Privacy Policy

Last updated: January 18, 2026

Kiddoz ("we", "us", "our") is a communication and photo-sharing platform for early-childhood education. Kiddoz is operated by HOW GP, which is responsible for ensuring that personal data is processed lawfully, transparently, and securely.

We take privacy extremely seriously — especially when it concerns children — and process personal data in full compliance with the EU General Data Protection Regulation (GDPR).

1. Who We Are (Data Controller)

Kiddoz is operated by:

HOW GP

Registered address: Kalamida 3, Athens, 10554, Greece

GEMI Registration Number: 167278603000

VAT Number (ΑΦΜ): EL801969865

Email: hello@howstudio.dev

For parent and teacher accounts, HOW GP acts as the data controller.

For child data, HOW GP acts as a data processor on behalf of each school, which remains the data controller.

2. Data We Collect

2.1 Account Information (Parents & Teachers)

  • Name
  • Email address
  • Password (encrypted)
  • Role (parent or educator)

2.2 Child Information (Provided by Schools/Teachers)

  • Child's first name
  • Classroom or group
  • Photos and videos of classroom activities
  • Notes, tags, and updates created by teachers

2.3 Usage Data

  • Device type, OS, browser version
  • IP address and approximate location for security
  • Log data (login timestamps, in-app actions)
  • Website analytics data (page views, navigation patterns) collected via Google Analytics

We do not collect advertising identifiers or behavioural tracking data.

3. How We Use Personal Data

We process data strictly to:

  • Provide the Kiddoz platform and its core features
  • Allow educators to securely share updates with families
  • Maintain account security and prevent abuse
  • Improve app performance and reliability
  • Analyze website usage to improve user experience (via Google Analytics)
  • Fulfil legal obligations related to child data protection

We never sell personal data or use it for targeted advertising.

4. Legal Basis for Processing

We rely on the following legal bases:

  • Performance of a contract (providing access to Kiddoz)
  • Legitimate interests (security, fraud prevention)
  • Consent obtained by schools from parents/guardians for image sharing
  • Legal obligations where applicable

Schools remain responsible for obtaining appropriate parental consent.

5. How We Share Data

We only share data with carefully selected service providers ("subprocessors") required to operate Kiddoz:

  • Cloudflare R2 (secure file storage)
  • Fly.io (application hosting)
  • Mailgun (transactional email)
  • Google Analytics (website analytics and usage statistics)

All subprocessors are bound by GDPR-compliant Data Processing Agreements (DPAs).

We never share data with advertisers, data brokers, or unrelated third parties.

6. International Transfers

All primary data storage occurs within the European Union.

Some subprocessors, such as Google Analytics, may transfer data outside the EU. If a subprocessor performs transfers outside the EU, we ensure adequate protection through:

  • EU adequacy decisions, or
  • Standard Contractual Clauses (SCCs)

7. Data Retention

  • Photos and videos: retained only for as long as the school account is active or until the school deletes them.
  • Parent/teacher accounts: retained until the user deletes the account.
  • Security logs: retained for a limited period (e.g., 30–90 days).

Upon school request or contract termination, all child-related data is deleted or returned to the controller.

8. Your Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Correct inaccurate information
  • Request deletion ("right to be forgotten")
  • Restrict or object to processing
  • Receive a copy of your data (data portability)

Parents must submit child-data requests through their school. We assist schools in fulfilling these requests.

To exercise rights related to your own account, contact: privacy@kiddoz.app

9. Security

We use industry-standard security measures, including:

  • End-to-end TLS encryption
  • Encrypted data storage
  • Role-based access controls
  • No publicly accessible URLs for media
  • Continuous monitoring and security reviews

We design Kiddoz to minimise data exposure and prevent unauthorised access.

10. Children's Data

Kiddoz is designed for early-childhood education environments.

We do not create accounts for children.

Child data is uploaded and managed solely by schools and teachers, with parental consent.

HOW GP processes child data exclusively under documented instructions from the school, in accordance with GDPR Article 28.

11. Account Deletion & Data Removal

Parents and teachers may delete their accounts at any time from within the app or by contacting us.

Schools may request full deletion of all associated child data.

Deletion is permanent and irreversible.

12. Changes to This Policy

We may update this Privacy Policy occasionally.

Significant changes will be communicated to schools and users before they take effect.

13. Contact Us

For questions or GDPR requests, you may contact:

Kiddoz – Privacy Team

Operated by HOW GP

Email: hello@howstudio.dev

Address: Kalamida 3, Athens, 10554, Greece