Privacy Policy
How Gabee collects, uses and protects parents' and children's data. Proxia Digital is the data controller under law 2024/017.
Last updated: 30 May 2026 · v0.1
This document describes the structure and intent of each section. The actual binding wording must be drafted or reviewed by a qualified lawyer — particularly because Cameroon's data-protection law 2024/017 applies (compliance deadline: 23 June 2026) and minors' data is involved.
Anchored in Cameroon law (verified May 2026)
- Law No. 2024/017 of 23 December 2024 — the primary framework. Article 5 defines personal data; Article 6 et seq. lay out the principles ("prior, free, informed, specific and unambiguous consent").
- Minors' provision (Art. 6+): "A minor under 18's consent is valid only if supported by that of their parents or legal representative."
- Article 54 et seq. — sanctions (administrative up to 100M FCFA, civil, penal). Compliance deadline: 23 June 2026.
- Law No. 2023/007 (online child-protection charter) and law No. 2010/012 (cybersecurity) also inform this policy.
01Who we are
Proxia Digital, Cameroon (registered address to specify); the data controller under law 2024/017; contact for data-protection questions. Lawyer review required.
02What data we collect
Parent: email, first name, last name, country, language, hashed password, login metadata. Child: first name, birthday (derived age), avatar choice, optional school level + objectives, language picked each session. Learning data: module, level, lesson, language, duration, answers, hints, keystrokes, classification. Pairing: device label, last activity, refresh-token reference. Lawyer review required.
03Why we collect it
Provide the service (sync across devices); show the parent what their child is doing; improve content (anonymized); operational (debugging and security logs). Lawyer review required.
04Legal basis
Parental consent for the child's data — the basis under Gabee's model, revocable at any time. Contract for the parent's own data. Legitimate interest for security logs and abuse prevention. Lawyer review required.
05Who we share with
Named sub-processors: Supabase (database + auth, EU region); Mailgun (email, US). Never shared with advertisers, data brokers or social platforms. Mailgun entails a US transfer, covered by documented safeguards. Lawyer review required.
06Co-parents
When a parent invites a co-parent, the invitee gains access to the shared kids' data. Each parent provides their own consent at signup. Lawyer review required.
07Data retention
Active accounts: data retained while active. Deletion: 30-day soft-delete (recoverable), then hard-delete. Inactive accounts: after 24 months without login, an email warning then deletion. Aggregated analytics (not linked to any person) may be retained indefinitely. Lawyer review required.
08Data-subject rights
Access, rectification, erasure ("right to be forgotten"), portability, objection / restriction, and the right to lodge a complaint with the Cameroon authority. For minors, these rights are exercised by the parent or legal representative. Lawyer review required.
09Security
HTTPS everywhere (HSTS on the .app domain); hashed passwords; database encryption at rest; access controls; structured logging; incident-response plan and breach notification per law 2024/017. Lawyer review required.
10International transfers
Supabase is hosted in the EU; Mailgun entails a US transfer; safeguards (contractual clauses, sub-processor commitments) documented in the published policy. Lawyer review required.
12Changes to this policy
Notice via email and an in-app banner on next sign-in for material changes, which trigger renewed consent. Lawyer review required.
13Contact for privacy questions
Email and postal address; Data Protection Officer (DPO) — name and contact details published in the live policy. Lawyer review required.
14Effective date & history
Effective date and version history. Lawyer review required.