Privacy Policy

Last updated: March 2026 · Effective: March 2026

Summary: HeyAskr is controlled by parents. Children never create accounts and we never store what they say. We collect only what is necessary to run the service. We do not sell your data. Ever.

1. Who we are

HeyAskr is operated by Daníel Þór Magnússon, an individual trader based in Reykjavík, Iceland. For the purposes of GDPR, we are the data controller of your personal data.

Contact for privacy matters: legal@heyaskr.com

2. Who this service is for

HeyAskr is a parent-controlled service. Only adults aged 18 or over may create an account. Children do not register, do not have their own profiles, and interact with HeyAskr solely through a session initiated and supervised by a parent or legal guardian. We do not knowingly collect personal data directly from children.

HeyAskr is designed for children aged 5–18. In the context of EU law (GDPR Article 8) and US law (COPPA), all accounts are held by the parent, making HeyAskr a mixed-audience service in which only adults are data subjects in the traditional sense.

3. What data we collect

3.1 Account data (parents)

  • Email address — used for login and service communications
  • Encrypted password — managed via Clerk authentication
  • Subscription status and billing history — managed via Stripe

3.2 Child profile data

Parents may enter a child's first name and approximate age to personalise responses. This information is stored in your account and never shared with third parties for advertising, profiling, or AI training purposes.

3.3 Parent rules and settings

The rules, preferences, and instructions you write as a parent are stored in our database. They are used solely to configure HeyAskr's responses for your child. They are not used to train any AI model.

3.4 Conversation data

Child conversations are never stored on our servers. When a chat session ends, the conversation is permanently gone. We have no record of what your child said or what HeyAskr replied.

During an active session, messages are transmitted to our AI providers (Anthropic and OpenAI) to generate responses. See Section 5 for how those providers handle data.

3.5 Technical and usage data

  • IP address — for security and fraud prevention
  • Browser type and operating system — for technical compatibility
  • Pages visited and time spent — aggregate only, used to improve the service
  • Error logs — to diagnose and fix technical issues

4. Why we collect your data (legal basis under GDPR)

  • Performance of a contract (Article 6(1)(b)): Your email, password, and payment data are necessary to provide the service you signed up for.
  • Legitimate interest (Article 6(1)(f)): Technical and usage data is processed to maintain security, prevent fraud, and improve the service.
  • Legal obligation (Article 6(1)(c)): We retain certain financial records as required by Icelandic accounting law (minimum 7 years).

5. Third-party services and AI providers

HeyAskr relies on the following third-party services. We share only the minimum data necessary for each to function:

Anthropic (Claude AI)

Messages sent during a child's session are transmitted to Anthropic to generate responses. Anthropic processes these messages under our API agreement. Anthropic does not use API data to train its models unless explicitly opted in — we have not opted in. Anthropic's privacy policy: anthropic.com/privacy

OpenAI (Text-to-speech)

If the voice feature is enabled, text responses are sent to OpenAI's TTS API to generate audio. We do not send child names or identifying information. OpenAI does not use API data to train models by default. OpenAI's privacy policy: openai.com/privacy

Clerk (Authentication)

Manages secure login, session tokens, and password management for parent accounts. Clerk processes your email and authentication data. clerk.com/privacy

Supabase (Database)

Stores parent account data, child profiles, and parent rules. Supabase uses EU-based servers. supabase.com/privacy

Stripe (Payments)

Handles all payment processing. We never see or store your full card number. Stripe is PCI-DSS certified. stripe.com/privacy

Vercel (Hosting)

Hosts the HeyAskr web application. Vercel may process IP addresses and request logs. vercel.com/legal/privacy-policy

We do not sell your data to any third party. We do not use advertising networks. No data is shared for marketing or profiling purposes.

6. AI training — explicit statement

HeyAskr does not use any data — from parents or children — to train AI models, including our own systems or those of third parties.

Messages sent during sessions are processed in real-time by Anthropic and OpenAI under API agreements that prohibit the use of API data for model training by default. We have made no election to change this default. No child conversation data is retained by us or shared for AI training purposes.

This is consistent with the requirements of the FTC's updated COPPA Rule (effective June 2025), which requires explicit parental consent before children's data may be used to train AI systems.

7. How long we keep your data

  • Child conversation data: Never stored. Zero retention.
  • Child profile data (name, age): Retained while your account is active. Deleted within 30 days of account closure.
  • Parent rules and settings: Retained while your account is active. Deleted within 30 days of account closure.
  • Account data (email, auth): Retained while your account is active. Deleted within 90 days of account closure upon request.
  • Payment records: Retained for 7 years as required by Icelandic accounting law (Act No. 145/1994).
  • Technical logs: Retained for up to 90 days for security purposes, then deleted.

We do not retain any personal data indefinitely. This policy is consistent with the FTC's 2025 COPPA Rule requirement for a written data retention policy with defined deletion timeframes.

8. Your rights under GDPR

As a resident of the EEA, you have the following rights:

  • Right of access (Article 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Article 16): Ask us to correct inaccurate or incomplete data.
  • Right to erasure (Article 17): Ask us to delete your personal data ("right to be forgotten").
  • Right to data portability (Article 20): Receive your data in a structured, machine-readable format.
  • Right to object (Article 21): Object to processing based on legitimate interest.
  • Right to restriction (Article 18): Ask us to limit how we process your data.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw at any time.

To exercise any of these rights, email legal@heyaskr.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Icelandic Data Protection Authority: personuvernd.is

9. Children's privacy (GDPR and COPPA)

HeyAskr is designed from the ground up to protect children's privacy:

  • Children never create accounts or provide personal data directly to HeyAskr.
  • All accounts are held by adults (18+) who are parents or legal guardians.
  • Child conversations are never stored — not in our database, not in logs, not anywhere.
  • We do not share any child-related data with third parties for advertising, analytics, or AI training.
  • We do not collect biometric identifiers from children. The voice (TTS) feature converts text to audio only — no voice recordings from children are captured or stored.
  • Child profile data (first name and age) is stored only under the parent's account and used only to personalise the service for that child.

These practices are consistent with the EU's GDPR (including Article 8 on children's consent), the UK GDPR, and the US Children's Online Privacy Protection Act (COPPA), including the FTC's 2025 Rule amendments.

10. Cookies

We use essential cookies only — to keep you logged in and to protect against cross-site request forgery. We do not use advertising, analytics, or tracking cookies. See our full Cookie Policy.

11. International data transfers

HeyAskr primarily stores data within the EU (Supabase EU servers). Where data is transferred outside the EEA (for example, to Anthropic or OpenAI in the United States), we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for transfer, consistent with GDPR Chapter V requirements.

12. Security

We implement appropriate technical and organisational measures to protect your data, including encrypted connections (TLS), hashed passwords, role-based access controls, and regular security reviews. However, no system is perfectly secure. In the event of a data breach that affects your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform you without undue delay, as required by GDPR Articles 33–34.

13. Changes to this policy

We will notify you by email at least 14 days before any material changes to this policy take effect, and will update the effective date above. For minor clarifications, we will update the policy without prior notice. Continued use of HeyAskr after the effective date of changes constitutes acceptance.

14. Contact and complaints

Privacy questions or requests:

  • Email: legal@heyaskr.com
  • We aim to respond within 5 business days and will always respond within 30 days.

You also have the right to complain to a supervisory authority. In Iceland: Persónuvernd (personuvernd.is). In your EU member state of residence: the relevant national data protection authority.