Privacy Policy

1. Introduction

This privacy policy (“Privacy Policy”) applies to the collection, use, disclosure and processing of personal data (“Personal Data”) by Alpha World SMC Pvt Ltd, a Single Member Company (SMC) Private Limited duly incorporated under the laws of the Islamic Republic of Pakistan, having its registered office at Office No 2D, Street No 28, Javed Market, I-10/4, Islamabad, Pakistan (“we”, “us”, “our” or the “Company”) in connection with our website, the “Alpha World” mobile applications, the “Parent App” and any related online or offline services (collectively, the “Services”).

Alpha World is a digital platform designed for children of the Gen Alpha generation (typically ages 3 to 15) and their parents or legal guardians. Privacy and child safety are central to our product design. This Privacy Policy will help you understand what data we collect, how we use it and the choices and rights you have.

By accessing or using the Services, or by allowing your child to do so, you confirm that you have read, understood and agreed to this Privacy Policy. If you do not agree, please do not use the Services.

2. Personal Data we collect

Personal Data includes any information about an identified or identifiable individual. It does not include anonymous or aggregated data from which an individual cannot reasonably be identified.

2.1 Information you provide to us

• Contact data — first and last name, email address, phone number, billing or shipping address, where required for an order or to respond to a request.
• Profile data— the display name, username, avatar, age or stated date of birth, password (always stored as a salted, one-way hash), 4-digit child PIN (hashed) and optional profile preferences you set on your or your child's account.
• Parental / guardian data— for child accounts, the parent's name, email, phone number, 6-digit parent PIN (hashed) and parental approval records.
• Communications — messages exchanged with us through the website, app, email, support tickets or social channels (including Facebook, Instagram or WhatsApp where you choose to contact us).
• Transactional data — order numbers, energy-pack purchases, payment confirmation tokens and transaction history. We do not receive or store complete card numbers, CVV or expiry dates.
• User-generated content — drawings, chat messages, gallery posts, comments and AI prompts that you or your child voluntarily submit through the Services.

2.2 Information collected automatically

• Device and log data — device type, operating system, browser, app version, language, time-zone, anonymized IP address (truncated for child accounts), access timestamps and crash diagnostics.
• Service usage data — features used, time spent in each mini-app, energy earned and spent, streaks, achievements and similar engagement signals required to operate parental controls and time-limit enforcement.
• Safety and moderation signals — reports submitted, automated content-moderation flags, ban or mute history. These are used solely to keep the Services safe.

We do not use cross-app or cross-site tracking technologies for advertising purposes within Alpha World. We do not allow third-party advertising SDKs inside the Services.

2.3 Permissions we may request

• Notifications — for time-limit alerts, parent approval requests and important account messages.
• Camera / Photos — only if the user actively chooses to upload a homework photo or change their avatar; we never access the camera in the background.
• Microphone — only when the user explicitly activates an audio feature; the microphone is never opened in the background.

You can revoke any of these permissions at any time through your device settings.

3. How we use your Personal Data

We process Personal Data only where we have a lawful basis to do so, including to:

• Provide, operate, maintain and personalize the Services that you or your child request.
• Authenticate users, manage accounts and enforce parental controls and maturity-level settings.
• Process orders for energy packs and respond to parent purchase-approval requests.
• Communicate with you about your account, security notices, service updates and answers to your questions or feedback.
• Operate safety, moderation and anti-fraud systems, including detecting harmful behaviour and managing reports and bans.
• Improve content, user-experience, performance and reliability of the Services through aggregated, de-identified analytics.
• Send service updates and, with your explicit opt-in, occasional newsletters (you may unsubscribe at any time via the link in any such email).
• Comply with our financial, regulatory, accounting, tax and other legal obligations.
• Resolve disputes, enforce our Terms and Conditions and protect our or others' rights, property or safety.

We do notuse children's Personal Data for any form of behavioral, contextual or personalized advertising, and we do not profile children for advertising or any other commercial purpose unrelated to operating the Services.

4. Children's privacy & verifiable parental consent

Alpha World is directed to children. We are committed to complying with the United States Children's Online Privacy Protection Act (“COPPA”), Google Play's Families Policy Requirements, the EU General Data Protection Regulation (GDPR — including Article 8 on children's consent) and the Pakistani Personal Data Protection regime, in each case as applicable.

4.1 Age gate and consent

• An age-screening (“neutral age gate”) is presented before any account collecting Personal Data is created.
• For any user under 13 (or under 16 in jurisdictions that require it), the account is created in a restricted state, marked consentVerified = false, and login-required features are disabled until verifiable parental consent is obtained.
• Parental consent is obtained through either (a) approval inside the dedicated Parent App, or (b) a signed parental-consent email containing a one-time secure token, valid for 7 days. Both methods produce an auditable record stored against the child's account.
• Where required, the parent must confirm they are the parent or legal guardian and consent to the limited collection described in this Privacy Policy.
• Parental consent can be withdrawn at any time by emailing admin.alphaworld@gmail.com.

4.2 Limited collection for children

• We collect only the minimum data necessary to operate the Services for children.
• We do not condition a child's participation in any activity on the disclosure of more Personal Data than is reasonably necessary.
• We do not knowingly collect precise geolocation data from children.
• IP addresses associated with child accounts are truncated and used solely for security and abuse prevention.

4.3 Parental rights and controls

• Parents may at any time review the categories of Personal Data we have collected about their child.
• Parents may request correction or deletion of their child's Personal Data and may revoke consent for any further collection or use.
• Parents have access to a Parent App dashboard to set mini-app toggles, daily time-limits, maturity level and purchase-approval requirements.
• All in-app purchases of energy packs require explicit parent approval; children cannot complete purchases on their own.

4.4 No advertising to children

We do not show third-party advertisements, behavioural ads or interest-based ads to any user, and we do notshare children's Personal Data with advertising networks, data brokers or analytics partners that use the data for advertising. This is a fundamental product commitment.

5. Who we share your Personal Data with

We do not sell, rent or trade Personal Data. To operate the Services, we share Personal Data only with carefully selected, contract-bound third parties, and only to the extent reasonably necessary:

• Cloud and infrastructure providers — including Google Firebase (Authentication, Firestore, Realtime Database, Cloud Functions, Cloud Storage, Hosting) which provide the underlying secure infrastructure for the Services.
• Payment processors — certified third-party payment gateways and financial institutions (such as banks, EasyPaisa, Raast and 1LINK rails) that process card and wallet transactions on our behalf. Card and wallet details are submitted directly to these processors and are not visible to or stored by us.
• Communications providers — email-delivery, SMS and push- notification services strictly used to send transactional and safety-related messages.
• Safety and moderation partners — vendors who help us with automated content moderation and abuse detection, where used.
• Professional advisors — auditors, accountants and lawyers bound by confidentiality.
• Authorised disclosures — courts, regulators or law-enforcement authorities where required by valid legal process, or to protect the vital interests, rights or safety of a person.
• Business transfers — in connection with a merger, acquisition, financing, reorganization or sale of all or part of our business, in which case the recipient will be bound by terms no less protective than this Privacy Policy and you will be notified of any material change.

We require each third-party processor to provide adequate guarantees of data protection, to process Personal Data solely on our instructions and to apply appropriate technical and organisational measures.

6. International data transfers

Some of our infrastructure providers may store or process Personal Data on servers located outside Pakistan, including in regions covered by Google Cloud / Firebase. Where Personal Data is transferred outside of your country of residence, we rely on legally recognised transfer mechanisms (such as the European Commission's Standard Contractual Clauses, where applicable) and contractual safeguards to ensure that your data continues to receive a level of protection consistent with this Privacy Policy.

7. How we protect your Personal Data

We make reasonable, industry-standard efforts to ensure a level of security appropriate to the risk associated with the processing of Personal Data, including:

• TLS encryption for data in transit and at-rest encryption for data stored on our managed cloud infrastructure.
• Tokenised payment processing — full card details are never transmitted to or stored on our servers.
• Salted, one-way password and PIN hashing.
• Server-side validation of consent, age, parent toggles, time-limits and ban status on every sensitive request.
• Granular access controls, least-privilege provisioning and audit logging for our internal team.
• Periodic security reviews, dependency updates and vulnerability scanning.
• Documented data-breach response procedures, including notifications to affected users and the relevant regulator where required by law.

No method of transmission or storage over the Internet is 100% secure. While we use commercially reasonable means to protect Personal Data, we cannot guarantee absolute security.

8. How long do we keep your information?

We retain Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, tax or reporting requirements, and for the establishment, exercise or defence of legal claims.

• Active account data is retained while your account remains active.
• If an account is inactive for more than 24 consecutive months, we may delete or anonymize it after giving you reasonable notice.
• Where parental consent is withdrawn or an account-deletion request is received, we will delete the underlying child's Personal Data within a reasonable period, save for limited records we are legally required to retain (e.g., financial transaction records).
• Backup copies are rotated and overwritten on standard cycles.

9. Your rights and choices

Subject to applicable law, you (or, for child accounts, the parent or legal guardian) have the right to:

• Access — request a copy of the Personal Data we hold about you or your child.
• Rectification — request correction of inaccurate or incomplete Personal Data.
• Deletion (“right to be forgotten”) — request that we erase your or your child's Personal Data, subject to limited legal exceptions.
• Restriction or objection — restrict or object to certain processing.
• Portability — receive your Personal Data in a structured, commonly used and machine-readable format.
• Withdrawal of consent — withdraw any consent you previously gave us; this does not affect the lawfulness of processing carried out before the withdrawal.
• Complaint — lodge a complaint with the data-protection authority in your jurisdiction.

To exercise any of these rights, please contact us at admin.alphaworld@gmail.com. We aim to respond within 30 days and may request reasonable information to verify your identity before acting on your request.

10. Cookies and similar technologies

Our website uses a minimal set of strictly-necessary cookies and local-storage entries to operate the site (for example, to remember your preferences and provide session security). We do not use advertising or cross-site tracking cookies. You can control or delete cookies through your browser settings.

11. Marketing communications

We may, with your explicit opt-in, send occasional product updates or newsletters to adult parent accounts. You can unsubscribe at any time using the link in any such email, or by emailing us. We do not send marketing communications to child accounts.

12. Third-party websites and integrations

Some Services may link to third-party websites, learning platforms or tools (for example educational partners). Those third parties have their own privacy policies, and we are not responsible for their practices. We encourage parents to review the privacy policies of any third-party services accessed through Alpha World.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. When we make material changes, we will post the updated Privacy Policy on this page and update the “Last Updated” date above. For material changes affecting children's data, we will seek renewed verifiable parental consent where required by law.

14. Contact us

If you have any questions, concerns or requests regarding this Privacy Policy or our data practices, please contact us: