Privacy Policy GDPR

Effective date: 14.08.2025

Addressed to: users of the website forteens.app and the Forteens mobile application — teenagers aged 10–18, as well as their parents/legal guardians.

Briefly (TL;DR)

  • Who is the controller: RENDERCH Ltd., EIK/UIC: BG-207510157, registered office: 11 Pirotska St, Burgas, Bulgaria. Privacy contact: [email protected]. LSA: CPDP (Bulgaria).
  • What we collect (minimally): technical data of the website (including via Cloudflare), form data (contacts), in the application — age group (10–12 / 13–15 / 16–18), settings, interactions (chat/games), diagnostic events; sex/gender — optional.
  • For what: to provide the service, security, stability; with your separate consent — research and model training (including predictive) on anonymized/pseudonymized data. Payments — via Google/Apple (card data held by the stores).
  • Transfers and processors: Cloudflare (EU/Germany), Google Workspace (mail/docs), hosting in the EU; outside the EEA — SCC/DPF/TIA.
  • Retention periods: operational logs up to 12 months, accounting 5–10 years, diagnostic data 6–12 months, R&D datasets — 24 months.
  • Rights: access, rectification, erasure, restriction, portability, objection (Art. 21), withdrawal of consent — write to [email protected].
  • UX principles: no “dark patterns”; equivalent “Accept/Reject” for non-essential trackers; easy consent withdrawal.

1. Who we are and how to contact us

Controller (operator): RENDERCH Ltd.
Address: 11 Pirotska St, Burgas, Bulgaria
Office: 11 Pirotska St, Burgas, Bulgaria
Privacy lead: [email protected]
DPO: not appointed at this stage; the need for appointment is regularly assessed under Art. 37 GDPR.

2. For whom this policy is intended

For visitors of the website forteens.app and users of the Forteens mobile application. The main audience is teenagers aged 10–18; parents/guardians may contact us regarding consent and the child’s rights.

3. Children and age of consent

We comply with local “age thresholds” of digital consent in EU countries (usually 13–16 years).
How we confirm parental consent (mobile application):

  • Parent Link (by default): the teenager specifies the parent’s email in the app → the parent receives an email with a unique link → the parent gives consent in one click (with a short notice and a link to the policy/terms).
  • Link code: alternatively, a one-time code is shown to the parent in their email; the code is entered in the application on the teenager’s device.
  • School/clinical pilots: written consent according to a template (offline/electronically) through the partner institution, with a copy stored by the institution and by the controller.
  • Confirmation of parent status: email domain (if corporate/school), self-declaration in the form + log of IP/time; in jurisdictions with strict requirements — an additional step (for example, attaching a scan of the signed consent).

We choose the least intrusive and proportionate mechanism for your country; details — in the document “How we verify parental consent”.
If in your country parental consent is required for the processing of a teenager’s data, we use proportionate mechanisms of confirmation. If we become aware that a child’s data is being processed without the required consent, we will terminate such processing and resolve the situation.

4. What data we process

On the website (10–18 and adult visitors)

  • Technical data: IP address, browser/device identifiers, date/time, URL/referrer, basic cookies and similar technologies (including for security/performance via Cloudflare).
  • Forms: name, email, organization/role, country, subject, message; correspondence with support.
  • Subscription (if enabled): email + fact of consent.

In the application (10–18)

  • Profile/personalization settings: age group (10–12 / 13–15 / 16–18), interface language, interaction format (text/voice/character/games), sex/gender (optional) — for adapting tone and visual elements.
  • Interactions: messages/voice commands for the assistant’s response; selection of games/exercises and the fact of their completion; basic progress metrics at the application level; events/errors for stability.
  • Derived features (“features”) for R&D: aggregated/pseudonymized characteristics computed from interactions (for example, session length, type of exercise, generalized contextual signals without linkage to a person) — only for quality improvement and model training and only with separate consent.
  • Device diagnostics: OS/app version, model, stability, crash notifications.

Payments:

We receive from Google/Apple service transaction data (identifier, status, period/tariff) to activate access. Card payment data are processed by the app stores and are not available to us.

We do not collect and do not infer from the “sex/gender” field information about sexual life or sexual orientation. These are ordinary personal data (not a special category). We do not make inferences about the user’s personality on this basis.

5. Purposes and legal bases

| Purpose | Examples | Legal basis |
|---|---|---|
| Provision of the Service (10–18) | chat, games/exercises, basic personalization by age group | Contract (Art. 6(1)(b)) |
| Support and communications | responses to requests, service notifications | Contract / Legitimate interest (Art. 6(1)(b)/(f)) |
| Security and prevention of abuse | protection against DDoS/bots (Cloudflare), audit of events | Legitimate interest (Art. 6(1)(f)) |
| Improving quality and stability | diagnostics of failures, aggregated statistics on functions | Legitimate interest (Art. 6(1)(f)) |
| Personalization by sex/gender (optional) | adapting tone/visual elements | Consent (Art. 6(1)(a)); where necessary — with participation of a parent |
| Research and improvement of algorithms (model training) | analysis of anonymized/pseudonymized data, creation of datasets for training/validation, A/B tests without individual profiling | Consent of the child and/or parent (Art. 6(1)(a)); for special categories — explicit consent (Art. 9(2)(a)) |
| Marketing mailings (optional) | news/updates | Consent (Art. 6(1)(a)) |
| Legal obligations | accounting/taxes (via the stores) | Law (Art. 6(1)(c)) |
| Protection of vital interests | actions in the event of an obvious threat to life/health | Vital interests (Art. 6(1)(d)) |

Important:
For R&D/model training we do not use data for advertising, do not carry out individual profiling of a person and do not make decisions that produce legal effects.

