Privacy Policy
Last updated: February 6, 2026
For questions, contact: privacy@getfishsticks.com
1. Operator Contact Information
Fishsticks is a child-directed educational application designed to help children practice spelling through interactive quizzes and progress tracking.
Operator Name: Fishsticks
Contact Email: privacy@getfishsticks.com
Fishsticks complies with the Children's Online Privacy Protection Act (COPPA). This privacy policy describes how we collect, use, and protect information from users of our application.
2. Information We Collect
Fishsticks collects the following types of information:
- Parent email address - Used for account authentication and communication about the account
- Quiz history - Spelling test results, scores, and dates to track educational progress
- Word lists - Custom spelling word collections created by the parent or selected from our library
- Streak data - Daily practice tracking to provide learning motivation and consistency
- Session cookies - Authentication state and session management for secure access
- Premium subscription status - Feature access level (free or premium) to enable appropriate functionality
- Payment information - Collected and processed by Lemon Squeezy (our payment processor), NOT by Fishsticks directly. We receive only subscription status and receipt information.
We do NOT collect:
- Children's names
- Children's email addresses
- Photos or videos
- Voice recordings (ElevenLabs provides text-to-speech output only; no user audio is captured)
- Biometric data
- Geolocation information
- Social security numbers
- Any persistent identifiers linked to a child's identity
3. Parent-as-Account-Holder Model
Fishsticks operates on a parent-as-account-holder model. This means the parent or legal guardian creates and owns the account, and the child uses the application on the parent's device within the parent's authenticated session.
How this works:
- The parent provides their own email address during account creation
- The parent authenticates using their email (via magic link or OAuth)
- The child accesses Fishsticks on the parent's device while logged into the parent's account
- All data (quiz history, word lists, streaks) is associated with the parent's account, not with a child's personal identity
Parental consent:
Parental consent is established through the act of account creation. By creating an account with their own email address and authenticating, the parent consents to the collection and use of information as described in this privacy policy.
For premium features, additional verification occurs through credit card payment processed by Lemon Squeezy, our payment processor and Merchant of Record.
4. How We Use Information
We use the information we collect for the following purposes:
- Educational progress tracking - Recording quiz results and word mastery to show learning progress over time
- Account management and authentication - Securing account access and verifying user identity
- Streak tracking for learning motivation - Encouraging consistent daily practice through visual progress indicators
- Premium subscription management - Enabling premium features for paying subscribers
- Service improvement and bug fixing - Identifying and resolving technical issues to improve application reliability
We do NOT:
- Use data for advertising or marketing to children
- Sell, rent, or share personal information with third parties for their own marketing purposes
- Use information for behavioral advertising or ad targeting
- Create user profiles for commercial purposes beyond providing the educational service
5. Third-Party Service Providers
Fishsticks relies on the following third-party service providers to deliver core functionality. All of these services are integral to the operation of the application:
Supabase (Database and Authentication)
- Purpose: Database storage and user authentication services
- Data accessed: Account data (parent email), quiz history, word lists, streak data, user settings, premium subscription status
- Data location: Stored in compliance with Supabase's privacy policy and data protection standards
- Function: Provides secure authentication and reliable data storage for all application features
Lemon Squeezy (Payment Processing)
- Purpose: Payment processing as Merchant of Record for premium subscriptions
- Data accessed: Parent email address (for payment receipts), payment method information, billing address
- Important: Fishsticks does NOT store credit card numbers or payment details. All payment processing is handled exclusively by Lemon Squeezy.
- Function: Enables premium subscription purchases and manages recurring billing
ElevenLabs (Text-to-Speech)
- Purpose: Provides voice pronunciation for spelling words to support auditory learning
- Data accessed: Text content of spelling words only (no personal information)
- Important: No voice data is collected from users. ElevenLabs provides voice output only; the application does not record or transmit user audio.
- Function: Generates spoken pronunciation of spelling words during quizzes
Vercel (Hosting)
- Purpose: Web application hosting and content delivery
- Data accessed: Standard web server logs (IP addresses, browser type, access timestamps) for security and performance monitoring
- Important: No analytics services are enabled. Vercel Analytics is not used.
- Function: Delivers the Fishsticks application to users' browsers and ensures reliable availability
Third-party service classification:
All third-party service providers listed above are integral to the operation of Fishsticks. We do not share personal information with third parties for advertising, marketing, data sales, or artificial intelligence training purposes. Third-party compliance documentation is maintained internally and is available to parents upon request by contacting privacy@getfishsticks.com.
