Privacy Policy
Effective: 10 June 2026
Data controller: Malggu, [Your registered business address — update in Framer]. Privacy contact: privacy@malggu.com
This policy covers malggu.com, market.malggu.com, wordbook.malggu.com, and related interactive learning Services. It applies to users in the UK, EEA, Korea, the United States, and worldwide. Where GDPR or UK GDPR applies, you have the rights in Section 9.[EU-6]
1. Data we collect
- Account: email, password hash, consent choices, age confirmation flag.[KR-15]
- Purchase & redeem: order references, license/redeem keys, purchaser email (via Polar checkout and market.malggu.com).
- Learning & games: wordbook/quiz progress, scores, deck completion, faction/profile choices, simulation dialogue selections, session timestamps. We do not require camera data for core account features.
- Usage: pages visited, device/browser, IP (short retention) — analytics only with cookie consent.[EU-7]
- Support: messages you send us.
- Phone (optional): if you provide a number and consent to SMS marketing.
2. Lawful bases (GDPR Art. 6)
- Contract: account, delivery of digital products, license redemption, support, saving game progress tied to your account.[EU-6]
- Consent: marketing use of data, promotional email/SMS/push, analytics cookies, marketing cookies, and camera access in Magic Motion games. Withdraw anytime without losing core Services (except camera-based features).[EU-7][KR-22-5]
- Legitimate interests: security, fraud prevention, essential server logs — not for analytics cookies or promotional email.
- Legal obligation: tax and accounting.
3. Processors (who helps us)
We use trusted providers under data processing agreements:
- Supabase — auth, database (USA; SCCs).
- Polar — payments, merchant of record & license delivery.
- Cloudflare — CDN & security.
- Framer — website hosting (www).
- Google Analytics — only if you accept analytics cookies.
- Email provider — transactional and (if opted in) marketing email.
We do not sell your personal data.
4. Marketing & promotional messages
Service messages (receipts, redeem keys, password reset, security) — sent under contract; no marketing consent required.
Optional marketing requires separate choices at signup or in account settings. Refusing marketing does not block signup, purchase, or use of learning games.[KR-22-5][EU-7]
- Marketing use of personal data (events, offers, recommendations).
- Promotional email, SMS, or app push — each channel separately.
Free gift: optional marketing opt-in may include a free starter PDF. Not required to sign up or buy.
Withdraw in account privacy settings or via unsubscribe links. We keep proof of consent/withdrawal (timestamps, policy version).[KR-15]
5. Cookies & similar technologies
Essential (always on): login session, malggu_at cross-site auth, checkout, security.
Analytics (opt-in): e.g. Google Analytics — loaded only after you accept in the cookie banner.
Marketing (opt-in): ad measurement cookies — only after consent.
Change choices anytime via “Cookie settings” in the footer. Rejecting non-essential cookies does not block the site.[EU-7]
6. Third-party links
Our Services may link to other websites (Polar checkout, social profiles, partner venues shown in Simulation). Those sites are operated by third parties with their own privacy policies. Review their policies before you provide personal information.
7. International transfers
Data may be processed in the USA and other countries. For UK/EEA users we use Standard Contractual Clauses and processor agreements. Request copies via privacy@malggu.com.
8. Retention
- Account: until deletion request, then erase within 30 days (except legal holds).
- Consent logs: consent period + up to 3 years for proof.
- Game progress: while your account is active, unless you delete it.
- Purchases: 5–7 years for tax/accounting where required.
9. Your rights
Access, rectification, erasure, restriction, portability, object to processing, withdraw consent, complain to a supervisory authority (ICO UK, your EU DPA, or PIPC Korea). Email privacy@malggu.com — we respond within one month.[EU-6]
10. Children
Malggu is an educational product but not directed at young children without appropriate safeguards. At signup we require you to confirm you meet the minimum age for your region:
- European Economic Area / UK: 16, or the lower age set by your country (not below 13) with parental consent below 16.[EU-8]
- Republic of Korea: under 14 requires verifiable consent from a legal guardian; we do not knowingly collect data from under-14s without that process.[KR-22-2]
- United States: we do not knowingly collect personal information from children under 13 (COPPA). If you believe a child under 13 has registered, contact privacy@malggu.com for deletion.[US-COPPA]
Camera-based games are offered only after a separate in-game consent step (see Section 13). Parents/guardians may contact us to review or delete a minor's account.
11. Camera & motion (Magic Motion games)
Some games (e.g. Grammar Spells / Magic Motion) may ask to use your device camera to detect body movement for gameplay. This is optional and requested only when you enter those games — not at account signup.[KR-ICT][EU-13]
- On-device processing: video frames are processed in your browser (e.g. TensorFlow.js / MediaPipe). We do not upload raw video or store your face on our servers by default.
- What we may store: gameplay results (scores, spell success, session duration) linked to your account — not raw camera recordings.
- Refusal: you may decline camera access and use non-camera study modes where available. Declining does not block your account, purchased content, or non-camera games.[KR-ICT]
- Withdrawal: revoke camera permission in browser settings; previously saved scores remain unless you delete your account.
12. Korea Simulation & sponsored content
Our Korea Simulation experience may show maps, landmarks, fictional cafés, and real or partner restaurants/cafés for language practice. Some locations may be sponsored or promotional — they are labelled in-game (e.g. “Sponsored” / “Partner”).[KR-AD]
- Dialogue scenarios are for learning only — not professional travel, immigration, or legal advice.
- We may log which scenarios you complete and choices you make to improve learning paths (contract/legitimate interest). We do not sell this data to sponsors.
- Partner names, logos, and offers are provided by those businesses; their own terms apply if you visit or purchase from them.
13. Security & breaches
We use encryption, access controls, and monitoring. If a breach risks your rights, we will notify you and regulators as required by law.
14. Changes
We may update this policy. Material changes are posted here and may be emailed. Consent-based processing (marketing, camera, analytics) may need fresh consent after major changes.
Legal references (MCP-verified, 22 Jun 2026)
[KR-22-2] Personal Information Protection Act (PIPA) Art. 22-2 — consent of legal guardian for children under 14 (korean-law MCP / law.go.kr).
[KR-15] PIPA Art. 15 — notice of purpose, items, retention period when obtaining consent.
[KR-22-5] PIPA Art. 22(5) — must not refuse service because user declines optional consent (e.g. marketing).
[KR-ICT] Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. Art. 22-2 — notice and consent for device access permissions; no service denial for non-essential permissions.
[KR-AD] Act on Fair Labeling and Advertising Art. 3 — prohibition of false, exaggerated, or deceptive advertising.
[EU-6] GDPR Regulation (EU) 2016/679 Art. 6 — lawfulness of processing (EUR-Lex CELEX 32016R0679).
[EU-7] GDPR Art. 7 — conditions for consent; consent must be distinguishable and not bundled with unnecessary processing.
[EU-8] GDPR Art. 8 — child consent for information society services (default 16; Member States may reduce to 13).
[EU-13] GDPR Art. 13 — information to be provided when data are collected from the data subject.
[US-COPPA] U.S. Children's Online Privacy Protection Act — no knowing collection from under-13 without verifiable parental consent; see e.g. In Re Nickelodeon Consumer Privacy Litigation (CourtListener MCP, 2016).
