Mightyreads

Privacy Policy

Forgewell, LLC d/b/a MightyReads ("MightyReads," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and the choices you have.

By using joinmightyreads.com (the "Site") and our apps, features, and services (collectively, the "Service"), you agree to this Privacy Policy and our Terms of Use.

Quick summary: We collect only what we need to run MightyReads (accounts, reading progress, avatars, and activity), we don't sell your data, we don't run targeted ads, and children's data is protected and controlled by a parent/guardian or school.

Controller: Forgewell, LLC, 56 Broad Street, Suite 14266, Boston, Massachusetts 02109 USA
Privacy Contact: privacy@joinmightyreads.com

Last Updated: September 4, 2025

I. Information We Collect

We collect Personal Information (identifies or can identify you) and Non-Personal Information (does not identify you on its own).

1) Information you provide

  • Account & profile: parent/guardian email, password (hashed), display name, and optional profile details (e.g., avatar).
  • Child profiles (with parental consent): child nickname or first name, date of birth, avatar, reading progress, and the content the child creates (e.g., journals, reflections, drawings).
  • Classroom or school accounts (if applicable): teacher name and email, class name, student nicknames/IDs provided by the educator.
  • User-generated content: reviews, comments, reflections, drawings, and messages you or your child choose to post or upload.
  • Support & feedback: messages and attachments you send to us.

2) Information collected automatically

When you use the Service, we and our service providers collect:

  • Usage & device data: pages viewed, features used, session duration, links clicked, approximate location (derived from IP), device type/OS, browser, app version, timestamps, referring/exit pages.
  • Log & diagnostic data: error reports and crash data to help us troubleshoot problems.
  • Cookies/local storage: to keep you signed in and remember preferences; analytics cookies to understand how the Service is used.

Typical things we track to improve the Service:

  • Sign-in state and session continuity
  • Page views and feature usage (e.g., "created journal entry," "completed reading quest")
  • Basic diagnostics (e.g., errors, performance timing)

We use both session and persistent cookies/local storage. For example, we store a persistent value to keep you signed in between visits. You can control cookies in your browser, but some features may not work without them.

3) Children's privacy (COPPA)

MightyReads is a reading app for families, children, and classrooms. Children cannot create an account without a parent/guardian or school acting as the account holder. We collect only limited information for child profiles (name, date of birth, avatar, progress, and content the child submits).

  • Parental consent: We obtain verifiable parental consent before activating a child profile (family accounts) or rely on a school's authority under applicable student-privacy laws (school accounts).
  • Parent rights: Parents can review, update, or delete a child's information at any time by contacting us at privacy@joinmightyreads.com.
  • No targeted advertising: We do not show behavioral ads to children or sell children's data.

If you believe a child used the Service without consent, contact us and we will promptly delete the information.

School Data: When MightyReads is used through a school, we process student data as a processor to the school (the controller) under our agreement with the school, and we follow the school's instructions. We do not use student data for advertising.

II. How We Use Information

We use information to:

  • Provide and maintain the Service (accounts, authentication, syncing, reading progress)
  • Personalize features (avatars, recommended activities)
  • Support safety and moderation of user-generated content
  • Communicate with you (service emails, feature updates, security alerts)
  • Analyze and improve performance and usability
  • Comply with law and enforce our Terms

Legal bases (EEA/UK): performance of a contract (providing the Service), legitimate interests (service improvement, security), consent (where required, e.g., certain cookies, child accounts).

We do not sell Personal Information. We do not share Personal Information for cross-context behavioral advertising.

III. How We Share Information

We share Personal Information only with:

  • Service providers (processors):
    • Supabase (authentication, database, storage)
    • PostHog (product analytics—page views, feature usage, events)
    • Sentry (error monitoring—error details, device/browser metadata; PII scrubbing is enabled)
    • Resend (transactional email delivery)
    • OpenAI (AI-powered features for Plus subscribers)
    • Vercel (site and API hosting and logs)
    • Stripe if you purchase a subscription
  • Legal and safety: if required by law, to protect users, our rights, or the security of the Service, or to prevent fraud/abuse.
  • Business transfers: if we are involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction, subject to this Policy.

