Fun Games Now

Plain-English summary. Fun Games Now is built for SEND tutors and parents to use with children in screen-share sessions. We hold the bare minimum information needed to run the service: a tutor account (email + password), the children you choose to add (first name, year group, working level, optional notes), and what those children play (stickers, picks, sessions). We never sell data, never serve ads to children, and never let third parties profile them. If you want anything deleted, email hello@fungamesnow.co.uk and we'll do it within 30 days.

1. Who we are

Fun Games Now ("we", "us", "our") is a service operated from the United Kingdom. We act as the data controller for tutor accounts and as a data processor for the information tutors record about the children they support. Our registered contact for data questions is hello@fungamesnow.co.uk.

We are registered with the UK Information Commissioner's Office (ICO). [ICO registration number to be added once issued.]

2. What we collect about tutors / parents (the account holder)

Email address and a hashed password (handled by Supabase Auth).
Optional display name.
Stripe customer ID and subscription status — to keep your access active. We never see or store card numbers; payment details are handled directly by Stripe.
Server-side logs (IP address, request timestamps, user-agent) for security and abuse prevention. Retained for 30 days.
If you opt-in to analytics cookies (see §6), aggregated usage events to help us improve the product.

3. What we collect about children

You choose what to enter. The fields are deliberately minimal:

First name (or nickname).
Avatar emoji.
Year group (Reception–Y6) and working Key Stage (KS1, Lower KS2, Upper KS2).
Optional: favourite game categories, interests (e.g. "dinosaurs, drawing"), and private support notes you write for yourself.
Activity records — which decks they played, which contender they picked each round, stickers they earned, and any "why I picked this" reasons they chose to record. These help you evidence progress; they are not used for profiling, advertising, or content recommendations beyond surfacing favourites.

We do notcollect: surnames, dates of birth, postal addresses, photos uploaded by tutors, voice recordings, school identifiers, EHCP plan documents, or any special-category data beyond what you choose to enter in "support notes".

4. The Children's Code (UK Age Appropriate Design Code)

We design Fun Games Now for use by an adult tutor or parent witha child. The adult is the account holder; they enter and control the child's data. Specifically:

We never serve advertising to children.
We never use behavioural profiling, recommendation algorithms, or engagement-maximising mechanics on children. Sticker rewards are simple, transparent, and fully visible to the supervising adult.
Default settings are privacy-protective: stickers stay local until a tutor signs in; child profiles are private to the tutor that created them; we don't track a child across the web.
We don't share child data with third parties for their own purposes. Our processors (listed in §7) only act on our instructions to deliver the service.
Children's first names are the only direct identifier; we recommend tutors use first names or nicknames only.
If you stop being the appropriate adult to hold a child's data (the child moves tutors, leaves school, or a parent withdraws consent), you can delete that child's profile from /dashboard/children/[id] at any time. All associated stickers, session events, and notes are deleted within 24 hours.

5. Lawful basis for processing

Tutor account data — performance of the contract you enter into when you sign up (UK GDPR Art. 6(1)(b)).
Children's data — entered and controlled by the tutor under their professional duty of care, with the parent's separate consent obtained by the tutor (Art. 6(1)(f) legitimate interests, balanced by the Children's Code).
Marketing emails — opt-in consent only (Art. 6(1)(a)). You can opt out at any time via the unsubscribe link.
Security logs and abuse prevention — legitimate interests (Art. 6(1)(f)).

6. Cookies and analytics

We use a small number of cookies. They fall into three groups:

Strictly necessary — Supabase auth session, Stripe checkout state, and your active-child preference. These are essential for the service to work and are exempt from consent under PECR.
Analytics (consent required) — anonymous usage pings via Vercel Analytics + PostHog (if enabled). Used to find broken pages and improve the product. Refused by default.
Marketing (consent required) — none currently. If we add advertising pixels (Meta, Google Ads) we'll request opt-in consent before loading them.

See the Cookie policy for the full list and how to change your choices.

7. Who else processes your data

Supabase (database + auth) — EU-hosted. Acts as our processor under a UK-IDTA-compliant Data Processing Agreement.
Stripe (payments) — payment data is sent directly from your browser to Stripe; we never see card numbers. Stripe is a separate data controller for fraud-prevention purposes.
Vercel (hosting + analytics) — UK/EU edge regions. Aggregated analytics only.
Resend or similar transactional email provider (sign-up confirmations, billing notifications). EU-hosted.
We do not transfer data to processors outside the UK/EEA without UK-approved safeguards (UK-IDTA or equivalent).

8. How long we keep your data

Tutor account — for as long as you have an active subscription, plus 6 months after cancellation in case you return.
Child profiles — until you delete them, or 12 months after the linked tutor account is deleted.
Billing records — 6 years (UK accounting law requirement, HMRC).
Server logs — 30 days.
Marketing email opt-ins — until you unsubscribe.

9. Your rights

You can ask us, free of charge, to:

Show you everything we hold about you (subject access request).
Correct anything that's wrong.
Delete your account and the child profiles you control (right to erasure).
Pause processing while we sort out a complaint (right to restrict).
Export your tutor + children data in a portable format (right to data portability).
Object to processing based on legitimate interests.
Withdraw consent for analytics or marketing at any time, with no impact on service access.

Email hello@fungamesnow.co.uk and we'll respond within 30 days. If you're not happy with our response, you can complain to the UK ICO at ico.org.uk/concerns.

10. Security

Tutor passwords are hashed at rest by Supabase Auth (bcrypt). Database access is gated by row-level security policies that scope every read and write to the owning tutor — your data is invisible to other accounts even if a backend bug occurred. Traffic is HTTPS-only and Stripe traffic is PCI-DSS compliant. Routine security patches are applied automatically through our managed hosting providers.

11. Changes to this policy

If we make material changes to how we handle data, we'll email account holders at least 30 days before the change takes effect. Minor wording fixes are noted by updating the "Last updated" date at the top.

Need help? Email hello@fungamesnow.co.uk. We're a small UK team and reply within two working days.