Skip to main content
← Back to Coren

COREN PRIVACY ADDENDUM

Last updated: May 3, 2026
Document version: v1.1
Applies to: Coren — the family financial-literacy product operated by The Hiwat Group Sociedad Limitada ("THG SL").

How this Addendum works

This Addendum sits on top of THG SL's general Privacy Notice, which remains the foundational document governing how THG SL processes personal data across all its activities. The general Privacy Notice continues to apply in full. This Addendum only adds, clarifies, or extends specific items where Coren — as a consumer-facing family product — collects or uses data differently from THG SL's other professional and educational services.

In the event of any discrepancy between the THG SL Privacy Notice and this Addendum, this Addendum prevails for matters specific to the Coren product; for all other matters, the THG SL Privacy Notice governs.

1. Who We Are (Coren)

Coren is operated by THG SL. THG SL remains the Data Controller responsible for processing your personal data, as set out in §1 of the THG SL Privacy Notice.

Contact for Coren-specific privacy questions: assistant@thehiwatgroup.com.

2. What Data We Collect (Coren-specific additions)

In addition to the categories listed in §2 of the THG SL Privacy Notice, Coren collects the following data when parents and children use the product:

2.1 Parent account data

  • Email address (account login + service communications)
  • Co-parent email address, where the parent links a co-parent to the household
  • Display name
  • Subscription tier and billing status
  • Marketing communications preferences (where the parent has opted in — see §3.4)

2.2 Child profile data

We collect the minimum data necessary to operate the product for each child the parent adds to their household:

  • Display name or nickname (chosen by the parent)
  • Age range — one of "3–5", "6–9", "10–13", or "14–17". We do not collect a child's exact date of birth. The age range is used solely to present age-appropriate financial-literacy content.
  • Theme and avatar preferences (purely cosmetic, in-app personalisation)
  • Hashed PIN used for the child's in-app login. PINs are stored as a one-way hash; the original PIN cannot be retrieved.

2.3 In-app activity data

Coren stores records of in-app activity needed to operate the product:

  • Virtual coin balance and transaction history (Coren coins are an in-app virtual currency only — no real money is held, transferred, or withdrawn through the product)
  • Mission completion records and quiz scores
  • Pet, store, and home preferences and inventory
  • Streaks and progression milestones

2.4 What we do not collect

Coren does not collect:

  • A child's exact date of birth
  • Real-money payment instruments held in a child's name
  • Bank account numbers, card PANs, or financial credentials of any kind from a child
  • Geolocation data beyond the country-level information necessary for service delivery
  • Any other special-category data of the child as defined in GDPR Art. 9, unless legally required

2.5 Guidi (in-product educational character)

Coren includes an educational character called Guidi who appears in the product to explain financial-literacy concepts and answer common questions.

  • In child contexts, Guidi's responses are deterministic. They are selected from a curated, manually-authored content library based on rule-based logic. Guidi is not an AI system in the meaning of EU Regulation 2024/1689 (the AI Act) when used by children, and no machine-learning inference is used to generate Guidi's responses to child users.
  • In parent contexts, parents may optionally enable an external AI provider via a Bring-Your-Own-Key (BYOK) configuration to enrich Guidi's responses for the parent's own use in supporting their child's education. This is opt-in, parent-only, and never extends into child accounts. The architectural separation is enforced in code: child accounts never communicate with external AI providers, regardless of what the parent has configured.

THG SL has deliberately chosen this architecture to keep AI-generated content out of child accounts.

3. Why We Use Your Data (Coren-specific additions)

In addition to the purposes listed in §3 of the THG SL Privacy Notice, Coren processes data for the following purposes:

3.1 Operating the product

  • Authenticating parent and child accounts
  • Maintaining the family household structure (parent, co-parent, children)
  • Recording in-app activity (coins, missions, streaks, pet, store) so that the product functions across sessions and devices

3.2 Age-appropriate content

  • Filtering missions, articles, and other content to match the age range of each child
  • Adjusting copy, examples, and complexity to the child's age band

3.3 Service communications (transactional)

  • Account confirmations, security notifications, and billing communications
  • Service incidents, terms updates, and policy changes

3.4 Marketing communications (opt-in only)

Where the parent has explicitly opted in, Coren may send:

  • Product updates and new-feature announcements
  • Educational content and tips related to family financial literacy
  • Occasional surveys to improve the product

The parent can opt out at any time via their Coren parent settings or by contacting assistant@thehiwatgroup.com. Opting out has no effect on the parent's ability to use the product.

This is the only Coren-specific extension to the THG SL Privacy Notice's commitment in §5 — "We do not sell personal data or share it for marketing purposes." THG SL still does not sell personal data and does not share it with third parties for their marketing purposes. Coren may, with the parent's explicit opt-in, send the parent its own product-related communications.

