Skip to main content
← Back to app

Privacy Policy

Last updated: April 28, 2026

Coren is a family financial-literacy product operated by The Hiwat Group SL (Spain). This policy explains how we collect, use, and protect personal data — with particular care for the data of children.

Who controls your data

The Hiwat Group SL ("Coren", "we") is the data controller. The full corporate privacy framework — covering all Hiwat Group products, including Coren — is published at thehiwatgroup.com. This page summarises the parts that apply specifically to Coren.

What we collect

  • Parent account data: email, encrypted password, parent display name, billing tier and Stripe customer reference (no card numbers — Stripe stores those).
  • Child profile data (with parental consent): first name or chosen alias, age band (6-9, 10-13, 14-17), avatar choice, theme preference, child PIN (hashed), virtual coin balance, savings, pet state, and educational progress. We do not require legal name, date of birth, or any government identifier.
  • Activity: chores, missions, savings goals, virtual coin transactions, article reads. This data exists to make the product work and to surface progress to the parent.
  • Technical: device type and browser, anonymised event names (signup_started, paywall_shown etc.) via PostHog. No tracking cookies are written without consent.

Children's data — Article 8 GDPR / COPPA

Coren does not allow a child to create an account directly. Every child profile is created and authorised by a parent, who provides explicit parental consent for the processing of their child's data when they first add a child profile. The consent text is shown at sign-up and again whenever its version is updated.

You can withdraw consent and request erasure of all data tied to a child profile at any time via Settings → Data erasure in the app. Erasure runs within 30 days.

What we never do

  • We never sell personal data.
  • We never show advertising to children.
  • We never move real money inside the app — Coren is a learning layer, not a payment processor.
  • We never share child data with third parties for marketing.

Where data is stored

Application data lives in Supabase (PostgreSQL). Stripe processes billing data. PostHog handles anonymised analytics. Hosting is in the European Union. No data is transferred outside the EEA without a lawful transfer mechanism in place.

Your rights

Under GDPR you have the right to access, correct, delete, restrict, or port your personal data, and to object to processing. To exercise these rights, contact info@thehiwatgroup.com from the email associated with your account. We respond within 30 days.

Contact

Questions about this policy: info@thehiwatgroup.com · The Hiwat Group SL · thehiwatgroup.com