Privacy Policy

SpeedexMedia LLC (“we,” “us,” or “our”) sets forth this Privacy Policy (the “Policy”) regarding the handling of personal information of users of the mobile application “Pukupo” (the “App”) that we provide.

The Japanese-language version of this Policy is the authoritative original. In the event of any inconsistency between the Japanese version and this English version, the Japanese version shall prevail.

1. Scope

This Policy applies to your use of the App and to services we provide in connection with the App. The App is distributed in Japan and the United States through the Apple App Store and Google Play.

The App is a service for children between the ages of 2 and 6. We implement measures regarding the handling of children’s personal information in accordance with the principles of Japan’s Act on the Protection of Personal Information (“APPI”) and the United States Children’s Online Privacy Protection Act (“COPPA”).

2. Operator and Contact Information

Company: SpeedexMedia LLC
Address: Mutsumi Building 3F, 2-10-48 Kitasaiwai, Nishi-ku, Yokohama, Kanagawa 220-0004, Japan
Managing Member: Yuji Hayashi
Personal Information Protection Manager: Yuji Hayashi (Managing Member)
Contact (including inquiries regarding personal information): [email protected]

3. Information We Collect

We collect only the minimum information necessary to provide the App. Specifically:

The parent’s email address and password (for account authentication). Passwords are stored securely in our authentication infrastructure (Supabase GoTrue); we do not retain passwords in plain text.
Family name, parent nickname, and child nickname (for in-family display; free-text entry; the child nickname is an alias set freely by the parent or the child).
Adult-area passcode (a 6-digit numeric code set by the parent to protect the adult area).
Habit content registered by the parent (titles, intensity, etc.).
Timestamps when the child records “done.”
The creature’s growth stage and growth points.
Account-deletion request status (scheduled deletion date, etc.).
Where the parent uses a subscription or in-app purchase (purchase of the in-app virtual currency “Credits”), the subscription status (active/inactive, expiration date, whether a trial has been used, etc.) and receipt information (product ID, transaction ID, purchase date/time, etc.) communicated to us by Apple Inc. or Google LLC. We do not collect credit card numbers or any other payment-instrument information itself (payment is processed by the respective store).

4. Information We Do Not Collect

In accordance with the principle of data minimization for a children’s service, the App does not collect the following:

The child’s real name, age, date of birth, telephone number, email address, residential address, or school name.
Location information (including GPS location and IP-based location).
Device identifiers and advertising IDs (IDFA, AAID, or other advertising identifiers).
Crash reports or app-usage analytics data (event tracking, funnel analysis, etc.).
Push-notification tokens.
Contacts (address book), photos, videos, audio, files, or health information.
Credit card numbers, bank account details, or other payment-instrument information itself (payments for in-app purchases (subscriptions and Credit purchases) are processed by the Apple App Store or Google Play, and we do not directly obtain payment-instrument information; what we obtain is limited to the subscription status and receipt information described in Section 3).

The App does not incorporate any third-party analytics tools or advertising-network SDKs. We do not engage in behavioral targeted advertising based on children’s usage data.

5. Notes on Nicknames and Other Input Fields

Please do not enter real names, residential addresses, telephone numbers, school names, or any other personally identifying information in the nickname, family name, habit title, or other free-text entry fields. We do not request such information and do not collect it intentionally. We disclaim responsibility for any disadvantage arising from the handling of information that is nevertheless entered.

6. Purposes of Use

We use collected information only for the following purposes:

To provide the App and its functions (habit registration and recording, creature growth display, family-member management, etc.).
To authenticate the parent’s account and to ensure security.
To protect adult-area features and to provide parent-facing management functions.
To grant purchase benefits, restore purchase status, and prevent duplicate grants in connection with subscriptions and in-app purchases (Credit purchases), using the subscription status and receipt information communicated to us by Apple Inc. or Google LLC.
To respond to user inquiries.
To comply with legal obligations or legitimate requests from public authorities.

When we change a purpose of use, we will notify you by posting the revised purpose within the App or on our website. For material changes to the handling of children’s personal data, we may request parental consent again.

7. Handling of Children’s Personal Information

Although the App is intended for children between the ages of 2 and 6, the contracting party and the party giving consent is the parent (18 years of age or older). We handle children’s personal information as follows:

For children under the age of 13, in accordance with the principles of COPPA, we do not collect, use, or disclose personal information to third parties without verifiable parental consent.
In accordance with the principles of APPI, we implement data minimization, specification of purpose, safety management measures, and oversight of subcontractors.
We do not implement behavioral targeted advertising directed at children, and we do not disclose children’s data to third-party advertising providers.
We do not require children to enter any information beyond the App’s core functions (operating the habit-record button and viewing the creature).
Parents review and consent to this Policy and the related data-use terms on the initial onboarding screen of the App.

