1. Introduction
This Privacy Policy explains how Kame House Dev Studio ("Company," "we," "us," or "our") collects, uses, discloses, and protects information when you use Morsel AI (the "App"), our related application programming interfaces (APIs), and any websites or support channels that link to this policy (collectively, the "Service").
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.
Controller. For purposes of the EU/UK General Data Protection Regulation ("GDPR"), the data controller is:
Kame House Dev Studio
United States (contact us by email for correspondence)
Email: hello@kamehousedevstudio.com
If you are in the European Economic Area ("EEA") or United Kingdom ("UK") and we are required to appoint a representative, contact: Not applicable.
2. Scope
This policy applies to personal information we process about users of the App on iOS and Android, and data processed by our backend services that support learning, personalization, notifications, analytics, and subscriptions.
This policy does not apply to third-party websites, app stores, or services that we do not control. Those services have their own privacy policies.
3. Definitions
- "Personal information" / "Personal data" means information that identifies, relates to, or could reasonably be linked with you.
- "Processing" means any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
- "Controller" means the entity that determines why and how personal data is processed.
- "Processor" means an entity that processes personal data on our behalf.
- "You" / "User" means an individual who uses the Service.
4. Information We Collect
We collect information in the categories below. Some information is required to provide the Service; other information is optional.
4.1 Account and identity information (required to create an account)
| Data | Examples | Source |
|---|---|---|
| Email address | The address you register with | You, via sign-up |
| Authentication credentials | Password (stored in hashed form by our auth provider; we do not store plaintext passwords) | You |
| User identifiers | Firebase user ID used to link your account across systems | Generated at registration |
| Email verification status | Whether your email has been verified | Firebase Authentication |
We use Google Firebase Authentication to manage sign-up, sign-in, password reset, and email verification.
4.2 Profile and onboarding preferences
| Data | Examples | Source |
|---|---|---|
| Learning goal | Selected topic or learning path (e.g., system design, AI basics) | You, during onboarding |
| Experience level | Self-reported prior knowledge level | You |
| Motivations and goal type | Why you are learning | You |
| Timezone | IANA timezone name (e.g., America/New_York) — not GPS location | You or device-derived timezone you confirm |
| Learning schedule | Preferred days/times and session duration (e.g., 5/10/15 minutes) | You |
| Learning modality | Preferred format (reading, visual, audio, mixed) | You |
| Content locale | Language/locale for lessons and UI (e.g., English, Spanish) | You |
4.3 Learning activity and progress
| Data | Examples | Source |
|---|---|---|
| Lessons and curriculum | Generated lesson content, quiz questions, completion status | Service, based on your profile |
| Quiz responses | Selected answers, correctness | You |
| Progress metrics | Streaks, completed lessons, accuracy, path completion | Derived from your activity |
| Engagement signals | Time spent on lessons (dwell time), daily activity markers | App, sent to our servers |
| Adaptation data | Difficulty recommendations, format hints derived from your activity | Derived by our systems |
4.4 Feedback you provide
| Data | Examples | Source |
|---|---|---|
| Lesson feedback | Free-text comments about lesson quality or difficulty | You (optional) |
| Feedback codes | Structured tags such as "too easy," "too hard," "boring" | You (optional) |
Feedback is limited in length and used to improve personalization.
4.5 Notifications
| Data | Examples | Source |
|---|---|---|
| Push notification token | Expo push token for this device | Device, with your permission |
| Notification preferences | Local reminder schedule; opt-in for server-driven re-engagement reminders | You |
| Last app open time | Timestamp of recent app activity (for eligibility for optional remote reminders) | App |
Local reminders are scheduled on your device. Remote push notifications require device permission and, for re-engagement reminders, an in-app opt-in toggle.
4.6 Subscriptions and billing
| Data | Examples | Source |
|---|---|---|
| Entitlement tier | Free or premium status | RevenueCat / app stores |
| Purchase events | Purchase started, restore, subscription changes | App stores via RevenueCat |
We do not receive or store your full payment card number. Payment processing is handled by Apple App Store or Google Play.
4.7 Analytics and product diagnostics
| Data | Examples | Source |
|---|---|---|
| Product analytics events | Onboarding completed, lesson opened, quiz submitted, purchase started, etc. | App and API |
| Event properties | Goal, locale, difficulty band, lesson identifiers, app version | App and API |
| User ID in analytics | Firebase user ID (or anonymous/demo ID when not signed in) | App |
We use PostHog for product analytics on mobile and server-side.
4.8 Crash and error reporting
| Data | Examples | Source |
|---|---|---|
| Crash reports | Stack traces, error messages, device/OS metadata | App |
| Diagnostic context | App version, environment (development/staging/production), user ID | App |
We use Sentry for crash and error reporting.
4.9 Information stored only on your device
| Data | Examples | Storage |
|---|---|---|
| Theme preference | Light, dark, or system | On-device (AsyncStorage) |
| Content locale cache | Saved language preference | On-device (AsyncStorage) |
| Firebase session | Auth session persistence | On-device (AsyncStorage) |
This on-device data is generally not transmitted to us except where it informs settings you sync to your account (e.g., timezone, content locale during onboarding).
4.10 Information we do NOT collect
Based on the current version of the App, we do not intentionally collect:
- Precise GPS or continuous location tracking
- Camera, microphone, contacts, or photo library data
- Advertising identifiers for cross-app behavioral advertising
- Health, biometric, or government ID data
If we introduce new data categories, we will update this policy and, where required, obtain consent or provide notice before collection.
5. How We Collect Information
We collect information:
- Directly from you — when you register, complete onboarding, answer quizzes, submit feedback, adjust settings, or contact support.
- Automatically — when you use the App, including analytics events, crash reports, and activity signals sent to our API.
- From third parties — such as subscription status from RevenueCat and Apple/Google following in-app purchases, and authentication tokens from Firebase.
6. How We Use Information
We use personal information to:
| Purpose | Examples |
|---|---|
| Provide the Service | Create and manage your account; deliver daily lessons and quizzes; track streaks and progress |
| Personalize learning | Adapt difficulty, duration, and format based on your profile and activity |
| Generate AI content | Send relevant onboarding and learning context to AI providers to create curricula and lessons |
| Send notifications | Deliver local lesson reminders and, if enabled, optional remote re-engagement push notifications |
| Process subscriptions | Determine premium access, restore purchases, and respond to billing webhooks |
| Analytics and improvement | Understand feature usage, fix bugs, and improve the product |
| Security and fraud prevention | Authenticate requests, enforce rate limits, and protect the Service |
| Legal compliance | Respond to lawful requests and enforce our Terms of Service |
| Communications | Send transactional emails (verification, password reset) via Firebase |
We do not use your personal information to sell advertising or build cross-context behavioral advertising profiles.
7. Legal Bases for Processing (GDPR)
If you are in the EEA or UK, we process personal data under the following legal bases:
| Processing activity | Legal basis (GDPR Art. 6) |
|---|---|
| Account creation, lesson delivery, progress tracking, billing | Performance of a contract (Art. 6(1)(b)) — necessary to provide the Service you requested |
| Personalization and AI-generated content | Performance of a contract (Art. 6(1)(b)); where optional features apply, legitimate interests (Art. 6(1)(f)) in improving your learning experience |
| Product analytics and crash reporting | Legitimate interests (Art. 6(1)(f)) in understanding usage, maintaining reliability, and improving the Service, balanced against your rights |
| Push notifications (remote) | Consent (Art. 6(1)(a)) — device permission and in-app opt-in where applicable |
| Security, abuse prevention, rate limiting | Legitimate interests (Art. 6(1)(f)) in protecting the Service and users |
| Legal obligations | Legal obligation (Art. 6(1)(c)) where applicable |
| Responding to privacy rights requests | Legal obligation or legitimate interests, as applicable |
Where we rely on legitimate interests, you have the right to object (see Section 13). Where we rely on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
We do not make automated decisions that produce legal or similarly significant effects solely based on automated processing.
8. AI Processing
Morsel AI uses third-party artificial intelligence services (such as Google Gemini and/or OpenAI) to generate educational content, including curricula, lessons, quizzes, and optional visuals.
