Back
LittleVestor
Privacy & Security

Privacy Policy

Last updated:June 5, 2026

Who We Are

LittleVestor is a financial-literacy service for families. The data controller responsible for your personal data is Ekstremac doo Kragujevac (Serbia), the operator of LittleVestor. You can reach our privacy team at privacy@littlevestor.com.

Information We Collect

We collect only what we need to run the service, and we keep parent and child data separate:

  • Parent account: your name, email address, language preference, and the family details you provide.
  • Child profile (created by you): first name, a username and numeric PIN used to sign in, optional birth date and avatar, and learning activity such as tasks, savings goals, transactions, and badges.
  • Payment data: handled entirely by our reseller Paddle as Merchant of Record. We never see or store full card numbers.
  • Usage and device data: basic app interactions and error diagnostics used to keep the service reliable.

We do not collect a child's precise location, biometric identifiers, or contact details, and we never use children's data for advertising or profiling.

How We Use Your Data

We use the data we collect to:

  • Provide and maintain the LittleVestor service for your family.
  • Personalize each child's age-appropriate learning experience.
  • Send the service and account notifications you have asked for.
  • Keep the service secure, diagnose errors, and improve features.
  • Meet our legal, tax, and compliance obligations.

We never sell your data, and we never serve behavioral advertising to children.

Children's Privacy (COPPA)

LittleVestor is intended for children only under the supervision of a parent or guardian. In line with the US Children's Online Privacy Protection Act (COPPA):

  • Child accounts can only be created and managed by a parent from their own account — a child cannot register on their own. By creating a child profile you provide parental consent for the limited data described above.
  • You can review, correct, export, or delete your child's data at any time from the parent dashboard or by contacting us.
  • We collect the minimum data needed for the learning experience and retain it only while the account is active.
  • We never share children's data with third parties for marketing, and never condition a child's participation on disclosing more data than necessary.

Your Rights (GDPR / GDPR-K)

If you are in the EU/EEA, the General Data Protection Regulation gives you the rights below. Our lawful basis is your consent and the performance of our contract with you; for children, processing relies on parental consent (GDPR Art. 8):

  • Access — obtain a copy of the personal data we hold about you or your child.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — delete your account and associated data (the 'right to be forgotten').
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction and objection — limit or object to certain processing.
  • Withdraw consent — withdraw parental consent at any time, which closes the child's account.

How to Exercise Your Rights

To exercise these rights — access, correction, export, restriction, or deletion — email us at privacy@littlevestor.com and we will respond within 30 days. Parents can also remove a child's profile or a family member directly in the app at any time, which deletes the associated data.

Third-Party Service Providers

We share data only with vetted processors that help us run the service, under data-processing agreements. We do not sell data. Our main processors are:

  • Supabase — database, authentication, and storage.
  • Paddle — payment processing as Merchant of Record (web).
  • RevenueCat — subscription management for mobile in-app purchases.
  • OneSignal — push notifications.
  • Mailchimp — parent email newsletters (parent emails only, never children).
  • Sentry — error and crash diagnostics.
  • Vercel — application hosting.

Data Retention

We keep personal data only while your account is active. When you delete your account, we remove the associated personal data within 30 days, except where we must retain certain records by law — for example, payment and tax records held by Paddle as Merchant of Record.

International Data Transfers

Some of our processors are located outside your country, including outside the EEA. Where data is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

Data Security

We protect your data with encryption in transit and at rest, row-level security on our database, and access controls that limit who can see personal data. A child's PIN is a login credential and is never shown in any data we return to clients.

Changes to This Policy

We may update this policy as the product and the law evolve. If we make a material change, we will notify you through the app or by email. The 'last updated' date above always reflects the current version.

Questions About Privacy?

If you have any questions about how we protect your family's privacy, or to exercise your rights, contact our data controller Ekstremac doo Kragujevac at privacy@littlevestor.com.