01

Introduction

1. Who we are and what this policy covers

Scrubbing Squad Limited ('Scrubbing Squad', 'we', 'us', 'our') is registered in England and Wales. Our registered address is 275 New North Road, #1203, London, England, N1 7AA.
This Privacy Policy explains how we collect, use, store, and protect personal data across all parts of the Scrubbing Squad ecosystem. That ecosystem is phygital. It spans physical products, a mobile application, and a cloud database, as well as our website and online shop. Each environment handles data differently and this policy explains all of them.
Please read this policy in full. If you have questions, contact our Data Protection Officer at compliance@scrubbingsquad.com


This is not a standard app privacy policy. Scrubbing Squad is a phygital platform. Data is generated by physical gear, processed on-device, and stored in a cloud vault. This policy explains each environment and what it means for you.

1.1 Who this policy applies to

This policy applies to all users of the Scrubbing Squad ecosystem including: parents and guardians who create a family account; children who use the platform (whose data is processed under parental consent); grandparents and other caregivers enrolled as Guardian Devices; visitors to scrubbingsquad.com; customers of shop.scrubbingsquad.com; and applicants for advisory, ambassador, school, or partner roles.

1.2 Children's data: a note before you read on

Children's data is treated as a special category throughout this platform. We apply the UK Children's Code (AADC) standards to all data involving or related to a child under 18. We do not process children's data for advertising purposes, ever. We do not sell children's data, ever. Children are never identified by real name in any platform-facing context. They use a Hero Codename (for example, Eagle-9). That codename is the only identity the child ever sees.

02

Phygital Environment

2. Understanding how data flows across a phygital platform

Most privacy policies describe a simple digital loop: you use an app, we store data. Scrubbing Squad works differently. Data flows across three distinct environments, plus the website and shop. Understanding this is important before we explain what we collect.

2.1 Island 1: The Physical Armory

Island 1 is the physical gear. It includes the Vanguard product range: NFC-equipped toys, journals, kits, and accessories. Products V01 through V14 contain NTAG 424 DNA chips with AES-128 SUN encryption. V15 Mission Cards use printed QR codes.

When a child taps a physical product against a phone, the chip generates a unique cryptographic payload. That payload is sent to the app on the phone. It is not sent to the internet. The chip itself stores no personal data. It holds a product identifier, an encrypted counter, and a CMAC signature. The chip cannot identify the child. It cannot be cloned. If someone replays a tap or copies a chip, the rolling counter check rejects it automatically.


The physical gear does not connect to the internet. It does not collect data. It generates a cryptographic signal that the phone reads and processes locally.

2.2 Island 2: The Sovereign Brain (your device)

Island 2 is the mobile app. All AI inference and mission processing runs on your family's own device. Nothing the child sees or does requires a cloud round-trip. When your child completes a mission, the result is calculated on your phone or tablet using a Small Language Model (SLM) running entirely on-device.

If your device is offline, session data is retained locally via a secure local protocol for up to 7 days. Missions work without an internet connection. When connectivity returns, the completed session data syncs to Island 3.

One exception: V05 The Humbled Compass uses a Haversine GPS check to confirm physical location for outdoor missions. This runs entirely on-device. The GPS coordinate is never transmitted to Island 3 or to any server. This is not a settings option. It is a privacy-by-architecture constraint built into the product.

Island 2 is your device. The AI lives on your device. Your child's missions are processed on your device. The only data that leaves your device is a structured evidence record sent to Island 3 when a session completes.

2.3 Island 3: The Cloud Vault (Sovereign Ledger)

Island 3 is our cloud database. When a mission session completes and your device syncs, a structured evidence record is committed to the Sovereign Ledger. This is a WORM-enforced database. WORM stands for Write Once Read Many. Once a record is committed, it cannot be altered, deleted, or retrospectively modified. This is not a policy decision. It is an architectural constraint enforced at database level.

Why WORM? Because the clinical credibility of the evidence record depends on its immutability. A child's verified progress record is only useful to a teacher, a doctor, or a support professional if they can trust that it has never been edited. The WORM architecture is what makes the evidence institutional-grade.

Island 3 is retained for 15 years from the date of the first NFC tap. This is not a default setting. It is the core purpose of the platform: a child who joins at age 4 has a verified longitudinal development record by age 13. This is explained further in Section 9.

Island 3 records are immutable once committed. This has specific implications for your right to erasure. Section 7.5 explains exactly what happens when you request deletion.

2.4 The Solid Pod: your data, your vault

Your Ace Mode configuration (your child's neuro-accessibility settings, cultural preferences, and accessibility profile) is stored in a Solid Pod. A Solid Pod is a decentralised personal data store. The data belongs to your family, not to Scrubbing Squad. It is portable across all enrolled Guardian Devices in your family. It travels with your child across devices and households.

The Solid Pod vault is encrypted with AES-256. The keys are derived from a family cryptographic seed. Scrubbing Squad holds a pseudonymised identifier, not the seed itself. This means we cannot decrypt your Solid Pod. Only your enrolled devices can.

The Solid Pod means your child's neuro-configuration and accessibility profile belongs to your family, not to us. You can take it with you. We cannot read it.

03

What We Collect

3. What we collect, by environment

3.1 Website (scrubbingsquad.com)

When you visit our website we collect:

•  IP address and browser type (for security and analytics)

•  Pages visited and time spent (via privacy-respecting analytics -- no cross-site tracking)

•  Form submissions: name, email address, role type (parent, school, partner, advisor, ambassador, investor)

•  Cookie data - see our Cookie Policy at /cookies


We do not run advertising on this website. We do not use Meta Pixel, Google Ads tracking, or any third-party advertising trackers. The analytics we use collect aggregate, anonymised data only.

3.2 Shop (shop.scrubbingsquad.com)

The Scrubbing Squad shop is hosted on Shopify. When you make a purchase we collect:

•  Name and delivery address

•  Email address and phone number (for order updates)

•  Payment details (processed by Shopify Payments and Stripe - we never see or store your card number)

•  Order history


Shopify's own privacy policy applies to the commerce subdomain. Shopify is a registered data processor under our GDPR data processing agreement. Your payment data is handled by Stripe, which is PCI-DSS Level 1 certified.

3.3 The app and physical gear (Islands 1, 2, and 3)

Once you have a family account and are using the platform with physical gear, we collect the following:

NFC tap events (Island 1 to Island 2 to Island 3):

•  Product SKU (which physical product was tapped)

•  Timestamp of the tap

•  Cryptographic payload confirming the tap is genuine

•  Resulting Evidence of Effort score

What we do not collect from NFC: the chip does not store your child's name, age, or any personal identifier. The product identifier is matched to your child's account on your device only.

Routine completions (Island 2 to Island 3):

•  Which mission objectives were verified, skipped, or incomplete

•  Whether and when Green Eject was triggered

•  Mission Points awarded

•  Time taken

What we do not collect during missions: audio, video, or images of your child. Ever.

Emotional state logs (V10 Feelings Finder Log only, Island 2 to Island 3):

•  Pre-mission and post-mission emotional state, recorded as a numbered scale response

This is not free text. Your child cannot type or speak into this log. It is a numbered scale only.

BLE signals (V11 Hero Beacon):

•  The Hero Beacon communicates with the app via Bluetooth Low Energy (BLE 5.0) within the home

•  BLE signals are used to trigger Green Eject on the physical device and confirm the child is within range

•  BLE data is processed on-device. It is not transmitted to Island 3 as a separate data point.

The Beacon does not track your child's location.

What we never collect:

•  Audio or voice recordings

•  Video or photographs

•  Your child's real name in any platform-facing context

•  Location data transmitted to our servers (the V05 GPS check is on-device only)

•  Biometric data

•  Social media activity

Summary of what leaves your device: structured evidence records only. No audio. No video. No location. No images. No free text from your child.

3.4 Ace Mode and accessibility configuration (Solid Pod)

If you configure Ace Mode for your child (neuro-accessibility settings, sensory preferences, cultural configuration), that data is stored in your family's Solid Pod. As explained in Section 2.4, we cannot read this data. It is encrypted with your family's cryptographic seed, which we do not hold.

The only thing we hold relating to Ace Mode is a pseudonymised identifier that allows your enrolled devices to retrieve and apply your family's configuration. We cannot reconstruct your child's neuro-profile from this identifier.

3.5 Guardian Device Network

If you enrol additional Guardian Devices (a second parent's phone, a grandparent's tablet), each device derives a pseudonymised identifier from your family's cryptographic seed. Evidence records from all enrolled devices route to the same child record in Island 3. The child's evidence trail remains unbroken across caregiving environments.

We record: which devices are enrolled; when each device last synced; the enrollment consent record for each Guardian Device.

We do not record: which specific caregiver used the device for any given session.

04

Legal Basis

4. Why we are legally permitted to process this data

We process personal data under the following legal bases:

Contractual necessity: Processing your account data, order data, and platform usage data is necessary to deliver the service you signed up for.

Legitimate interests: Analytics and security monitoring on the website, fraud prevention on the shop, and platform performance monitoring. We have assessed that these interests do not override your rights and freedoms.

Consent: Email marketing (the founding supporter sequence and any future marketing communications). You can withdraw consent at any time by unsubscribing. Ace Mode configuration data stored in the Solid Pod is processed under your explicit consent during the calibration setup.

Legal obligation: We may process data to comply with a court order, regulatory requirement, or safeguarding duty.

4.1 Children's data: legal basis

Processing data relating to children under 13 requires verifiable parental consent under the UK Children's Code. We obtain this during account creation. The consent record is stored for 7 years post-account closure. For children aged 13 to 17 we apply the same protections as for under-13s. Our platform applies UK AADC standards to all child users regardless of age.

05

Who Can See Your Data

5. Who can see your data

5.1 Within your family

The parent or guardian who created the account sees the parent dashboard: routine completion rates, Green Eject history, emotional state trends, and PDF progress reports. The child sees only their missions, characters, and Mission Points. The child never sees the parent dashboard. Guardian Devices enrolled by secondary caregivers see the same dashboard view as the primary account holder.

5.2 Scrubbing Squad team

Our technical team has access to Island 3 for platform maintenance and support. Access is role-based, logged, and subject to our data access policy. Individual child records are accessed only when required for a specific support request from the account holder. No member of the team browses child records for any other purpose.

5.3 Schools and institutions (B2B platform only)

If your child's school uses the institutional version of the platform, the school may see anonymised cohort-level data. Individual child data is only accessible to the school if you have explicitly consented to institutional access as part of the school's programme setup. This is a separate consent layer to your family account consent.

5.4 Third parties

We do not sell your data. We do not share your data with advertisers. The platform has no advertising model. There is no advertising system. There are no third-party tracking scripts in the app.

We share data with the following categories of data processors, under GDPR data processing agreements:

•  Cloud infrastructure provider (Island 3 hosting)

•  Shopify (commerce subdomain)

•  Stripe (payment processing)

•  Customer.io (email sequence and marketing communications -- waitlist and founding supporter emails only)

•  Analytics provider (website only -- anonymised aggregate data, no cross-site tracking)

We do not share data with any other third party except where required by law (a valid court order or regulatory requirement). We will notify you if we receive such a requirement unless we are legally prohibited from doing so.

06

Retention Periods

6. How long we keep your data

Website form submissions (waitlist, applications): For the duration of the relationship plus 2 years. Email marketing records: 7 years from consent date.

Shop order data: 7 years (UK financial record-keeping obligation).

Family account and child records (Island 3 Sovereign Ledger): 15 years from the date of the first NFC tap. See Section 6.1 below.

Ace Mode and Solid Pod configuration: For the duration of the active family account.

Consent records: 7 years post-account closure.

Guardian Device enrollment records: For the duration of the device's enrollment.

6.1 The 15-year Island 3 retention: why and what it means

The Sovereign Ledger retains mission records for 15 years from the date of the first NFC tap. This is not a standard commercial retention period. It is the core purpose of the platform.

A child who joins at age 4 and uses the platform through childhood has a verified, longitudinal record of their development in Education, Health, Hygiene, and Safety by age 13. That record is the foundation of the Hero legends Mater Graduate tier, a future platform product that allows young people to carry their verified childhood development record into adulthood, further education, or employment.

The 15-year retention period is tied to the child's developmental timeline. It is not indefinite retention. Records older than 15 years from the first tap are eligible for deletion under our scheduled retention review.

15-year retention is specific to Island 3 mission records only. Website data, shop data, and marketing data are subject to shorter standard retention periods.

07

Your Rights

Under UK GDPR you have the following rights. We honour all data subject rights requests within 72 hours. To exercise any right, contact compliance@scrubbingsquad.com

7.1 Right of access

You can request a full export of all personal data we hold about you and your family. The B2C Data Export Package includes: your child's mission records and evidence reports (PDF and JSON); emotional state logs; streak and milestone data; subscription and billing history; Solid Pod Church layer (RDF Turtle format); and Sovereign Ledger WORM records as signed JSON with verifiable hash-chain integrity. Export requests are fulfilled within 72 hours and delivered to your verified email address.

7.2 Right to rectification

You can correct personal data we hold about you (name, email address, account details). Island 3 mission records cannot be corrected after commitment - this is the WORM constraint. However, if a record was created in error (for example, a phantom NFC tap caused by a technical fault), we can flag the record as disputed and exclude it from reports.

7.3 Right to portability

You can receive your data in a structured, machine-readable format. See Section 7.1 for the full export package specification.

7.4 Right to object

You can opt out of analytics while retaining full access to platform benefits. You can withdraw consent for marketing emails at any time using the unsubscribe link in any email.

7.5 Right to erasure (the Identity Severance Protocol)

You can request deletion of your account and all associated data at any time. Given the phygital architecture, erasure works differently here than on a standard platform. Here is what happens:

Within 72 hours of an erasure request:

•  Your Solid Pod vault is permanently and irreversibly destroyed, eliminating the family cryptographic seed, all child pseudonymous identifiers (actor_dids), all neuro-configurations, all accessibility preferences, and all Guardian Device enrollments

•  All session data on enrolled devices is flagged and purged on next connectivity

•  All consent records, all PII held outside the Sovereign Ledger, and all attributable reports are permanently deleted

•  All account records are permanently deleted

•  An auditable deletion certificate is delivered to your last verified contact address

Important: Island 3 WORM records cannot be deleted. This is a technical constraint, not a policy choice. WORM enforcement means deletion is architecturally impossible on committed records. However, once your Solid Pod is destroyed, every record in Island 3 is orphaned: the pseudonymous identifiers in those records have no mapping to any real person in any system we control. Under GDPR Recital 26, anonymised data (data that can no longer be linked to an identified person) is outside the scope of the Regulation. The DPIA signed by our DPO before launch confirms this legal position.

08

Physical Products

8. Physical products and connected device compliance

8.1 NFC-equipped products (V01-V14)

Phygital Vanguard products V01 through V14 contain NTAG 424 DNA NFC chips. These chips comply with UK Age-Appropriate Design Code Standard 14 (Connected Toys and Devices) and EU Cyber Resilience Act requirements for connected products.

Each chip holds 416 bytes total. 128 bytes are reserved for encryption keys and CMAC signature. 288 bytes are available for mission payload data. The chip stores no personal data. It holds a product SKU and a rolling counter. It cannot identify the child. It cannot connect to the internet. It cannot be read without physical proximity.

The anti-clone architecture means each tap increments a rolling counter. A replayed or cloned tap is rejected locally on the device. Effort cannot be fabricated.

8.2 V15 Mission Cards (QR code)

V15 SOP Mission Cards use printed QR codes scanned via the standard phone camera. V15 is not subject to NFC connected device compliance requirements. QR scans are processed on-device. No QR scan data is transmitted in isolation: only the resulting mission record is committed to Island 3.

8.3 V11 Hero Beacon (BLE)

The Hero Beacon communicates with the app via Bluetooth Low Energy (BLE 5.0) within the home environment. The Beacon triggers Green Eject physically (RGB LED and haptic pulse). BLE range is within a single household. The Beacon does not communicate beyond the home network. It does not collect or transmit personal data independently.

8.4 V05 The Humbled Compass (GPS)

V05 uses a Haversine GPS calculation to confirm a child is within 50 metres of a target location for outdoor exploration missions. This GPS check runs entirely on your device. The coordinate is never transmitted to Island 3 or to any Scrubbing Squad server. This is a privacy-by-architecture constraint. It cannot be changed via settings. It is built into the product.

8.5 V04 Joan Haptic Bear and V07 Signal Kit

These products are non-gated: they operate without the Hardware-First Gate activation and do not require a prior NFC handshake. They still comply with all connected device safety standards. V04 operates independently and auto-terminates at 15 minutes. V07 Signal Kit triple-token (HELP, BREAK, READY) does transmit one data event: the HELP token triggers an immediate push notification to the parent device. This is the only V07 data transmitted beyond the local network.

09

Security

9. How we protect your data

We apply the following security standards across the platform:

•  AES-256 encryption at rest for all Island 3 data

•  TLS 1.3 in transit for all data flows between Island 2 and Island 3

•  AES-128 SUN encryption on all NTAG 424 DNA NFC chips

•  Ed25519 cryptographic signatures on all Sovereign Ledger entries

•  SHA-256 hash-chain integrity linking all Island 3 records

•  WORM enforcement at database trigger level: UPDATE and DELETE on verified records are blocked at the database engine

•  Zero-knowledge identity architecture: PII never traverses the pseudonymous identity system

•  Role-based access controls with full audit logging for all team access to Island 3

•  Multi-factor authentication enforcement for all team accounts

•  Annual third-party penetration testing (target: SOC 2 Type II certification)

The child's Hero Codename system (for example, Eagle-9) means children are never identified by real name in any platform-facing context or in any data stored on Island 3. Real names exist only in the parent account record on Island 3, which is stored separately from the child's mission record.

10

Cookies

10. Cookies

We use cookies on scrubbingsquad.com. The app (Island 2) does not use browser cookies. The Shopify commerce subdomain has its own cookie behaviour governed by Shopify.

For full details of every cookie we set, its purpose, and how to control it, see our Cookie Policy at /cookies.

We use a cookie consent manager on the website. Strictly necessary cookies (for security and site function) are active without consent. All other cookies require your explicit consent before they are set.

11

International Transfers

11. International data transfers

We store Island 3 data in the UK and/or European Economic Area. Where any data processor operates outside the UK/EEA, we ensure appropriate safeguards are in place via UK International Data Transfer Agreements (IDTAs) or equivalent mechanisms. Our current data processors and their transfer mechanisms are listed in our Data Processing Register, available on request from compliance@scrubbingsquad.com

12

Policy Changes

12. Changes to this policy

We will notify founding supporters and account holders by email of any material changes to this policy at least 30 days before the change takes effect. The current version is always published at /privacy-policy. The effective date and version number at the top of this page confirm which version is live.

13

Contact & DPO

13. How to contact us

Data Protection Officer:

•  Mike J Midgley

•  compliance@scrubbingsquad.com

General privacy enquiries:

•  compliance@scrubbingsquad.com

•  Subject line: Privacy Enquiry

Registered address:

•  275 New North Road, Islington, #1203, London, N1 7AA, United Kingdom

•  Scrubbing Squad Limited, registered in England and Wales

•  ICO registration number: ZC149149

Privacy Policy version 1.1. Effective date: 01st May 2026. Last reviewed: 01st May 2026. Next review: 30 April 2027. This policy was drafted by the Scrubbing Squad founding and technical team.