8. Storage Location and Infrastructure Providers

Personal data we collect is stored in the cloud database service Supabase (Tokyo region). The storage location for personal data is within Japan only; storage itself does not constitute a transfer to a third party located in a foreign country (a cross-border transfer under APPI Article 28).

However, the operator of that service, Supabase Inc., is a corporation with its principal place of business in the State of Delaware, United States. In the context of customer support, incident response, and platform operations, employees and personnel of Supabase Inc. located in the United States may access personal data. Such access is governed by our contract with Supabase Inc. and by Supabase Inc.’s data-protection policies.

To enable operation when offline, the App maintains a temporary local queue (a SQLite database) on the device’s internal storage. The contents of the local queue are synchronized to Supabase (Tokyo region) when the device connects to a network, and are discarded on the device upon completion of synchronization.

9. Disclosure to Third Parties

We do not disclose personal data to third parties except in the following cases:

With the parent’s consent.
As required by law (court orders, lawful requests from investigative authorities, etc.).
When necessary to protect the life, body, or property of a person and parental consent is difficult to obtain.
When cooperating with a national or local government agency or its delegated entity in the execution of statutory duties and obtaining parental consent could impede such duties.

The App does not disclose children’s personal data to third-party analytics providers or to third-party advertising providers.

10. Subcontractors

To provide the App, we entrust the following entities with the necessary scope of work. We exercise appropriate supervision over each subcontractor regarding the safe management of personal data.

Supabase Inc. (United States): Provision of cloud database and authentication services.
Apple Inc. (United States): Distribution of the iOS app, and payment processing for in-app purchases (subscriptions and Credit purchases).
Google LLC (United States): Distribution of the Android app, and payment processing for in-app purchases (subscriptions and Credit purchases).

11. Retention and Deletion

While the App account is active, the registered information is retained to the extent necessary to provide the App.

When the parent requests deletion of the account, use of the App ceases at the time of the request, but the data is retained for 14 days. This 14-day period is the “deletion grace period,” during which the parent may cancel the deletion request. Upon expiration of the deletion grace period, the personal data associated with the account (family-member information, habit registrations and records, creature status, account-management information, etc.) is physically deleted from the primary database.

As of the date of this Policy, we do not maintain daily backups or point-in-time recovery (PITR) configurations that retain deleted data. Accordingly, the expiration of the deletion grace period constitutes the substantive deletion point.

Separately, infrastructure providers (Supabase Inc. and the cloud operators underlying its platform) may retain short-term internal recovery copies for operational and incident-recovery purposes. The retention and handling of such copies are governed by each infrastructure provider’s data-protection policies and by their contractual arrangements with us.

12. User Rights

Users (parents) may make the following requests regarding personal data we hold:

Notification of the purpose of use of retained personal data.
Disclosure of retained personal data (including provision in electronic form).
Correction, addition, or deletion of content.
Suspension of use, or erasure.
Suspension of disclosure to third parties.

For personal data of children under the age of 13, parents exercise these rights on the child’s behalf. For specific procedures, including identity verification, please contact us at the address in Section 2. We will respond within a reasonable period in accordance with applicable law.

Parents may also erase retained personal data themselves by deleting their account through the App’s built-in functionality (the deletion procedure follows Section 11).

13. Safety Management Measures

To prevent leakage, loss, or damage of personal data, we implement the following safety management measures:

Encryption of communications (HTTPS / TLS).
Secure storage of passwords (standard hashing by Supabase GoTrue).
Access control at the database layer (mechanisms such as Row Level Security).
6-digit passcode protection of adult-area features.
Training of officers and employees on the appropriate handling of personal information.
Selection and supervision of subcontractors.

14. Cookies and Similar Technologies

The App itself does not use web-browser cookies. The use of cookies or similar technologies on our website (pukupo.com), if any, is governed by separate notices posted on that website.

15. Revisions to This Policy

We may revise this Policy in response to changes in applicable law or changes in the App. The revised Policy takes effect when posted within the App or on pukupo.com. For material changes to the handling of children’s personal data, we will provide reasonable advance notice to parents and may request parental consent again where necessary.

The App offers a paid monthly subscription and the purchase of the in-app virtual currency “Credits” (in-app purchases). These payments are processed by the Apple App Store or Google Play, and we do not directly obtain payment-instrument information itself. Our collection and use of subscription status and receipt information is as set forth in this Policy (in particular Sections 3, 4, and 10). If we make material changes to the paid features or to the handling of payment-related information, we will revise this Policy and post it within the App or on pukupo.com.

16. Effective Date and Last Updated

Effective date: June 12, 2026
Last updated: June 12, 2026

SpeedexMedia LLC