Privacy Policy

Last updated: May 11, 2026
Effective date: December 29, 2020
Developer: Mehmet Canker ("we", "us", or "our")

This Privacy Policy applies to all mobile applications developed by Mehmet Canker, including but not limited to Coddy (coding education apps), Chibify (AI-powered image transformation app), and SafeChat AI (also published as KidsChat — a kid-safe AI chat app in Apple’s Kids Category and Google Play’s Designed for Families program). By using any of our applications, you agree to the collection and use of information as described below.

Different apps process different data. Section 12 of this policy lists the third-party services that apply to each individual app. Services that are listed in the general “Third-Party Services” section below (such as Firebase, AdMob, or Facebook SDK) are not used in our apps that target children — see Section 12.3 for SafeChat AI / KidsChat specifically.

1. Information We Collect

We may collect the following types of information when you use our applications:

  • Account Information: Email address, name (when provided via third-party sign-in such as Google, Apple, or Facebook). SafeChat AI / KidsChat does not use third-party sign-in — see Section 12.3.
  • Device Information: An anonymous device identifier (UUID) is generated locally on your device to manage your account, preferences, and subscription status. This identifier is not linked to your personal identity and is not shared with any third party for advertising purposes.
  • Usage Data: In our non-kids apps we collect anonymized analytics about feature usage and crash reports. SafeChat AI / KidsChat does not collect any analytics or crash data — see Section 12.3.
  • Photos and Images: In apps that offer image features (Chibify, and optionally in SafeChat AI for visual questions), you may submit photographs from your camera or photo library. These images are processed solely to generate the result you requested and are not retained on our servers after processing.
  • Subscription Data: Payment and subscription information is collected through the Apple App Store and Google Play Store. We do not directly collect or store your payment card details.
  • Chat Content (SafeChat AI / KidsChat only): The text messages and any optional photo your child sends through the chat are forwarded to our AI provider in order to generate a reply. See Section 2 for full details and Section 12.3 for what is specific to SafeChat AI.

2. AI-Powered Features and Third-Party AI Services

Some of our applications use artificial intelligence (AI) to provide core features. This section explains how your data is processed when you use these features.

2.1 What Data Is Sent to AI Services

When you use an AI-powered feature (e.g., image transformation, code generation, AI-assisted learning, or kid-safe AI chat), the following data may be sent to our AI service providers:

  • Content you provide: The photo, text message, or code snippet you submit for processing.
  • Style, mode, or age-group selection: The transformation style, processing mode, or (for SafeChat AI) the age group you have configured. SafeChat AI sends an age-band hint (e.g. “6-7”, “8-9”, “10-11”, “12-13”) so the model can return age-appropriate replies. We do not send the child’s exact birth date.

We do NOT send your name, email, account ID, contacts, location, advertising identifier, or device identifier to the AI service providers as part of any processing request.

2.2 Who Processes Your Data

We work with the following AI service providers to deliver AI-powered features. Each provider processes data in accordance with its own privacy policy:

  • OpenRouter (used by SafeChat AI / KidsChat for text): An AI request-routing platform that forwards text requests to the underlying language model. Submitted message text is sent to OpenRouter’s API and is subject to the OpenRouter Privacy Policy (https://openrouter.ai/privacy).
  • MiniMax — model M1 (used by SafeChat AI / KidsChat for text, via OpenRouter): The language model that generates text replies. Submitted text is processed by MiniMax under MiniMax’s Privacy Policy (https://www.minimax.io/privacy-policy).
  • xAI (Grok) — used in Chibify: Used for image generation and transformation. Your submitted photos are sent to xAI API for processing and are subject to the xAI Privacy Policy (https://x.ai/legal/privacy).
  • OpenAI — used in Coddy and other non-kids apps: Used for text generation, code assistance, and educational features. Submitted content is subject to the OpenAI Privacy Policy (https://openai.com/privacy).
  • Google — Gemini Flash (used by SafeChat AI / KidsChat for image analysis, and by Coddy and other non-kids apps for content generation): When a child attaches a photo to ask a visual question in SafeChat AI, the image is sent directly to Google’s Gemini Flash API for analysis. Submitted content is subject to the Google Privacy Policy (https://policies.google.com/privacy) and Google’s generative AI terms.

We may update the list of AI service providers from time to time. Any changes will be reflected in this Privacy Policy and, for SafeChat AI / KidsChat, will require a renewed in-app parental consent before any data is sent to the new provider.

2.3 How AI Processing Works

  • Your submitted content (photo, text, or code) is sent securely over HTTPS/TLS to the selected AI provider’s API.
  • The AI provider processes your content and returns the generated result.
  • No biometric data extraction, facial recognition, or facial identification is performed. No facial geometry, faceprint, or biometric template is created or stored by us or our AI providers.
  • The AI providers may temporarily retain the request for service-provision and abuse-prevention purposes in accordance with their respective retention policies. We do not retain the raw request body on our servers after the response is returned.

2.4 Your Consent

Before any data is sent to a third-party AI service for the first time, our application will:

  • Clearly inform you what data will be sent;
  • Identify the AI service provider(s) involved;
  • Ask for your explicit consent before proceeding.

For SafeChat AI / KidsChat, this consent is collected on a dedicated full-screen disclosure presented before any chat is possible, and is gated behind a parental verification step (a simple math/logic question that a young child cannot reliably answer alone). The consent decision is stored locally on the device. You may revoke consent at any time by deleting the app or by tapping “Reset consent” in Parental Controls; revoking consent disables all AI features.

3. Third-Party Services

Our applications use the following third-party services. Not every service is used in every app. See Section 12 for a per-app breakdown:

  • Firebase Analytics and Crashlytics (https://firebase.google.com/policies/analytics) — Anonymized usage analytics and crash reporting. Not used in SafeChat AI / KidsChat.
  • RevenueCat (https://www.revenuecat.com/privacy) — Subscription and in-app purchase management. RevenueCat receives an anonymous device-generated identifier and the App Store/Play Store transaction; it does not receive your name, email, or chat content.
  • AWS S3 / CloudFront (https://aws.amazon.com/privacy/) — Cloud storage for app bundle delivery (over-the-air updates) and, in apps that produce them, user-generated images.
  • Supabase (https://supabase.com/privacy) — Database and authentication services for user accounts, app data, and serverless API functions. For SafeChat AI / KidsChat, the only personally identifying data Supabase stores is the anonymous device UUID and an optional parent email if the parent enables daily reports.
  • Google AdMob (https://support.google.com/admob/answer/6128543) — Advertising. Not used in SafeChat AI / KidsChat or in any other app we publish in a kids/family category.
  • Google Play Services (https://www.google.com/policies/privacy/) — Core Android services.
  • Facebook SDK (https://www.facebook.com/about/privacy/update/printable) — Authentication and social features. Not used in SafeChat AI / KidsChat.

4. Data Retention

  • Original photos submitted for AI processing are temporarily held in server memory during the generation process and are not permanently stored on our servers after the result is generated.
  • Generated content (in apps that produce shareable output, e.g. transformed images) is stored in cloud storage and is accessible to you. You may request deletion at any time.
  • Chat messages (SafeChat AI / KidsChat): The most recent chat history is stored in our database for up to 30 days so the child can return to a recent conversation, after which it is automatically deleted. Parents can clear the history at any time from Parental Controls. The raw request body sent to the AI provider is not retained on our servers after the response is returned.
  • Account data is retained for as long as your account is active. Upon account deletion, your personal data is removed within 30 days.
  • Analytics data (in non-kids apps only) is anonymized and retained for up to 14 months for service-improvement purposes.

5. Data Sharing

We do not sell your personal data. We share data only with:

  • AI service providers, as described in Section 2, with your explicit consent;
  • Third-party services listed in Section 3, solely to provide the app functionality and limited to what is described in Section 12 for the specific app you are using;
  • Law enforcement, if required by applicable law.

6. Data Security

We use industry-standard security measures to protect your data, including encrypted data transmission (HTTPS/TLS), secure cloud infrastructure, and access controls. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

7. Children’s Privacy

Most of our apps (Coddy, Chibify, etc.) are not directed to children under the age of 13 and we do not knowingly collect personal information from children under 13 in those apps.

SafeChat AI (also published as KidsChat) is the exception: it is specifically designed for children aged 6–13 and is published in Apple’s Kids Category. For SafeChat AI we have engineered the app to be compliant with the U.S. Children’s Online Privacy Protection Act (COPPA), the U.K. Age-Appropriate Design Code, and Apple’s Kids Category requirements. The full data practices for SafeChat AI are described in Section 12.3 below; the highlights are:

  • No third-party advertising (no AdMob, no ad networks).
  • No third-party analytics (no Firebase Analytics, no Crashlytics, no Facebook SDK).
  • No social-login or third-party sign-in flows.
  • No tracking across other apps and websites; the app does not request the iOS App Tracking Transparency permission.
  • An anonymous device-generated UUID is the only persistent identifier; no name, email, phone number, or precise location is required to use the app.
  • An optional parent email may be entered by a parent (after passing a parental gate) to receive daily activity reports. This email is used solely for that purpose and is never shared with advertisers or AI providers.
  • All AI features require explicit, parent-gated consent before any data leaves the device.

