Privacy Policy
This Privacy Policy explains how HeyQQ GmbH collects and uses personal data for users in the European Union and European Economic Area under the GDPR across our Oscar app family and related backend services.
It applies to Oscar Stories, Oscar Moneyfox, Oscar Science (Lora), and the APIs/backend infrastructure used to operate these products (collectively, the "Services").
HeyQQ GmbH is the data controller and is established in Austria.
Deutsche Fassung: /datenschutzerklaerung/
Owner and Data Controller
HeyQQ GmbH
FN: 572680b
UID: ATU77744201
FB-Gericht: Handelsgericht Wien
Sitz: 1090 Wien
Wasagasse 23, 1090 Wien, Austria
Geschäftsführer: Dmitrij Rubanov, MA; Mag. Matthias Neumayer, BA
General/product contact: hello@heyqq.app
Privacy contact: privacy@heyqq.app
Data Protection Officer (DPO): privacy@oscarstories.com
What data we collect
Depending on how you use the Services, we collect the following categories of personal data:
- Account and identity data: email address, user ID/UID, username, auth provider (email/password, Apple Sign-In, Google Sign-In where enabled), account type (anonymous or authenticated), and auth metadata (for example account creation and last sign-in timestamps).
- Child profile data: child name, age, gender, avatar/icon, interests, appearance data, and ownership references.
- Side character data: side-character name, relation/relation label, gender, icon/image selection, and ownership references.
- Story and learning data: generated story content, story metadata (story IDs, language, topic/subject context), media links (images/video/audio), quiz content/results, and adaptive learning mistake history used for reinforcement.
- AI quality and safety trace data: selected request/response traces and related metadata used to monitor quality and help ensure generated content is appropriate for children.
- App behavior and preferences: app-state flags such as rating/auth prompts seen, onboarding/login flags, and in-app counters (for example share counters/coin-related counters).
- Analytics and engagement data: event telemetry and product usage events (for example story generation, sharing, ratings, and feature usage), plus notification identity data used by OneSignal (user ID and, where provided/verified, email). Analytics payloads are pseudonymized and/or aggregated where possible and are configured not to include direct child identifiers.
- Diagnostics and performance data: crash and runtime error data and performance traces.
- Service telemetry fields (where applicable): device information, Usage Data, geography/region, language, number of Users, number of sessions, session duration, Application opens, Application updates, launches, operating systems, diagnostics, crash data, and Universally unique identifier (UUID).
- Payments and transaction identifiers (where applicable): billing address, first name, last name, email address, User ID, in-app purchases, and related payment status metadata.
- Identifiers and tracking technologies: Trackers and, where applicable for notification and ad ecosystem compatibility, unique device identifiers for advertising (for example Google Advertiser ID or IDFA).
We do not sell personal data. We do not use third-party advertising SDKs, and we do not use your data for third-party ad targeting.
For iOS, we do not use App Tracking Transparency (ATT) for cross-app tracking and we do not access or use Apple’s Identifier for Advertisers (IDFA).
For analytics, tracing, and product measurement, we use pseudonymized data and aggregated reporting where possible and avoid direct child identifiers.
Some data categories are service-specific (for example, story-generation fields in Oscar Stories or subject-progress data in Oscar Science/Moneyfox). This policy covers all such product-specific variants where they are used to deliver the Services.
How we use personal data
- Authenticate accounts (including anonymous sign-in and account upgrades).
- Provide core product functionality across our Services, including personalized educational experiences (for example stories, money-learning, and science-learning modules).
- Personalize educational content using profile context and prior incorrect concepts (adaptive-learning support).
- Review AI traces to monitor output quality and support age-appropriate/safe educational content.
- Operate in-app features such as sharing, ratings, and engagement prompts.
- Operate backend APIs required by the apps (generation, media, feedback, and account-linked features).
- Send push notifications (subject to OS/device permission and your settings).
- Measure service usage, improve product quality, and troubleshoot stability/performance issues.
- Comply with legal obligations and protect our rights.
Oscar Moneyfox AI features: data sent, recipients, and permission
For Oscar Moneyfox AI-supported learning/story features, we send a limited request payload to provide the requested output.
How this data is collected: some fields are entered by the parent/guardian in-app (profile/context choices), and some are generated automatically by the app/backend as technical or progress context needed to fulfill the request.
- Parent/guardian-provided inputs: avatar/profile context (for example main avatar details), selected subject/topic, and optional personalization values.
- Optional/flexible profile values: interests, appearance, and age may be optional and may be fictional where users choose to provide fictionalized profile context.
- System-generated context: language/mode settings, progress counters, step indexes, and internal references needed to return the requested educational output.
Data fields used for Oscar Moneyfox AI requests may include: mainAvatar(including normalized interests), promptLanguage, fastMode,storyMode, selectedSubject, selectedSubjectId,childId, topicId, topicName, topicStepIndex,storyNumber, totalStories, and currentProgress.
Who receives this data: HeyQQ backend APIs (hosted via Railway) process Moneyfox AI requests. Selected AI traces may be sent to Langfuse GmbH for AI quality/safety observability. Where a contracted third-party AI model provider is used by our backend to generate output, we minimize the payload to what is necessary for the request.
Permission before third-party AI sharing: where personal data is transmitted to a third-party AI service, we request parent/user permission in-app before transmission. You can refuse or withdraw this permission in app settings; non-AI features remain available where technically possible.
We require processors handling AI-related data to provide the same or equivalent level of data protection, including contractual confidentiality obligations, security controls, and applicable international transfer safeguards.
Data required to provide the Services
Certain data is required to provide core features under our contract with you (for example account credentials/identity, story-learning inputs, and technical data needed to deliver content and secure the service). If you do not provide required data, some features or the full Services may not be available.
Optional data (for example optional analytics/engagement permissions) is not required for core access and can be managed through consent settings.
Handling payments
Unless otherwise specified, payments are processed through external payment service providers. Users provide payment details directly to the relevant provider, and this Application receives confirmation about payment status.
- RevenueCat: used for subscription and in-app purchase management and related purchase history analysis.
- Apple Pay: used for payment processing on supported Apple devices.
- Payments processed via the Apple App Store: used for app purchases and in-app purchases handled by Apple.
Where data is stored
- Firebase Authentication: sign-in credentials/provider identity and account metadata.
- Cloud Firestore: user profiles and subcollections (for example child profiles, side characters, generated stories, and topic progress). Firebase-hosted user data is stored on servers in Europe (EU regions).
- Backend and tracing infrastructure: server-side processing and API handling for app features, including temporary processing data, operational logs, and AI quality/safety traces.
- App runtime memory (Redux): temporary in-session state mirrors for app functionality.
Across our current mobile implementations, we do not rely on persistent on-device storage of full user-profile or full story-history datasets for core account records.
Service providers and recipients
We share data only as needed to provide the Services. The exact set of providers may vary by product, platform, and feature. Below is a summary of key providers, their role, and typical data categories used.
| Provider | Role and address | Services | Data categories used |
|---|---|---|---|
| Google Firebase | Service Provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland | Firebase Authentication, Cloud Firestore, Crashlytics, Performance Monitoring | Account/auth identifiers, user profile and learning records, generated-content records, diagnostics/crash/performance data |
| Railway | Service Provider Railway Corp., United States (current legal entity/address maintained in our processor register; available on request) | Hosting and execution of backend APIs | API request/response payloads for generation/TTS/feedback/coin features, authentication tokens, backend operational logs |
| Mixpanel | Service Provider Mixpanel, Inc., 405 Howard Street, Floor 2, San Francisco, CA 94105, USA EU representative: MIXPANEL S.L., Avenida Diagonal 442, P. 3 PTA. 1, 08037 Barcelona, Spain | Product analytics and telemetry | Pseudonymized event telemetry, usage metrics, device/app metadata (no direct child identifiers) |
| Langfuse GmbH | Service Provider Office address: Oranienburgerstraße 91, 10178 Berlin, Germany Registered address: Gethsemanestr. 4, 10437 Berlin, Germany E-mail: contact@langfuse.com Managing Directors: Aaron Katz, Clemens Rawert Commercial Register: Local Court Berlin (Charlottenburg), HRB 248821B VAT ID: DE358330767 | AI tracing/observability for quality and appropriateness checks | Selected AI request/response traces, quality/safety flags, technical metadata, pseudonymized service/user identifiers |
| Contracted third-party AI model provider(s) used by HeyQQ backend (where enabled) | Service Provider(s) Current legal entity names and addresses are maintained in our processor register and App Review Information, and are available on request at privacy@oscarstories.com. | AI content generation/inference | Minimized AI prompt context needed to generate requested output (for Oscar Moneyfox, this may include mainAvatar context, language/mode settings, selected subject/topic context, and progress/story context), pseudonymized identifiers, and technical safety metadata. We do not intentionally send payment data to AI model providers. |
| OneSignal | Service Provider OneSignal, Inc., 201 S. B Street, Suite 200, San Mateo, CA 94401, USA | Push and in-app messaging delivery | Push subscription identifiers/tokens, pseudonymized user identifier, message delivery/engagement metadata, optional verified email (if provided) |
| Apple Sign-In / Google OAuth | Service Providers Apple: Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland Google: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland | Authentication and identity provider services | Authentication tokens, provider user identifiers, account claims (such as email) returned by the selected provider |
| RevenueCat | Service Provider RevenueCat, Inc., United States | Subscription and in-app purchase management | Device information, Usage Data, User ID, purchase/subscription history metadata |
| Apple Pay | Service Provider Apple Inc., United States | Payment processing | Billing address, email address, first name, last name, Usage Data |
| Apple App Store Payments | Service Provider Apple Inc., United States | App and in-app purchase processing | Billing address, device information, email address, first name, last name, Trackers, Usage Data |
| Firebase Cloud Firestore | Service Provider Google Ireland Limited / Google LLC (deployment-dependent) | Backend database infrastructure | Usage Data and service data required for app backend storage and retrieval |
| Firebase Cloud Storage | Service Provider Google Ireland Limited / Google LLC (deployment-dependent) | File and media storage infrastructure | Usage Data and service data required for hosted file storage and access |
| Google Cloud Storage | Service Provider Google LLC / Google Ireland Limited (deployment-dependent) | Hosting and storage infrastructure | Service data required for hosted storage operations |
| Crashlytics (User Opt-In) | Service Provider Google Ireland Limited | Crash monitoring and diagnostics | Crash data, device information, UUID |
| Sentry | Service Provider Functional Software, Inc., United States | Error monitoring and diagnostics | Diagnostics and error context data needed for troubleshooting |
| Firebase Performance Monitoring | Service Provider Google LLC | App performance monitoring | Performance and diagnostics telemetry needed to improve reliability |
| Firebase Cloud Messaging | Service Provider Google Ireland Limited / Google LLC (deployment-dependent) | Push notification delivery | Message delivery identifiers and service data required for notification routing |
| App Store Connect | Service Provider Apple Inc., United States | App distribution platform analytics and management | Diagnostics, Trackers, Usage Data (subject to user sharing settings) |
| Sign in with Apple | Service Provider Apple Inc., United States | Registration and authentication | Email address, first name, last name (or Apple relay email where applicable) |
| Firebase Invites | Service Provider Google Ireland Limited | Social sharing and invitation tracking | Service data required to share invites and measure invite opens/installs |
| Firebase Dynamic Links | Service Provider Google Ireland Limited | Deep-linking and user-journey tracking | Service data required to resolve links and measure entry/navigation paths |
We maintain data processing agreements (DPAs) with our processors and apply transfer safeguards where required. You can request an up-to-date processor list (including legal entity names and addresses) at privacy@oscarstories.com.
We also open or generate user-facing links (for example shared story URLs, app-store links, and external info/help pages) when you explicitly use those features.
Legal bases (GDPR)
- Contract: to provide account access, content generation, progress tracking, and requested service features.
- Legitimate interests: service security, fraud prevention, reliability, and quality improvements.
- Consent: where required for push/notification permissions, certain analytics or messaging activities, and any transmission of personal data to third-party AI services. Consent choices are presented in-app (and push permission is requested by the operating system) before optional tracking/messaging/third-party-AI features are enabled.
- Legal obligations: when required by law (for example compliance, legal claims, regulatory requests).
Purpose and legal basis mapping (summary)
- Account creation, login, and service delivery: contract (Article 6(1)(b) GDPR).
- Educational personalization and progress tracking: contract (Article 6(1)(b) GDPR).
- Safety/quality checks (including AI trace review): legitimate interests (Article 6(1)(f) GDPR) to provide safe and reliable educational content; where personal data is shared with a third-party AI service, consent is obtained in-app before transmission.
- Optional analytics/engagement tracking and certain notifications: consent (Article 6(1)(a) GDPR), where required.
- Compliance, legal claims, and recordkeeping: legal obligation (Article 6(1)(c) GDPR) and/or legitimate interests (Article 6(1)(f) GDPR), as applicable.
Automated decision-making
We do not make decisions based solely on automated processing that produce legal effects or similarly significant effects for users (Article 22 GDPR).
Where consent is required, optional analytics/engagement tracking and any third-party AI personal-data transmission are gated and only enabled after consent. You can withdraw consent at any time in app/device settings or by contacting us.
AI trace processing for content-quality and appropriateness checks is carried out to provide safe, reliable educational experiences and is subject to data minimization and access controls.
Parental controls
We provide parental controls in our child-focused products. These controls are designed to support parent/guardian oversight of child profiles, content usage, permissions, and account-level privacy settings.
International data transfers
Some processors may process data outside the EU/EEA. Where required, we use appropriate safeguards such as European Commission adequacy decisions, EU Standard Contractual Clauses, and additional technical/organizational protections. Where relevant and available, we also rely on the EU-U.S. Data Privacy Framework.
We assess international transfer risks and apply supplementary measures where appropriate (for example encryption, access controls, and data minimization).
Information on opting out of interest-based advertising
In addition to provider-specific settings, users can manage broader interest-based advertising preferences through industry resources.
- YourOnlineChoices (EU): www.youronlinechoices.com
- Network Advertising Initiative (US): www.networkadvertising.org
- Digital Advertising Alliance (US): www.privacyrights.info
- AppChoices: youradchoices.com/appchoices
Users can also adjust device-level ad and notification settings. Availability of controls depends on device type, operating system version, and region.
Data retention
We retain personal data only for as long as necessary. Typical retention periods are:
- Account data: for as long as the account is active; deleted after verified deletion request, subject to legal retention obligations.
- Educational content and progress data: retained while needed to provide history, personalization, and learning continuity; deleted upon verified deletion request unless legal retention is required.
- Diagnostics, security logs, and performance data: typically up to 12 months, unless a longer period is required for security incidents or legal claims.
- Analytics/tracing data: retained for a limited period and minimized in scope; typically up to 24 months unless shorter retention is configured.
- Support and privacy correspondence: typically up to 24 months after closure of the request.
- Legally required records: retained for the period required under applicable law (for example Austrian tax/commercial retention duties).
After deletion requests are processed, limited residual copies may remain in encrypted backups for a short, defined backup cycle before automatic overwrite/deletion.
Account and data deletion
You can request account/data deletion through our GDPR Request page (DSAR & account deletion) or by emailing privacy@oscarstories.com. If your app version includes an in-app deletion option, you can use it in Settings.
Upon a verified deletion request, we delete the account and associated personal data across our apps and backend services (including linked profile, learning, and generated-content records), except where limited retention is legally required.
Children’s privacy
Our Oscar educational apps are intended to be used with parental/guardian involvement. Child-related profile data is provided by the parent/guardian for personalization and learning features, and parental controls are available to manage child-related settings and usage. We also use controlled quality/safety review processes (including AI tracing) to help keep generated educational content age-appropriate.
In Austria, the age threshold for a child’s own consent to information-society services is 14. Where required, users under this age must have parental/guardian authorization.
If you believe child data was provided without appropriate authorization, contact us and we will investigate and delete where required.
Your rights (EU/EEA)
You have the right to access, rectify, erase, restrict, object, withdraw consent, and request portability.
To exercise these rights, use our GDPR Request page (DSAR & account deletion)or email privacy@oscarstories.com. We respond without undue delay and within one month, subject to GDPR requirements.
You also have the right to lodge a complaint with your supervisory authority. In Austria, this is the Österreichische Datenschutzbehörde (Austrian Data Protection Authority), Barichgasse 40-42, 1030 Vienna, Austria, www.dsb.gv.at.
Security
We use technical and organizational measures (such as access controls and data minimization) to protect personal data. No method of transmission or storage is fully secure, but we continuously work to improve protections.
Changes to this policy
We may update this Privacy Policy from time to time. We will publish the latest version on this page.
Last updated: March 6, 2026