Privacy Policy
This policy explains how Fluff Software Limited collects, uses, stores and protects personal data when you use the Huntly World mobile application and related services.
Data controller: Fluff Software Limited · Company no. 12275014
Contents
- 1. About this policy
- 2. Who we are and how to contact us
- 3. Who this policy covers
- 4. What personal data we collect
- 5. Our lawful basis for processing
- 6. How we use your data
- 7. Who we share your data with
- 8. International data transfers
- 9. Profile photos
- 10. Data retention
- 11. Security
- 12. Children's privacy
- 13. Your rights
- 14. Device identifiers and analytics
- 15. Changes to this policy
- 16. Contact us
1. About this policy
This privacy policy explains how Fluff Software Limited ("we", "us", "our") collects, uses, stores and protects personal data when you use the Huntly World mobile application and related services ("the App").
Fluff Software Limited is the data controller for the personal data described in this policy. We are committed to protecting the privacy of all our users, particularly children. Huntly World is designed for use by families and clubs to encourage children to explore the outdoors through stories, missions and friendly characters.
2. Who we are and how to contact us
- Data controller: Fluff Software Limited
- Company number: 12275014
- Registered office: Nexus Business Centre, 6 Darby Close, Cheney Manor, Swindon, England, SN2 2PN
- Website: huntly.world
- Privacy contact: huntly@fluff.software
We aim to respond to all privacy enquiries within 30 days. If you are in the UK, you have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk/concerns. If you are in the EU/EEA, you may contact your local supervisory authority.
3. Who this policy covers
This policy covers two types of users:
- Account holders – parents or guardians aged 18 or over who create and manage an account on behalf of their family or club.
- Child users – children under the age of 13 for whom a parent or guardian has created an explorer profile.
Children cannot create their own accounts. All accounts must be created by a parent or guardian. By creating an account, you confirm you are at least 18 years old and have the authority to agree to this policy on behalf of your child.
4. What personal data we collect
Account holder data
When you create an account we collect:
- Your email address (used for sign-in and communications)
- Your password, managed via Supabase Auth and stored in hashed form — we never store plain-text passwords
- Any preferences or settings you configure in the app
Child explorer profile data
When you set up a profile for a child we collect:
- The child's first name or nickname (as entered by you)
- Team or group selection
- In-app progress, achievements and mission data
- A profile photo uploaded by you to personalise the child's profile (see Profile photos for full details)
Technical data
We automatically collect limited technical information to operate and improve the App:
- Device type and operating system version
- App version
- Basic anonymised analytics via Apple App Analytics, Google Play Analytics and Expo's built-in analytics — this data is aggregated and does not identify individual users
We do not collect precise location data, voice recordings or biometric data.
Push notifications
If you grant permission, we use Expo's push notification service to send app notifications (for example, mission updates or account alerts). Expo stores your device's push token solely for notification delivery; notification content is not retained by Expo after delivery. You can withdraw permission at any time in your device settings.
5. Our lawful basis for processing
UK GDPR and EU GDPR require us to have a lawful basis for processing personal data. Our bases are:
- Contract – processing your account data to provide the service you have signed up for.
- Consent – where we rely on your agreement, such as sending marketing communications or processing a child's profile photo. You can withdraw consent at any time by contacting huntly@fluff.software or adjusting your in-app settings.
- Legitimate interests – processing anonymised usage data to improve the App, where this does not override your rights.
- Legal obligation – where we are required to process data to comply with applicable law.
For children's data, we rely on the consent of the parent or guardian who created the account. We process children's personal data only to the extent necessary to provide the in-app experience.
6. How we use your data
We use the data we collect to:
- Create and manage your account
- Provide the Huntly World experience, including explorer profiles, missions and progress tracking
- Authenticate you securely and enable password reset via Supabase Auth
- Review and moderate uploaded profile photos before they are made visible to other users
- Send service-related notifications and, where you have consented, marketing updates
- Improve and develop the App using anonymised usage data
- Comply with our legal obligations and enforce our terms
We do not use children's personal data for advertising, profiling, or any purpose beyond delivering and improving the in-app experience.
8. International data transfers
Supabase and Expo are based in the United States. When we transfer personal data outside the UK or EEA, appropriate safeguards are in place:
- Supabase: EU SCCs (Module 2, controller to processor) under Commission Decision 2021/914, plus the UK ICO-approved Addendum. A Transfer Impact Assessment is also in place.
- Expo: participates in the EU-US Data Privacy Framework and is GDPR-compliant. Push token data is processed solely for notification delivery.
- Apple/Google analytics: data is aggregated and anonymised before reaching us; no personal data is transferred on our behalf.