6. Cookies and SDK

Website: strictly necessary/functional cookies (including Cloudflare) for security, routing and performance. If analytical/marketing cookies appear — we will show a banner with a clear choice “accept/reject”.

Application: system SDKs for stability/notifications/diagnostics; any optional SDKs and R&D experiments — only with separate consent and with the possibility of disabling.

7. Data recipients (categories)

  • Infrastructure/security: Cloudflare, Inc. (CDN/protection/routing; nodes in the EU, including Germany).
  • Hosting/DB: [provider(s) in the EU].
  • Mail and office services: Google Workspace (Google Ireland Limited) — corporate mail (Gmail), documents and storage of work materials. Personal data contained in correspondence/attachments and work files are processed by Google as our processor under Art. 28 GDPR; cross-border transfers are possible under DPF/SCC safeguards.
  • Payments/subscriptions: Google LLC (Google Play), Apple Inc. (App Store).
  • Partnership projects (with separate consent): schools/clinics/NGOs — the minimum necessary amount of data for pilots.

We conclude data processing agreements with all processors under Art. 28 GDPR and require adequate security and confidentiality measures.

8. Cross-border transfers

When transferring data outside the EEA (for example, to providers in the USA) we use recognized mechanisms: Standard Contractual Clauses (SCC), transfer impact assessment (TIA) and/or work with providers certified under the EU–US Data Privacy Framework. Details are available upon request from the privacy lead.

9. Retention periods

We store data for as long as necessary for the stated purposes, then delete/anonymize:

  • Support/correspondence — up to 12 months after closing the request.
  • Technical logs (security/access) — up to 12 months (if the law does not require longer).
  • Transaction data of the stores/accounting — 10 years.
  • Application diagnostics — up to 6–12 months.
  • Profile settings (including “sex/gender”) — until deleted by the user/parent or deactivation of the account; upon withdrawal of consent for personalization, the use of this attribute ceases.
  • R&D/model training datasets: stored pseudonymized/anonymized with access on a need-to-know basis for up to 24 months with regular review of appropriateness; elements allowing identification are deleted or irreversibly anonymized. The trained models are not intended to reconstruct the original content.

Risk of re-identification: when working with R&D datasets we apply measures to reduce the risk of re-identification: removal of direct identifiers, pseudonymization with separate storage of keys, aggregation, samples with minimum record thresholds, access limitation on a need-to-know basis, logging, as well as periodic re-assessment of risks within the DPIA.

10. Users’ rights (children 10–18 and parents)

You are entitled to: request access and a copy of data; rectification; erasure (in cases provided by law); restriction of processing; portability (for data based on contract/consent); object to processing based on legitimate interest; withdraw consent (for example, for mailings, personalization by sex/gender or participation in R&D).

Objection to processing (Art. 21 GDPR): you may object to processing based on legitimate interest. We will cease such processing unless we demonstrate compelling legitimate grounds overriding your interests, rights and freedoms, or if the processing is necessary for the establishment, exercise or defense of legal claims.

Send your request to [email protected]. Response time — up to 1 month (in complex cases — up to 3 months with notification).

11. Security

We apply measures under Art. 32 GDPR: encryption in transit/at rest (where applicable), access control, logs and monitoring, backups, vulnerability management and regular reviews. For the child audience we use careful interfaces and transparent prompts.

12. DPIA, fairness and absence of “dark patterns”

Taking into account the age of the audience and the nature of the technologies, we carry out and update the DPIA before significant releases. For R&D/model training we apply anonymization/pseudonymization, tests for fairness and prevention of bias, including a separate risk assessment for the “sex/gender” attribute.

Anti–dark-patterns: consent and settings interfaces are built on a neutral choice — equivalent “Accept”/“Reject” buttons for non-essential cookies/SDKs, without pre-ticked checkboxes, without intrusive repeated requests, without “payment/cookie walls” (when not necessary), with equal ease of giving and withdrawing consent. In child scenarios we use plain language and short “just-in-time” explanations.

13. Complaints and supervisory authority

You can contact any EU data protection supervisory authority. Our lead supervisory authority (LSA) is the Commission for Personal Data Protection (CPDP), Bulgaria. We consider requests in good faith and cooperate with regulators.

14. Policy updates

We may update this Policy. The current version is published on the website/in the application; significant changes are communicated by a notice.

15. Contacts

For questions of privacy, rights and security, please contact the privacy lead:

Email: [email protected]