Correct inaccurate data
Delete your account and all associated data
Export your data in a portable format
Opt out of optional communications
To exercise these rights, use the account settings in the app or contact privacy@capibaracorp.com. We will respond within 30 days.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
We will update the "Last Updated" date at the top of this page
We will notify parents via email for material changes
If changes involve new uses of children's data, we will obtain new parental consent
We will notify users within the app
We encourage you to review this policy periodically.
14. Contact Us
If you have questions about this Privacy Policy, want to exercise your rights, or have concerns about your child's privacy, please contact us: