Outzy

Privacy Notice

Outzy is built around protecting children's privacy. This notice spells out, in plain language, what we collect, why we collect it, who we share it with, how long we keep it, and the rights you and your child have under the GDPR.

Last updated 2026-05-09

1. Who is responsible for your data

Outzy is operated by SpectrumLabs B.V., a company registered in the Netherlands. SpectrumLabs B.V. is the data controller for the personal data described in this notice. You can reach us by email at support@spectrumlabs.dev, or by post at SpectrumLabs B.V., Seinhuiswachter 2, 3034 KH Rotterdam, the Netherlands. We are not legally required to appoint a Data Protection Officer; the role is performed by the company's management. You can reach the privacy team at support@spectrumlabs.dev.

2. What personal data we collect, and why

For all accounts (children and parents): name, email address, locale, the WebAuthn public-key credential your device generates, the IP address that hits our servers, the user-agent string, and the audit-log entries describing actions taken under your account. The legal basis is the performance of a contract with you (Art. 6(1)(b) GDPR).

For child profiles created inside the app: a display name, year of birth (not the full date), an optional avatar, and a coarse home location stored at neighbourhood granularity (~1.2 km cell, never raw GPS coordinates). The legal basis is the consent of the parent who creates the profile (Art. 6(1)(a) and Art. 8 GDPR).

For paying parents (Outzy Family subscribers): subscription identifiers from RevenueCat, Stripe, the App Store, or the Play Store; the country of the billing address; the last four digits of the card or the type of payment instrument. We never receive your full card number. The legal basis is the performance of the subscription contract.

3. What we never collect

We never collect or store the precise GPS coordinates of children. We never read the contents of your phone's contact list, photo library, microphone, or camera unless you actively pick something to share. We never run third-party advertising trackers in the kid app. We never sell, rent, or trade your personal data.

4. Children specifically

Outzy is designed to be used by children. A child can create an account themselves with a name, an email address (theirs or a parent's) and a passkey. We treat all child accounts as belonging to a person below the age of digital consent unless the parent has explicitly confirmed otherwise during account linking. Communication between children is restricted to safety-classified text. Free-form chat is only enabled when at least one parent in the friendship pair has an active Outzy Family subscription, so a real human adult is reading along. AI moderation runs on every message before it reaches anyone. Where the law of your country requires explicit parental consent for a child's online account (e.g. the Netherlands at age 16, Germany at 16, France at 15, Spain at 14, Ireland and the UK at 13, varying by jurisdiction), the parent who links the child's account confirms consent during the linking flow.

5. Who we share data with

Hosting and infrastructure: a single hosting provider in the European Economic Area (EEA). Email delivery: a transactional email provider in the EEA. Payments: Stripe (for web purchases) and RevenueCat (for App Store and Play Store purchases). Apple Inc. and Google LLC handle the actual store-side billing on their respective platforms. AI moderation: an LLM provider whose servers are located in the EEA where available; the moderator only ever sees the text being classified, never the user's identity. Push notifications: Expo, the operator of the Expo push service. Customer support tickets sent through the support form go only to our own internal mailbox. We do not use any analytics SDK, tag manager, or advertising network in any part of the product.

6. Where your data is stored

On servers physically located in the European Union. Backups are encrypted at rest. We do not transfer personal data outside the European Economic Area unless one of our processors does so under EU Standard Contractual Clauses (Art. 46 GDPR), which currently applies only to RevenueCat and Stripe for billing-related data; the parent-readable data export endpoint includes the SCC processors used for your account.

7. How long we keep your data

Account data: while the account exists, then deleted within 90 days of the deletion request. Audit-log entries describing safety-relevant actions: 365 days even after account deletion, retained for the legitimate interest (Art. 6(1)(f) GDPR) of being able to respond to law-enforcement requests, child-safety incidents, and account take-over investigations. Backup copies: rotated out within 35 days. Payment records: kept for 7 years to comply with Dutch tax law (article 52 of the Algemene Wet inzake Rijksbelastingen).

8. Your rights under the GDPR

You have the right to: access the personal data we hold about you (Art. 15); have it corrected (Art. 16); have it deleted (Art. 17); restrict our processing of it (Art. 18); receive it in a portable format (Art. 20); object to processing based on legitimate interest (Art. 21); withdraw any consent you have given (Art. 7); and lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or the supervisory authority in your country. To exercise any of these rights, email support@spectrumlabs.dev from the address linked to your account, or use the in-app "Download my data" / "Delete my account" actions. We respond within 30 days.

9. Cookies and similar technologies

The marketing site (the pages on outzy.app outside the app) uses one strictly necessary cookie to remember your chosen language, and one session cookie if you are signed in. We do not use analytics cookies, advertising cookies, or third-party trackers. The mobile app does not use cookies; it uses platform-native local storage to keep your session active. See our cookies notice for the full list.

10. Security

Your account is protected by a passkey bound to your device (Face ID, Touch ID, or your device PIN). Outzy does not store passwords because it does not use any. Sensitive actions (deleting your last passkey, removing a child profile, cancelling your subscription) require a fresh passkey assertion. Data in transit is encrypted with TLS 1.2 or higher. Data at rest in the database is encrypted via the cloud provider's default disk encryption; sensitive fields (passkey credentials, audit-log payloads) are additionally encrypted at the application layer using Laravel's encrypted casts.

11. Automated decision-making

AI-based content moderation is automated. When a moderator decision affects you (e.g. a message is hidden or an account is restricted), you are informed and can request a human review by emailing support@spectrumlabs.dev. We do not run profiling for advertising or marketing purposes.

12. Changes to this notice

When we change this notice in a way that affects you (e.g. a new processor, a new data category, a longer retention period), we email all account holders at least 30 days before the change takes effect. Past versions of this notice are kept at outzy.app/privacy/history.

13. Contact and complaint

For privacy questions: support@spectrumlabs.dev. For safety reports: support@spectrumlabs.dev. For everything else: support@spectrumlabs.dev. By post: SpectrumLabs B.V., Seinhuiswachter 2, 3034 KH Rotterdam, the Netherlands. If you are unhappy with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority at autoriteitpersoonsgegevens.nl, or with the supervisory authority in the EU country where you live or work.