Privacy Policy

Last updated: 24 June 2026

In short

  • We are Kurba Pty Ltd, an Australian company, and we make BookCloud — a reading app for children, used by their parents.
  • Children can’t sign up. Only a parent or guardian creates an account and any child profiles.
  • We collect the minimum we need: a parent’s email; and, per child, a nickname, an emoji avatar, an age band, language preferences, and reading activity.
  • We use one analytics tool (PostHog) to improve the app — and only if you opt in. It is off by default.
  • No advertising, no ad trackers, no selling your data, no cross-app tracking.
  • You can delete your account and all data at any time, from within the app.
  • This page covers both our website (bookcloud.app) and the BookCloud app — see the two sections below.

Languages and authoritative version

This Privacy Policy is published in more than one language so you can read it in your own. The English version is the authoritative version. If there is any discrepancy between the English version and a translation, the English text prevails — except where the law of your country of residence requires the local-language version to govern.

Who we are

BookCloud is operated by Kurba Pty Ltd (ACN 697854569), registered in New South Wales, Australia. You can reach us any time at admin@bookcloud.app. See International users and our representatives below for how to contact us from the EU/EEA, UK, and Türkiye.

Data Protection Officer. We have appointed a Data Protection Officer (also acting as our Privacy Officer) as your point of contact for any privacy matter — including access, correction, withdrawing consent, or a complaint. You can reach them at admin@bookcloud.app.

What this policy covers

This policy explains how we handle information in two contexts:

  • Section A — Our website (bookcloud.app): the public site you are reading now.
  • Section B — The BookCloud app: the reading app and the accounts within it.

Where a section applies to only one context, it says so.

Governing law

This policy is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Additional protections apply to people in the EU/EEA and United Kingdom (GDPR / UK GDPR) and in Türkiye (KVKK), as set out under Your rights below.

Section A — When you use our website

You can read every page of bookcloud.app without giving us anything — there is no account and no signup wall.

Analytics (consent-based)

We use PostHog (hosted in the EU) to understand how the site is used. Our lawful basis is your consent: we ask with a banner on your first visit and store and capture nothing until you choose. If you accept, PostHog receives page URLs, click events, browser and device type, and your IP address (used only to derive an approximate country). If you decline, we count your visit anonymously with nothing stored on your device. You can withdraw consent at any time via the Cookie settings link in the footer of any page. See our Cookies & Local Storage page for detail.

When you email us

The “Get in touch” buttons open your email app with a pre-filled message to admin@bookcloud.app. If you send it, we receive your email address, whatever you choose to write, and any signature your email app adds automatically.

We use that to reply and — if you have asked us to — to let you know when BookCloud is available to download. We don’t sell, share, or rent your email, and we don’t pass it to advertisers or data brokers. We keep your message until you ask us to remove it or we no longer need it.

Other services your browser contacts

To render the page, your browser fetches a few files from other services. Each can see your IP address and the standard details your browser sends with any request.

  • Cloudflare — serves and protects the site. May set a small security cookie (__cf_bm) to tell humans from bots.
  • Google Fonts — serves the typefaces.
  • Tailwind CDN — serves the page styling.
  • Iconify — serves a small number of icons.

Apart from PostHog (which sends us the consent-based usage data described above), we don’t receive analytics or reports from these services, and we don’t link anything they see back to you.

Section B — When you use the BookCloud app

Parent account data

To create an account we collect your email address and a password. If you set a Parent PIN to protect restricted settings, it is stored only as a one-way hash; it is never stored in plain text and cannot be retrieved by us.

Child profile data

Parents may create profiles for their children. For each profile we collect a display name (we recommend a nickname), an emoji avatar, an age band (a range, not a date of birth), language preferences, and parent-set content rules and reading preferences. Each profile is given a pseudonymous internal identifier linked to the parent account.

Reading activity

As a child reads, we record reading sessions (book identifier and title, theme, language, timestamps, time spent, last page reached, and reading mode), favourites, and earned achievements. We treat all of this as personal data linked to the child’s pseudonymous identifier.

Usage and analytics data (opt-in)

If you enable analytics (off by default; switchable at signup or in Settings, and revocable at any time), we use PostHog (hosted in the EU) to collect: autocaptured click and page-view events; custom in-app events (such as books viewed, reading progress, and achievements) linked to your account identifier — events during a child’s reading session also include the child’s pseudonymous identifier and age band; technical metadata (platform, device model, screen size); and crash logs. We do not collect advertising identifiers (such as IDFA) and we do not use App Tracking Transparency, because we run no third-party advertising trackers and no cross-app or cross-site tracking.

Infrastructure logging

For security, abuse prevention, and routing content from the nearest server, our providers (Supabase, Cloudflare, PostHog) log your IP address and browser user-agent.

Transactional email

We use your email address to send essential messages (account confirmations, password resets, security notices, and policy updates) via Resend.

On-device storage

The app stores authentication tokens and preferences (such as theme and language) in your device’s local storage, solely for app functionality — never for advertising or cross-site tracking. Before you create an account, the app also stores anonymous reading activity on your device only, to preserve your experience; if you create an account it may be associated with your profile, otherwise it stays anonymous and on-device.

How we use your information

To provide the service and a personalised reading experience, to improve our products, and to keep the platform secure and stable.

AI transparency. Books on our platform include content that is AI-generated or AI-assisted (illustrations, narration, and age-appropriate text).

What we never do. We never sell, rent, or trade your data, use it for advertising or behavioural marketing, or track you across apps or websites.

Legal basis for processing (EU/EEA, UK, Türkiye)

Data Legal basis
Parent account dataPerformance of a contract
Child profile and reading dataParental consent, given by the parent at account creation as a precondition for creating any child profile
Usage and analytics dataConsent (opt-in; revocable)
Security, infrastructure, and crash logsLegitimate interests (platform integrity and security)

Children’s privacy

Children cannot create their own accounts; all child profiles are created and managed by a parent or legal guardian. At account creation, the parent or guardian must affirmatively confirm their guardianship and consent to the processing of child-profile data before any child profile can be created.

We minimise the data we collect about children, link reading activity to a pseudonymous identifier, and apply full protections to it. Child profiles contain no advertising, no social features, and no third-party trackers.

Parents may review, edit, or delete child profiles at any time in the app.

Sharing and subprocessors

We do not sell or share your data. We use the following processors, which are bound by data-processing agreements and act only on our instructions:

Processor Purpose Region
SupabaseAuthentication and databaseJapan
PostHogProduct analyticsEU
CloudflareHosting and content deliveryGlobal edge (EU and AU presence)
ResendTransactional emailJapan

We may disclose information where required by law, or in connection with a merger or sale provided the recipient honours this policy.

Cross-border transfers

We transfer data globally to run the service. Australia: we take reasonable steps under APP 8. EU/EEA and UK: we rely on Standard Contractual Clauses (and the UK Addendum) where no adequacy decision applies; Japan benefits from an EU adequacy decision. Türkiye: transfers are handled in accordance with KVKK Article 9.

Data retention

  • Account and child-profile data: retained until you delete your account.
  • PostHog analytics: 12 months.
  • Authentication and crash logs: 90 days.
  • Backups: purged within 30 days of account deletion.

Account and data deletion

You can delete your account in the app via Settings → Delete Account (this requires re-authentication and a typed email confirmation). Deletion is irreversible and removes your account, all child profiles, reading history, favourites, and achievements from our active database immediately, and from backups within 30 days. Analytics events already sent to PostHog age out under the 12-month retention above; to have them deleted sooner, email admin@bookcloud.app.

Security

We use technical and organisational safeguards, including encryption in transit and at rest and hashing of credentials. No method of transmission or storage is 100% secure.

International users and our representatives

BookCloud is operated from Australia. The BookCloud app is not yet generally available in the EU/EEA or the United Kingdom. Before we make the app available in those regions, we will appoint a representative under Article 27 of the EU GDPR and the UK GDPR and publish their name and address here. In the meantime, EU/EEA and UK residents may exercise the rights set out below and contact us directly at admin@bookcloud.app. For Türkiye, we process personal data in accordance with the KVKK.

Your rights

  • Australia: you have the right to access and correct your personal information, and may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
  • EU/EEA: you have the rights of access, rectification, erasure, restriction, portability, and objection, and you may withdraw consent at any time. You may complain to your local supervisory authority.
  • United Kingdom: you have the same rights under the UK GDPR and may complain to the ICO at ico.org.uk.
  • Türkiye (KVKK Article 11): you have the right to learn whether your data is processed, request information and the third parties to whom data is transferred, and request correction or destruction. Complaints go to the Kişisel Verileri Koruma Kurumu.
  • Everyone: you can access, update, or delete your data through account settings; we will not discriminate against you for exercising your rights; and we respond to requests within 30 days.

Changes to this policy

We may update this policy. We will post the new version with a refreshed date and, for material changes, give an in-app notice and re-request consent where required. Prior versions are available on request.

Contact

Kurba Pty Ltdadmin@bookcloud.app — New South Wales, Australia.

Last updated: 24 June 2026