4. Legal Bases for Processing (Coren-specific additions)

In addition to the legal bases listed in §4 of the THG SL Privacy Notice, the following bases apply to Coren:

  • Performance of a contract (GDPR Art. 6(1)(b)) — operating the parent's Coren account, the household structure, and the child profiles the parent has set up
  • Legal obligation (GDPR Art. 6(1)(c)) — meeting our obligations under GDPR, LOPDGDD, and Spanish consumer-protection law
  • Legitimate interests (GDPR Art. 6(1)(f)) — security, fraud prevention, abuse mitigation, and quality assurance of the Coren service
  • Explicit consent (GDPR Art. 6(1)(a)) — for marketing communications under §3.4 above, and for any processing where consent is the appropriate basis under applicable law

4.1 Children's data — universal parental control

Coren is designed for global use across multiple jurisdictions. Rather than tying the product's protections to any single national age threshold, Coren operates on the principle that the parent or legal guardian holds absolute control over a child's account: account creation, age range setting, content filtering, PIN reset, pause, and deletion are all parent-only operations. Children themselves do not exercise data-protection rights directly in Coren; the parent acts on the child's behalf throughout.

This stance is intended to satisfy or exceed the parental-consent requirements of the GDPR (Art. 8), the Spanish LOPDGDD (Art. 7), the UK Data Protection Act, the US Children's Online Privacy Protection Act (COPPA), and other relevant child-protection frameworks.

The parent may withdraw consent at any time, which results in deletion of the child's profile and associated data, subject to the retention periods in §6 below.

5. Who We Share Data With (Coren-specific additions)

The general principles in §5 of the THG SL Privacy Notice apply to Coren in full. THG SL still does not sell personal data, and still does not share personal data with third parties for those third parties' marketing purposes.

Coren-specific processors include:

  • The Coren application's hosting and database providers (currently Supabase and Vercel — both cover the EU as standard, with Standard Contractual Clauses where any data transit may touch a non-EEA region)
  • Email service providers used to send transactional and (opt-in) marketing communications
  • Payment processors used to handle subscription billing

All processors are contractually bound to handle data only on THG SL's documented instructions and to apply at least the same standard of protection as THG SL itself.

6. Data Retention (Coren-specific additions)

The general retention principles in §6 of the THG SL Privacy Notice apply. In addition, for Coren:

  • Active accounts: child profile data and in-app activity are retained for the duration of the parent's active Coren subscription, plus a limited grace period after cancellation to enable reactivation.
  • Cancelled accounts: child profile data and in-app activity are deleted within 90 days of subscription cancellation, unless the parent requests immediate deletion or longer retention is required by law.
  • Marketing preferences: opt-in records are retained for as long as the marketing relationship is active, plus a reasonable period afterwards to demonstrate compliance with consent rules.
  • Accounting / payment records: retained as required by Spanish law (currently four years for tax-related records, six years for commercial records — same as THG SL).

A parent may request immediate deletion of any child profile, or of their entire household, by contacting assistant@thehiwatgroup.com.

7. Your Rights (Coren-specific notes)

The full set of rights listed in §7 of the THG SL Privacy Notice applies to all data Coren processes. Specifically, parents may:

  • Access the data held about them and their children in Coren
  • Correct inaccurate data — for instance, updating a child's age band or display name via the parent settings
  • Request deletion of a child profile or the entire household
  • Restrict or object to specific processing, including marketing communications (which can be turned off at any time)
  • Request data portability — an export of the parent's account data and the children's profile data in a structured, machine-readable format

Requests can be made by contacting assistant@thehiwatgroup.com as set out in the THG SL Privacy Notice.

Children themselves do not exercise these rights directly within Coren; the parent who set up the child profile acts on the child's behalf. Once a person reaches the age of majority under the law applicable to them, they may contact us to assume direct control of any data still held about them.

8. Data Security (Coren-specific additions)

The general security principles in §8 of the THG SL Privacy Notice apply. In addition, Coren applies these measures:

  • Child PINs are stored as a one-way hash and cannot be retrieved
  • Parent accounts are protected by password authentication; admin accounts (those with elevated access to the Coren backend) are additionally protected by two-factor authentication
  • Access to child data within the Coren backend is minimised — staff debugging tools surface identifiers (e.g. anonymous child IDs) rather than child names wherever practical
  • Coren is a digital-only product; no real-money transactions occur in the product itself

9. International Transfers

The general principles in §5 of the THG SL Privacy Notice apply unchanged. Where any Coren processor is located outside the European Economic Area, transfers are protected by GDPR-approved safeguards, such as Standard Contractual Clauses.

10. Updates to This Addendum

This Addendum may be updated from time to time. Material changes will be communicated to parents in-product and may require fresh consent before the parent can continue using the product, in line with the Coren consent versioning system.

The current version of this Addendum is shown at the top of this document.

11. Governing Law

This Addendum is governed by Spanish law. The general jurisdiction and dispute resolution provisions of THG SL (§7 of the Legal Notice and §10 of the Terms & Conditions) apply.

12. English Version Notice

This Addendum is provided in English for convenience. If a Spanish version is published, the Spanish version shall prevail in the event of any discrepancy, consistent with §7 of the THG SL Legal Notice.

Coren Privacy Addendum · Coren · The Hiwat Group SL