Privacy Policy
Last updated: April 11, 2026
Effective date: April 11, 2026
Children's Privacy First
Jumzy Kids is designed for children ages 4-14 with parental supervision. We take children's privacy extremely seriously and are fully compliant with COPPA (Children's Online Privacy Protection Act, US) and GDPR, including GDPR-K provisions for children (EU). We never collect, store, or share any video, images, or photos of children. All camera processing happens on-device using Google ML Kit and never leaves the phone.
1. Who We Are
MB Djump (trading as Jumzy Kids) is the data controller responsible for your personal information under the EU General Data Protection Regulation (GDPR) and the Lithuanian Law on Legal Protection of Personal Data.
Company: MB Djump
Trading as: Jumzy Kids
Address: Šilutės pl. 35G-36, LT-94105 Klaipėda, Lithuania
Email: start@djump.io
Website: https://www.jumzykids.com
Data Protection: We do not process personal data at a scale requiring a designated Data Protection Officer (DPO) under Art. 37 GDPR. Privacy inquiries should be directed to start@djump.io.
2. Camera Data — Critical Information
We NEVER Record Video
The Jumzy Kids app uses your device's camera solely for real-time AI pose detection. We do NOT record, store, save, upload, or transmit any video, images, or photos of your child. All camera processing happens locally on your device.
How Camera Data Works
- On-Device Processing: Camera frames are processed entirely on your device using Google ML Kit Pose Detection (Android) and Apple Vision framework (iOS, where applicable)
- Real-Time Only: Each camera frame is analyzed instantly in memory and immediately discarded — never written to storage
- No Storage: No images or video are ever saved to device storage, cloud, or any backend server
- No Transmission: Visual data never leaves your device or is sent to any server, third party, or analytics provider
- Pose Coordinates Only: The AI extracts only numerical coordinate points of body position (17 keypoints as x/y/confidence values) which are used in-memory to count exercise repetitions, then discarded
- No Facial Recognition: We do not perform face detection, facial recognition, or any form of biometric identification
3. Information We Collect
From Parents (Account Holders)
- Email address (for account creation, login, and essential service communication)
- Password (stored as a cryptographic hash via Supabase Auth — we never see your plaintext password)
- Parental PIN (stored as a PBKDF2-HMAC-SHA256 hash with 150,000 iterations and a unique salt)
- Preferred language and age group settings
- Subscription status (free or premium)
- Family display name (optional, parent-chosen)
From Children's App Usage (Anonymous, Non-Identifying)
- Child display name (parent-chosen, can be a nickname — not required to be a real name)
- Age group (4-6, 7-10, or 11-14)
- Avatar selection (from a preset list of icons)
- Exercise completion statistics (number of repetitions, duration, exercise type)
- Session history (timestamps of completed workouts)
- Achievements unlocked and points earned
- Current and longest exercise streak
- Parent-configured blocked apps list and screen time schedule
What We NEVER Collect From Children
- Real names, surnames, or any personal identifiers
- Photos, videos, images, or any visual data from the camera
- Location data (GPS, WiFi, IP-based geolocation)
- Contact information (phone, address, email of the child)
- Voice recordings or audio data
- Biometric data (fingerprint, face, iris)
- Browsing history or web activity
- Contacts, calendar, or social media information
- Advertising identifiers or behavioral profiling data
4. Legal Basis for Processing (GDPR Art. 6)
We process personal data under the following lawful bases:
- Consent (Art. 6(1)(a)): Parents explicitly consent during account creation to the processing of their data and their children's data. Parental consent under GDPR-K (Art. 8) is required for users under 16 (under 13 under COPPA in the US).
- Contract (Art. 6(1)(b)): Processing necessary to provide the app services you subscribe to.
- Legitimate Interest (Art. 6(1)(f)): Crash reporting and service stability (minimal technical data only, via Firebase Crashlytics).
- Legal Obligation (Art. 6(1)(c)): Tax and accounting records required by Lithuanian law.
5. Android Permissions and Accessibility Services
The Jumzy Kids Android app requests the following sensitive permissions, each used exclusively for the purposes described below. Data collected via these permissions never leaves the device.
Accessibility Service
Purpose: To detect when a blocked app is launched so we can display the exercise prompt overlay. This is required for the core parental control feature of Jumzy Kids.
What it does: Listens only for the event "a foreground app changed" and compares the new foreground app's package name against the parent-configured blocked apps list. It does NOT read app content, passwords, keystrokes, or any user data.
Data collected: None leaves the device. Package names of foreground apps are compared in-memory and immediately discarded.
Device Administrator
Purpose: Optional uninstall protection, so children cannot remove the app to bypass parental controls. Parents must explicitly enable this in the Parent Dashboard.
What it does: Only the "prevent uninstall" capability is used. No remote wipe, password enforcement, or device lock functionality.
Usage Access (PACKAGE_USAGE_STATS)
Purpose: Backup mechanism to detect the foreground app when the Accessibility Service is not available. Same purpose as above — detecting when a blocked app is opened.
Display Over Other Apps (SYSTEM_ALERT_WINDOW)
Purpose: To display the exercise prompt overlay when a child attempts to open a blocked app. The overlay contains exercise instructions and a button to start the workout.
Camera
Purpose: On-device pose detection during exercise sessions. As detailed in Section 2, camera data never leaves the device.
Query All Packages
Purpose: To show parents a list of installed apps they can select to block. Only app names and icons are displayed — no app data is read.
Post Notifications
Purpose: Local notifications only (exercise reminders, streak alerts, achievements). No push notification tracking or ad delivery.
Foreground Service
Purpose: Keep the app blocker active while the device is in use. Uses the "special use" foreground service type as declared in the manifest.
6. iOS Family Controls and Screen Time API
Where supported (iOS version), Jumzy Kids uses Apple's Family Controls, ManagedSettings, and DeviceActivity frameworks to provide parental controls consistent with Apple's privacy-preserving design:
- Opaque ApplicationTokens: Blocked apps are represented as opaque tokens. We never see the actual names or bundle IDs of blocked apps — Apple handles this entirely via the FamilyActivityPicker UI.
- On-Device Enforcement: All shielding and activity monitoring happens on-device. No app usage data is transmitted to our servers.
- No Screen Time Reports: We do not access or store reports about which apps children use.
- Parental Consent: iOS requires explicit parental consent through Apple's native Family Controls authorization flow before our app can apply any restrictions.
7. Third-Party Service Providers (Processors)
We use the following processors under data processing agreements:
Supabase (USA)
Backend database and authentication. Stores parent email, hashed password/PIN, and exercise statistics. Data transfer to the USA is covered by EU Standard Contractual Clauses (SCCs).
Google Firebase — Crashlytics (USA/EU)
Anonymous crash reporting. Transmits device model, OS version, app version, and stack traces when the app crashes. Does not include personal data.
Google Play Services (Android)
In-app purchase processing via Google Play Billing. Subject to Google's privacy policy.
Apple App Store (iOS)
In-app purchase processing via StoreKit. Subject to Apple's privacy policy.
RevenueCat (USA)
Subscription state management. Receives a pseudonymous user ID and subscription status. Data transfer to the USA is covered by EU Standard Contractual Clauses (SCCs).
Google ML Kit (on-device)
Pose detection models that run entirely on your device. No data is transmitted to Google during exercise sessions.
We do not use any advertising networks, behavioral analytics, attribution SDKs, or data brokers. Jumzy Kids is not financed by advertising.
8. International Data Transfers
Some of our processors (notably Supabase and RevenueCat) are located in the United States. When personal data is transferred outside the European Economic Area (EEA), we rely on EU Standard Contractual Clauses (SCCs) as approved by the European Commission under GDPR Art. 46, plus supplementary technical measures (TLS 1.2+ in transit, encryption at rest).
