SPUNKY MONKEY - PRIVACY POLICY

Spunky Monkey Application

Effective Date: January 1, 2026 | Last Updated: December 2025

1. Introduction

Welcome to Spunky Monkey, a mobile application owned and operated by Mojoc Ltd. ("Mojoc", "Company", "we", "our", "us"). We are committed to protecting your privacy and handling personal information responsibly.

Spunky Monkey is an AI-powered therapeutic card generation application designed for speech-language pathologists ("SLPs"), parents, caregivers, and other adults who work with individuals requiring speech and language therapy.

This Privacy Policy explains how we collect, use, store, and share personal information when you use the Spunky Monkey mobile application ("App") and related services (collectively, the "Services").

By using the App, you agree to this Privacy Policy. If you do not agree, please do not use the Services.

2. Who This Policy Applies To

This Policy applies to:

Account Holders — adults only (parents, caregivers, professionals, therapists) who create and manage accounts
Child Participants — children who may interact with the App's activities, but only under the responsibility and supervision of an adult Account Holder
Users accessing the App from Israel, the United States, the European Union, or any other region where Spunky Monkey is available

3. Data Controller

The data controller responsible for your personal information is:

Mojoc Ltd.

Kfar Yona, Israel

Email: info@mojoc.net

4. Definitions

"Account Holder" — an adult (18+ years) who creates and manages an account and bears responsibility for all use under that account.
"Child Participant" — a child who may interact with activities inside the App under the responsibility and supervision of an adult Account Holder. Children cannot create accounts or be primary account users.
"Personal Information" — information that identifies or can reasonably identify an individual.
"AI Tools" — systems that generate images from text prompts (powered by OpenAI's DALL-E 3).
"AI-Generated Content" — images created using the AI Tools based on your prompts.
"Player ID" — a unique identifier created through Unity Authentication.
"Cloud Save Data" — your cards, folders, generated images, preferences, credits, and other stored App content.

5. The Information We Collect

We collect the minimum necessary information to operate the App effectively and safely.

5.1 Information You Provide Directly

Email address (for account creation and login)
Display name or username
Prompts used to generate AI images
Cards, folders, and titles you create
Support communications and feedback

We do NOT collect personal information directly from children. Any child-related information in the App is entered by the adult Account Holder.

5.2 Information Collected Automatically

Player ID (Unity Authentication)
Device information (model, OS version, language, app version)
IP address
Crash logs and diagnostics
In-app behavior events (e.g., card creation, credit consumption, feature usage)
AI generation outcome logs (success/failure status)

No cookies or web tracking technologies are used in the App.

5.3 Subscription and Payment Information

Subscriptions are processed solely through Apple's App Store or Google Play. We receive limited information such as:

Subscription status (active, expired, refunded)
Transaction ID and renewal indicators
Entitlement information for your Player ID

We never receive or store full payment card details.

5.4 Third-Party Authentication Data

When you sign in using Google Sign-In or Apple Sign-In, we receive:

Account identifiers

We do not receive or store your email address.

We do not receive your passwords from these providers.

6. How We Use Your Information

We use the information collected to:

Create and manage your account
Authenticate you using Unity Authentication (with Google/Apple Sign-In)
Store cards, folders, images, credits, and progress in Cloud Save
Synchronize your data across devices
Generate images using AI providers
Process subscriptions and manage credit balances
Provide support and respond to inquiries
Prevent fraud, abuse, and unsafe content
Improve the App and its performance
Maintain security and integrity of our systems
Comply with legal obligations

6.1 What We Do NOT Do

We do NOT:

Sell your personal information to anyone
Share data with advertisers
Use your data for profiling or targeted advertising
Use child data for advertising or analytics
Create advertising profiles based on your content

7. Legal Basis for Processing

Under GDPR and similar laws, we process your information based on:

7.1 Performance of Contract

Processing necessary to provide the Services you requested, including account management, AI generation, cloud storage, and subscription processing.

7.2 Legitimate Interests

Processing for our legitimate interests (provided they don't override your rights), including:

Ensuring security and preventing fraud
Improving and developing our Services
Analytics to understand App usage

7.3 Consent

Where you have provided explicit consent for specific purposes.

7.4 Legal Obligation

Processing required to comply with applicable laws and regulations.

