Privacy Policy

Last Updated: September 12, 2025

Introduction
Greater Than Gravity LLC d/b/a Kiddo (“Kiddo,” “we,” “us,” or “our”) respects your privacy and is committed to protecting personal information. This Privacy Policy explains what information we collect through the Kiddo platform and website, how we use and share that information, and the rights and choices you have regarding your information. We have drafted this Policy to comply with applicable privacy laws in the United States and internationally, including but not limited to the Washington State Consumer Protection Act, the California Consumer Privacy Act (as amended by the CPRA), Canada’s PIPEDA, the UK and EU GDPR, Australia’s Privacy Act, and New Zealand’s Privacy Act. We recognize that Kiddo’s Services involve personal data about children, and we handle such data with particular care and in compliance with laws like COPPA and other child data protection regulations.

This Privacy Policy applies when you use Kiddo’s websites, applications, and services that link to or reference this Policy (collectively, the “Services”). It covers personal information of our users and website visitors, including childcare centers and their staff (“Centers”), parents and guardians (“Parents”), and any other individuals who interact with Kiddo. Important: There are cases where Kiddo processes personal data on behalf of a Center (for example, child enrollment information). In those cases, that data is governed by the Center’s own privacy practices and our agreements with the Center, rather than by this Policy – see the “Data Controller/Processor Roles” section below for details.

By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, you should not use Kiddo. This Privacy Policy is incorporated into our Terms of Service, and your use of Kiddo is subject to both documents. If you have any questions, you can always contact us at the information provided at the end of this Policy.

1. Personal Information We Collect
We may collect various categories of personal information from and about users of our Services, as described below:

• Account Registration Data: When Centers or Parents create an account or sign up to use Kiddo, we collect information such as name, email address, phone number, and account login credentials (username and password). A Center account may include the organization’s name, address, license number, and authorized staff contacts. A Parent account may include the parent’s name and contact info, and will be linked to child profiles as described next.
  
  
• Child Enrollment Information: Parents (or Centers on behalf of parents) input information about children for waitlisting or enrollment. This can include the child’s name, date of birth, gender, and any details required by the Center’s application (e.g., desired start date, schedule needs, notes about the child). Parents might also provide sensitive details like allergies, medical or developmental information, or other care requirements for the child. We treat this child data with special sensitivity, and as explained below, it is primarily controlled by the Center for whom it is collected.
  
  
• Transactional and Payment Data: If you make or receive payments through Kiddo, we collect information related to the transaction. For Parents, this might include payment method details (though note: credit card numbers or bank details are collected directly by our payment processor, not stored on our servers), billing address, and the amount and purpose of payments (e.g., “Waitlist fee for XYZ Center”). For Centers, we may have banking details to remit funds (like an account for payouts) if applicable. We also generate transactional records (receipts, timestamps).
  
  
• Communication Data: We collect and store communications that occur through the Service. For example, if Centers and Parents exchange messages via Kiddo (such as emails or chat within the app, if available), we may process those messages. If Kiddo sends out email or SMS notifications, we retain logs of those communications (and possibly the content, like email copies or SMS text content) to ensure delivery and for audit purposes. We also collect any information you provide when contacting Kiddo support (such as the content of your support requests).
  
  
• Usage Data and Device Information: Like most online services, we gather technical information when you use our app or website. This includes:
  
  
  
  • Log and Usage Data: IP address, device type, operating system, browser type, pages or screens viewed, dates/times of access, and referring website or URL. We may record actions you take in the app (e.g., when a Center changes a waitlist status, or a Parent submits a form) to maintain audit logs.
    
    
  • Cookies and Tracking: We use cookies and similar technologies (see our Cookie Policy) to remember your preferences and analyze usage. For example, a cookie might keep you logged in or track your movement between pages to help us understand traffic patterns. Some cookies may identify your geo-location (roughly, via IP) to customize content or comply with regional requirements (like showing a cookie consent banner where required).
    
    
  • Mobile Device Data: If you use a Kiddo mobile app, we might collect mobile-specific identifiers (like device ID, advertising ID if any), and information about app crashes or performance for debugging.
    
    
• Location Data (General): We do not generally collect precise GPS location by default. However, IP addresses can give a rough location (city or region). If we ever introduced location-based features (say, showing nearby centers to a parent), we would request permission for more precise location data at that time. Currently, any location-based suggestions are based on user-provided info (like postal codes) rather than background location tracking.
  
  
• Third-Party Integrations: If you or your Center link Kiddo with another service (for example, if in the future Kiddo allowed sign-in via Google, or data sync with a third-party CRM), we would receive whatever information you authorize that third-party to share. For instance, signing in with Google might provide us your Google account name and email. We will clarify at the time of integration what data may be obtained.
  
  
• Public Content: Generally, Kiddo is not a social media platform; data is private to your account or your Center’s account. We do not have public forums accessible to all users except possibly a support community. If there were any public-facing content (like testimonials on our site or blog comments), any information you post there would be collected and obviously visible to others.
  
  

Special Note on Children’s Data: As mentioned, Kiddo collects information about children only from parents or centers, not directly from children. Thus, while this Policy covers children’s personal data (since parents input it), we do not collect it from the child. We operate under the assumption that any child data provided is with appropriate parental consent (see Section 6 on COPPA and parental consent). We do not use children’s personal information for any marketing or advertising purposes.

2. How We Use Personal Information
We use the collected personal information for the following business and operational purposes (and we do so pursuant to the legal bases noted in Section 3 if under GDPR/UK GDPR):

• To Provide and Maintain the Services: We process data to create accounts, enable you to log in, and generally to perform the core functions of Kiddo. For example, we use child enrollment info to display waitlists to Centers and status updates to Parents. Payment data is used to execute transactions you request. Communication data is used to deliver messages. Essentially, without using the personal info provided, we couldn’t operate the service you expect. (Legal basis: performance of a contract with you, or our legitimate interest in providing a requested service.)
  
  
• To Facilitate Center-Parent Interactions: We act as an intermediary in some communications – e.g., emailing a Parent an enrollment offer on behalf of a Center, or sending a Center the details a Parent submitted. We might also send reminder emails or texts (for example, a reminder to Parents to update their waitlist status or a notification of a new message). These uses are directly related to the purpose for which the information was collected.
• To Send Service Communications: We will use contact information to send administrative or account-related messages. These include confirmations of actions (like “Your application was submitted”), alerts about changes (like updates to this Privacy Policy or Terms), important service status updates (maintenance downtime notices, security alerts), or support responses. You cannot opt out of these essential communications because they are necessary for the operation of the service or legal notifications.
  
  
• To Send Marketing Communications (as permitted): Kiddo may send promotional emails or newsletters to Center users (for example, product updates, tips for using the platform, or new feature announcements). We may also occasionally send such communications to Parents, but only if we have the appropriate consent or lawful basis. For instance, if a Parent signs up on our website for childcare tips or indicates interest in other services, we might include them in certain mailings. Opt-Out: You can unsubscribe from marketing emails at any time by clicking the “unsubscribe” link in the email or contacting us. We will not send SMS marketing messages to Parents without explicit opt-in consent. (Operational texts regarding a specific Center’s application are not marketing.) (Legal basis: consent, where required (e.g., for email marketing to individuals in certain jurisdictions); otherwise legitimate interest in promoting our services to our user base.)
  
  
• For Analytics and Service Improvement: We analyze usage data (often in aggregated form) to understand how our Services are used, to troubleshoot issues, and to make improvements. For example, we might measure which features are most used by Centers to inform our development priorities. We might use Google Analytics or similar tools, which rely on cookies or scripts, to gain insights on website traffic and user behavior. These analytics help us optimize user experience and fix pain points. (Legal basis: legitimate interests in improving and ensuring the efficiency of our Services.) See our Cookie Policy for more on analytics cookies.
  
  
• To Enforce Our Terms and Protect Our Platform: We may use information to monitor for violations of our Terms of Service or Acceptable Use Policy. For example, we might detect multiple accounts from one IP if it’s tied to abuse, or review communications if a violation is reported. We also use data (like logs and identifiers) to detect and prevent fraud, security incidents, and other malicious activities. If necessary, personal information may be used in investigations or to take action against illegal activities, threats to safety, or unauthorized access attempts. (Legal basis: legitimate interests in protecting our business, users, and compliance; legal obligation if relating to reporting illegal behavior.)
  
  
• To Comply with Legal Requirements: If we are subject to legal obligations to retain or disclose data, we will use and disclose information as required by law. Examples: responding to a court order or subpoena; maintaining transaction records for financial regulations and audits; fulfilling privacy law requirements such as responding to a verified consumer request under CCPA, or demonstrating compliance with GDPR obligations. We also may use contact information to send legally required notices (as mentioned, such as notice of a data breach or updates to terms). (Legal basis: compliance with a legal obligation.)
  
  
• In Support of Business Transfers: Should Kiddo undergo a business transaction like a merger, acquisition, or asset sale, personal information may be among the transferred assets. We would use the information as needed to evaluate or facilitate the transaction, and ensure that any successor continues to handle your information in line with this Policy (or provides notice and obtains consent for any changes). (Legal basis: legitimate interest in business continuity.)
  
  

We will not use personal information for purposes that are incompatible with those above without notifying you and obtaining any necessary consent. In particular, we do not sell personal data or share it for cross-context behavioral advertising in a way that would trigger opt-out rights under CCPA. We also do not use children’s data for any unrelated purposes – it’s only used to serve the Centers and Parents in the context of enrollment management.

3. Legal Bases for Processing (GDPR/UK GDPR)
For individuals in the European Economic Area, UK, or other regions with similar laws, we must specify the legal bases for processing your personal data. The table below outlines our primary bases:

• Performance of Contract: We process certain data because it is necessary to provide the Services under our Terms of Service. For example, processing account data and child info to enable waitlist management is based on contractual necessity – we can’t deliver the service otherwise.
  
  
• Legitimate Interests: We rely on legitimate interests for many operational purposes – such as improving the platform, preventing fraud, sending product updates to our users (Centers have an interest in getting tips, and we have an interest in retention), and securing our platform. When we process on this basis, we ensure that our interests are not overridden by individuals’ rights by conducting balancing tests. For instance, using analytics cookies – we seek consent where required, but where not strictly required, we limit data to what’s needed and allow opt-outs to balance privacy expectations.
  
