1. Who we are (data controller)
BeeBee Tones AB (org. nr. 559589-2323), a Swedish limited company, is the data controller for the Fabeligo app under the EU General Data Protection Regulation (GDPR) and equivalent laws.
- Controller: BeeBee Tones AB, Sweden
- Contact: [email protected]
Because BeeBee Tones AB is established within the EU, we act as your direct point of contact for privacy matters and do not appoint a separate Article 27 representative. For data-protection questions you may also contact the Swedish supervisory authority, the Integritetsskyddsmyndigheten (IMY).
2. The short version
- No account, no sign-up, no email required to use the app.
- No advertising and no advertising SDKs anywhere in Fabeligo.
- No analytics or attribution SDKs that profile users or children.
- We do not use push notifications.
- Subscriptions are handled by Apple and Google. We never see your card or your name.
- Listening history, favourites and progress live on your device only.
- We comply with COPPA, GDPR / GDPR-K, the EU Digital Services Act (DSA) and the UK Children’s Code by design.
3. What we collect (and what we don’t)
Fabeligo processes only what is strictly required to deliver stories to your device and to operate subscriptions through the App Store and Google Play.
What we process:
- Story content requests. When you stream or download a story, our content delivery network receives a request for the relevant audio and illustration files. This request includes a device IP address, which is processed transiently to deliver the file. We do not link these requests to a person, a child, or a subscription, and we do not build a listening profile from them.
- Server logs. Our content provider keeps standard security logs (including truncated/anonymised IP addresses) for a short period to protect the service against abuse and attacks. See §7 for retention.
- Subscription status. When you buy a subscription or one-off purchase, Apple, Google and our subscription middleware (RevenueCat) tell our servers, via an opaque anonymous identifier, only that “a device has an active Fabeligo entitlement.” We receive a transaction identifier and an anonymous App User ID, never your name, email, billing address, or card details.
What we do not collect: name, email address, phone number, precise or coarse location, contacts, photos, microphone audio, listening history, favourites, advertising identifiers, or anything tied to a child’s identity.
Crash and diagnostic data. Fabeligo contains no third-party crash-reporting or analytics SDK. The only diagnostic data that may be produced is the standard operating-system crash and performance reporting that Apple (iOS) and Google (Android) collect at the platform level. That data goes to Apple or Google under their privacy policies and platform settings (not to BeeBee Tones AB), and you can disable it in your device’s privacy settings (iOS: Settings → Privacy & Security → Analytics & Improvements; Android: Settings → Google → Usage & diagnostics).
4. Who receives data (sub-processors)
We keep the recipient list as short as the product allows. Each recipient receives only the narrow, mostly anonymous data described below.
| Recipient | What they receive | Why | Location / safeguard |
|---|---|---|---|
| Cloudflare (R2 + CDN) | Content-file requests; device IP transiently; short-lived security logs | Deliver story audio and illustrations; protect the service | Global edge network; EU/US transfers under Standard Contractual Clauses (SCCs) |
| RevenueCat | Anonymous App User ID, transaction/entitlement identifier, subscription state | Validate and restore subscriptions across devices | United States, under SCCs |
| Apple (App Store) | Your payment and account data, handled entirely by Apple | Process purchases and subscriptions | Per Apple’s privacy policy |
| Google (Play) | Your payment and account data, handled entirely by Google | Process purchases and subscriptions | Per Google’s privacy policy |
We do not sell, rent, or share personal data with anyone for advertising, marketing, or profiling. We have no other sub-processors. RevenueCat’s policy is at revenuecat.com/privacy; payment data is governed by Apple’s and Google’s policies respectively.
5. Legal basis for processing (GDPR Article 6)
For users in the EU/EEA and UK, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)). Delivering story content to your device and operating the subscription you purchased.
- Legitimate interests (Art. 6(1)(f)). Keeping the service secure and available, for example short-lived security logging to prevent abuse. We balance this against your rights and limit it to what is necessary; it never involves profiling.
- Legal obligation (Art. 6(1)(c)). Where we must retain limited transaction records to meet Swedish accounting and tax law.
We do not rely on consent for advertising or profiling, because we do none. We do not carry out automated decision-making or profiling that produces legal or similarly significant effects (Art. 22).
6. Children’s privacy (COPPA, GDPR-K, DSA, UK Children’s Code)
Fabeligo is designed for children aged 2–9, but is purchased and managed by a parent or guardian. Protecting children is the central design principle of the app.
