Privacy Policy

Last updated: March 22, 2026

COPPA Compliant • No Data Selling • CCPA Compliant • Kid-Safe

1. Introduction

MeriTokens ("we," "our," or "us") is committed to protecting the privacy of your family. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the MeriTokens application, website, and related services. We comply with the Children's Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), and applicable data protection laws. By using our Service, you agree to the terms of this Privacy Policy.

2. Information We Collect

We collect the following types of information:

Account Information (Parents/Guardians):
• Email address
• Password (hashed — we never store plaintext passwords)
• First name or display name
• Subscription plan information
• Payment method (processed by Stripe — we do not store card numbers)

Child Profile Information:
• Child's first name or nickname (no last names required)
• Age range (optional, for appropriate content)
• Token usage history and session statistics
• Points and achievement badges earned

Usage Data:
• Pages visited and features used
• NFC scan events (token ID hashed, not personally identifiable)
• Session start/end times
• Device type and browser version
• IP address (anonymized after 24 hours)

What We Do NOT Collect:
• Children's email addresses or contact information
• Children's photos or biometric data
• Social media profiles
• Precise GPS location
• Children's real names (nicknames only)

3. Children's Privacy (COPPA Compliance)

MeriTokens takes special care to protect children's privacy in accordance with COPPA.
• We do not knowingly collect personal information from children under 13 without verifiable parental consent
• All child profiles are created and controlled by parents/guardians
• Child profiles contain only a nickname and usage statistics
• We do not display advertising to child users
• We do not allow children to make purchases directly
• Parents can review their child's data at any time from the parent dashboard
• Parents can request deletion of their child's data at any time

To review, update, or delete your child's data, contact us at privacy@meritokens.com or use the parent dashboard settings.

4. How We Use Your Information

We use collected information to:
• Provide, operate, and improve the Service
• Process payments and manage subscriptions
• Send transactional emails (receipts, password resets)
• Send product updates and waitlist notifications (you may opt out)
• Analyze usage patterns to improve user experience
• Detect and prevent fraud or abuse
• Comply with legal obligations
• Respond to support requests

We do NOT:
• Sell your personal data to third parties
• Use your data for behavioral advertising
• Share data with data brokers
• Use children's data for any purpose other than delivering the Service

5. Information Sharing

We may share your information only in the following circumstances:

Service Providers: We share data with trusted third parties who assist in operating our Service:
• Supabase — database and authentication
• Stripe — payment processing
• Vercel — hosting
• Google Cloud Run — application hosting

All service providers are contractually required to keep your data confidential and use it only for the services they provide us.

Legal Requirements: We may disclose data when required by law, court order, or to protect the rights and safety of our users.

Business Transfer: In the event of a merger, acquisition, or sale, user data may be transferred. We will notify you via email before your data is subject to a different Privacy Policy.

We do not sell personal information. Period.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide services.
• Account data: Retained until you delete your account
• Child profile data: Deleted within 30 days of your deletion request
• Payment records: Retained for 7 years as required by tax law
• Anonymized usage analytics: May be retained indefinitely
• Backups: Deleted within 90 days of account deletion

You can delete your account at any time from Settings → Account → Delete Account, or by emailing privacy@meritokens.com.

7. Cookies and Tracking

We use minimal, essential cookies to operate the Service:
• Session cookies: Keep you logged in
• Preference cookies: Remember your settings
• Analytics cookies: Anonymous usage statistics (no personal data)

We do NOT use:
• Third-party advertising cookies
• Cross-site tracking pixels
• Fingerprinting techniques

You can control cookies through your browser settings. Disabling cookies may affect Service functionality.

8. Data Security

We implement industry-standard security measures:
• All data transmitted over TLS 1.2+
• Passwords hashed using bcrypt
• Database access restricted and audited
• Regular security reviews
• NFC token IDs hashed before storage

No method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to protecting your data. If you discover a security vulnerability, please report it to security@meritokens.com.

9. Your Rights

Depending on your location, you may have the following rights:
• Access: Request a copy of the data we hold about you
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data
• Portability: Receive your data in a machine-readable format
• Opt-out: Opt out of marketing communications at any time
• COPPA rights: Parents may review, delete, or restrict use of their child's data

California residents have additional rights under CCPA, including the right to know what categories of data we collect and the right to opt out of data sale (which we do not engage in).

To exercise any of these rights, contact us at privacy@meritokens.com. We will respond within 30 days.

10. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to review the privacy policies of any third-party sites you visit.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:
• Sending an email to your registered address
• Posting a prominent notice on the Service

Changes take effect 30 days after posting unless you continue using the Service, which constitutes acceptance.

12. Contact Us

For privacy questions, data requests, or COPPA-related inquiries:
• Email: privacy@meritokens.com
• Legal inquiries: legal@meritokens.com
• Website: meritokens.com
• Address: San Diego, CA, United States

We aim to respond to all privacy inquiries within 5 business days.