  
• Consent: In certain cases, we ask for consent. For example, before sending marketing emails to a Parent who is not our direct customer, we might gather consent. Similarly, if we ever process any sensitive personal data beyond what’s needed (we generally avoid doing so), we’d obtain explicit consent or rely on the relevant legal allowances. When consent is our basis, you have the right to withdraw it at any time (which will not affect processing already done).
  
  
• Legal Obligation: Some processing is required to comply with law, e.g., retaining records for tax, responding to data subject rights requests, or disclosing data to authorities when legally compelled.
  
  
• Public Interest or Vital Interests: These bases are unlikely to apply to Kiddo’s usual operations. We do not perform tasks in the public interest (like government functions), nor do we typically process data to protect someone’s life (vital interest) except in an emergency situation where, say, sharing info is necessary to prevent harm.
  
  

If you have questions about the legal basis of specific processing or need more detail, please contact us (see Contact section).

4. How We Share Personal Information
We may share personal information with the following categories of recipients, for the purposes described:

• Centers and Parents (Mutual Sharing): The very nature of Kiddo is to share certain information between Centers and Parents. When a Parent submits an application or joins a waitlist for a Center, the information they provide (child’s name, birthdate, parent contact info, answers to application questions, etc.) is shared with that Center. Likewise, if a Center updates an application status or sends a message to a Parent via Kiddo, that information is shared with the Parent. This sharing is controlled by the user’s actions and is necessary for the Service. Note: One Center cannot see data about another Center’s applicants, and Parents do not see each other’s data (unless, for example, a Parent intentionally shares referral info with a friend – but that’s outside the platform’s standard operation).
  
  
• Service Providers (“Processors”): We use third-party companies to help us operate the Service. These include:
  
  
  
  • Hosting/Infrastructure: e.g., Amazon Web Services (AWS) for cloud hosting – personal data is stored on their secure servers.
    
    
  • Email and SMS Providers: e.g., an email sending service to deliver notifications, or Twilio (or similar) to send text messages to parents on our behalf. These providers would get the necessary info like phone numbers or email addresses and message content.
    
    
  • Payment Processors: as noted, Stripe processes all payment transactions. Stripe will receive personal data as needed to process payments – such as a payer’s name, card info, billing zip, email, etc. Stripe is a service provider in this context, and they are bound by their own privacy commitments and by us via contract not to use this info for other purposes.
    
    
  • Analytics/Tracking Partners: e.g., Google Analytics might process IP addresses and device info to give us insight into usage. We configure such tools to limit data sharing (for example, using IP anonymization where available).
    
    
  • Customer Support Tools: e.g., if we use a CRM or helpdesk (Zendesk, Intercom, etc.), and you contact us, your communications might flow through those systems which store your name, email, and issue details.
    
    
  • Other Vendors: We might engage vendors for functions like data backups, cybersecurity monitoring, marketing email distribution (if separate from our core email), etc. They will have access only to the data necessary for their function.
    
    

All service providers are contractually obligated to protect personal information and use it only for our authorized purposes (they act as our processors). We do not permit them to sell or use the data for their own marketing.

• Affiliates: If Kiddo in the future has affiliate companies (under common ownership), we might share data with them if needed to operate the Services or for corporate governance. For example, if Kiddo creates a subsidiary for international operations, data might flow between the US and that subsidiary to service European customers. Any affiliate will uphold privacy protections consistent with this Policy.
  
  
• Business Transfers: In the event of a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or other business combination, personal information may be transferred or disclosed as part of that deal. We would ensure that any recipient of the data (e.g., a new owner) honors the commitments in this Policy or provides notice of changes. For example, if Kiddo is acquired by another software company, user data would likely be one asset transferred, but users would be informed and could exercise rights (perhaps even to delete data) if they choose.
  
  
• Legal and Safety Disclosures: We may disclose information if we in good faith believe that such disclosure is necessary to:
  
  
  
  • Comply with the law or legal process: This includes responding to subpoenas, court orders, or governmental requests. We will attempt to limit the scope of disclosure to what is legally required and, if allowed, will notify affected users of the request so they can seek protection (unless clearly prohibited or if we believe it’s futile/unsafe to do so).
    
    
  • Enforce our rights: Such as disclosing information to enforce our Terms of Service, or to protect our services from fraudulent, abusive, or unlawful use.
    
    
  • Protect safety: If someone’s safety is at risk, or if we need to investigate and prevent security incidents or other harms, we might share data with relevant authorities. For example, if we suspect that a child is in danger or that our platform is being used for unlawful conduct harming a child, we may alert law enforcement consistent with applicable laws.
    
    
  • Address violations or disputes: For instance, if a Parent claims a Center misused their data, and attorneys get involved, we might share relevant records to resolve the dispute.
    
    

In any case of legal disclosure, we will carefully review requests and only provide information that is reasonably responsive and necessary. We may seek to redact or object where appropriate.

• With Consent: Aside from the above, if we want to share your info in a way not covered, we will ask for your consent. For example, if Kiddo wanted to feature a Parent’s story on our blog, we’d ask that Parent’s permission to use their name or quotes. Or if we plan any collaboration with a partner that requires user info, we’d present an opt-in.
  
