1. Introduction
Welcome to Zupia, a product of Haputa LLC ("we," "our," or "us"). We are committed to protecting your privacy and the privacy of your house members, especially children. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our house reward system application, including optional Premium features such as Zupini, our AI household assistant.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Name
- Encrypted password
- Household information
2.2 House Data
To provide our services, we collect:
- House member names and relationships
- Activity logs (tasks completed, reading time, attendance, etc.)
- Reward redemptions
- Currency balances and transaction history
- Photos uploaded as proof of activity completion (if applicable)
2.3 Usage Data
We may collect information about how you use our application, including:
- Device information
- IP address
- Browser type
- Access times and dates
2.4 Zupini (Optional Premium AI Assistant)
Zupini is an optional AI assistant available only when a Premium household guardian enables it. Zupini is off by default and does not run for Free-tier households. When enabled, we may collect and process the following only as needed for features you use:
- Zupini settings: Whether Zupini is enabled for your household, briefing preferences, and related configuration you choose in the app
- Energy balance and usage: AI Energy credits, debits for metered AI actions, pack purchase references, and ledger records needed to operate the Energy economy
- Staged quests and AI suggestions: Draft activity proposals Zupini generates (names, suggested rewards, links to source events), plus any feedback you give on those suggestions
- Weekly briefing: Summaries we generate about household activity trends for the in-app briefing tab and, if you opt in to notifications, related push or email delivery
- AI inference logs: Technical records of AI requests (for example, provider, timing, and Energy charged) to operate, debug, and audit metered AI features
2.5 Optional Calendar Import (Zupini)
Guardians may optionally connect external calendars so Zupini can suggest draft activities from upcoming events. Calendar import is never required to use Zupia. We support read-only import only—we do not create, edit, or delete events in your calendar.
Google Calendar (recommended): If you choose to connect, we use Google OAuth with read-only calendar access. We receive:
- Your connected Google account email (to label the connection in the app)
- The calendar IDs you select for import
- Encrypted OAuth tokens stored so we can sync on your schedule until you disconnect
- Event metadata from selected calendars: titles, start and end times, recurrence information, location, and description fields when present
Advanced CalDAV import (optional): If you choose this method for supported providers (for example, Apple iCloud via an app-specific password), we store:
- Your calendar account email
- Your app-specific password, encrypted at rest
- The calendar collection URLs you select
- Event metadata similar to the Google import described above
Imported calendar data is stored for your household only, used to suggest in-app draft activities, and synced until you disconnect the feed or disable Zupini. We do not sell calendar data or use it for advertising.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Process activity logs and reward redemptions
- Send notifications about pending approvals and activities
- Manage household accounts and user relationships
- Operate optional Zupini features, including calendar import, draft quest suggestions, weekly briefings, and Energy-metered AI actions you initiate or enable
- Generate household-scoped AI suggestions from imported calendar events when Zupini inference is enabled
- Ensure the security and integrity of our platform
- Respond to your inquiries and provide customer support
- Comply with legal obligations
4. Children's Privacy (COPPA Compliance)
Zupia is designed for families with children. We take children's privacy seriously and comply with the Children's Online Privacy Protection Act (COPPA). We do not:
- Knowingly collect personal information from children under 13 without parental consent
- Share children's personal information with third parties
- Use children's information for advertising purposes
All accounts must be created and managed by a parent or legal guardian. Children's accounts are linked to guardian accounts, and guardians have full control over their children's data.
5. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:
- Within Your Household: Information is shared among members of your household as part of the service functionality
- Service Providers: We may share data with trusted service providers who assist in operating our platform (for example, hosting, database management, payment processing, email delivery, and push notifications)
- AI and calendar providers (when you use Zupini): If you enable Zupini features that use them, we may send data to:
- Google — when you connect Google Calendar, to authenticate and read selected calendars under read-only OAuth scopes you approve
- AI model providers (such as OpenAI) — when you use Energy-metered AI features, limited household and event context needed to generate suggestions or briefings; we do not authorize these providers to use your data to train their public models for our production integrations
- Lemon Squeezy — when you purchase Energy packs, payment and fulfillment data needed to complete the transaction
- Legal Requirements: We may disclose information if required by law or to protect our rights and safety
- Business Transfers: In the event of a merger, acquisition, or sale, your information may be transferred
No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
6. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption of sensitive data, including calendar OAuth tokens and CalDAV app-specific passwords
- Secure password storage using industry-standard hashing
- Regular security assessments
- Access controls and authentication
- Secure data transmission (HTTPS)
- Household-scoped access to imported calendar and Zupini data
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
7. Your Rights and Choices
You have the right to:
- Access: Request access to your personal information
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your account and associated data
- Data Portability: Request a copy of your data in a portable format
- Opt-out: Unsubscribe from non-essential communications
- Disconnect calendar import: Remove a connected Google or CalDAV feed at any time from House → Zupini → Import; this stops future syncs and deletes the connection credentials from our active systems
- Revoke Google access: You may also revoke Zupia’s access to your Google account at Google Account permissions
- Disable Zupini: Premium guardians can turn off Zupini for the household in Zupini settings, which stops Zupini features from running going forward
To exercise these rights, please contact us at the email address provided below.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide our services. If you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal purposes.
When you disconnect a calendar import or disable Zupini, we stop using associated credentials and cease syncing new calendar data. Previously imported event records and draft suggestions may remain until you delete them, disconnect related feeds, or delete your account, after which we delete or anonymize them according to this policy.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country. We take appropriate safeguards to ensure your information receives adequate protection.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us: