← Back to Yoce

Privacy Policy

Last updated: 4 June 2026 · Version 2026-06-04-v9

For kids: we wrote a separate kid-friendly version that explains everything in plain language.

Yoce, a family rewards and chat app for parents and their children, is operated by Norton Brook (HK) Limited (“Yoce”, “we”, “us”). We take your family's privacy seriously, especially children's data. This policy explains what we collect, how we use it, who can see it, how long we keep it, and the rights you have over it.

Yoce is designed for use by families that include children under 13. Yoce is built to comply with US COPPA (our primary market), the UK Age-Appropriate Design Code (the Children's Code) and UK GDPR, the Hong Kong Personal Data (Privacy) Ordinance (PDPO) as our home jurisdiction, and the Singapore Personal Data Protection Act (PDPA). We also comply with the EU General Data Protection Regulation including the heightened protections for children (GDPR-K) and the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA).

Our most-protective standard

Children's privacy laws differ across countries (the age of digital consent ranges from 13 in the UK to 16 in Germany / Netherlands; COPPA in the US; GDPR-K in the EU; state-specific rules in the US). Rather than apply different rules in different places, Yoce applies the strictest applicable standard from any jurisdiction we serve, to every family worldwide. That means: parental consent is always required for any child added (regardless of age), audio recordings are always treated as GDPR Article 9 special-category data, behavioural advertising and analytics are permanently disabled on every kid surface, retention windows match the shortest required period, and consent can always be withdrawn without deleting the account. We do this so a kid's privacy doesn't depend on the country they happen to live in.

In line with the UK Children's Code, we also build for the child's best interests by default: a child's privacy settings are set to the most protective option from the start; we never profile children or build advertising audiences from their data; we use no nudge techniques or dark patterns that push a child toward weaker privacy; we practise data minimisation, collecting only what the service needs; and any parental monitoring of a child's chat is disclosed to the child in age-appropriate language (see our kid-friendly version).

1. Who we are and how to reach us

Norton Brook (HK) Limited is the “operator” under COPPA and the “data controller” under the UK/EU GDPR and the Hong Kong PDPO. Our contact details:

  • Email (privacy questions, COPPA, GDPR): support@yoce.com
  • General support: support@yoce.com
  • Postal: Norton Brook (HK) Limited (registered office address available on request — write to support@yoce.com)

For COPPA verifiable parental consent specifically, see Section 4.

2. What we collect

From parents and adult family members

  • Email address and password (password is hashed — we never see the plain text)
  • Display name you choose
  • Family name and settings you configure (timezone, message limits, etc.)
  • If you sign in with Google: the email + display name we get from Google's OAuth response
  • Device tokens for push notifications (when you enable them)
  • Audit metadata for each significant action you take (timestamp, IP, user-agent)

From children (under your supervision)

  • A nickname you choose (set by you, the parent) — never your child's full legal name
  • An avatar (a stylised illustration; no real photographs are collected)
  • A username and PIN to log in on a shared device — we never ask the child for an email
  • Their star count, behaviour history, reward redemptions
  • Messages they send (text and voice clips up to 30 seconds), within the family or with friends you have approved
  • Wall free-text your child writes — journal entries and answers to the optional daily question. Stored privately within your family, kept until you or your child delete them, and used for the optional monthly recap. Never shared outside the family, never used for advertising, never used to train any model.
  • Coarse sign-in attempt records — when your child signs in on a shared device we log an IP-region bucket plus a timestamp, kept for 24 hours, used only to defeat brute-force PIN guessing (anti-brute-force). This is not precise location and is never used for advertising or profiling.
  • Their device push token if push is enabled
  • Birthday (optional, set by you) — used to display age on the family hub and for the calendar birthday reminder. Not used for advertising or shared with any third party.

We never collect from children: location, real name (unless you set it), email, phone number, photographs, contacts, or any data used for advertising profiles. We do not use behavioural advertising and do not run third-party advertising trackers in any part of the service. Behavioural analytics (Vercel Analytics) is hard-disabled on every kid screen even if a parent has enabled it for themselves.

A parent may choose to post family photographs to their own family's private Wall (see “Images on Yoce” above). These are provided by the adult account holder, not collected from the child; they may show the family's own children, are visible only within that family, have location metadata stripped on upload, never appear in any email, and are deleted with the account.

Images on Yoce

Yoce supports two kinds of images, both confined to a family's own private space and never shown to anyone outside it:

  • Children's drawings. Artwork a child creates in the in-app drawing canvas and saves to their Wall. These are app-generated images — never a photograph and never taken from the device's camera or photo library. A child can never upload a photo: there is no camera access or photo picker on any child screen.
  • Parent-posted photos. A verified parent or guardian — the adult who owns the account — may post photographs to their own family's private Family Wall for their children to see. This is an adults-only action enforced on the server; children cannot post photos.

All images live in a private storage bucket with no public URLs: every view is a short-lived signed link issued only after we confirm the viewer belongs to that family. Images are never shared with friends, made discoverable, shown to other families, included in any email, or used for advertising, profiling, or any third-party image analysis or facial recognition. When a parent uploads a photo we strip its embedded metadata — including any GPS location — before storing it, so a photo can't reveal where a child lives or goes to school. A parent can remove any image at any time, and full account deletion permanently removes every image from storage.

Voice messages — special category data

Voice clips are audio recordings of children, which European data-protection law (UK GDPR / EU GDPR Article 9) treats as a special category of personal data. We process voice messages under the lawful basis of explicit parental consent captured at signup. Specifically:

  • Voice clips are stored encrypted at rest (AES-256, Supabase Storage)
  • Retained for 30 days maximum, then automatically deleted by a daily cron sweep
  • Never shared with any third party (advertisers, AI training datasets, analytics platforms — none)
  • Never used to train, fine-tune, or evaluate any machine-learning model
  • You can disable voice messages family-wide in Settings → Child messages, in which case no voice data is collected
  • You can delete the entire voice history along with the rest of your data via Settings → Privacy & Data → Delete account

From your devices automatically

  • Approximate location at the country/region level only (from your IP) — for fraud prevention and legal compliance, never used to target ads
  • Device type and operating system version (for compatibility and crash diagnosis)
  • Application logs (errors, performance) — no message content is logged

3. Why we collect it (purposes)

We collect personal information only for the following purposes:

  • To operate the Yoce service — sign in, store family data, deliver messages
  • To enable family chat and approved cross-family friend chat
  • To send transactional emails (signup confirmation, password reset, optional weekly recap)
  • To prevent fraud and abuse (rate limits, captcha)
  • To debug crashes and improve reliability (aggregated, never sold, never tied to ads)
  • To comply with legal obligations (fraud-prevention and audit records, lawful subpoenas, regulatory inquiries)

We never: sell your data, rent it, share it for advertising, profile your children, target ads at children, or hand data to data brokers.

4. Parental consent (COPPA)

Because Yoce collects information from children under 13, we obtain verifiable parental consent before doing so, as required by COPPA (16 C.F.R. § 312.5).

How we obtain consent

When you create a Yoce account:

  1. You explicitly affirm that you are the parent or legal guardian of any children added to the account.
  2. You confirm you have read this policy and consent to the data described in Section 2 being collected from your children.
  3. We send you a confirmation email which you click to verify you control the email address. This is the first step of the FTC's “Email Plus” verification method.
  4. For the “plus” second touch, you have a 7-day grace period from signup. Within that window you must complete an in-app second confirmation at Settings → Privacy & Data — you simply tap a button in the app; we do not send a second email for this step. If you don't confirm before the grace period ends, adding or changing a child's data is blocked until you do (your existing data stays; no new data accumulates).

Each consent event is recorded server-side with a timestamp, the version of this policy you saw, and your IP address — so consent is verifiable and reproducible.

Withdrawing consent

You can withdraw consent at any time by deleting your account in Settings → Privacy & Data, or by emailing support@yoce.com. Withdrawal stops new data collection and triggers deletion within 30 days, except where we're legally required to keep some records (fraud-prevention and audit logs).