  

Cross-Border Transfers: Kiddo is based in the United States. If you are using our Services from outside the U.S., note that personal information will likely be transferred to and processed in the United States (and possibly other countries where our service providers are located, such as Canada or EU for certain cloud services). These countries may have data protection laws different from those in your country (the U.S. may be seen as providing less legal protection than the EU, for example). We take steps to ensure appropriate safeguards when transferring data internationally, as detailed in Section 7 below.

5. Cookies and Tracking Technologies
Kiddo uses cookies, web beacons, and similar technologies (collectively “cookies” unless otherwise stated) to operate and improve our website and Services. We have a separate Cookie & Tracking Policy that provides detailed information, but here’s a summary:

• What Cookies Are: Cookies are small text files placed on your browser or device by websites. Web beacons are tiny graphics (pixel tags) that function similarly to convey info. SDKs are code in mobile apps that do related tracking.
  
  
• Types of Cookies We Use:
  
  
  
  • Necessary Cookies: These are essential for the website or app to function. For example, session cookies that keep you logged in as you navigate, or cookies that remember your language preferences. Without these, the Service may not work properly. These do not require consent in many jurisdictions, but we still disclose them.
    
    
  • Analytics/Performance Cookies: These help us understand how users engage with Kiddo. For instance, we use Google Analytics to see aggregate stats (which pages are visited, how long spent, etc.). This information is typically anonymized or aggregated. It helps us improve content and usability.
    
    
  • Functional Cookies: These may store preferences and settings that enhance your experience (like remembering a Center you last visited or pre-filling your login email).
    
    
  • Advertising Cookies: Currently, Kiddo does not display third-party ads to users, and we do not use advertising cookies targeting our users. If our marketing site uses any advertising or retargeting cookies (for example, a Facebook Pixel to track conversions from ads), we will disclose that. In any case, such cookies would not be used on the logged-in platform where children’s data is present – it might only be on marketing pages. We do not sell personal data for advertising purposes.
    
    
• Cookie Choices: On our first interaction (especially for users from regions like the EU), we will present a cookie consent banner if required. You can choose to accept or decline certain non-essential cookies. If you opt-out of analytics or other optional cookies, we will honor that. Additionally, most web browsers allow you to control cookies via settings (e.g., block third-party cookies, clear cookies). You can also use browser extensions to block trackers. For mobile apps, you can usually reset or limit ad tracking via device settings. Note: blocking cookies might affect Service functionality, particularly the necessary ones.
  
  
• Do-Not-Track Signals: Some browsers have a “DNT” setting. Currently, there is no consensus on how to interpret DNT signals. Kiddo’s systems do not respond to Do Not Track signals, and instead we provide the cookie management options described. We will update our practices if a standard emerges.
  
  
• Third-Party Analytics: We mentioned Google Analytics; Google provides an opt-out mechanism (a browser add-on) if you don’t want GA on any site. We might use other tools like Mixpanel or similar – if so, we will document them in our Cookie Policy and how to opt out.
  
  

For more details or an up-to-date list of cookies, please see our full Cookie Policy (which would list the individual cookies, their purposes, and lifespans).

6. Children’s Privacy and Parental Consent
Protecting children’s privacy is extremely important to Kiddo. Our Services are not directed to children under 13 for any direct use. Children cannot create accounts or interact with Kiddo without parental involvement. We comply with the U.S. Children’s Online Privacy Protection Act (COPPA) and similar laws. Here’s what that means in practice:

• Kiddo as an Operator for Parents and Schools: COPPA applies when an online service is collecting personal information from children under 13. In Kiddo’s case, we design the system such that the parent or guardian provides the child’s info, or a trusted school staff member does so with parental authorization. We do not knowingly collect info from the child directly. For example, a 4-year-old child is not filling out their own form; the parent is. Therefore, verifiable parental consent is obtained offline by the school or inherently given by the parent’s actions online. We operate under the assumption that when a Parent enters child data, that is an act of consent for us to have that data to fulfill the enrollment/waitlist purpose.
  
  
• No Child Accounts: A child cannot log in to Kiddo or access the platform. If in the future we introduced any child-facing feature (unlikely for an enrollment tool, but hypothetically an older child might check in via an app at a center), we would implement age gates and parental consent flows as required.
  
  
• Parental Rights (COPPA and beyond): If you are a parent or guardian and you have submitted your child’s personal information through Kiddo (or a center did so on your behalf), you have rights to review that information, have it deleted, and refuse further collection or use of the child’s information. Practically, because the Center is the primary collector in many cases, a parent should first contact the Center to exercise these rights (e.g., withdraw an application if you no longer want data stored). You can also contact Kiddo directly at privacy@kiddosoftware.com and we will facilitate your request with the relevant Center. If a Parent withdraws consent for Kiddo to retain a child’s info (for example, after leaving a waitlist), we will delete the child’s personal data from our records (unless retention is required by law or legitimate interests like recordkeeping). Note that deleting data might mean the child can no longer be considered for enrollment via Kiddo.
  
  
• If a Child Directly Contacts Us: If a child under 13 (or under the applicable age in their jurisdiction, e.g., under 16 in the EU) somehow tries to communicate with Kiddo or sign up, we will not keep their information. For instance, if a kid emailed our support asking a question, we would respond appropriately (likely seeking the parent’s involvement) and then purge the contact. If we ever discover that we collected personal data directly from a child, we will delete it promptly. Parents can also notify us if they believe we have any unauthorized data about their child.
  
  
• Design Measures: We design our user interface and data flows with children’s privacy in mind. We minimize the data about children we request – typically just what Centers need (basic identity and enrollment info). We avoid any public display of child info. Only the child’s own parent and the relevant Center can see a child’s personal details on Kiddo.
  
  

For users in other jurisdictions: our approach is in line with GDPR’s requirements for children’s data (we require parental action, and if we did need consent for say a 15-year-old’s data in Europe, we’d get the parent’s OK since under 16 requires it). Australia and New Zealand also emphasize handling children’s data carefully and usually obtaining consent from guardians, which we do.

7. International Data Transfers
Kiddo is headquartered in the United States, and the personal information we collect is generally stored on servers located in the U.S. However, we serve users in multiple countries (U.S., Canada, UK, EU, Australia, NZ, etc.), which means personal data may be transferred or accessed internationally:

• Transfers from EU/UK/Switzerland: If you are in the European Union, United Kingdom, or a country with data transfer restrictions, know that when you provide data to Kiddo, it will likely be transferred to the United States. The EU and UK have determined that the U.S. does not have “adequate” privacy laws, so we rely on specific mechanisms to legitimize the transfer. Typically, we use the European Commission’s Standard Contractual Clauses (SCCs) and the UK’s International Data Transfer Addendum as appropriate. These are contractual commitments between our entity and (if applicable) our EU/UK customers or among our affiliates and service providers, obligating all parties to protect personal data according to EU privacy standards. If required, we can provide a copy of these clauses upon request. Additionally, we may implement supplementary measures (encryption, access controls) to further secure the data during and after transfer.
  
  
• Other Countries: For Canada, personal data can flow to the U.S. under PIPEDA as long as individuals are informed and the data is protected (which we do). For Australia and New Zealand, we will only transfer data outside those countries in compliance with their requirements (ensuring similar protection or getting consent). In general, by using our Services or providing us personal information, you consent to the transfer of information to the U.S. and any other country in which Kiddo or its service providers maintain facilities. We recognize that other countries might have different data protection rules than your country, but as noted, we take steps to maintain a high level of privacy protection wherever the data is.
  
  
• Cloud Infrastructure: Some of our subprocessors may store data in other regions – for example, if we use a European data center for some processing, EU user data might be kept within EU in some cases, but it’s safest to assume cross-border movement. We maintain a list of key subprocessors and their locations in our DPA or on our website, so that customers (Centers, mainly) are aware.
  
  
• Government Access: We want to transparently note that when data is in the U.S., it may be subject to lawful access by U.S. authorities (under laws like FISA or the Cloud Act). We have no indication of any interest by authorities in our type of data (childcare info is not a likely national security target), but we have to mention it. We commit to challenging unlawful or overbroad requests and, where feasible, to notify individuals of government demands as part of our policy on legal disclosures (see section 4).
  
  

8. Data Retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. Here’s our general retention approach:

• Account Data: We keep your account information while your account is active. Center accounts: as long as the Center subscribes to Kiddo. Parent accounts: as long as you have an ongoing relationship (e.g., your child is on a waitlist or enrolled at a Center using Kiddo). If a Parent’s application is declined or they remove themselves, the Parent might still keep an account for future use, and we retain it until they choose to delete it or after a prolonged period of inactivity (with notice). If you deactivate or request deletion of your account, we will delete or anonymize your personal info within a reasonable period, except as noted below for certain data we may need to keep.
  
  
• Children’s Data: Enrollment records and child profiles are typically tied to Center accounts. A Center may archive or delete records of families that are no longer attending or on waitlists. Kiddo may keep archived copies on our servers for backup or legal purposes for some time. We strongly emphasize minimal retention for children’s sensitive info – if not needed, it should be deleted. We abide by Centers’ instructions under the DPA for deleting data when requested. If a Parent account is deleted, any associated child data is either deleted or retained only as part of the Center’s records (if the Center is still using it). We won’t keep orphaned child data indefinitely if there’s no business need.
  
  
• Transactional Data: Payment records are retained in accordance with financial recordkeeping rules – often at least 7 years, since financial transactions may be needed for audits, tax, or accounting, and to resolve any disputes. We keep minimal info (e.g., ledger of who paid whom, when, and how much), not full payment details (card numbers aren’t stored by us anyway).
  
  
• Communications: Support emails or chat logs might be kept for a period (up to a couple of years) to train our team and monitor issues. Critical communications (like a parent confirming something important) might be attached to account history and retained as long as the account is active.
  
  
• Logs and Backups: Our system logs (recording events, errors, sign-in attempts) may be kept for security analysis for several months. Backup databases might store snapshots of data – we typically rotate and purge backups on a set schedule (e.g., incremental backups overwritten after 30 days, full backups monthly and kept for 6 months, etc.). Once the retention period expires, we delete or anonymize the data in backups as well.
  
  
• Legal Holds: If we are in a legal dispute or under investigation that requires us to preserve certain data, we will retain that specific data until it is resolved, even if it would otherwise be removed.
  
  

After the retention period, we either delete personal data or anonymize it (so it can no longer be associated with an individual). For example, we might keep aggregated usage statistics that no longer identify anyone, to understand our business trends. If deletion is not immediately feasible (e.g., archived on old backups), we ensure it’s securely stored and isolated until deletion is possible.

9. Your Rights and Choices
Depending on where you live and whether you are using Kiddo as a consumer (Parent) or on behalf of a business (Center), you may have certain legal rights regarding your personal information. We strive to let all users control their data as much as practicable. Key rights include:

• Right to Access: You can request that we confirm whether we are processing your personal information and provide a copy of that information. For Parents, much of your info (and your child’s info) is visible by logging into your account or by asking the Center. You may contact us to get a full report of what we have on you if needed. We will provide this in a commonly used format. For EU users, this is the GDPR right of access; for California, the right to know categories and specific pieces of info we’ve collected.
  
  
• Right to Rectification (Correction): If any personal data we have is inaccurate or incomplete, you have the right to request correction. In many cases, you can edit certain profile info yourself (e.g., update your contact info). For data that you cannot change (like a Center’s admin notes on your application), you can request the Center or us to correct it. We’ll honor correction requests where feasible. (We might need to verify accuracy of new info, etc.)
  
  
• Right to Deletion: You may request that we delete personal information we have collected from you. This is subject to some exceptions: e.g., we might retain data that is required for our internal purposes like completing a transaction you’re involved in, detecting security incidents, complying with legal obligations, etc. If you are a Parent and want your and your child’s info deleted, the simplest path is often to contact the Center to ensure they don’t need the data, then contact us. We will delete the data from our active systems and instruct our processors to do the same. (Keep in mind, if your child is currently enrolled or on a waitlist, deletion would disrupt that – so deletion is typically appropriate after that relationship ends.)
  
  
• Right to Opt-Out of “Sale” or “Sharing” (California): We do not sell personal data as defined by CCPA, nor do we share it for targeted advertising. Therefore, there is generally no need to opt out. We also do not have actual knowledge of selling data of minors under 16. If in the future our practices change (unlikely), we would implement a “Do Not Sell or Share” link and process accordingly.
  
  
• Right to Limit Use of Sensitive Info (California): If we collect “sensitive personal information” (as defined by CPRA – e.g., account login with password, precise geolocation, etc.), California residents can direct us to limit its use to what’s necessary for providing the services. We essentially already do that – we only use sensitive info (like login credentials or child health info) to provide the service, not to infer characteristics or for secondary purposes. If you have concerns, you can contact us and we will honor any rights to limit use or disclosure of sensitive data.
  
  
• Right to Non-Discrimination: We will not discriminate or retaliate against you for exercising any of your privacy rights. For example, we won’t deny you services or charge you a different price just because you made a data rights request (except insofar as your request might make it impossible for us to continue providing the service, e.g., if a Parent requests deletion of all data while still wanting to use the waitlist – we’d explain the conflict).
  
  
• Right to Withdraw Consent: If we rely on consent for any processing, you can withdraw that consent at any time. For instance, if you gave consent to receive marketing emails, you can unsubscribe. If you gave explicit consent for something like using an optional feature, you can disable it. Withdrawing consent does not affect the lawfulness of processing before the withdrawal.
  
  
• Right to Object (GDPR): If you are in the EU/UK, you can object to processing based on our legitimate interests or for direct marketing. If you object to marketing, we will stop (as we do for unsubscribe). If you object to other processing (like analytics), we will evaluate the request – if we have compelling legitimate grounds to continue, we may (for example, security logging we might need to retain), otherwise we’ll honor your objection by ceasing that processing for your data.
  
  
• Right to Restrict (GDPR): You can ask us to restrict processing of your personal data under certain circumstances (for example, while a data accuracy issue is being resolved or if the processing is unlawful and you oppose deletion).
  
  
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to have that transmitted to another controller when feasible. For example, a Parent could request an export of all their and their child’s info to send to another childcare software or to keep a copy. We will provide such exports upon request, typically as CSV or JSON files.
  
  
• Right to Complain: If you have concerns about our data practices, you have the right to lodge a complaint with a supervisory authority. EU users can contact their nation’s Data Protection Authority; UK users can reach out to the ICO. Canadian users can contact the Office of the Privacy Commissioner. Australian users can reach OAIC. We would appreciate the chance to address your concerns directly first, so we invite you to contact us and we’ll do our best to resolve the issue.
  
  

Exercising Your Rights: To make any request regarding your personal data, you (or an authorized agent, where applicable by law) can contact us at privacy@kiddosoftware.com. Please specify which right you wish to exercise and provide enough information for us to verify your identity. Verification may include confirming control of the email associated with your account, or other information we have on file. For certain requests (like access or deletion for California residents), we may need to obtain a signed declaration verifying your identity due to the sensitivity of the data.

For authorized agents (California): If you want someone else to make a request on your behalf, we need proof of their authority (e.g., a written permission from you or a power of attorney). We will also likely ask you to verify your identity directly or confirm to us that you provided the agent permission.

We will respond to requests within the timeframe required by law. Under GDPR that’s typically one month (extendable by two if complex). Under CCPA, we aim for 45 days (extendable by another 45 if necessary). If we need an extension, we’ll inform you of the reason and length.

Some requests we might decline if an exemption applies. For example, if you as a Parent ask for deletion of records that the Center needs to keep for legal reasons, we might have to deny that but explain why. We will always inform you of the outcome of your request and the reasoning if we cannot fulfill it entirely.

10. Security Measures
Kiddo employs a variety of security measures to protect personal data from unauthorized access, disclosure, alteration, and destruction. We recognize that the data we handle (especially about children) is sensitive and requires strong safeguards. Our security program includes:

• Encryption: We encrypt personal data in transit using TLS (HTTPS on our website and app). We also enforce HSTS to ensure browsers only use secure connections. For data at rest, we encrypt sensitive data fields in our databases and utilize disk encryption on servers. For example, any passwords are stored as salted hashes (we never store plaintext passwords), and certain sensitive fields (like perhaps health info) might be encrypted at the application level too.
  
  
• Access Controls: We implement strict access controls so that only authorized Kiddo employees or service provider personnel with a legitimate need can access personal data. This includes role-based access within our company (for instance, support agents can only see info relevant to assisting users, and even then, maybe partially masked in some cases). All access to administrative tools is protected by strong authentication (password policies, two-factor authentication) and logged. We also require our Centers and Parents to create strong passwords, and we support multi-factor authentication for user accounts where possible to prevent unauthorized account access.
  
  
• Network and System Security: Our servers are protected by firewalls and monitored for intrusion attempts. We regularly update software and apply security patches to address vulnerabilities. We run anti-malware and threat detection on our systems. We also utilize monitoring solutions to detect anomalies or suspicious behavior in our infrastructure.
  
  
• Testing and Audits: We conduct periodic security assessments, such as penetration testing by third-party experts, to find and fix vulnerabilities. We may also obtain security certifications or compliance audits (for example, we aim to align with SOC 2 or ISO 27001 principles as the company grows). Our payment processing relies on Stripe, which is PCI-DSS compliant, ensuring card information is handled with top security.
  
  
• Employee Training and Policies: All Kiddo employees undergo privacy and security training upon hiring and periodically thereafter. We emphasize confidentiality and have internal policies about handling user data. Only staff who need to assist with the product or support have access to personal data, and they are bound by confidentiality obligations. We also vet our employees (background checks where allowed) especially those with access to sensitive systems.
  
  
• Data Minimization: We only collect data that is needed, and keep it only as long as necessary (as described in retention). By minimizing what we store, we reduce risk. For instance, we don't store any financial account numbers on our servers, and we avoid collecting social security numbers or other highly sensitive info in our workflows unless absolutely required (currently, we do not collect such info).
  
  
• Incident Response: Despite best efforts, no system is 100% secure. We have an incident response plan in place for handling any data breaches or security incidents. If a breach is suspected or detected, we will immediately investigate, mitigate any harm, and comply with breach notification laws. This means, if personal data is compromised, we will notify affected Centers and/or individuals as required – for example, GDPR requires notice to authorities within 72 hours for significant breaches, and various U.S. state laws require notifying affected individuals without unreasonable delay. We will provide information on the nature of the breach, the data affected, and steps we are taking and that users should take to protect themselves.
  
  

While we are committed to security, it’s important for Users as well to play a part:

• Keep your credentials safe: Don’t share your password or login link with others. Use a unique, strong password for Kiddo. If you suspect someone obtained your account info, change your password immediately and notify us.
  
  
• Phishing awareness: Kiddo will never ask you for your password via email or phone. Be cautious of emails that look like Kiddo but request sensitive info. Verify the sender and if in doubt, contact us directly.
  
  
• Device security: If you use our mobile app or access via a personal device, ensure your device is protected (PIN, not jailbroken, etc.) and use anti-malware software if applicable.
  
  

We follow industry best practices and continuously improve our security as threats evolve. However, we must note that no method of transmission over the internet or electronic storage is perfectly secure. Therefore, while we strive to protect your personal information, we cannot guarantee its absolute security. In the unlikely event of a security compromise, we will follow the steps mentioned to inform and protect our users.

11. Additional Notices for Specific Regions

11.1. California Residents: If you are a California resident, this Privacy Policy is intended to comply with the CCPA/CPRA. In Sections above, we have outlined the categories of personal information collected (which correspond to those in the CCPA, like identifiers, characteristics of protected classifications – e.g., child’s age could imply age group under 40, etc., Internet activity, geolocation, education information if any, etc.), the business purposes for collection, the categories of sources (primarily you, or Centers on your behalf), and the categories of third parties with whom we share personal information (service providers, Centers, etc.). We do not sell data, and we only “share” for behavioral advertising as described (virtually none, except perhaps our own cross-context promotions which currently we do not do). California law also grants you specific rights, which we detailed in Section 9 (access, deletion, etc.) and we provided methods to exercise them. There is a California Supplemental Notice available (if needed) that restates some of this in legal format for clarity. Also, under California’s “Shine the Light” law, residents can ask for a list of what personal info (if any) we disclosed to third parties for their direct marketing in the past year. We do not disclose personal data to third parties for independent direct marketing, so there’s nothing to list in that regard.

11.2. Canadian Residents: If you are in Canada, we comply with PIPEDA and substantially similar provincial laws where applicable. We will obtain your consent for collection, use, and disclosure of personal info, except where otherwise permitted by law. By using the service (and in particular by providing child info as a Parent), you are consenting to our handling of that information as described. We also note that your data may be processed outside Canada (in the U.S.), as described in Section 7. Canadian law rights are similar to others – you can request access and correction of your info. We will respond to such requests within a reasonable time. If you are not satisfied, you can contact the Office of the Privacy Commissioner of Canada. Kiddo does not charge any fee for handling your access request (unless it’s exceptionally burdensome, then we’d only charge what the law allows and inform you beforehand). We do not require you to provide social insurance numbers or health card numbers – we do not collect those, so you won’t be asked for highly sensitive Canadian identifiers.

11.3. European Economic Area (EEA) and UK Individuals: Kiddo is the data “controller” for personal data we collect directly (like account info), and a “processor” for data we handle on behalf of Centers. Our EU/UK representative (if appointed) and/or DPO contact will be listed on our website or available by contacting us – since we process special categories (children’s data), we may appoint a Data Protection Officer to oversee compliance. You have the rights under GDPR as described earlier. You also have the right to lodge a complaint with your local Data Protection Authority (for example, in France, CNIL; in Germany, each state’s DPA; in the UK, the ICO). We ask that you come to us first so we can try to resolve it amicably. For international transfers, we rely on Standard Contractual Clauses as noted, and you can ask for a copy or information about where they’re used. We also commit to complying with GDPR principles of transparency, purpose limitation, data minimization, etc., in all processing.

11.4. United Kingdom: Post-Brexit, UK law aligns with EU GDPR with some differences. We handle UK data under UK GDPR and DPA 2018 rules. A UK resident can complain to the ICO as mentioned. If required, we will designate a UK representative (similar to an EU representative) if we systematically offer services in the UK and no local presence. This rep’s details would be in an appendix or on our site.

11.5. Australia: We comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Although as a small business we might be exempt if revenue is under $3m, we voluntarily choose to comply given the sensitive nature of data. This means:

• We will only use your information for the purposes we collected it (or related purposes you’d expect, or otherwise with consent).
  
  
• If we transfer data overseas (to the U.S.), we take steps to ensure similar protection as APPs require, or we seek your consent for the transfer. By using our services, Australian users are deemed to consent to the transfer of their data to our servers overseas for the stated purposes.
  
  
• You can request access to or correction of your personal information by contacting us, and we will respond as per APP guidelines (generally within 30 days). We can refuse in limited circumstances (e.g., if giving access poses a serious threat to someone or is unreasonably burdensome), but we’ll give reasons.
  
  
• If you have a complaint, contact us to resolve. If not satisfied, you may complain to the Office of the Australian Information Commissioner (OAIC).
  
  
• We do not use your personal info for direct marketing to you unless you’d reasonably expect it or we have your consent; and we will include opt-out options.
  
  
• We don’t typically collect any government identifiers (like TFNs or Medicare #) – if we ever did, we wouldn’t use them to identify you in our system.
  
  

11.6. New Zealand: Kiddo adheres to the NZ Privacy Act 2020 and its Information Privacy Principles (IPPs) to the extent applicable. The data we collect is primarily provided by you (IPP1–4 compliance). We will not use personal info in ways that are unfair or intrude unreasonably on personal affairs (respecting IPP 4). We give you access and correction rights (IPP6 & 7) as detailed. We also meet overseas transfer requirements (we believe the protections in the U.S. via SCCs etc. and our practices ensure comparable safeguards, satisfying NZ IPP12 “cross-border disclosure” rules). If you have concerns, you can reach out to us or to the NZ Privacy Commissioner.

If any provision of this Privacy Policy is inconsistent with a law of a specific jurisdiction, we will interpret and apply the Policy in a way that complies with that law.

12. Updates to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make a material change, we will notify users in an appropriate manner. This might include:

• Posting a prominent notice on our website or within the app (e.g., a banner or popup about the Privacy Policy update).
  
  
• Updating the “Last Updated” date at the top of the Policy.
  
  
• For significant changes, we may also email registered account holders to inform them of the new Policy.
  
  

We encourage you to review this Policy periodically to stay informed about how we are protecting your information. If you continue to use Kiddo after an update takes effect, it generally indicates your acceptance of the revised Policy. If you do not agree to the changes, you should discontinue use of the Services and can request that your data be removed.

For historical reference or to compare, we maintain archives of previous versions of our Privacy Policy (available upon request or via our website if we provide a changelog).

13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or about how your personal information is handled, please contact us at:

• Email: privacy@kiddosoftware.com
  
  
• Address: Privacy Officer, Greater Than Gravity LLC (Kiddo), 7405 Thompson Ave SE, Snoqualmie, Washington, USA.
  
  

We will gladly address your inquiries and work with you to resolve any issues.

By using Kiddo’s Services, you acknowledge that you have read this Privacy Policy and agree to its terms. Thank you for entrusting Kiddo with your childcare management needs and the personal information that comes with it – we take that trust seriously and are dedicated to keeping your data safe and your privacy respected.

‍