We require service providers to use your information only to provide services to us and to protect it per this Policy.

IV. AI-Powered Features

We offer optional features that use generative artificial intelligence ("AI") to create or suggest content (for example, draft reflections, summaries, or prompts). When you use these features, we process the inputs you provide (such as text, images, or instructions), the outputs generated, and limited technical data (timestamps, language, feature name) to operate the feature, improve quality and safety, and prevent abuse.

Providers & role. We use vetted AI service providers acting as our processors to run these features. They may temporarily process your inputs/outputs only to provide the service to us and must protect them under our instructions.

Training. We do not allow our AI providers to use your inputs or outputs to train their public models. We also do not use your content to train models for anyone else's benefit.

Safety & review. We may apply automated filters and limited human review to help keep AI features safe and to improve prompts/guardrails.

Children & schools. AI features for child or classroom accounts are designed for age-appropriate educational use. We do not use children's inputs/outputs for advertising, and we do not sell or share this data for cross-context behavioral advertising. In school deployments, we act as a processor to the school and follow the school's instructions.

Automated decisions. AI outputs are assistance for learning and creativity; we do not make decisions with legal or similarly significant effects solely by automated means.

Retention. We retain AI inputs/outputs only as needed to provide the feature, ensure safety, comply with law, and maintain audit logs. If you request deletion of related content, we will delete or de-identify associated AI records unless we must retain them for legal/security reasons.

V. User-Generated Content & Visibility

By default, family content (e.g., a child's journal) is private to the parent/guardian account. Some features may allow sharing (e.g., posting to a class or community). We will clearly indicate when content will be visible to others and provide controls to limit or withdraw sharing.

We may use automated tools and limited human review to moderate content for safety and policy compliance.

VI. Your Choices & Rights

  • Email preferences: You can unsubscribe from marketing emails via the link in the email. We may still send transactional messages (e.g., password resets, service notices).
  • Access, correction, deletion: Your account and all associated data can be deleted at any time by going to Settings > Profile and clicking "Delete Account".
  • EEA/UK/California: You may have additional rights (data portability, restriction, objection; CPRA access/deletion/opt-out). We do not "sell" Personal Information and do not "share" it for cross-context behavioral advertising under California law.

California Notice at Collection (summary): We collect identifiers (e.g., email), internet/activity data (usage, device, IP), and user content for the purposes described above. Retention is as described below. We do not sell or share for cross-context behavioral advertising.

VII. Data Retention

We retain Personal Information for as long as your account is active and as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. When you request deletion, we delete or de-identify data within a reasonable period, except where retention is required by law or legitimate business needs (e.g., security logs, payment records).

VIII. Security

We use reasonable administrative, technical, and organizational measures to protect information, including encryption in transit (TLS), access controls, and secure hosting. No method of transmission or storage is 100% secure; you are responsible for safeguarding your password and account credentials.

IX. International Transfers

We are based in the United States, and your data may be processed in the U.S. and other countries where our service providers operate. Where required, we use appropriate safeguards for cross-border transfers (e.g., Standard Contractual Clauses).

X. Cookies & Tracking Technologies

We use cookies and similar technologies to:

  • Keep you signed in and remember preferences
  • Measure usage to improve features (PostHog)
  • Diagnose and fix errors (Sentry)

Manage cookies in your browser settings and (where available) via Cookie Preferences on our Site. Essential cookies are required for the Service to function.

XI. Third-Party Links

The Service may link to third-party sites or apps. Their privacy practices are governed by their own policies. We are not responsible for those sites.

XII. Children's Privacy—Parental Rights (Details)

Parents/guardians can:

  • Review and delete a child's personal information
  • Withdraw consent and delete the child profile
  • Request that no further collection or use occur

Contact: privacy@joinmightyreads.com

XIII. Changes to This Policy

We may update this Policy from time to time. If changes are material, we will notify you (e.g., by email or a prominent notice on the Site) at least 30 days before they take effect. The "Last Updated" date will reflect the latest version.

XIV. Contact Us

Questions or requests about privacy: privacy@joinmightyreads.com
Mail: Forgewell, LLC — Attn: Privacy, 56 Broad Street, Suite 14266, Boston, Massachusetts 02109 USA