Last updated: April 7, 2026
1. Introduction
Undralingur ehf. (“Wonderling”, “Undralingur”, “we”) is the data controller for personal data processed when you use our Services as an individual subscriber. This privacy policy explains how and why we process your personal data and what rights you have.
This policy applies to Individual Users (parents/legal guardians) and their children’s reading profiles. If you use Wonderling/Undralingur through a school or educator, please refer to our Privacy Policy for Schools and Educators, available on our website.
It is very important to us that our reading platform is privacy-friendly and secure, especially as our users are children. We are committed to the following principles:
We collect only as much personal data as is necessary for your child to use the Services.
We do not use personal data for advertising and we never display targeted ads to children.
We never sell personal data to third parties.
We do not use personal data for biometric identification.
Parents have control over their child’s data at all times.
We will not knowingly retain a child’s personal data after it is no longer needed.
2. What Personal Data Do We Collect?
2.1 Parent/Guardian Account
When you create an account, we process:
Email address — provided via magic link, Apple Sign-In, or Google Sign-In
Authentication provider — which sign-in method you use
Account identifier — a unique ID assigned to your account
We do not collect or store passwords. Authentication is handled through one-time magic links or third-party sign-in providers (Apple, Google).
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your contact information changes.
2.2 Child Profiles
As a parent you create reading profiles for your children. Each profile contains:
Display name — chosen by you or your child
Avatar — selected from available options
Language preference
Reading settings — text level, reading speed, display preferences
2.3 Reading Activity
We collect reading activity data per profile to provide the service and track progress:
Books accessed and pages read
Reading time and duration
Reading level progression
Challenge completion, scores, and attempts
2.4 Speech Features
Our platform may offer speech-based reading exercises that use the device microphone. These features:
Require your explicit consent before activation
Can be revoked at any time through the app settings
Record audio only during active reading exercises
Send audio to our own servers (hosted in the EU) for analysis
Do not store recordings — audio is processed and immediately deleted
Are not used for biometric identification
In the future, we may offer the option to allow storage of audio recordings to improve our speech recognition service. This will require separate, explicit consent.
2.5 Technical Data
We automatically collect limited technical data:
IP address — for security purposes
Device and app information — for crash reporting and service stability
Anonymous usage analytics — reading patterns and app usage, not linked to your personal identity
2.6 Book Feedback
If you submit feedback about books through the app, we collect the feedback message along with the associated profile and book.
2.7 Account Deletion Requests
If you request account deletion, we collect your email address and optional reason for leaving.
3. Why Do We Process Your Personal Data?
Purpose | Legal Basis |
|---|---|
Providing the reading platform and services | Performance of contract |
Managing your account and profiles | Performance of contract |
Processing payments (via app stores) | Performance of contract |
Tracking reading progress and activity | Performance of contract |
Speech analysis features | Explicit consent |
Anonymous analytics to improve our service | Legitimate interest |
Crash reporting and service stability | Legitimate interest |
Responding to enquiries and support | Legitimate interest |
Transactional and system emails (welcome, account notices, deletion warnings) | Performance of contract |
Sending newsletters and marketing | Consent |
Complying with legal obligations | Legal obligation |
4. How Do We Secure Your Personal Data?
Data is transmitted using HTTPS encryption
Our database enforces access controls so users can only access their own data
Sensitive credentials are stored using secure on-device storage
Crash reporting is configured with personal data collection disabled
We use reputable, industry-standard security solutions
No system can be guaranteed to be 100% secure. If you believe the security of your account has been compromised, please contact us immediately.
We have procedures in place to deal with suspected data breaches. We will notify you and the relevant supervisory authority where we are legally required to do so.
5. Who Has Access to Your Personal Data?
We may share personal data with the following categories of recipients:
Cloud infrastructure providers — for hosting our platform and database (EU-based)
Analytics providers — anonymous usage data only, no personal data shared (EU-based)
Crash reporting providers — technical error data, personal data collection disabled
Subscription management providers — for managing in-app purchases
Email service providers — for transactional emails (EU-based)
Authentication providers — Apple and Google, for sign-in
Professional advisors — lawyers, accountants, auditors as needed
Public authorities — if required by law or valid legal process
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to applicable data protection law.
We enter into appropriate data processing agreements with all service providers. We never share personal data without a legal basis.
6. Transfers of Personal Data
Most of our service providers are based in the EU/EEA. Some providers (crash reporting, subscription management, authentication) may involve limited transfers of data to the United States. For such transfers, we ensure an equivalent level of protection through the EU–U.S. Data Privacy Framework.
7. How Long Do We Store Your Personal Data?
Active account — data is stored for as long as you have a valid account
After subscription cancellation — personal data is retained for up to 24 months, then anonymized (personal identifiers removed, aggregated analytics data retained)
Newsletters — until you unsubscribe
Enquiries and support — normally not stored for more than 3 years
Uninstalling the app does not delete your data or cancel your subscription. To delete your data, use the in-app account deletion feature or contact us.
In some situations we may retain data longer due to legal obligations or to establish, exercise, or defend legal claims.
8. Your Rights
Under applicable data protection law, you have the right to:
Access — request whether and what personal data we process about you
Rectification — request correction of inaccurate personal data
Erasure — request deletion of your personal data
Restriction — request that we limit processing of your personal data
Objection — object to processing based on legitimate interest
Data portability — request your data in a structured, machine-readable format
Withdraw consent — where processing is based on consent, withdraw it at any time
As a parent, you may access, review, or modify information in your child’s profile at any time through your account.
To exercise your rights, contact us at personuvernd@undralingur.is. We will respond as soon as possible and may ask you to verify your identity before proceeding.
These rights may be subject to limitations under applicable law. Exercising certain rights may affect our ability to provide the Services.
9. Children’s Privacy
We do not permit children to create accounts. Children access the Services only through accounts created by a parent or legal guardian. We do not collect personal information directly from children.
The personal data associated with a child’s profile is limited to:
A display name and avatar chosen by the parent or child
Language and reading settings
Reading activity (books read, progress, challenge results)
Speech analysis results, if the parent has given explicit consent
We do not require a child to provide more personal data than is reasonably necessary to use the Services. Children cannot publicly share personal information or communicate with other users through the Services.
As a parent, you may at any time:
Review the personal data associated with your child’s profile by signing into your account
Modify or delete your child’s profile and associated data
Withdraw consent for optional features such as speech analysis
Request deletion of all data associated with your child by contacting us
To make a request, contact us at personuvernd@undralingur.is.
10. Complaints
If you have concerns about how we process your personal data, please contact us at personuvernd@undralingur.is.
You may also file a complaint with the Icelandic Data Protection Authority (Personuvernd) or the relevant data protection authority in your EU/EEA member state.
11. Changes
We may update this privacy policy to reflect changes in our services or applicable law. Updates will be published in the app and on our website. Material changes will be communicated via the email associated with your account.
12. Contact Information
Undralingur ehf.
Address: Undralingur ehf., Hlíðasmári 8, 201 Kópavogur, Iceland
Privacy enquiries: personuvernd@undralingur.is
General enquiries: hallo@undralingur.is