6. Data Retention Policy
We retain personal information only as long as reasonably necessary to fulfill the purpose for which it was collected. Fishsticks does not retain children's personal information for longer than is reasonably necessary.
| Data Type | Purpose | Retention Period | Deletion Trigger |
|---|---|---|---|
| Parent email | Account authentication | Duration of active account | Account deletion (removed within 24 hours) |
| Quiz history | Educational progress tracking | Duration of active account | Account deletion (removed within 24 hours) |
| Word lists | Spelling practice content | Duration of active account | Account deletion (removed within 24 hours) |
| Streak data | Learning motivation | Duration of active account | Account deletion (removed within 24 hours) |
| Session cookies | Authentication state | Session duration or 30 days | Logout or cookie expiration |
| Premium status | Feature access management | Duration of active account | Account deletion (removed within 24 hours) |
Account deletion process:
When a parent initiates account deletion through the Settings page, the following process occurs:
- A 24-hour cooling-off period begins, during which the account is marked for deletion but data is not yet removed
- The parent can cancel the deletion request during this 24-hour period by logging in again
- After 24 hours, all associated data is permanently deleted via cascade delete (parent email, quiz history, word lists, streak data, subscription status)
- Deletion is irreversible after the 24-hour cooling-off period expires
7. Parental Rights and Controls
Parents have the following rights with respect to their account data:
- Right to review: Access and review all personal information associated with their account
- Right to delete: Request deletion of their account and all associated data
- Right to refuse further collection: Stop using the service to prevent further data collection
- Right to restrict disclosure: Request that information not be disclosed to third parties (subject to the limitations of integral service providers described in Section 5)
How to Exercise Your Rights
Parents can exercise these rights in two ways:
- Email request: Send an email to privacy@getfishsticks.com with your account email address and specific request
- Account deletion feature: Log into Fishsticks, navigate to Settings, and select "Delete Account"
We will respond to parental requests within 30 days of receipt. For account deletion requests submitted via email, we may require verification of account ownership before processing the request.
Account Deletion Process
The account deletion feature is available directly in the application. Once initiated, the process follows these steps:
- Parent selects "Delete Account" from the Settings page
- A 24-hour cooling-off period begins
- During this period, the parent can log in to cancel the deletion request
- After 24 hours, all data is permanently deleted:
  - Parent email address
  - Quiz history (all test results and scores)
  - Word lists (custom and library selections)
  - Streak data
  - Premium subscription status
- Deletion is complete and irreversible
8. Security Measures
Fishsticks implements comprehensive security measures to protect personal information from unauthorized access, disclosure, alteration, or destruction:
Encryption and Transport Security
- Encryption in transit: All data transmission uses HTTPS with TLS 1.2 or higher
- Secure session management: Server-side session validation with httpOnly cookies
- No plaintext storage: Sensitive data is never stored in plaintext
Access Controls
- Row-Level Security (RLS): Database-level access controls on all tables to ensure users can only access their own data
- Server-side validation: All data access requests are validated server-side to prevent unauthorized access
- Authentication required: All application features require valid authentication
Input Validation and Rate Limiting
- Input validation and sanitization: All user input is validated and sanitized to prevent injection attacks
- Rate limiting on API endpoints: Prevents abuse and brute-force attacks
- Security headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and other protective headers are enabled
Third-Party Security
- Webhook signature verification: Payment webhooks from Lemon Squeezy are verified using cryptographic signatures
- Regular security audits: Third-party dependencies are regularly audited for known vulnerabilities
- Service provider oversight: Third-party service providers are evaluated for security and privacy compliance
9. No Third-Party Advertising
Fishsticks does not display third-party advertisements.
We do not allow third-party advertising networks to collect information from users of our application.
We do not use personal information for behavioral advertising or ad targeting of any kind.
The application is monetized exclusively through premium subscription fees, not through advertising revenue.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Notification of material changes:
If we make material changes to how we collect, use, or share personal information, we will notify account holders via email at the address associated with their account at least 30 days before the changes take effect.
Protection of children's information:
We will not reduce the protections provided to children's information without obtaining new parental consent through the account creation process.
Effective date:
The date of the most recent revision is indicated at the top of this page. We encourage parents to review this Privacy Policy periodically.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: privacy@getfishsticks.com
We will respond to all inquiries within 30 days.
For information about the terms of use for Fishsticks, please see our Terms of Service.