Privacy Policy

Effective Date: 28 April 2026 · Last Updated: 28 April 2026

Controller: GameAnalyze B.V., Langegracht 70, 2312 NV Leiden, the Netherlands — Dutch Chamber of Commerce (KVK) 93609191

This Privacy Policy describes how GameAnalyze B.V. (“GameAnalyze,” “we,” “us,” or “our”) collects, uses, and shares information of users of our wellbeing application Tweexy (the “App”), our web parent dashboard at client.gamenalyze.com (the “Parent Dashboard”), and our websites gamenalyze.com and tweexy.gamenalyze.com (together with the Parent Dashboard, the “Sites”). By using the App or the Sites, you confirm that you have read and understood this Privacy Policy.

1. Wellbeing — Not Medical

Tweexy is a wellbeing app that helps parents understand patterns in how their child plays and pays attention. It is not a medical device, a screening tool, or a diagnostic instrument.

All information we collect — including gameplay, behavioral, and (where enabled) biometric data — is processed exclusively to generate wellbeing insights, personalize the experience, and provide general lifestyle and parenting suggestions. This data is not processed for the diagnosis, monitoring, prevention, prediction, prognosis, treatment, or alleviation of any disease, injury, or disability, and Tweexy therefore does not fall within the scope of Regulation (EU) 2017/745 on Medical Devices (MDR).

The insights produced by Tweexy are intended to support conversations parents already plan to have — not to replace them, and not to replace professional advice from a doctor, psychologist, or other qualified specialist.

2. Who This Policy Applies To

Tweexy is intended to be used by parents and legal guardians on behalf of their child(ren) aged 4–12. The App is not designed for direct use by children. The parent or guardian creates the account, manages the child’s profile, supervises play sessions, and reads all wellbeing insights.

This Privacy Policy therefore applies primarily to:

The parent / legal guardian as the registered account holder; and
The child whose play data is captured during supervised sessions and processed under parental consent.

3. Information We Collect

The exact data we collect may evolve as we improve the App. The categories below describe what we collect today and what we may collect in future versions.

Account information (about the parent / guardian)

Name
Email address
Password (stored as a salted hash — never in plain text)
Optional profile information you choose to provide
Subscription and billing status (we do not store or have access to your full payment-card details — payments are processed on our web parent dashboard at client.gamenalyze.com by Stripe, a PCI-DSS Level 1 certified payment provider, who handles the card data directly)

Information about your child (provided by you, the parent)

First name or nickname
Year of birth (used to apply age-appropriate norms)
Sex assigned at birth, if you choose to provide it (used to apply age-and-sex-matched norms)
Optional context you provide (e.g., sleep patterns, medication notes, daily structure) used solely to enrich the wellbeing insights presented to you

Gameplay data (captured during play sessions)

Tap timing, tap accuracy, response times, error patterns, hit/miss patterns
Session length, pauses, and engagement patterns
Derived metrics such as Response Speed, Erratic Rate, Attentional Efficiency, and the GameAnalyze Points (GAP) composite score

Technical data

IP address (truncated where feasible)
Device type, operating system, language, and time zone
App version and crash diagnostics
Cookies and similar technologies on our Sites (see Section 11)

Usage data

Features used in the App and on the Sites
Time spent on specific features
Actions taken and navigation patterns

Billing and payment data

Subscriptions to Tweexy are managed and charged through our web-based parent dashboard at client.gamenalyze.com, not through the Apple App Store or Google Play. When you subscribe, payments are processed by Stripe Payments Europe, Limited (registered office: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland), our payment provider. Stripe collects and stores your payment details (such as card number, expiry date, CVC, and billing address) directly through its PCI-DSS Level 1 certified infrastructure, embedded into our checkout page. GameAnalyze receives only the information needed to operate the subscription — for example, your billing email, the subscription tier and status, the last four digits of the card, the card brand and country of issue, and Stripe’s transaction identifiers. We do not see, store, or have the ability to retrieve your full card number or CVC. Stripe’s processing of your payment data is governed by its own privacy notice, available at stripe.com/privacy.

Optional / future biometric and environmental features (off by default)

We may, in future App versions, offer optional features that capture additional behavioral signals — for example, facial expression patterns, gaze direction, vocal tone, ambient noise level, or location context. These features are not part of the current core App. When and if such features are enabled, they will be:

Clearly marked as optional;
Subject to a separate, explicit opt-in consent that is independent from the main account consent;
Documented in detail in our separate Biometric Data Policy;
Possible to disable at any time; and
Processed under the same wellbeing-only purpose limitation as all other data.

If you do not enable these features, we do not collect this data.

4. Children’s Data and Parental Consent (GDPR Article 8 / Dutch UAVG)

This section is essential. Please read it carefully.

4.1 The role of the parent

Tweexy is designed for use by a parent or legal guardian on behalf of a child. The parent creates the account, configures the child’s profile, supervises play, and is the primary recipient of all insights. We do not market the App to children directly, and we do not present advertising to children inside the App.

4.2 Legal basis for processing children’s data

Under Article 8 of the General Data Protection Regulation (GDPR) and the Dutch implementing law (Uitvoeringswet AVG / UAVG), processing the personal data of a child under the age of 16 in the Netherlands requires the consent of the holder of parental responsibility. Other EU/EEA member states have set this age between 13 and 16; we apply the highest applicable threshold (16) by default to ensure parental consent is always in place across our European user base.

Because Tweexy targets children aged 4–12, parental consent is always required. The legal basis for processing the child’s personal data is:

Article 6(1)(a) GDPR — consent of the holder of parental responsibility, given on behalf of the child; and
Where applicable, Article 9(2)(a) GDPR — explicit consent for special category data (see Section 5).

The parent giving consent confirms that they are the holder of parental responsibility for the child, that they have reached the age of majority in their country of residence, and that they have the legal authority to provide this consent.

4.3 How we obtain and verify parental consent

The parent registers the account in their own name, using a verifiable email address.
During onboarding, the parent reviews and explicitly accepts this Privacy Policy, the Terms & Conditions, and the dedicated Parental Consent flow on the Parent Dashboard.
Consent is recorded with date and time, the parent’s name, and their relationship to the child, and stored securely as evidence.
Any optional biometric or sensor-based feature requires a separate, granular consent distinct from the main onboarding consent.
Mobile-store age-gate mechanisms (App Store, Google Play) provide an additional layer of verification.

4.4 The parent’s rights regarding their child’s data

As the parent or guardian, you can at any time:

Access all data we hold about your child;
Correct inaccurate information;
Delete your child’s profile and all associated data (right to erasure under Article 17 GDPR — see also the retention table in Section 9 and the post-termination retention model in Section 13.3 of the Terms and Conditions);
Withdraw consent for any specific processing activity (without affecting the lawfulness of processing carried out before withdrawal);
Export your child’s data in a structured, commonly-used format;
Object to specific processing;
Restrict processing in defined situations.

To exercise any of these rights, contact us at privacy@gamenalyze.com. We respond to requests within 30 days.

4.5 Privacy by design and default for children

We apply enhanced safeguards specifically because children’s data is involved:

Data minimization: we collect only what is necessary to produce the wellbeing insights we describe.
No advertising profiling: we do not use children’s data to build advertising profiles, do not run ad networks inside the App, and do not sell children’s data — to anyone, ever.
No public profiles: child profiles are private to the parent’s account by default. There is no social feed, no in-app messaging, and no public discoverability.
Default conservative settings: optional features (biometrics, location, etc.) default to OFF.
Plain-language disclosures: we explain what we do in language that a non-specialist parent can understand.
Age-appropriate retention: see Section 9.

4.6 If you believe a child has used the App without parental consent

If you are a parent or guardian who believes that a child has used Tweexy without your consent (for example, by registering through an adult’s account), please contact privacy@gamenalyze.com and we will delete the child’s data and the underlying account promptly.

5. Special Category Data (GDPR Article 9)

Some of the data we may process — in particular, biometric data when biometric features are enabled, and any health-context information you choose to provide — may qualify as special category data under Article 9 GDPR.

When this is the case:

We rely on Article 9(2)(a) GDPR — explicit consent, given by the parent on behalf of the child.
Such data is processed strictly for the wellbeing-insight purpose described in this Policy, never for medical diagnosis, monitoring, treatment, or any other purpose that would bring the App within the scope of MDR 2017/745.
We apply additional technical and organizational safeguards, including encryption at rest and in transit, restricted access on a need-to-know basis, and stricter retention limits.
Consent for this category is separately, granularly granted and can be withdrawn at any time without affecting the rest of your account.

6. How We Use Your Information

We process information for the following purposes:

Providing the service: delivering core App and Site functionality, generating wellbeing insights, personalizing the parent’s dashboard and the child’s play experience.
Improving the service: investigating technical issues, monitoring usage trends, performing quality assurance.
Research and product development: working with anonymized and aggregated data to refine our methodology, validate our metrics, build statistical norms, develop new features, and develop other GameAnalyze products and services — both current and future, including consumer apps, professional decision-support tools, and B2B offerings. Identifiable personal data is not used for product research; only data that has been irreversibly anonymized in line with Section 9 is used for these purposes. Once data is anonymized, it is no longer personal data within the meaning of the GDPR, and we may use it for any of the purposes described in this bullet without further consent.
Security and fraud prevention: detecting, investigating, and preventing unauthorized access, abuse, or other unlawful activity.
Communication: sending you service-related messages (e.g., security alerts, billing notices, important changes to this Policy).
Marketing communications: sending you promotional information about our products — only with your separate, opt-in consent, which you can withdraw at any time.
Legal compliance: meeting our obligations under EU and Dutch law and the law of any other country in which we operate, including responding to lawful requests from public authorities.

Prohibited uses: we do not use the collected data — and our service providers may not use it — for healthcare, clinical, or medical decision-making. Tweexy is not a substitute for professional medical, psychological, educational, or therapeutic advice.

7. Legal Basis for Processing

We rely on the following legal bases under Article 6 GDPR (and Article 9 where applicable):

Performance of a contract (Art. 6(1)(b)) — to deliver the App and Site features you have subscribed to.
Consent (Art. 6(1)(a) and Art. 9(2)(a)) — for processing children’s data, for biometric and other special category data, for marketing, and for any optional features. Consent can be withdrawn at any time.
Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, internal analytics on anonymized data, and improving our service. We balance these interests against your fundamental rights and have documented our balancing tests.
Legal obligation (Art. 6(1)(c)) — to comply with applicable EU, Dutch, and other laws.

8. Automated Processing and Insights (Article 22)

Tweexy generates wellbeing insights using automated analysis of gameplay data (and, where enabled, biometric and contextual data). This processing is not “solely automated decision-making producing legal or similarly significant effects” within the meaning of Article 22 GDPR, because:

The insights are informational, framed as patterns, and presented to the parent as one input among many;
No decision with legal or similarly significant consequences is taken automatically about the child;
The parent retains full interpretive control and is encouraged to consult professionals when any concern arises.

If you would like a human review of how an insight was generated for your child, please contact privacy@gamenalyze.com.

9. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy:

Data category	Retention period
Account information (parent)	For the duration of the active account; deleted within 90 days after account closure. Subscription and billing records are retained for 7 years after the end of the contractual relationship to comply with the Dutch fiscal record-keeping obligation under Article 52 of the Algemene wet inzake rijksbelastingen (AWR).
Child profile and gameplay data	Personal data is deleted within 90 days after the subscription ends, or earlier upon parent request. After this 90-day window, gameplay data is irreversibly anonymized and retained indefinitely for research, statistical, and product-improvement purposes; once anonymized, it is no longer personal data. See Section 13.3 of the Terms and Conditions for details.
Optional biometric / sensor data (if enabled)	A maximum of 30 days after the corresponding session, after which it is deleted or fully anonymized.
Anonymized and aggregated research data	Retained indefinitely. Once data is irreversibly anonymized it is no longer personal data within the meaning of applicable privacy law, and GameAnalyze may use it without further consent for internal and external research, product development, validation of methodology, statistical norms, and the development and operation of other GameAnalyze products and services — including future consumer apps, professional decision-support tools, and B2B offerings. We may also grant access to anonymized data to third-party research partners (such as universities, research institutes, and commercial research collaborators) under written agreements that prohibit re-identification, restrict use to research and validation purposes, and require equivalent confidentiality and security safeguards. See also Section 10.
Consent records	For the duration of the account plus 3 years after closure, as evidence of compliance.
Backup copies	Removed from rolling backups within 90 days of the corresponding live deletion.

You can request earlier deletion at any time at privacy@gamenalyze.com.

10. How We Share Information

We share personal data only as described below:

Service providers (“processors”): we use trusted third-party providers to operate the App and Sites — including cloud hosting, error monitoring, product analytics, customer-support tooling, and transactional email delivery. Each processor handles data only on our documented instructions, under a written Data Processing Agreement (Article 28 GDPR), and only to the extent necessary to perform their service.
Payment processor (Stripe): subscription payments made on our web parent dashboard (client.gamenalyze.com) are processed by Stripe Payments Europe, Limited (“Stripe”), based in Dublin, Ireland. Stripe acts as an independent controller for the payment-card data you submit directly into its PCI-DSS Level 1 certified checkout fields, and as our processor for the limited transaction metadata it returns to us (subscription status, the last four digits of the card, card brand and country, and transaction identifiers). Stripe’s handling of payment-card data is governed by its own privacy policy at stripe.com/privacy. Stripe may transfer payment data to the United States and other jurisdictions; such transfers are protected by the European Commission’s Standard Contractual Clauses and by Stripe’s own technical and organizational safeguards.
Research partners and anonymized-data recipients: we may share, license, or otherwise grant access to anonymized and aggregated data with third parties — including universities, academic and clinical research institutes, and commercial research and development partners — for research, scientific publication, methodology validation, statistical benchmarking, and the development of new products and services (whether by GameAnalyze or jointly with the partner). All such sharing takes place under written agreements that:
- prohibit any attempt to re-identify the data;
- restrict use to the agreed research or development purpose;
- require equivalent confidentiality, security, and integrity safeguards; and
- prohibit onward transfer outside the agreed scope.

Identifiable personal data is not shared with research partners.

Legal authorities: we may disclose data when required by law, court order, or other valid legal process.
Business transfers: in the event of a merger, acquisition, or sale of assets, personal data may be transferred to the new entity. We will inform you in advance and your rights under this Policy will continue to apply.

We do not sell personal data, and we do not share it with advertisers.

11. Cookies and Similar Technologies

Our Sites use cookies and similar technologies for essential functionality, performance measurement, and (with your consent) analytics. You can manage your cookie preferences through the cookie banner on first visit and through your browser settings. Strictly necessary cookies do not require consent under the ePrivacy Directive; all other categories are activated only with your explicit consent.

12. International Data Transfers

We process and store data primarily within the European Economic Area (EEA). Where data is transferred to a country outside the EEA — for example, to a service provider operating from the United States — we apply one of the following safeguards required by Chapter V GDPR:

An adequacy decision by the European Commission;
The European Commission’s Standard Contractual Clauses (SCCs) (Decision 2021/914), supplemented by appropriate technical and organizational measures (encryption, pseudonymization, access controls); or
Other lawful transfer mechanisms.

You can request a copy of the relevant safeguards at privacy@gamenalyze.com.

13. Data Security

We apply technical and organizational measures appropriate to the sensitivity of the data, including:

Encryption in transit (TLS 1.2+) and at rest;
Role-based access controls and the principle of least privilege;
Logged, audited administrative access;
Regular security reviews and dependency monitoring;
Vendor security due diligence and contractual security commitments;
A documented data breach response procedure.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and inform affected users without undue delay where the risk is high, in accordance with Articles 33 and 34 GDPR.

No method of electronic storage or transmission is entirely foolproof, but we work continuously to keep our protections current.

14. Your Rights

Subject to applicable conditions and exemptions, you (or, in the case of a child, the parent or guardian) have the right to:

Access the personal data we hold;
Rectify inaccurate or incomplete data;
Erase (“right to be forgotten”) personal data;
Restrict processing in defined circumstances;
Object to processing based on legitimate interests or for direct marketing;
Data portability — receive your data in a structured, commonly-used, machine-readable format;
Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal;
Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (see Section 8).

To exercise any of these rights, contact privacy@gamenalyze.com. We respond within 30 days. There is no charge for reasonable requests.

15. Lodging a Complaint

If you believe we have processed your data unlawfully, you have the right to lodge a complaint with a supervisory authority. The competent authority for GameAnalyze B.V. is:

Autoriteit Persoonsgegevens

Postbus 93374, 2509 AJ Den Haag, the Netherlands

Telephone: +31 (0)70 888 8500

Website: autoriteitpersoonsgegevens.nl

You may also lodge a complaint with the supervisory authority in your country of residence. We would appreciate the opportunity to address your concern before you contact the authority — please reach out to us first at privacy@gamenalyze.com.

16. Data Protection Contact

GameAnalyze B.V. has appointed a Data Protection contact responsible for overseeing privacy compliance. You can reach them at:

Email: privacy@gamenalyze.com

Postal address: GameAnalyze B.V., Attn: Data Protection, Langegracht 70, 2312 NV Leiden, the Netherlands

For general questions about the App or your account, please use info@gamenalyze.com.

17. Restrictions on Representation

No user, partner, distributor, or third party may represent, advertise, or promote Tweexy or any other GameAnalyze product as a medical device, screening tool, diagnostic instrument, or as providing medical, psychological, or therapeutic functionality. Any such representation is unauthorized and prohibited.

18. Regulatory Compliance Reserve

If, in the future, GameAnalyze expands its services in a way that could fall under Regulation (EU) 2017/745 (EU MDR) or any other applicable health regulation, we will obtain all required regulatory approvals and certifications before offering such functionalities, and will update this Privacy Policy and our consent flows accordingly. Until then, our services remain strictly non-medical in nature.

19. Third-Party Links

The App and the Sites may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those third parties. We encourage you to read their privacy policies before providing any information.

20. Changes to this Privacy Policy

We may revise this Privacy Policy from time to time. Material changes will be communicated by posting the updated Policy in the App and on our Sites, and — for significant changes affecting your rights or our processing of children’s data — by direct notice to your registered email address. The “Last Updated” date at the top of this Policy reflects the most recent revision. Your continued use of the App or Sites after the effective date of any change constitutes acceptance of the updated Policy.

21. User Acknowledgement

By using the App or the Sites, you acknowledge and agree that GameAnalyze does not provide medical, psychological, educational, or therapeutic services, and that you remain solely responsible for seeking qualified professional advice on any health, developmental, educational, or wellbeing matter.