Privacy Policy

Effective Date: March 31, 2026

1. Who We Are

Tunik is operated by Mogul Living, Inc. ("Company," "we," "us," or "our"), a company incorporated in the State of California, USA, located in Los Angeles, CA.

Mogul Living, Inc. is the data controller responsible for your personal data. For privacy-related inquiries, contact our Privacy Team:

• Email: support@tunikstudios.com
• Mail: Mogul Living, Inc., Attn: Privacy Team, Los Angeles, CA, USA

2. Children's Privacy & Parental Consent

Tunik is a child-directed app. We comply with the Children's Online Privacy Protection Act (COPPA), the EU General Data Protection Regulation (GDPR) provisions for children, the UK Age Appropriate Design Code, and other applicable children's privacy laws worldwide.

2a. Verifiable Parental Consent

Before any personal information is collected from or about a child, we take steps to obtain verifiable parental consent. Account creation is restricted to adults through one of the following methods:

• Apple Sign-In — The parent authenticates using their Apple ID, which is associated with a verified payment method on file with Apple.
• Email verification with subscription — The parent creates an account via a secure email magic link. Access to child profile features requires a subscription processed through the Apple App Store, which involves an authenticated Apple ID with a verified payment method.

Children cannot create accounts or profiles themselves. All account creation, profile setup, and settings management is gated behind adult-only authentication. We may implement additional parental verification methods in the future as industry standards and regulatory guidance evolve.

2b. What We Collect from Children

We collect the absolute minimum data needed to provide the service. All child data is set and managed by the parent:

• Display name — chosen by the parent, shown in the app
• Age band — a broad range (3–5, 5–7, 7–9, or 9–12) to filter age-appropriate content
• Avatar — a selection from predefined illustrations (no photos, no uploads)
• Listening activity — which stories the child plays, pauses, completes, or favorites, used solely to enable resume-playback and personalize recommendations

We do not collect names, addresses, phone numbers, photos, precise ages, dates of birth, location data, contact lists, or any other identifier directly from children.

2c. No Advertising & No Data Monetization

• We do not display advertisements of any kind — no banners, no video ads, no sponsored content.
• We do not use children's data for behavioral targeting or profiling.
• We do not sell, rent, lease, or trade personal information to any third party for any purpose.
• We do not permit third-party tracking technologies to collect data from children using our app.

2d. Parental Controls & Rights

We provide robust parental controls to keep parents in charge:

• Parent gate — A verification challenge (math problem) prevents children from accessing account settings, profile management, subscription controls, or dismissing bedtime timers.
• Profile management — Parents can create, edit, or delete child profiles at any time.
• Bedtime reminders — Parents can set a recurring bedtime timer that locks the app after a specified time.
• Full data control — Parents can review, correct, or delete all data associated with their child by contacting us at support@tunikstudios.com or using the in-app account deletion feature.
• Consent withdrawal — Parents may withdraw consent and request deletion of their child's data at any time. We will process such requests within 48 hours.

3. Information We Collect

3a. Account Information (from parents only)

• Email address — used for authentication via secure one-time magic link or Apple Sign-In
• Apple ID token — if you sign in with Apple (we receive only the information Apple shares per your privacy settings; we do not receive your Apple password)
• User ID — an opaque, randomly generated identifier created upon account registration

3b. Child Profile Information (set exclusively by parents)

• Display name — the name shown within the app interface
• Age band — a broad range (3–5, 5–7, 7–9, or 9–12) used solely to recommend age-appropriate stories
• Avatar — a selection from predefined illustrations (no photographs or custom images)

3c. Usage Data

• Playback history — which stories were played, paused, or completed
• Playback position — your place in a story so you can resume later
• Favorites — stories marked as favorites
• Downloads — which stories are saved for offline use (stored on-device only; not transmitted to our servers)

3d. Device & Technical Data

• App version and platform — to ensure compatibility and deliver updates
• Crash logs and error reports — automatically collected when the app encounters an error, used solely to diagnose and fix bugs
• Push notification token — a device-generated identifier used to deliver notifications you have opted into
• App Tracking Transparency (ATT) status — your preference regarding iOS tracking (we honor your choice; see Section 12)
• Language/locale setting — to display the app in your preferred language

3e. Subscription & Purchase Data

• Subscription status — whether you have an active plan, its type (monthly or annual), trial status, and expiration date
• Purchase verification tokens — exchanged with Apple's App Store servers to validate and renew subscriptions. We do not receive, process, or store credit card numbers, bank account details, or any direct payment information.