- We do not knowingly collect personal information from children. The app requires no name, email, login, or any personal input from a child to function.
- No profiling of minors. We do not profile children, and we serve no advertising of any kind, so none of it is targeted at children. This satisfies DSA Article 28, which prohibits advertising based on profiling of minors and requires privacy, safety and security by design for services accessible to them.
- COPPA. We collect no personal information from users under 13, so there is no information requiring verifiable parental consent. Settings that affect a child’s experience or any spending are placed behind a parental gate.
- GDPR-K (Art. 8). Because we process no personal data of children that depends on consent, the member-state digital-consent ages (13–16 depending on country) do not gate use of Fabeligo. A parent or guardian is the contracting party.
- Push notifications. Fabeligo does not use push notifications, consistent with the FTC’s 2025 COPPA-rule treatment of push notifications as personal information from children.
- Parental rights. A parent or guardian may contact us at [email protected] to ask any question or exercise the rights in §9 on a child’s behalf.
7. How long we keep data (retention)
Our default is to keep nothing tied to you.
- On-device data (listening history, favourites, progress, downloads): kept on your device only, under your control, removed when you delete the app.
- Content-delivery & security logs: retained by Cloudflare for up to 30 days in line with their standard security-log retention, then deleted.
- Subscription / transaction records: the anonymous entitlement state is kept only while needed to operate your subscription; limited transaction records are retained where Swedish accounting law requires (up to 7 years), held in anonymised form with no link to a person.
We retain no other categories of personal data.
8. Where data is processed and international transfers
Story content is served from Cloudflare’s global edge network, with EU edge locations used where available. Subscription-status data is processed by RevenueCat in the United States. Where personal data is transferred outside the EU/EEA, the transfer is covered by Standard Contractual Clauses (SCCs) and, where applicable, supplementary measures. Apple and Google process payment data under their own published policies and transfer mechanisms. No personal data leaves your device for any other purpose.
9. Your rights
Under the EU GDPR, the UK GDPR, and equivalent laws, you have the right to access, rectify, erase, restrict, port, and object to the processing of personal data we hold about you, and to withdraw consent where processing is based on it. Because we deliberately hold almost no personal data tied to you, most of these rights have little or nothing to act on, but you may exercise them at any time.
- How to exercise them: email [email protected].
- On a child’s behalf: a parent or guardian may exercise these rights for their child.
- Response time: we respond within one month (30 days), as required by the GDPR, and free of charge in ordinary cases.
- Complaints: you may lodge a complaint with your local supervisory authority (in Sweden, the Integritetsskyddsmyndigheten (IMY)).
10. Regional addenda
European Economic Area & United Kingdom
The whole of this policy applies. For UK users, references to the GDPR should be read as the UK GDPR, and the relevant authority is the Information Commissioner’s Office (ICO). The UK Children’s Code (Age Appropriate Design Code) is met by the by-design measures described in §6.
California (CCPA / CPRA)
If you are a California resident:
- Notice at collection. The only information we “collect” is described in §3; we collect no sensitive personal information and none of the special categories defined by the CPRA beyond what is in §3.
- No sale or sharing. We do not sell or “share” (as the CCPA/CPRA define those terms, including for cross-context behavioural advertising) any personal information, and we do not do so for consumers we know to be under 16. There is therefore no “Do Not Sell or Share My Personal Information” action required, because none occurs.
- Your rights. You may request to know, delete, or correct personal information, and you have the right not to be discriminated against for exercising these rights. Exercise them via [email protected].
- Children. We do not have actual knowledge that we collect or sell the personal information of consumers under 16.
Other regions
If you are located elsewhere, your local data-protection law may grant you similar rights; we honour applicable equivalents on request.
11. Changes to this policy
We will update this page if anything material changes, and we record the date at the top. Where a change affects how we process personal data, we note it in the changelog below and, where appropriate, surface it in the app.
Changelog
- 8 June 2026: Full policy published, replacing the pre-launch placeholder: data-controller identity, sub-processor breakdown, GDPR legal bases, children’s-privacy section, retention, transfers, rights, and EEA/UK/California addenda.
12. Contact
For any privacy question, request, or concern, email [email protected]. A parent or guardian may contact us on a child’s behalf. We aim to respond within 30 days, and usually much sooner.