8. AI Processing

Spunky Monkey uses OpenAI's DALL-E 3 technology to generate images based on your text prompts.

8.1 What We Send to the AI Provider

Your text prompt
Required technical metadata (language, safety filter context)

8.2 What We Do NOT Send

Your email address or name
Child Participant personal identifiers
Device identifiers or IP address
Subscription or payment information
Your other cards, folders, or stored content

8.3 How the AI Provider Uses the Data

IMPORTANT: We access OpenAI through their API. As of the Effective Date of this Policy, according to OpenAI's API documentation, data submitted through the API is NOT used to train OpenAI's models.

OpenAI may temporarily retain API inputs and outputs for abuse monitoring and safety purposes. For the latest details on retention periods and data handling, please see OpenAI's Privacy Policy.

8.4 Content Moderation

OpenAI applies content moderation filters to prevent creation of harmful, illegal, or inappropriate content. Prompts violating usage policies may be rejected.

8.5 Ownership of AI-Generated Content

You own the AI-generated images you create. We store them only to operate the App and provide the Services. You may delete them at any time.

9. Children's Privacy

IMPORTANT: Spunky Monkey accounts are for adults only (18+ years). Children cannot create accounts or be primary account users.

9.1 Our Approach to Children's Data

We do NOT collect personal information directly from children
Children cannot create accounts or be primary account users
Children's use of the App is always under the responsibility of an adult Account Holder
Any child-related data in the App is entered by an adult Account Holder
Child data is treated as user-provided content under the Account Holder's control
We do NOT use child data for advertising, analytics, or profiling

9.2 Account Holder Responsibilities

Adult Account Holders are responsible for:

All use of the App under their account, including use by Child Participants
Obtaining any necessary consents from parents or guardians when using the App for therapy
Complying with applicable laws regarding child data (COPPA, GDPR, Israeli Privacy Protection Law)
Supervising Child Participants when they interact with the App's activities
Not uploading identifiable images of minors

9.3 COPPA and GDPR-K Compliance

Our practices are designed to comply with the U.S. Children's Online Privacy Protection Act (COPPA), GDPR provisions for children's data, and similar regulations.

If you believe a child has created an account or provided personal information directly, contact us immediately at info@mojoc.net and we will delete it promptly.

10. Healthcare and HIPAA Disclaimer

IMPORTANT NOTICE: Spunky Monkey is NOT currently HIPAA compliant and is NOT intended for storing Protected Health Information (PHI).

10.1 Not a Covered Entity

Mojoc Ltd. is not a "covered entity" or "business associate" under the Health Insurance Portability and Accountability Act (HIPAA). We do not enter into Business Associate Agreements (BAAs) at this time.

10.2 No Patient Data Storage

The App is designed for creating therapy materials, not for storing patient records. Users should:

NOT store patient names, medical records, or PHI in the App
NOT use card titles or folder names to identify specific patients
Maintain HIPAA-compliant records separately from this App

10.3 Professional Responsibility

Healthcare professionals remain responsible for complying with all applicable healthcare privacy regulations in their jurisdiction.

11. How We Share Information

We share information only in the following circumstances:

11.1 Service Providers (Processors)

We work with trusted service providers who process data on our behalf:

Unity Technologies: Authentication (Player Accounts), Cloud Save storage, analytics, and in-app purchase integration (actual payments are processed by Apple and Google, not Unity)
OpenAI: AI image generation (DALL-E 3 API)
Apple/Google: Authentication (Sign-In), App distribution, and payment processing for subscriptions and in-app purchases

These providers act only under our instructions and cannot use your data for their own purposes.

11.2 Legal Requirements

We may disclose information if required to:

Comply with a valid legal request or court order
Protect the safety of users or the public
Prevent fraud, abuse, or illegal activity
Enforce our Terms of Use

11.3 Business Transfers

In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, who will be bound by this Privacy Policy.

11.4 With Your Consent

We may share information when you have provided explicit consent for a specific purpose.

We do NOT sell personal information.

12. Cloud Storage and Synchronization

12.1 What We Store

When you create an account, the following data is stored in Unity Cloud Save:

Card metadata (titles, creation dates, folder assignments)
Folder structure and organization
AI-generated images
User preferences and settings
Credit balance and subscription status

12.2 Cross-Device Synchronization

Your data automatically synchronizes across all devices where you sign in with the same account.

