Effective date: 2025-09-13
App: BioPlay — mobile app for learning biology (IGCSE Biology 2026–2028).
Data controller: ЖК Hexa.bilim (IE “Hexa.bilim”), Mangystau Region, Munayly District, Daulet Rural District, Zhana Daulet Residential Area.
Contact: hexa.bilim@gmail.com
This Policy is intended for users in the Republic of Kazakhstan and references the Law of the Republic of Kazakhstan “On Personal Data and Their Protection” (2013). It is provided for information only and is not legal advice.
This Policy explains what personal data we process in BioPlay, why, and how we protect it. By installing the app and creating an account you acknowledge this Policy and updates to it.
We follow the principle of data minimization.
Firebase UID (pseudonymous identifier)
Email, display name (if provided)
Country/region, language, time zone
Device model, OS version, app version
Session identifiers, timestamps, duration
Crash logs/diagnostics (Crashlytics) and essential technical logs
Opening a lesson/module, completion flags
Basic counters (e.g., honey, steps) stored in our database
In Firebase Realtime Database under users/{uid} we store:
profile (e.g., name, email, color, timestamps)
prefs (e.g., notificationsEnabled)
gamedata (e.g., honey totals)
steps (per-step progress counters)
leaderboard / streaks (weekly results and streak info)
subscription (months/source; no full payment data — stores only status)
survey (if you voluntarily fill it)
We do not collect research psychometrics (e.g., NASA-TLX, IMI, STAI, Raven) in the current version.
Provide and maintain the service (registration, login, progress syncing, subscription checks) — performance of contract and/or other grounds allowed by law.
Security and fraud prevention (rate-limiting, abuse detection) — legitimate interests and/or other lawful grounds.
Product improvement with minimal telemetry — where required, based on consent and aggregated thereafter.
Marketing communications (if used) — separate opt-in consent; you can withdraw at any time.
We do not sell personal data and do not share it with third parties for direct marketing.
We use trusted providers under data-processing agreements:
Firebase (Google): Authentication, Realtime Database, Cloud Functions, Messaging (if enabled), Crashlytics. Analytics SDKs are disabled by default unless clearly enabled with consent.
App stores (Apple App Store / Google Play): payment and subscription processing.
The list may be updated as services evolve.
Our cloud infrastructure may process personal data on servers outside Kazakhstan. Transfers occur under contractual and technical safeguards (encryption in transit/at rest, strict access control, confidentiality commitments). Where local storage is required by law, we implement appropriate organizational and technical measures.
We retain data only as long as needed for the purposes described or required by law:
Data category: Typical retention
Account & progress (users/{uid}): While account is active; limited backups may persist for a short technical period, then purged
Subscription records: Active period + any legal (tax/accounting) retention
Diagnostics & crash logs: Up to 12–18 months, then aggregated or deleted
Consent/opt-out records (if any): Until withdrawn or per legal requirements
Actual periods may be clarified in-app: Settings → Privacy.
Subject to applicable law, you may request: access (copy), correction, deletion, restriction or objection (where applicable), and data portability.
How to exercise:
In app: Settings → Privacy → Data requests
– Export data: generates a machine-readable JSON of your users/{uid} data and Auth profile.
– Delete account: deletes Auth account and your users/{uid} data.
Or email: hexa.bilim@gmail.com
We may ask you to verify your identity (e.g., recent sign-in). We aim to respond within 30 days (may be extended for complex requests; we will notify you).
Note: Some records may temporarily remain in encrypted backups/logs and will be purged on the next scheduled cycle.
The app can be used by minors for education. Where required by law, certain processing (e.g., analytics or marketing) requires parental/guardian consent. We do not use personalized advertising and avoid collecting excessive data about children.
We use encryption in transit and at rest, least-privilege access, role-based permissions, audit logging, and data minimization. No online system can be guaranteed 100% secure, but we continuously improve safeguards.
We may update this Policy. Significant changes will be communicated in-app; the Effective date above will be updated.
Controller: ЖК Hexa.bilim
Address: Mangystau Region, Munayly District, Daulet Rural District, Zhana Daulet Residential Area
Email: hexa.bilim@gmail.com