Guardian account and consent records
Purpose and business need: Authenticate the adult, operate the family account, preserve the privacy choices that authorize child-profile use, and provide account support.
Deletion timeframe or trigger: Kept while the family account is active. Active account records are deleted when verified account closure completes, except for the narrow legal, security, and trial-eligibility records described below.
Child profile, placement, progress, and game records
Purpose and business need: Select reading activities, preserve game progress, adapt support, and show the guardian what the child practiced.
Deletion timeframe or trigger: Kept only while the guardian maintains the child profile and family account. Deleted when the guardian deletes the profile or closes the family account. StarSeeker does not keep a separate advertising or analytics copy.
Child voice, recordings, and transcripts
Purpose and business need: Not applicable in public family play.
Deletion timeframe or trigger: Not collected or retained. Public family accounts cannot upload child audio through the speech routes and cannot enable microphone retention.
Authentication sessions and reset links
Purpose and business need: Keep the guardian or selected child signed in and support password recovery.
Deletion timeframe or trigger: Sessions end at logout, expiry, password/security revocation, child-session replacement, or account deletion. Supabase controls one-time verification and recovery-link expiry; used or expired links cannot be used as a lasting credential.
Subscription and checkout records
Purpose and business need: Provide the trial, subscription, billing portal, cancellation, receipts, charge support, and payment-fraud protection.
Deletion timeframe or trigger: Active billing references are removed or detached during account deletion. Stripe retains transaction records for its legal and financial obligations. StarSeeker retains only records reasonably required for accounting, disputes, security, and one-trial-per-family enforcement, then deletes or de-identifies them when that need ends.
Support and privacy-request correspondence
Purpose and business need: Resolve the request, document the response, and prevent an unauthorized disclosure or deletion.
Deletion timeframe or trigger: Normally deleted within 24 months after the request is resolved. A message may be kept longer only while a legal obligation, active dispute, fraud investigation, or security incident requires it.
Application backups
Purpose and business need: Recover from a service failure or corrupted database.
Deletion timeframe or trigger: Root-only application backups are automatically aged out so none remains longer than 14 days. Provider infrastructure backups follow the provider cycle and are used only for disaster recovery. Completed deletion requests must be reapplied before a restored service resumes.