4. Information We Do NOT Collect

We want to be explicit about what we never collect:

• Credit card numbers or payment details (handled entirely by Apple)
• Precise or approximate geolocation
• Contacts, address books, or call logs
• Photos, videos, or camera access
• Microphone recordings
• Advertising identifiers (unless you explicitly grant ATT permission on iOS)
• Social media profiles or login credentials for other services
• Physical address, phone number, or government-issued identifiers
• Biometric data
• Browsing history outside of the Tunik app

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following:

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

6. How We Use Your Information

We do not use personal data for any purpose incompatible with the purposes listed above.

7. Third-Party Service Providers

We use a limited number of trusted third-party service providers to help operate Tunik. These providers fall into the following categories:

• Authentication & data infrastructure — to securely manage accounts, profiles, and app data
• Analytics & crash reporting — to understand aggregated usage patterns and fix bugs (anonymized data only)
• Push notification delivery — to send notifications to devices that have opted in
• Content delivery — to serve audio stories and illustrations quickly and reliably worldwide
• Subscription billing — Apple processes all payments; we only receive verification tokens

Each provider is subject to contractual obligations that require them to:

• Process data only for the specified purposes and in accordance with our instructions
• Implement appropriate technical and organizational security measures
• Not sell, share, or use the data for their own purposes
• Delete or return data upon termination of the relationship
• Handle children's data in compliance with applicable privacy laws

We do not share personal information with advertising networks, data brokers, social media platforms, or any party that would use it for marketing or profiling.

8. Tracking Technologies & Identifiers

Tunik is a native mobile application. We do not use browser cookies. However, we want to be transparent about the technologies used within the app:

• Device-generated tokens — Push notification tokens are generated by your device's operating system and used solely to deliver notifications. These tokens do not track you across apps.
• Anonymous analytics identifiers — Our analytics service generates a random app-instance identifier to group anonymous usage events. This identifier is not linked to your name, email, or any other personally identifiable information.
• Advertising identifier (IDFA) — On iOS 14.5+, we request your permission via App Tracking Transparency before accessing this identifier. If you decline, we do not access it. If you grant permission, it is used solely to measure the effectiveness of Tunik's own marketing campaigns — never for third-party advertising or cross-app tracking.
• Local storage — We store preferences, cached data, and downloaded content on your device using standard app storage. This data is sandboxed by the operating system and inaccessible to other apps.

9. Data Storage & Security

We implement multiple layers of security to protect your family's data:

• Encryption in transit — All data transmitted between the app and our servers uses TLS/HTTPS encryption.
• Encryption at rest — Account and profile data is stored in secure cloud infrastructure with AES-256 encryption at rest.
• Signed URLs — Audio and image content is served via cryptographically signed URLs that expire within minutes, preventing unauthorized access or link sharing.
• Authentication security — Sessions use industry-standard JWT tokens with automatic expiration and refresh. All API endpoints require authentication.
• Input validation — All inputs are validated and sanitized to prevent injection attacks.
• Webhook verification — Subscription events from Apple are verified using cryptographic signatures to prevent spoofing.
• On-device storage — Downloaded content is stored in the app's private sandbox, protected by iOS's built-in data protection.

Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we will:

• Notify affected users via email and/or in-app notification within 72 hours of becoming aware of the breach (as required by GDPR and recommended by best practice)
• Notify the relevant supervisory authority where required by law
• Describe the nature of the breach, the data affected, and the steps we are taking to address it
• Provide guidance on steps you can take to protect yourself

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy. Specific retention periods are as follows:

When you delete your account (available in the app under Parent Settings), we permanently delete all associated data within 30 days.

11. Your Rights

We respect your data rights regardless of where you live. Depending on your jurisdiction, you may have some or all of the following rights:

Rights available to all users

• Access — Request a copy of the personal data we hold about you and your children
• Correction — Update or correct inaccurate information
• Deletion — Delete your account and all associated data (available in-app or by contacting us)
• Opt-out of notifications — Disable push notifications via device settings at any time
• Parental review — Review all data associated with your child's profile
• Consent withdrawal — Withdraw consent for your child's data processing at any time

Additional rights for EEA, UK & Swiss residents (GDPR/UK GDPR)