Parents who believe their child has provided us with personal information they did not authorize may contact us at the email address in Section 11 and we will delete it promptly.

8. Your Rights

You have the right to:

  • Access the personal data we hold about you;
  • Request correction or deletion of your personal data;
  • Withdraw consent for data processing at any time;
  • Request an export of your data.

To exercise any of these rights, use the Delete My Account feature within the app or contact us at the email address below.

9. App Tracking Transparency (iOS)

On iOS devices, our non-kids apps may request permission to track your activity across apps and websites owned by other companies. This permission is optional. SafeChat AI / KidsChat does not request and does not use the App Tracking Transparency permission and does not track users across other apps or websites.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. Material changes that affect SafeChat AI / KidsChat (for example, adding a new AI provider) will require a renewed in-app parental consent before they take effect for that app.

11. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

  • Email: coddy@coddykit.com
  • Developer: Mehmet Canker

12. Per-App Data Practices

This section lists, on a per-app basis, exactly which third-party services receive data and what data they receive. If a service is not listed for a given app, that service is not used in that app.

12.1 Coddy (coding-education apps)

  • Firebase Analytics & Crashlytics — anonymized event & crash data.
  • RevenueCat — subscription state, anonymous device identifier.
  • Supabase — account data, lesson progress.
  • OpenAI / Google Gemini — AI-assisted learning content (with consent).
  • Google AdMob, Facebook SDK — in some Coddy variants only; never in any kids/family-category build.

12.2 Chibify (AI image transformation)

  • Firebase Analytics & Crashlytics — anonymized event & crash data.
  • RevenueCat — subscription state, anonymous device identifier.
  • AWS S3 / CloudFront — storage of generated images.
  • Supabase — account data, generation history.
  • xAI (Grok) — image-generation requests (with consent).

12.3 SafeChat AI / KidsChat (Apple Kids Category, ages 6–13)

Identifiers and account data we store:

  • An anonymous device-generated UUID (created locally on the device).
  • The age-band selected by the parent during onboarding (one of: 6-7, 8-9, 10-11, 12-13).
  • An optional parent email, only if the parent voluntarily enters one in Parental Controls to receive daily activity reports.
  • An optional 4-digit parental PIN (stored hashed, used only to gate Parental Controls inside the app).
  • Recent chat history (up to 30 days; parent-clearable from Parental Controls).

Data sent to third parties:

  • OpenRouter (AI router, text only) — receives: the chat message text and the age-band hint. Receives nothing else. Used only to forward the text request to MiniMax. No photos are sent to OpenRouter.
  • MiniMax model M1 (text AI model, via OpenRouter) — receives the same text payload as OpenRouter; generates the text reply. Used only to generate text replies.
  • Google — Gemini Flash (image AI model, direct) — when (and only when) the child attaches a photo for a visual question, the photo and the chat message text are sent directly to Google’s Gemini Flash API, together with the age-band hint. Used only to generate the reply for that photo. No photo is ever stored by us after the reply is returned.
  • RevenueCat — receives: the anonymous device-generated UUID and the App Store / Play Store subscription transaction. Used only to determine whether the device has an active Pro subscription.
  • Supabase — receives: anonymous device UUID, age-band, optional parent email (if entered), recent chat history. Used only to operate the app’s backend (login, daily-message-quota counter, daily-report email).
  • AWS S3 / CloudFront — serves the over-the-air JavaScript bundle to the app. Receives no user data.

Data NOT collected and NOT sent in SafeChat AI / KidsChat:

  • No name, real birth date, phone number, address, or precise location.
  • No advertising identifier (IDFA / GAID); the app does not request App Tracking Transparency.
  • No third-party analytics (no Firebase Analytics, no Crashlytics, no Facebook SDK, no Mixpanel, no Amplitude, etc.).
  • No third-party advertising (no AdMob, no ad networks of any kind).
  • No social login (no Google Sign-In, no Apple Sign-In with name, no Facebook Login).
  • No push-tracking SDKs.

Daily message limit: Free users are limited to 10 AI messages per day; the count is stored on our server keyed only to the anonymous device UUID. Pro users have unlimited messages. The limit is reset daily and no message content is shared with advertisers or used for behavioural profiling.