Privacy Policy

Your info stays safe and sound with us

1. General Information

This Privacy Policy explains what personal data we collect when you use philosophy4kids.com (Little Thinkers!), how we use it, and what rights you have. “Personal data” means any information that can identify you as an individual.

Data collection on our website

Who is responsible?
Data processing on this website is carried out by the website operator. Contact details are listed in the legal notice (imprint).

How do we collect your data?
Some data is provided by you (e.g., via forms). Other data is collected automatically when you visit the website (e.g., browser, operating system, time of access, IP in server logs).

What do we use your data for?
To ensure proper function and security of the website, to process your submissions (questions, stories), and to provide interactive features and personalized content.

Your rights (overview)
You have the right to request access, rectification, deletion, restriction, data portability, and to lodge a complaint with a supervisory authority. Details below.

2. Controller & Hosting

TBIT DESIGN
Thomas Breher
Pappelallee 7
26122 Oldenburg, Germany

Phone: +49 441 30421914
Email: info@tbitdesign.com

Hosting: Our website is hosted on servers located in Germany by Strato (Strato AG, Otto-Ostrowski-Straße 7, 10249 Berlin, Germany). The hosting provider processes server log data for operation and security purposes.

3. Legal bases, rights & security

  • Processing is based on Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (performance of a contract – for paid services), and Art. 6(1)(f) GDPR (legitimate interests such as IT security and proper operation).
  • You can revoke consent at any time with effect for the future.
  • You may object to processing based on Art. 6(1)(f) GDPR.
  • We use SSL/TLS encryption and transmit data to external providers via HTTPS.
  • We implement technical and organizational measures to protect data against unauthorized access, misuse, or loss.

4. Cookies

We use essential cookies (e.g., session, security). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a functional, secure website).

Additional cookies (e.g., for embedded media such as YouTube/Vimeo or analytics/ads, if used) are set only after your consent via the cookie banner. Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw consent at any time via the “Cookie Settings” link in the footer.

Retention: Cookie lifetimes vary by category and are shown in the banner details.

5. Server log files

Our hosting provider automatically processes the following information for security and operation:

  • Browser type/version
  • Operating system
  • Referrer URL
  • Hostname/IP address of the accessing device
  • Time of the server request

Legal basis: Art. 6(1)(f) GDPR (IT security).
Retention: typically up to 30 days unless a security incident requires longer retention.

6. Forms (Contact, “Let’s Ask!”, “Let’s Create!”)

Let’s Ask!
We process: first name, question, optional background. Submissions are published on the website together with the answer. Only the first name and the content of the question are made public. We actively remove sensitive data (e.g., full names, addresses) before publication.

Let’s Create!
We process: first name(s) of characters/team, age (may be fictional), abilities/superpowers, optional details (fictional creatures, places, plot ideas). The personalized story is published on the website (first name(s), age, voluntary details). Sensitive data is removed before publication.

Legal basis: Art. 6(1)(a) GDPR (consent). Consent can be revoked at any time.

Retention: Published content remains online until removal is requested by parents/legal guardians or the content is otherwise taken down. Non-published submissions are not stored permanently and are deleted during moderation (no later than 30 days).

Moderation: All submissions are manually reviewed by us before publication to ensure appropriateness and remove any sensitive data.

Consent mechanism: Each form includes a mandatory checkbox where the submitter must confirm they are the parent/legal guardian providing consent for data processing and publication.

7. Newsletter (MailPoet, Double Opt-In)

If you subscribe to our newsletter, we collect your email address and, if provided, your name. After registration you will receive a confirmation email (double opt-in). Only after confirming via the link will your subscription be activated.

Our newsletters are sent using MailPoet (Automattic Inc., San Francisco, USA / Automattic EU, Ireland). For sending and analyzing newsletters, MailPoet processes recipient data (e.g., email address, IP at registration, time of registration, opening and click statistics).

Purpose: Sending and evaluating newsletters.

Legal basis: Art. 6(1)(a) GDPR (consent). Consent may be revoked at any time by unsubscribing via the link in each email or by contacting us.

International transfers: Data may be transferred outside the EU (e.g., USA) under the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses (SCCs). Despite safeguards, different data protection standards may apply in third countries.

Retention: Subscriber data is stored until you unsubscribe. Opening and click statistics are retained for 365 days for analytical purposes, then deleted or anonymized. After unsubscription, data is deleted unless legal retention duties apply.

8. Embedded media & plugins

YouTube

We embed videos from YouTube (Google Ireland Limited / Google LLC). When a page with an embedded video is loaded after you give consent, a connection to YouTube servers is established; YouTube may set cookies and process usage data.

Transfers: EU-U.S. Data Privacy Framework and/or SCCs.
Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner).
Retention: by YouTube per its policies.

Vimeo

We embed videos from Vimeo (Vimeo Inc., 555 West 18th Street, New York, NY 10011, USA). After consent, a connection to Vimeo’s servers is established; Vimeo may process your IP, device information and interactions, and may set cookies or similar technologies. If logged in to Vimeo, your activity may be linked to your profile.

Transfers: EU-U.S. Data Privacy Framework and/or SCCs.
Legal basis: Art. 6(1)(a) GDPR (consent).
Retention: by Vimeo per its policies.

Google Web Fonts

We use Google Web Fonts hosted locally on our servers. No connection to Google servers is established, and no data is transmitted to Google.

Font Awesome

We use icons/fonts from Font Awesome (Fonticons, Inc., USA). Loading these assets may connect your browser to servers in the USA and transmit your IP address. IPs are only stored temporarily and deleted unless required to block malicious activity.

Legal basis: Art. 6(1)(f) GDPR (appealing presentation).
Transfers: EU-U.S. DPF and/or SCCs; residual risk note as above.

Security plugins (Solid Security & Wordfence)

We use WordPress security plugins to protect against attacks and abuse. These plugins may temporarily store IP addresses locally to detect and block malicious activity. Data is not shared with third parties.

Legal basis: Art. 6(1)(f) GDPR (IT security).
Retention: IP-based security logs are deleted when no longer needed (typically within 30 days) unless required to investigate incidents.

Google Ads (Conversion Tracking)

We use Google Ads Conversion Tracking to measure the success of our advertising campaigns. The provider is Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

When you click on an ad delivered by Google, a conversion tracking cookie is placed on your device (if you consent via the cookie banner). These cookies lose their validity after 30 days and are not used for personal identification. If you visit certain pages of our website and the cookie has not yet expired, we and Google can see that you clicked the ad and were redirected to our site.

Data processed: cookie ID, IP address (shortened/anonymized where possible), browser information, visited pages, interactions with our site, advertising campaign details.

Purpose: Statistical analysis of ad performance and optimization of future advertising measures.

Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner). Consent may be withdrawn at any time in the cookie settings (link in footer).

International transfers: Google LLC (USA). Data transfers rely on the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses (SCCs). Despite safeguards, different data protection standards may apply in third countries.

Retention: Conversion cookies expire after 30 days. Aggregate statistics are retained for up to 26 months before being deleted or anonymized.

For more information, see Google’s privacy policy: policies.google.com/privacy.

Independent Analytics

We use Independent Analytics, a privacy-focused analytics plugin that processes data exclusively on our own web server. No personal data is transmitted to third parties.

Data collected: Page views, referrer sources, device types, and browser information in anonymized form. No cookies are set and no personal identifiers are collected.

Purpose: Statistical analysis to understand site usage and improve our content.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in analyzing and optimizing our website). As no personal data is shared with external providers, no separate consent is required.

Retention: Anonymous statistical data is retained for up to 365 days.

CDN (Content Delivery Network)

We use Bunny.net Content Delivery Network (BunnyWay d.o.o., Slovenia) to deliver content faster globally.

Data processed: Your IP address is transmitted to Bunny.net when accessing cached content. Content is replicated on servers worldwide for optimal performance.

International transfers: Bunny.net operates servers globally. Transfers rely on EU Standard Contractual Clauses (SCCs). Despite safeguards, different data protection standards may apply in third countries.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in fast, reliable content delivery).

Retention: Access logs are processed according to Bunny.net’s policies. Details: bunny.net/privacy

Google reCAPTCHA v3

We use Google reCAPTCHA v3 (Google Ireland Limited / Google LLC) to protect our forms from spam and abuse.

Data processed: reCAPTCHA analyzes user behavior in the background (mouse movements, time spent on page, IP address, technical data). This data is transmitted to Google and may be combined with data from other Google services.

International transfers: Data may be transferred to the USA under the EU-U.S. Data Privacy Framework and/or SCCs. Despite safeguards, different data protection standards may apply in third countries.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting against spam and abuse).

Opt-out: You can object to this processing by disabling JavaScript or using script blockers, though this may limit site functionality.

For more information, see Google’s Privacy Policy.

9. Use of External Services

For the creation of personalized content in “Let’s Ask!” and “Let’s Create!”, we use the following external service providers:

Service Providers:

  • Anthropic PBC (San Francisco, USA) – AI-based text processing
  • OpenAI, LLC (San Francisco, USA) – AI-based text and image processing
  • Google LLC (Mountain View, USA) – AI-based image processing
  • Celonis s.r.o. (Prague, Czech Republic) – Technical provision of external services

We have implemented appropriate safeguards including Data Processing Agreements where applicable.

What data is transmitted?

  • First names of characters or participants
  • Age of the main character (if provided)
  • Text inputs (questions, story or background details)

No last names, addresses, email addresses, or contact details are transmitted. Any sensitive information is removed before transmission.

Purpose of processing

The data is transmitted exclusively to generate the personalized content (stories, voice, images) that you requested. External providers are not permitted to use this data for their own purposes.

International transfers

Some providers are located outside the EU (e.g., USA). Transfers rely on the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses (SCCs) to ensure an adequate level of protection. Despite safeguards, different data protection standards may apply in third countries.

Legal basis

Art. 6(1)(a) GDPR (consent). Parents/legal guardians give consent by submitting the relevant forms in “Let’s Ask!” or “Let’s Create!”. Consent may be revoked at any time.

Retention & deletion

Inputs are not stored longer than necessary for the requested personalization. After generation and publication (or rejection), inputs are deleted on our side unless legal or security reasons require temporary retention.

Note on AI & automated processing

AI services are used to generate creative content. We do not conduct automated decision-making with legal or similarly significant effects on individuals, and we do not perform profiling under Art. 22 GDPR.

10. Children’s Privacy (COPPA, GDPR, UK GDPR, Privacy Act)

Our website and its interactive features (“Let’s Ask!”, “Let’s Create!”) serve families worldwide. When children participate, we apply child-specific safeguards to meet international privacy requirements.

Age thresholds by jurisdiction:

  • USA (COPPA): Under 13 requires verifiable parental consent
  • UK (UK GDPR): Under 13 requires parental consent
  • EU/EEA (GDPR): Under 16 requires parental consent (varies 13-16 by country)
  • Australia (Privacy Act): Special care for users under 18

Our unified approach:

  • Under 16: Parent/guardian consent required for all submissions
  • 16 or older: May provide their own consent

Consent mechanism and limitations:

All submission forms include a mandatory checkbox where submitters confirm they are either (a) the parent/legal guardian of a child under 16, or (b) 16+ and consenting themselves.

Important disclosure: We operate on a privacy-first, minimal data collection basis. We do NOT collect email addresses or implement technical age verification. This means we rely on users’ honest confirmation of their age/parental status. While this approach maximizes privacy, it does not constitute “verifiable” parental consent as defined by COPPA. Parents concerned about their children’s submissions should supervise their online activities directly.

What we do NOT collect from children:

We do not knowingly collect full names, email/postal addresses, phone numbers, social media handles, or precise location data from any users, especially children. Submissions are limited to first names and creative content only.

Cookies and tracking for child users:

Non-essential cookies (analytics, ads, embedded media tracking) are OFF by default and only activated after adult consent via the cookie banner. Parents can revoke consent anytime via “Cookie Settings” in the footer.

Parental rights:

  • Review their child’s submitted content
  • Request immediate deletion of published content
  • Refuse further collection/use of their child’s information

Contact: info@tbitdesign.com

COPPA compliance note:

If we discover that a child under 13 has submitted content without parental involvement, we will delete it immediately upon becoming aware. However, due to our privacy-first approach (no email collection), we cannot implement COPPA’s verifiable parental consent mechanisms. Parents must supervise their children’s use of our site.

COPPA Limitation Notice: While we aim to protect children’s privacy, we do not collect email addresses and therefore cannot implement COPPA’s “verifiable parental consent” requirement. Parents who require full COPPA compliance should not allow their children to use our interactive features.

Jurisdiction note:

We serve users globally and apply the strictest applicable standard. Users are responsible for ensuring their use complies with local laws.

11. California Privacy (CCPA/CPRA)

California residents have the following rights: right to know, right to delete, right to opt-out of sale (we do not sell personal data), and right to non-discrimination. You may submit a verifiable request by contacting info@tbitdesign.com. We may need to verify your identity before processing your request.

12. Exercising your rights (GDPR)

You can contact us at any time to exercise your rights:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction (Art. 18)
  • Portability (Art. 20)
  • Objection (Art. 21) to processing based on legitimate interests
  • Withdrawal of consent at any time (Art. 7(3))

Primary contact: info@tbitdesign.com

You also have the right to lodge a complaint with your competent data protection authority (in Germany, e.g., the State Commissioner for Data Protection of Lower Saxony).

13. Payments (Stripe)

For paid services, we use Stripe (Stripe Payments Europe Ltd., Dublin, Ireland; Stripe, Inc., San Francisco, USA). When you make a payment, the payment details you provide (e.g., card number, billing address, email) are transmitted directly to Stripe. We do not store this information on our servers. Stripe may process data for fraud prevention, transaction monitoring, and compliance with financial regulations.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (secure and efficient payment processing). International transfers: EU-U.S. DPF and/or SCCs; despite safeguards, different standards may apply in third countries.

Retention: Transaction records may be retained according to statutory commercial and tax retention periods (typically up to 10 years in Germany). For details, see Stripe’s privacy policy: stripe.com/privacy.

14. Withdrawal of consent & cookie settings

You can withdraw any consent given to us at any time by emailing info@tbitdesign.com. You can also adjust your cookie choices at any time via the “Cookie Settings” link in the footer.

15. Data Breaches

In the event of a personal data breach, we will notify the competent supervisory authority in accordance with Art. 33 GDPR without undue delay. If the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will also inform the affected individuals in accordance with Art. 34 GDPR.

16. Version & updates

This Privacy Policy may be updated to reflect changes to our services or legal requirements.

Version: 1.0 • Last updated: 2025-09-18