12.3 Data Encryption

All Cloud Save data (card titles, folder names, and images) is encrypted on your device using AES-256 encryption before being transmitted to our cloud storage. This means your content is unreadable to anyone — including Mojoc and our infrastructure providers — without access to your authenticated account.

13. International Data Transfers

Mojoc Ltd. is based in Israel. Data may be processed in:

Israel
United States
European Union
Other locations where our service providers operate

13.1 Transfer Safeguards

When transferring data internationally, we implement safeguards including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Processor agreements ensuring security and confidentiality
Transfers to countries with adequate data protection (Israel has EU adequacy status)

14. Data Security

We implement reasonable technical and organizational safeguards, including:

Encryption in transit (TLS/SSL) and at rest (AES-256)
Secure authentication systems
Restricted access to production systems
Monitoring for misuse or unsafe behavior
Regular security updates and patches

No system is perfectly secure. We cannot guarantee absolute protection of your data.

14.1 Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law, as expeditiously as possible.

15. Data Retention

We retain data:

For as long as your account is active
For limited periods afterward for backup, troubleshooting, fraud prevention, and legal compliance

15.1 After Account Deletion

Upon account deletion:

AI-generated images, cards, folders, prompts, and user content are deleted or anonymized
Log data may be retained for a reasonable period for security purposes
Financial transaction records retained as required by law (typically 2-7 years)

16. Your Privacy Rights

Depending on your location, you may have the following rights:

16.1 Rights for All Users

Access — request a copy of your personal information
Correction — request correction of inaccurate information
Deletion — request deletion of your account and data
Portability — receive your data in a structured format (where applicable)
Withdrawal of Consent — withdraw consent at any time

16.2 Additional Rights (EEA/UK/Switzerland)

If you are in the European Economic Area, UK, or Switzerland, you also have:

Right to Object — object to processing based on legitimate interests
Right to Restrict Processing — request limitation of processing
Right to Lodge a Complaint — file a complaint with your local data protection authority

16.3 California Residents (CPRA)

California residents have additional rights under the California Privacy Rights Act (CPRA):

Right to Know — categories and specific pieces of personal information collected
Right to Delete — request deletion of personal information
Right to Non-Discrimination — equal service regardless of exercising privacy rights

We do not sell personal information as defined under CPRA.

16.4 Israel Users

Rights under the Israeli Privacy Protection Law apply.

16.5 Exercising Your Rights

To exercise any of these rights, contact us at info@mojoc.net. We will respond within the timeframe required by applicable law (typically 30 days).

17. Account Deletion Process

When you request account deletion:

Your account is disabled immediately
Cloud Save data (cards, folders, prompts, images, credits) is deleted within 30 days
Authentication data is removed from Unity Player Accounts
Critical logs may be retained temporarily for security or legal reasons

You may request deletion at any time by contacting us at info@mojoc.net.

18. Automated Decision-Making

We do not engage in automated decision-making, including profiling, that produces legal effects or similarly significant effects on individuals.

While AI is used for image generation, this does not constitute automated decision-making that affects your rights.

19. "Do Not Track" Signals

Our App does not currently respond to "Do Not Track" (DNT) browser signals as there is no consistent industry standard. However, as noted above, we do not use cookies or web tracking technologies in the App.

20. Third-Party Links and Services

The App may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties. We encourage you to review their privacy policies.

Relevant third-party privacy policies:

21. Changes to This Policy

We may update this Privacy Policy to reflect:

New features or services
Legal or regulatory requirements
Security improvements
Changes in our practices

We will notify you within the App when changes are significant. The "Effective Date" at the top will be updated.

Continued use of the Services after changes indicates acceptance. If you do not agree, discontinue use and delete your account.

22. Contact Information

If you have questions about this Privacy Policy or wish to exercise your privacy rights:

Mojoc Ltd.

Jerusalem, Israel

Email: info@mojoc.net

We will endeavor to respond to all inquiries within 30 days.

Acknowledgment

By using Spunky Monkey, you acknowledge that you have read this Privacy Policy and understand how we collect, use, and protect your personal information.

This Privacy Policy is incorporated into and subject to our Terms of Use.

Last Updated: December 1, 2025

Version: 2.2

Document Reference: SM-PP-2025-v2.2