5. Who can see your family's data

Inside the app

  • Members of your family (parents and children you have added)
  • Adult family members you invite, if you grant them access
  • Approved friends — only after both your family and the friend's family confirm the friendship

Service providers (processors)

These providers process data strictly on our behalf, under contract, and never use it for their own purposes:

  • Supabase — database, authentication, file storage. Hosted on AWS in the United States (AWS us-east-1, Virginia). Encryption at rest and in transit. Their privacy policy.
  • Vercel — application hosting and edge delivery. Their privacy policy.
  • Cloudflare — bot protection (Turnstile) on signup. Their privacy policy.
  • Resend — transactional email. Their privacy policy.
  • Expo — push notifications to mobile devices. Push payloads contain only what you see in the in-app notification (e.g. “Sam earned 3 stars”); message bodies are never included in push.
  • Sentry — crash and error reporting. Receives stack traces and device/browser metadata when something in the app throws an unhandled error, so we can fix bugs you hit. Before any event leaves your device, Yoce strips IDs (kid IDs, message IDs, family IDs) from URLs, drops request and response bodies, removes auth headers and cookies, and never attaches screenshots or view hierarchies. Session replay is disabled. You can turn off crash reports entirely in Settings → Privacy & Data → Crash reporting on either web or mobile. Their privacy policy.
  • Vercel Analytics — first-party, cookie-less product analytics. Tracks anonymised page views and Web Vitals only; no cross-site tracking, no advertising profiles, no cookies stored in your browser by us. Hard-disabled on every child screen (path-gated in code) so kids' sessions are never measured even if you have analytics enabled for yourself. We do not use any third-party advertising or marketing analytics on Yoce. You can disable analytics for the whole account in Settings → Privacy & Data; our cookie banner also offers an opt-out. Their analytics privacy notice.

These are the only parties to which we disclose children's data; all are contractually limited service providers, and the optional ones (crash reporting, analytics) can be declined without losing core features.

Cookies and similar technologies

Yoce uses a small number of strictly-necessary first-party cookies to keep you signed in and to remember your privacy preferences. We do not use:

  • Advertising cookies — none, ever.
  • Cross-site tracking cookies — none.
  • Third-party analytics cookies — Vercel Analytics is cookieless by design.
  • Social media / sharing pixels — none.

The cookies we do set: a Supabase auth cookie (session, ~7 days), a child-mode session cookie when a kid signs in (24-hour rolling), and a small preferences cookie that remembers whether you've seen the cookie banner. None of these are sold or shared.

No one else

We do not sell, rent, license, or trade personal information to advertisers, data brokers, ad networks, or marketing aggregators. We do not share kids' data for any purpose unrelated to operating Yoce.

6. International data transfers

Yoce's primary data centre is in the United States (Supabase us-east-1, Virginia). If you sign up from outside that region, your data is transferred there for processing.

Hong Kong-based controller, United States processor. Yoce is operated by Norton Brook (HK) Limited, a company incorporated in Hong Kong. The personal data of our users is processed and stored in the United States by our processor Supabase (us-east-1, Virginia), chosen because the substantial majority of our users are in the United States and US data residency minimises latency and matches our COPPA compliance posture. As the data controller, Norton Brook (HK) Limited handles personal data under the Hong Kong Personal Data (Privacy) Ordinance (PDPO) and its Data Protection Principles, and contractually requires its processors to apply comparable protections. For families in Singapore, we also apply the cross-border-transfer safeguards required by the Singapore Personal Data Protection Act (PDPA s.26).

UK and EU users. Yoce's primary market and data residency is the United States. Yoce also serves families in the United Kingdom and complies with the UK Age-Appropriate Design Code (the Children's Code) and UK GDPR. For UK and EU users, data is transferred to and stored in the United States under the UK International Data Transfer Addendum and the EU Standard Contractual Clauses (SCCs), alongside our processors' own safeguards.

7. How long we keep data

We retain children's personal information only as long as reasonably necessary for the purpose it was collected, and never indefinitely.

  • Account & family data: for as long as your account is active
  • Wall content (drawings, journal entries, daily-question answers): kept until you or your child delete it (keepsake + optional monthly recap); permanently removed on account deletion
  • Voice messages: automatically deleted from storage 30 days after they're sent (the database retains a placeholder showing “Voice expired”)
  • Sign-in attempt records: coarse IP-region bucket + timestamp, kept 24 hours for anti-brute-force, then purged
  • Audit log: 7 years for COPPA, fraud-prevention, and regulatory record-keeping (anonymised after account deletion)
  • Backups: rolling 30-day window, then purged

When you delete your account, the data above is removed within 30 days, except for the limited records we're legally required to keep (e.g. fraud-prevention and audit logs).

8. Your rights

Regardless of where you live, every parent on Yoce has the following rights over their own and their children's data:

  • Right of access: see what we hold — Settings → Privacy & Data → Export, or email support@yoce.com
  • Right to correct: edit any data via Settings; for things you can't edit yourself, email us
  • Right to delete: Settings → Privacy & Data → Delete my family. Takes effect within 30 days
  • Right to restrict processing: pause us using your data while you challenge accuracy
  • Right to portability: the export above is in JSON, machine-readable
  • Right to object: to anything done on the basis of legitimate interests
  • Right to withdraw consent: at any time
  • Right to lodge a complaint: with your local data protection authority (UK: ICO; EU: your member state DPA; US: FTC; California: AG)

We respond to verifiable rights requests within 30 days (45 if complex, with notice). There's no fee unless requests are manifestly excessive or repetitive.

9. How we protect your data

  • TLS 1.3 in transit; AES-256 at rest (provided by Supabase)
  • Row-level security so families can only see their own data, enforced by the database itself
  • SECURITY DEFINER access policies on every read and write — every action checks the caller is authorised
  • Voice clips served via short-lived signed URLs that expire
  • An immutable audit log of every state change (signups, message sends, family edits) — append-only, used for incident review
  • No third-party advertising trackers anywhere in the app

In the unlikely event of a personal-data breach affecting kids' data, we'll notify affected parents and the relevant authorities as required by applicable law and without undue delay (for EU/UK personal-data breaches, the GDPR's 72-hour authority-notification window applies).

10. California residents (CCPA / CPRA)

The categories of personal information we collect are listed in Section 2. We use them for the purposes in Section 3, share them with the categories of recipients in Section 5, and retain them for the periods in Section 7.

We do not “sell” or “share” (as defined under CPRA) any personal information, and have not in the previous 12 months. We do not knowingly sell or share the personal information of consumers under 16. California residents have the rights listed in Section 8; to exercise them email support@yoce.com.

10b. Other US state privacy laws

We comply with the following US state comprehensive privacy laws where applicable to residents of those states:

  • Virginia (VCDPA): rights to access, correct, delete, and port your data; to opt out of targeted advertising and sale (we do neither).
  • Colorado (CPA): same rights set as Virginia plus the right to opt out of profiling that produces legal or similarly significant effects (we don't profile).
  • Connecticut (CTDPA): aligned with Virginia/Colorado.
  • Utah (UCPA): aligned with the above; Yoce does not engage in sensitive-data processing without consent.
  • Texas (TDPSA): aligned; Texas residents have the same access/delete/correct/port rights.
  • Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Indiana (INCDPA), Tennessee (TIPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA): aligned baseline rights; same exercise process.

To exercise any of these rights, email support@yoce.com from the email address associated with your Yoce account, or use the in-app Settings → Privacy & Data tools. Most rights can be self-served from the app without contacting us.

Children's data under state laws. We do not sell or share children's personal data and never use it for targeted advertising. State law often grants additional protections to data of users under 13 (under 16 in some states); we apply the most- protective standard regardless of which state-specific rule technically applies.

11. Updates to this policy

When we make material changes — particularly to what we collect from kids, who we share with, or your rights — we'll notify you by email and require fresh consent before the new terms apply to children's data. Minor edits (clarifications, typos) are reflected by updating the “last updated” date above.

You can always view this policy's current version inside the app at Settings → Privacy & Data, and your consent history (which version you agreed to when) at the same place.

Kid-friendly versionTerms of ServiceBack to Yoce