9. Profile photos
Account holders may upload a photo to personalise a child's explorer profile. The following process applies to all uploaded photos:
- Photos are uploaded by account holders (parents or guardians) and stored securely in Supabase Storage
- Each photo is reviewed by a member of our internal admin team, who checks that no identifiable individuals or sensitive details are visible
- Only photos that pass review are approved and made visible to other users within the app
- Photos that do not pass review are permanently deleted
We do not use profile photos for any purpose other than displaying them within the Huntly World app. Photos are not shared with third parties beyond the storage infrastructure described in section 7.
You can remove a profile photo at any time from within the app, or by contacting huntly@fluff.software.
10. Data retention
We keep your data for as long as your account is active or as needed to provide the service:
- Account holder email and authentication data: retained for the life of the account plus 30 days after deletion to allow for account recovery, then permanently deleted
- Child explorer profile data (names, progress, photos): deleted when the profile is deleted or the account is closed
- Anonymised usage and analytics data: retained indefinitely as it cannot be linked to individuals
- Data required for legal compliance: retained for the period required by applicable law
When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.
11. Security
We implement industry-standard technical and organisational measures to protect your data, including:
- Encrypted data transmission using TLS for all communications between the App and our servers
- Encryption at rest for all data stored in Supabase (AES-256)
- Secure user authentication via Supabase Auth, with passwords stored as salted hashes
- Access controls limiting which team members can access personal data
- Internal moderation processes for user-uploaded photos
You are responsible for keeping your account credentials secure. If you suspect unauthorised access, contact us immediately at huntly@fluff.software.
In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law (within 72 hours of becoming aware, where required).
12. Children's privacy
Huntly World is used by children under the age of 13. We take our obligations under the UK ICO Children's Code (Age Appropriate Design Code), UK GDPR and the US Children's Online Privacy Protection Act (COPPA) seriously.
Our commitments:
- Children cannot create their own accounts — all accounts are created and managed by a parent or guardian
- We collect only the minimum personal data needed to provide the in-app experience
- We do not use children's data for advertising, behavioural tracking or commercial profiling
- We do not share children's personal data with third parties except as described in this policy
- Profile photos are subject to human moderation before being made visible to other users
- We do not knowingly allow children to communicate publicly or share personal data beyond their family account
If you are a parent or guardian and believe we have collected data from or about your child in error, or wish to review, correct or delete your child's data, please contact us at huntly@fluff.software.
13. Your rights
Depending on where you live, you may have the right to:
- Access – request a copy of the personal data we hold about you
- Correction – ask us to correct inaccurate or incomplete data
- Deletion – ask us to delete your data (subject to legal retention requirements)
- Portability – request your data in a structured, machine-readable format
- Restriction – ask us to restrict processing in certain circumstances
- Objection – object to processing based on legitimate interests
- Withdraw consent – where we rely on consent, you can withdraw it at any time without affecting prior processing
To exercise any of these rights, contact us at huntly@fluff.software. We will respond within one month as required by UK/EU GDPR. We may need to verify your identity before acting on a request. As a parent or guardian, you may exercise these rights on behalf of your child.
US users in states with applicable privacy laws (including California — CCPA/CPRA) may have additional rights, including the right to know what data is collected and the right to opt out of sale (we do not sell data).
If you are in the UK, you have the right to complain to the ICO (ico.org.uk). If you are in the EU/EEA, you may contact your local data protection authority.
14. Device identifiers and analytics
The App uses the following device-level technologies:
- Expo push token – a device identifier used solely to deliver push notifications. Stored by Expo; not used for tracking or advertising.
- Supabase Auth session token – a secure session token stored on your device to keep you logged in. Cleared on sign-out.
- Apple App Analytics – aggregated, anonymised usage statistics collected by Apple. We receive no individually identifiable data.
- Google Play Analytics – aggregated, anonymised usage statistics collected by Google. We receive no individually identifiable data.
- Expo analytics – basic, anonymised app performance data. No personally identifiable data is shared with us.
None of these technologies are used for advertising or cross-app tracking.
15. Changes to this policy
We may update this policy from time to time. Where changes are significant, we will notify you by a prominent notice within the App or by email, and will always update the “Last updated” date at the top of this policy.
For material changes that affect how we process children's data, we will seek fresh consent from account holders where required by law.
16. Contact us
- Fluff Software Limited
- Company number: 12275014
- Nexus Business Centre, 6 Darby Close, Cheney Manor, Swindon, England, SN2 2PN
- Website: huntly.world
- Email: huntly@fluff.software
We aim to respond to all privacy enquiries within 30 days.
Last updated: February 2025 · Version 1.1 · Fluff Software Limited (Company no. 12275014)