9. Data Retention
- Active account data: Retained as long as the account is active.
- After account deletion: Personal data is permanently deleted within 30 days of request. Hashed authentication tokens and cryptographic identifiers are purged immediately.
- Anonymous aggregate statistics: May be retained indefinitely for service improvement, as they contain no personal data.
- Purchase and tax records: Retained for 10 years as required by Lithuanian accounting law (VMI requirements).
- Crash reports: Retained by Firebase for 90 days, after which only anonymized aggregate data is kept.
10. Children's Privacy (COPPA & GDPR-K)
Jumzy Kids is designed for children ages 4-14 under the direct supervision of a parent or legal guardian. We comply with:
- COPPA (US): We do not knowingly collect personal information from children under 13 without verifiable parental consent, which is obtained during parent account creation.
- GDPR-K (EU Art. 8): Parental consent is required for children under 16 in the EU. Our account creation flow requires the parent to confirm they are 18 or older and acting on behalf of their child.
- No child-directed advertising: We do not serve any advertising whatsoever, behavioral or otherwise.
- No third-party tracking: No third-party SDKs track children across apps or websites.
- No social features: Children cannot chat, post content, or communicate with anyone outside their family group. All "social" features are limited to the parent-controlled family unit.
11. Your Rights as a Parent / Data Subject
Under GDPR and COPPA, you have the right to:
- Access: Request a copy of all personal data we hold about you and your child
- Rectification: Correct inaccurate or incomplete data
- Erasure ("Right to be Forgotten"): Request deletion of your account and all associated personal data
- Restriction: Ask us to temporarily stop processing your data
- Portability: Receive your data in a machine-readable format
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Revoke consent at any time without affecting the lawfulness of prior processing
- Review child's data: Review, modify, or delete information collected from your child
- Disable data collection: Stop further collection of your child's information (by disabling the account or uninstalling the app)
To exercise any of these rights, contact us at start@djump.io. We will respond within 30 days as required by GDPR Art. 12.
12. Data Security
We implement technical and organizational measures appropriate to the risk:
- All data transmissions encrypted with TLS 1.2 or higher
- Database encryption at rest (AES-256)
- Passwords hashed with bcrypt (Supabase Auth default)
- Parental PINs hashed with PBKDF2-HMAC-SHA256 (150,000 iterations, 16-byte salt)
- Row-Level Security (RLS) policies on all database tables
- Camera permission required at runtime with clear user consent
- Parental PIN rate limiting with escalating lockouts (30s → 2min → 10min → 30min)
- Cleartext network traffic disabled at the Android manifest level
- Code obfuscation (R8/ProGuard) in release builds
- Regular dependency security updates
- Limited access: only authorized personnel at MB Djump can access production systems
13. Cookies (Website Only)
The Jumzy Kids mobile app does not use cookies. Our marketing website (jumzykids.com) uses only strictly necessary cookies required for locale preference and basic functionality. We do not use analytics, marketing, or tracking cookies.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the "Last updated" date at the top of this page
- For material changes affecting children's data, notify parents by email and require renewed consent on next app launch
- Post a notice in the app for 30 days
15. Right to Lodge a Complaint
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the supervisory authority in your country of residence. The Lithuanian supervisory authority is:
Valstybinė duomenų apsaugos inspekcija (VDAI)
State Data Protection Inspectorate of Lithuania
Address: L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania
Website: https://vdai.lrv.lt
Email: ada@ada.lt
EU consumers may also use the European Commission Online Dispute Resolution platform.
Contact Us
Data Controller: MB Djump
Trading as: Jumzy Kids
Email: start@djump.io
Address: Šilutės pl. 35G-36, LT-94105 Klaipėda, Lithuania
For GDPR-related inquiries, please use the subject line "GDPR Request" to ensure prompt handling.