• Portability — Receive your data in a structured, commonly used, machine-readable format (JSON or CSV)
• Restriction — Request that we limit how we process your data
• Objection — Object to processing based on legitimate interest
• Automated decisions — Tunik does not make automated decisions with legal or similarly significant effects. Content recommendations are preference-based and do not constitute profiling under GDPR.
• Supervisory authority — You have the right to lodge a complaint with your local data protection authority

California residents (CCPA/CPRA)

• Right to know — Request disclosure of the categories and specific pieces of personal information we have collected
• Right to delete — Request deletion of your personal information
• Right to non-discrimination — We will not discriminate against you for exercising your rights
• No sale of data — We do not sell or "share" (as defined by CPRA) personal information. We do not use sensitive personal information for purposes beyond what is necessary to provide the service.
• Shine the Light — California Civil Code Section 1798.83 permits California residents to request information regarding the disclosure of personal data to third parties for direct marketing. We do not disclose personal data for direct marketing.

Canadian residents (PIPEDA)

• You may request access to your personal information and challenge its accuracy.
• You may withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.
• Complaints may be directed to the Office of the Privacy Commissioner of Canada.

How to exercise your rights

Contact us at support@tunikstudios.com with the subject line "Privacy Rights Request." We will verify your identity using the email associated with your account and respond within:

• 30 days for GDPR/UK GDPR requests (extendable by 60 days for complex requests, with notification)
• 45 days for CCPA/CPRA requests (extendable by an additional 45 days with notification)
• 30 days for all other requests

12. App Tracking Transparency (iOS)

On iOS 14.5 and later, Apple requires apps to request permission before tracking users across apps and websites. When you first open Tunik, you may see a system prompt asking for tracking permission.

• If you allow tracking: We may use an anonymous identifier to measure how users discover Tunik (e.g., whether a marketing campaign led to an install). This data is never used for third-party advertising.
• If you decline tracking: We do not access any advertising identifier. Your experience in Tunik is identical — no features are restricted.
• Changing your choice: You can change your tracking preference at any time in iOS Settings > Privacy & Security > Tracking.

13. Push Notifications

We may send push notifications about new stories, features, or service updates. You have full control:

• Notifications are only sent after you explicitly opt in via the iOS permission prompt.
• You can disable notifications at any time in iOS Settings > Notifications > Tunik.
• Bedtime reminders are local notifications scheduled on your device by the parent. They do not transmit any data to our servers.

14. International Data Transfers

Tunik is operated from the United States. If you access the app from outside the US — including from the European Economic Area, United Kingdom, Canada, or any other jurisdiction — your personal data may be transferred to and processed in the United States.

For users in the EEA and UK, we ensure that international data transfers are protected by appropriate safeguards, including:

• Appropriate contractual safeguards with our service providers, including data protection commitments equivalent to those required under EU and UK data protection law
• Ensuring that all third-party processors maintain adequate levels of data protection for international transfers

By creating an account and using Tunik, you acknowledge and consent to the transfer of your data to the United States for the purposes described in this policy.

15. Age-Specific Consent Thresholds

Different jurisdictions define different ages at which individuals can provide their own consent for digital services. Because Tunik is designed for children ages 3–12, all users of our app are below the applicable consent threshold in every jurisdiction, and we therefore always require parental consent:

• United States (COPPA) — Under 13
• European Union (GDPR) — Under 16 (or lower as set by individual member states, but never below 13)
• United Kingdom — Under 13
• Canada (PIPEDA) — Determined by meaningful consent capacity, generally considered to be under 13
• South Korea (PIPA) — Under 14
• Australia — Under 18 (parental involvement recommended for under 16)

Because our app is exclusively for children within these age ranges, we treat all child data as requiring the highest level of parental consent and protection, regardless of jurisdiction.

16. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or the features of our app. When we do:

• Material changes — We will notify you via email and/or a prominent in-app notice at least 30 days before the changes take effect. Material changes include new categories of data collection, new third-party sharing, or changes to children's data practices.
• Non-material changes — Minor clarifications or formatting updates may be made without advance notice but will be reflected in the updated "Effective Date."
• Continued use — Your continued use of Tunik after the effective date of a revised policy constitutes acceptance of the changes. If you do not agree, you may delete your account.

17. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact our Privacy Team:

• Mogul Living, Inc.
• Attn: Privacy Team
• Los Angeles, California, USA
• Email: support@tunikstudios.com

For complaints related to data protection, you may also contact the relevant supervisory authority in your jurisdiction. For EU residents, a list of supervisory authorities is available at edpb.europa.eu.