Privacy Policy

1 Who we are

Marshmallow Reading operates the Marshmallow Reading website and Android application — a children's reading platform that rewards kids with bitcoin for logging books and audiobooks. The parent or guardian who creates an account is the account holder. Children do not create accounts and do not directly provide personal information to us.

2 What we collect

Information you provide

• Email address — collected when you create an account or join the waitlist. Used solely for account access and subscription billing.
• Bitcoin wallet address — optionally provided in account settings to receive reading rewards. Never required to use the app.

Information collected automatically

• Subscription and billing status — managed by Stripe. We store your Stripe customer ID and subscription status to verify access. We do not store payment card details.
• Book and audiobook logs — titles and dates you log, associated with your account to track reward progress. No information is collected from children directly.
• Server logs — standard logs (IP address, browser type, pages visited) retained for up to 30 days for security purposes. Not linked to your account for marketing.

What we do not collect

• Names, dates of birth, or any personal information from children.
• Advertising trackers, analytics SDKs, or third-party marketing cookies.

3 How we use it

• To create and manage your account and verify subscription status.
• To process subscription payments via Stripe.
• To calculate and send bitcoin rewards when milestones are reached.
• To respond to support requests.
• To comply with legal obligations.

4 Bitcoin rewards

Reading rewards are denominated in US dollars and fulfilled in bitcoin (satoshis) at the prevailing market rate at the time of payout. The number of satoshis you receive will vary with the bitcoin price. We use a live market price feed to calculate the sat equivalent at payout time.

Marshmallow Reading is not a financial institution. Rewards do not constitute investment advice.

5 Third-party services

• Stripe — processes subscription payments and holds your email and billing data. stripe.com/privacy
• BTCPay Server — self-hosted instance used to process bitcoin reward payouts to your wallet address.
• CoinGecko — queried for live bitcoin price at payout time. No personal data is transmitted.
• Vercel — hosts our website and API. See vercel.com/legal/privacy-policy.

6 Children's privacy (COPPA & PIPEDA)

The subscribing parent or guardian is the account holder. We do not knowingly collect personal information directly from children under 13 (or under 16 where applicable).

Book logs associated with your account may reflect a child's reading activity, but this information is provided by the parent or guardian and stored under the parent's account. Children do not have separate login credentials and we do not create profiles of children.

If you believe we have inadvertently collected personal information from a child without parental consent, contact us at privacy@marshmallowreading.com and we will delete it promptly.

7 Your rights

Canada (PIPEDA)

You have the right to access the personal information we hold about you and to request correction of inaccurate data. Contact privacy@marshmallowreading.com.

European Union (GDPR)

If you are in the EEA, you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. Our legal basis for processing your email is performance of a contract. Contact us to exercise any right or to lodge a complaint with your supervisory authority.

United States (COPPA)

Parents may contact us to review, request deletion of, or refuse further collection of information associated with their account.

8 Data retention

Account information is retained while your subscription is active and for 90 days after cancellation. Server logs are retained for up to 30 days. You may request deletion at any time by emailing privacy@marshmallowreading.com.

9 Security

All data in transit is encrypted via HTTPS. Stripe handles payment card data under PCI-DSS compliance. We do not store passwords — account access is via email. We conduct periodic security reviews of our API and infrastructure.

10 Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email. Continued use of the service after notice constitutes acceptance of the updated policy.

11 Contact

For privacy questions, requests, or complaints: