Last update: 24 Jul 2025
Privacy Policy
(Canada & New Zealand jurisdictions)
1 Who We Are
KidsGPT (“we”, “our”, “us”) provides an AI‑powered learning and creativity application for children aged 4‑12 that is managed by their parents or legal guardians (“parents”). We are committed to protecting personal information in compliance with:
Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) and Québec Act to modernize legislative provisions as regards the protection of personal information (Law 25).
New Zealand: Privacy Act 2020 and its Information Privacy Principles (IPPs).
Our appointed Privacy Officer can be reached at privacy@kidsgpt.club.
---
2 Scope of this Policy
This policy applies to the personal information we collect from parents and their children through our mobile apps, website, and related services (the “Service”). Children do not create their own accounts; only parents may sign up and manage profiles.
---
3 Key Points – At a Glance
We collect only the minimum information needed to run the Service.
Child data is stored under a pseudonymous ID—never a real name or full contact detail.
Parent contact information is hashed immediately after verification; plaintext is not retained.
Voice recordings are transcribed in real time and the audio file is discarded.
All personal data is encrypted in transit and at rest; signing keys rotate at least every 90 days.
Parents can review, export, or delete their child’s data at any time.
We do not sell or trade any personal information and we do not serve behavioural advertising.
---
4 Information We Collect and Create
Category | Details | Storage & Protection |
---|---|---|
Parent contact | One‑time use → hashed with bcrypt‑salt; plaintext discarded | |
Parent ID | Random 128‑bit UUID | Stored as primary key |
Child profile ID | Random 128‑bit UUID | Linked to Parent ID; no PII |
Child nickname | Optional; used to personalise content | AES‑256‑GCM column encryption |
Age band | e.g. 4-6, 6-7, etc. | Plain ENUM |
Voice‑to‑text transcripts | Generated from child’s microphone input | Kept ≤ [configurable] days, then auto‑deleted |
Usage metrics | Aggregated, de‑identified analytics (session length, feature taps) | IP truncated to /24 and dropped after 72 h |
Consent receipt | Parent ID, hashed contact, timestamp, consent version, verification method | Signed JSON stored in isolated audit ledger for 7 years |
We never collect dates of birth, home addresses, photos of real children, precise geolocation, advertising identifiers, or full IP addresses.
5 How We Use Personal Information
Purpose | Legal basis (Canada) | Legal basis (New Zealand) |
---|---|---|
Create & manage parent and child profiles | Meaningful consent (PIPEDA Principles 3 & 4.3) | IPP 1 (purpose) + IPP 3 (notification) |
Generate personalised stories, quizzes and images | Same | Same |
Provide support and respond to requests | Legitimate business need within scope of consent | IPP 2 (source) & IPP 6 (access/correction) |
Security, fraud and abuse prevention | Appropriate safeguards (PIPEDA 4.7) | IPP 5 (reasonable security safeguards) |
Legal compliance & dispute resolution | Legal obligation | Legal obligation |
We do not use children’s data for automated decision‑making that produces legal or significant effects, nor for marketing.
6 Parental Consent
Parents verify their identity via a single‑use magic‑link email during sign‑up. By completing verification and clicking Agree, the parent:
Confirms they are the legal guardian of the child user(s).
Provides consent for collection and use of the child’s information as described.
May withdraw consent at any time by emailing privacy@kidsgpt.club.
7 Security Safeguards
We implement administrative, technical and physical measures aligned with industry frameworks (OWASP, NIST SP 800‑57) and the “reasonable safeguards” test of PIPEDA 4.7 and NZ IPP 5:
Encryption – TLS 1.3 in transit; AES‑256‑GCM for data at rest.
Key management – Signing keys rotate quarterly; previous key retained 7 days for validation.
Pseudonymisation & hashing – Parent contacts stored only as salted hashes; child data under UUID.
Access controls – Role‑based least privilege; production DB behind dedicated VPN.
Audit logging – All access to personal data is logged and reviewed; consent receipt ledger is write‑only.
Incident response – 24 h internal alert SLA; breach notification to OPC (Canada) or NZ Privacy Commissioner “as soon as practicable” if risk of serious harm.
8 Cross‑Border Transfers
Our servers are currently located in [United Kingdom] and [EU Latvia/Riga]. Service providers are bound by contract to provide equivalent protection and may only use data to deliver the Service.
Canada – PIPEDA allows cross‑border processing with notice and accountability; we remain accountable for service providers’ compliance.
New Zealand – IPP 12 permits overseas disclosure when recipient is subject to comparable safeguards or where the individual consents.
9 Retention & Deletion
Data type | Retention rule |
---|---|
Voice‑to‑text transcripts | Auto‑deleted ≤ 30 days (parent can shorten) |
IP subnet logs | Deleted after 72 h |
Dormant accounts | Purged after 12 months of inactivity |
Consent receipts | Kept 7 years (limitation period) |
Back‑ups | Encrypted; rolling 30‑day window |
When a parent requests deletion or withdraws consent, associated child data is wiped from live systems within seven days and backups within 30 days (unless retention required by law).
10 Your Rights
Parents (and capable children) may:
Access personal information we hold.
Correct inaccuracies.
Delete personal information and close the account.
Withdraw consent to further processing.
How to exercise your rights
In‑app dashboard – Settings → Privacy → Manage My Data
Email – write to privacy@kidsgpt.club from the verified parent contact.
We will reply within 30 days (Canada) or 20 working days (New Zealand). If we need extra time, we will explain why and when you can expect a response.
11 Changes to This Policy
We may update this policy to reflect legal or operational changes. We will post the revised version here and, for substantial changes, notify verified parents by email 30 days in advance. Continued use of the Service after that date signifies acceptance of the updated terms.
13 Contact Us
Questions, comments or requests?
Privacy Officer – Arkadiy Kondrashov
Email: privacy@kidsgpt.club