To generate content, we may send AI providers:
- Your learning goal and onboarding preferences (experience level, motivations, modality, locale, schedule)
- Context needed for the current lesson (topic, day number, difficulty band)
- Feedback text you submit (to improve future content)
AI providers process this data as our processors (or sub-processors) under their terms and privacy policies. AI-generated content may be inaccurate or incomplete. It is for general educational purposes only and is not professional advice.
Our operators may optionally use LangSmith for internal LLM tracing and quality monitoring. This is used for service operation and improvement, not for advertising.
9. How We Share Information
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising.
We disclose information to the following categories of recipients:
| Recipient | Role | Purpose |
|---|---|---|
| Google (Firebase) | Authentication processor | Account sign-up, sign-in, verification, password reset |
| Supabase | Database hosting processor | Store user profiles, lessons, progress, events, entitlements |
| Railway | Infrastructure processor | Host our API and background workers |
| PostHog | Analytics processor | Product analytics and event tracking |
| Sentry | Diagnostics processor | Crash and error reporting |
| RevenueCat | Billing processor | Subscription management and entitlement sync |
| Apple / Google | Payment and distribution platforms | In-app purchase processing (when you subscribe) |
| Expo (EAS) | Push and updates processor | Deliver push notifications; over-the-air app updates |
| Google GenAI / OpenAI | AI processor | Generate lesson and curriculum content |
| LangSmith (optional) | Operations processor | Internal LLM observability |
We may also disclose information:
- To service providers who assist us under confidentiality obligations
- For legal reasons — if required by law, court order, or governmental request, or to protect rights, safety, and security
- In a business transfer — in connection with a merger, acquisition, or sale of assets, with notice where required by law
Links to key third-party privacy policies:
- Google / Firebase: https://policies.google.com/privacy
- Supabase: https://supabase.com/privacy
- PostHog: https://posthog.com/privacy
- Sentry: https://sentry.io/privacy/
- RevenueCat: https://www.revenuecat.com/privacy
- Expo: https://expo.dev/privacy
- OpenAI: https://openai.com/policies/privacy-policy
- Google AI: https://policies.google.com/privacy
10. International Data Transfers
We and our processors may process and store information in the United States and other countries where we or our vendors operate. These countries may have data protection laws different from those in your country.
When we transfer personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on appropriate safeguards such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission or UK authorities
- Data Processing Agreements with our processors
- EU-U.S. Data Privacy Framework or UK Extension, where applicable and where the recipient is certified
You may contact us (Section 17) for more information about transfer mechanisms.
PostHog is configured with a default host of https://us.i.posthog.com unless otherwise specified in your deployment.
11. Data Retention
We retain personal information for as long as necessary to provide the Service and fulfill the purposes described in this policy.
| Data category | Retention period |
|---|---|
| Account and profile data | Until you delete your account, plus a short processing window |
| Learning history and progress | Until account deletion |
| Analytics events (PostHog) | Per PostHog project retention settings — 12 months |
| Crash reports (Sentry) | Per Sentry project retention settings — 90 days |
| Server logs | 90 days for operational and security purposes |
| Backups | Encrypted backups may retain deleted data until rotated — up to 30 days after deletion |
When you delete your account (Section 14), we delete or anonymize user-linked records in our primary database. Residual copies may persist in backups, analytics, or logs for a limited period before automatic expiration.
12. Security
We implement technical and organizational measures designed to protect personal information, including:
- Encryption in transit (HTTPS/TLS) for communications between the App and our API
- Authentication via Firebase ID tokens verified on the server
- Access controls and row-level security on database tables where applicable
- Rate limiting on sensitive API endpoints
- Secrets management for API keys and service credentials in production environments
No method of transmission or storage is 100% secure. We cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at hello@kamehousedevstudio.com.
13. Your Privacy Rights
Your rights depend on your location. We honor applicable rights regardless of where you live, subject to legal limitations.
13.1 All users
You may:
- Access and update profile and preference settings in the App (Account → Profile)
- Export a copy of data we store about you (see Section 14)
- Delete your account and associated data (see Section 14)
- Opt out of remote push notifications via device settings and the in-app re-engagement toggle
- Contact us to exercise rights or ask questions
13.2 EEA / UK (GDPR)
If GDPR applies, you have the right to:
- Access your personal data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Restriction of processing
- Data portability (receive data in a structured, machine-readable format)
- Object to processing based on legitimate interests
- Withdraw consent where processing is based on consent
- Lodge a complaint with your local supervisory authority
13.3 California (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and retain
- Delete personal information we hold about you
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information — We do not sell or share personal information for cross-context behavioral advertising. You do not need to submit an opt-out request for sales because we do not engage in such activity.
- Limit the use and disclosure of sensitive personal information — We use sensitive personal information only as necessary to provide the Service and as described in this policy.
We will not discriminate against you for exercising your privacy rights.
Authorized agents. California residents may use an authorized agent to submit requests. We may require verification of the agent's authority and your identity.
Shine the Light. California Civil Code Section 1798.83 permits California residents to request certain information about disclosure of personal information to third parties for direct marketing. We do not disclose personal information to third parties for their direct marketing purposes.
13.4 How to exercise your rights
See Section 14 for in-app export and deletion. For other requests, email hello@kamehousedevstudio.com with the subject line "Privacy Request" and describe your request. We will verify your identity (typically by confirming control of your registered email) and respond within the timeframe required by applicable law (generally 30–45 days for CCPA; one month for GDPR, extendable where permitted).
14. Account and Data Deletion
Apple App Store and Google Play require apps that support account creation to offer account deletion. We provide the following options.
14.1 In-app deletion (recommended)
If you are signed in with a registered account (not demo or guest mode):
- Open the App and go to Account
- Tap Privacy
- Tap Delete my account
- Read the confirmation message and tap Delete forever
This action is permanent and cannot be undone.
When deletion succeeds, we:
- Remove your user record and associated data from our primary database (including onboarding data, lessons, progress, quiz results, learning events, learner profiles, notification preferences, and entitlements), using cascading deletion where configured
- Delete pending background jobs associated with your account
- Revoke your Firebase Authentication login for that account
You will be signed out and returned to the sign-in screen. You may register again with the same email address later, but it will be treated as a new account with no restored history.
If Firebase deletion fails after database deletion, you may receive an error message asking you to contact support. In rare cases, credentials may require manual cleanup.
14.2 In-app data export
Before deleting, you may export your data:
- Go to Account → Privacy
- Tap Export my data
- Save or share the JSON file using your device's share sheet
The export includes onboarding preferences, progress, learning events (up to 10,000 records), learner state snapshots (up to 2,000 records), and learner profile data stored on our servers, delivered as a JSON file you can save or share via your device's share sheet.
14.3 Deletion by email (no app access)
If you cannot access the App, email hello@kamehousedevstudio.com with the subject "Account Deletion Request" from the email address associated with your account. We will verify your identity before processing the request.
14.4 What may remain after deletion
Even after account deletion, limited information may persist for a period in:
- Encrypted backups until backup rotation
- Analytics systems (PostHog) until retention expires — contact us to request deletion from analytics where feasible
- Error logs (Sentry) until retention expires
- App store / RevenueCat records required for billing, tax, and fraud prevention — governed by those providers' retention policies
We do not retain your data for deletion requests beyond what is necessary to comply with law or resolve disputes.
This page URL (including the account deletion section) may be used as the account deletion URL in app store listings.
15. Children's Privacy
The Service is not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13.
If you are under 13, do not use the Service or provide any information to us. If you are 13–17, you may use the Service only with the permission of a parent or legal guardian who agrees to these terms on your behalf.
If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly. Contact hello@kamehousedevstudio.com if you believe we have collected information from a child under 13.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this policy
- Provide notice in the App, by email, or by other reasonable means where required by law
Your continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes, except where further consent is required by law.
17. Contact Us
For privacy questions, requests, or complaints:
Kame House Dev Studio
United States (contact us by email for correspondence)
Email: hello@kamehousedevstudio.com
Support: hello@kamehousedevstudio.com
For general support (non-privacy): hello@kamehousedevstudio.com
This Privacy Policy is available at: https://www.kamehousedevstudio.com/privacy/morsel-ai