✶   Privacy

Privacy Policy

Updated 22 May 2026

Koodinorppa is a learning app developed by Koodisto Digital (Business ID 2829298-1). This privacy policy describes what data the app processes, how it is used, and how you can manage it. The policy is aligned with the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act, and accommodates equivalent rights for residents of the UK, California (CCPA/CPRA), and other jurisdictions.

At a glance

• We do not use advertising or analytics trackers in the app.
• We do not share your data with third parties.
• Sign-in uses Sign in with Apple — Apple can anonymize your email if you choose.
• Your progress is stored in your own iCloud account (CloudKit Private Database) — not on our servers.
• You can delete your account at any time from the app's Settings, which clears your data from iCloud.

1. Data controller

Koodisto Digital
Business ID: 2829298-1
Email: [email protected]

2. What data we collect

2.1 Sign in with Apple data

When you sign in to Koodinorppa, Apple provides us with:

• Stable user ID — a pseudonymous identifier we use to recognize you on return visits. It is not your email address or Apple ID name.
• Name (only on first sign-in, if you shared it) — used as the default display name on your profile, which you can edit.
• Email address (only on first sign-in, if you shared it) — Apple may provide an anonymized "private relay" address if you chose "Hide My Email". We use it only to route support replies.

2.2 Gameplay data

• Progress: XP points, streaks, completed lessons, mistakes
• Profile: display name, selected language, level, league
• Country code: ISO 3166 code (e.g. FI, SE) for the leaderboard flag — derived from your iOS settings, not from geolocation
• Activity: last active day (used to maintain your streak)

2.3 Aggregate analytics

Aggregated analytics from App Store Connect (downloads, crashes, session durations) come directly from Apple — we see only aggregated statistics, no personal data. We do not embed a third-party analytics SDK.

2.4 What we do not collect

• We do not collect location data (other than the country code above)
• We do not collect your contacts or address book
• We do not collect browser history, app history, or other device data
• We do not engage in cross-app tracking (NSPrivacyTracking = false)

3. How we use the data

• App functionality: tailoring lesson content, saving progress, calculating streaks
• Leagues and leaderboards: via Game Center, your public display name and XP are visible to competitors (public CloudKit data)
• iCloud sync: moving progress between your devices
• Support: if you contact us, we use your email address to reply

We do not use your data for advertising or profiling, and we do not sell it to third parties.

4. Where data is stored

4.1 iCloud (CloudKit)

Most data is stored in your own iCloud account via Apple's CloudKit service:

• Private Database: your profile and progress (visible only to you)
• Public Database: your leaderboard entry (public: display name + XP)

Apple stores this data on its servers under the EU General Data Protection Regulation. See Apple's privacy policy.

4.1.1 International data transfer

Apple CloudKit servers are located in the United States, Europe, and Asia. By using Koodinorppa you accept that your data may be transferred to and stored on those servers. Apple acts as a data processor and adheres to the EU Standard Contractual Clauses (SCC) and the EU–US Data Privacy Framework (DPF) for personal data transferred to the United States. Koodisto Digital does not operate any third-country servers of its own.

4.2 Game Center

League and achievement data is stored in Apple's Game Center service. See Game Center terms.

4.3 Local device storage

UserDefaults settings (language, sound on/off, last active day) are stored locally on your device only, not in the cloud.

5. Data retention and deletion

We retain your data for as long as your account is active. You can, at any time:

• Sign out: Settings → My Account → Sign out. Your local cache is cleared.
• Delete your account: Settings → My Account → Delete account. Your CloudKit records are deleted, your leaderboard entry is removed, and local data is cleared.
• Request a copy of your data by email: send a request to [email protected]; we reply within 30 days under GDPR.

5.1 GDPR Art. 17 — Right to erasure

When you delete your account we trigger the removal of your CloudKit records immediately. Due to how Apple iCloud (CloudKit) works, deleted records can persist on Apple's servers for approximately 30 days, after which Apple permanently removes them from its backup and replication systems. Koodisto Digital cannot force Apple to accelerate this process, as Apple acts as an independent data processor. Apple complies with GDPR Art. 17 obligations as part of its own privacy practices.

6. Children's privacy

Koodinorppa is designed to be child-friendly. We do not collect data from children under 13 without parental consent, in line with Apple's Family Sharing system. Signing in with Apple under a parent's Apple ID or under a Family Sharing child profile ensures that the parent can manage usage with iOS Screen Time and Ask to Buy.

7. Your rights (GDPR)

If you reside in the EU/EEA you have the right to:

• Know what data we process about you
• Request rectification of your data
• Request deletion of your data ("right to be forgotten")
• Restrict processing
• Receive your data in a portable format
• Object to processing
• Lodge a complaint with a supervisory authority (the Finnish Data Protection Ombudsman)

Requests: [email protected]. We reply within 30 days.

8. Cookies and tracking

8.1 App

The Koodinorppa app does not use cookies or tracking. The Privacy Manifest declares NSPrivacyTracking: false — we do not use trackers covered by Apple's ATT framework.

8.2 Website (koodisto.org/koodinorppa)

We use Google Analytics 4 with anonymized IP to measure site traffic. This helps us understand where visitors come from and which pages are most useful, so we can improve the content.

• Before consent: we do not set GA4 cookies or send data to Google
• Consent: on your first visit we show a cookie banner (Accept / Decline)
• After acceptance: GA4 loads, sets _ga and _ga_* cookies, and sends page views (anonymized IP, no personalization)
• After declining: we set no cookies; your choice is stored in localStorage
• Changing your mind: clearing your browser cookies or this site's localStorage will restore the consent prompt

GA4 collects: page views, timestamps, referer, device type (mobile/desktop), country (from anonymized IP). We do not link these to personal data and we do not use them for advertising.

9. Changes to this policy

If we update this policy we will publish the new version on this page and notify users of material changes in the app. The date at the top shows the last revision.

10. Contact

Email: [email protected]
Postal address: Koodisto Digital, Finland
Business ID: 2829298-1

Data Protection Ombudsman (Finland): tietosuoja.fi