Privacy Policy

Last updated: 3/19/2026

Privacy Policy

Last updated: March 19, 2026

Kidy (hereinafter referred to as "Kidy", "we", "our", "us") is committed to protecting the privacy and security of your personal data. This Privacy Policy describes how we collect, use, store, and protect your information when you use the Kidy platform (website, mobile application, and associated services).

Kidy is a SaaS (Software as a Service) platform designed for educational institutions (kindergartens, schools, after-school programs) and operates in compliance with the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679.

1. What Data We Collect

We collect the following categories of personal data:

a) Data provided directly by users

  • Account data: first name, last name, email address, phone number, role within the institution (administrator, educator, parent)
  • Institution data: institution name, address, billing information
  • Payment data: payment information is processed by Stripe and is not stored on our servers
  • Communications: messages sent through the integrated messaging platform

b) Children's data

  • First and last name
  • Date of birth
  • Attendance and absence records
  • Enrollment data and class/group assignments
  • Relevant medical information (allergies, special conditions) – only if provided by parents or the institution

c) Automatically collected data

  • IP address
  • Browser and device type
  • Pages visited and session duration
  • Cookie data (see our Cookie Policy)
  • Push notification tokens (Firebase Cloud Messaging)

2. How We Use Your Data

We use your data for the following purposes:

  • Service delivery: managing accounts, authentication, administering institutions and student/child data
  • Communication: sending push notifications, transactional emails, and in-platform messages
  • Billing: processing payments and issuing invoices
  • Platform improvement: statistical analysis and technical issue diagnostics
  • Legal compliance: fulfilling applicable legal obligations
  • Security: fraud prevention and platform protection

3. Legal Basis (GDPR Art. 6)

We process your data based on the following legal grounds:

  • Performance of a contract (Art. 6(1)(b)): processing is necessary for providing the Kidy service under contractual terms
  • Consent (Art. 6(1)(a)): for analytics and marketing cookies, push notifications, and marketing communications
  • Legitimate interest (Art. 6(1)(f)): for platform improvement, fraud prevention, and IT security
  • Legal obligation (Art. 6(1)(c)): for compliance with tax and reporting requirements

4. Children's Data

Kidy processes children's data exclusively as a data processor, under the instructions of educational institutions (data controllers). Institutions are responsible for obtaining the necessary consent from parents/legal guardians.

We do not collect data directly from children. All children's data is entered by authorized institution staff or by parents through the application.

Children's data is used exclusively for educational and administrative purposes: attendance, group management, parent communication, and reporting.

5. Data Sharing with Third Parties

We do not sell your personal data. We share data only with the following categories of providers:

  • Amazon Web Services (AWS): infrastructure hosting – EU region (Frankfurt, Germany). Data processing agreement in place.
  • Stripe: credit card payment processing. Stripe acts as an independent controller for payment data. Stripe Privacy Policy.
  • Firebase (Google): push notification delivery. Google processes only device tokens and notification content.
  • Google Analytics: platform usage analysis (anonymized/pseudonymized data).
  • Email providers: transactional email delivery.

All our providers are GDPR-compliant and have signed Data Processing Agreements (DPAs).

6. International Data Transfers

Your data is stored on AWS servers located within the European Union (Frankfurt, Germany). In cases where a service provider transfers data outside the EU/EEA, we ensure adequate safeguards are in place (Standard Contractual Clauses, adequacy decisions, or other approved mechanisms).

7. Data Retention

We retain your data according to the following rules:

  • Account data: for the duration of the active account + 30 days after deletion
  • Children's data: for the duration of enrollment + according to the institution's retention policy
  • Billing data: 10 years as required by Romanian tax legislation
  • Security logs: 12 months
  • Cookie data: according to the durations specified in the Cookie Policy

Upon termination of an institution's subscription, data is retained for a 30-day grace period, after which it is permanently deleted.

8. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15): you can request a copy of your personal data
  • Right to rectification (Art. 16): you can correct inaccurate data
  • Right to erasure (Art. 17): you can request the deletion of your data ("right to be forgotten")
  • Right to restriction of processing (Art. 18): you can limit data processing
  • Right to data portability (Art. 20): you can receive your data in a structured, commonly used, and machine-readable format
  • Right to object (Art. 21): you can object to processing in certain circumstances
  • Right to withdraw consent: at any time, without affecting the lawfulness of prior processing

To exercise your rights, contact us at contact@kidy.pro. We will respond within 30 days.

You have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) – www.dataprotection.ro.

9. Cookies

We use cookies and similar technologies for platform functionality, analytics, and marketing. For full details, please refer to our Cookie Policy.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS/SSL) and at rest (AES-256)
  • Secure authentication with JWT tokens
  • Multi-tenant database isolation
  • Regular encrypted backups
  • Continuous monitoring and access logging
  • Role-based access control (RBAC)

11. Contact Information

For any questions regarding this policy or your personal data:

12. Changes to This Policy

We reserve the right to update this Privacy Policy. Significant changes will be communicated via email or in-platform notification. The date of the last update is indicated at the beginning of this document.

Continued use of the platform after changes are published constitutes acceptance of the new version of the policy.