KIDLENA — PRIVACY POLICY
Version 2026-07-13
This Privacy Policy explains what personal data Kidlena collects, why, and
what rights you have over it. It should be read together with our Terms &
Conditions. "We", "us", "our" means [COMPANY LEGAL NAME], [REGISTERED
ADDRESS] (the data controller for this service) unless stated otherwise.
1. WHO KIDLENA IS FOR
Kidlena accounts are created and used by parents/legal guardians (18+), not
by children. Children never create an account, log in, or interact with
Kidlena directly — all information about a child is entered by their
parent/guardian. If we become aware that a child has registered their own
account, we will delete it and the associated data.
2. WHAT WE COLLECT
(a) Account data: your name, email address, hashed password (bcrypt — we
never store your password in plain text), locale, and timezone.
(b) Child data you provide: your child's name, birth date, avatar, and any
free-text notes you add.
(c) Child facts: structured facts about your child (e.g. interests,
routines, temperament, screen time, siblings) either entered by you during
onboarding or inferred from your chat messages with the guide, always
grounded to what you actually wrote. You can view, correct, or delete any
fact at any time.
(d) Conversations: the text of your chats with the AI guide. Each parent's
conversations are private to them — not shared with a co-parent, even
within the same family.
(e) Growth moments and narratives: short qualitative observations you or
the app record about your child's development. By design we never generate
or store a numeric score, rating, or ranking of a child (no IQ/EQ score,
no leaderboard) — see Section 6.
(f) Plans and activities: suggested and completed activities, and any
feedback or skip reasons you provide.
(g) Technical/usage data: login timestamps, rate-limiting counters tied to
your email/IP (to block brute-force and spam), and token/cost metering for
AI usage tied to your account.
(h) We do not use cookies, third-party analytics, advertising SDKs, or
tracking pixels. We do not run any behavioral advertising.
3. WHY WE PROCESS IT (LEGAL BASIS)
- Providing the account, child profiles, chat, plans, and growth features:
necessary to perform our contract with you (GDPR Art. 6(1)(b)).
- Security, fraud/abuse prevention, and rate-limiting: our legitimate
interest in keeping the service safe and available (Art. 6(1)(f)),
balanced against your rights — we keep this data minimal and short-lived.
- Sending you a password-reset code: necessary to perform our contract /
your explicit request (Art. 6(1)(b)).
- Anything we ask you to separately opt into in the future: your consent
(Art. 6(1)(a)), which you can withdraw at any time without affecting the
lawfulness of processing before withdrawal.
We do not process any category of special/sensitive data (e.g. health,
biometric data) as a matter of policy; please avoid entering such details
in free-text notes or chat beyond what's needed for parenting context, and
never enter data for medical decision-making — see our Terms, Section 2.
4. WHO WE SHARE DATA WITH
We do not sell your personal data or your child's data, and we do not share
it for third-party advertising. We use a small number of processors, strictly
to operate the service:
- Groq, Inc. — receives your chat messages and relevant child context
(never your raw account credentials) to generate the AI guide's
responses. Groq is based in the United States.
- Amazon Web Services (AWS) — hosts our application server and database.
- Our transactional email provider — sends password-reset emails only
(your email address and a one-time code; no marketing).
Embeddings used for retrieving knowledge-base content are computed locally
on our own server and are not sent to any third party.
We may also disclose data if required by law, to enforce our Terms, or to
protect the safety of a user or the public.
5. INTERNATIONAL DATA TRANSFERS
If you are located in the EEA, UK, or another jurisdiction with data-
transfer restrictions, your data may be transferred to and processed in the
United States (by Groq and AWS, and depending on our email provider) under
appropriate safeguards such as Standard Contractual Clauses. Contact us
(Section 10) for details of the safeguards used for a specific transfer.
6. NO PROFILING OR SCORING OF CHILDREN
We deliberately never produce or store a numeric assessment, score, rating,
or ranking of a child (no IQ/EQ score, no leaderboard, no percentile). We do
not carry out automated decision-making that produces legal or similarly
significant effects concerning a child, within the meaning of GDPR Art. 22.
Growth narratives are qualitative, generated to help you reflect — not to
evaluate your child.
7. DATA RETENTION
We retain your account and child data for as long as your account is
active. Deleting a child profile immediately and permanently erases all
data tied to that child (facts, plans, conversations about them, growth
moments/narratives, nudges). Deleting your account permanently erases your
account and personal data as described in Section 9; if you are the sole
member of your family, this also erases your family's children and their
data. Password-reset codes expire and are purged automatically. Rate-limit
counters are short-lived (minutes) and not retained.
8. SECURITY
Passwords are hashed with bcrypt and never stored or logged in plain text.
Traffic to our servers is encrypted in transit (TLS). Access tokens are
short-lived; refresh tokens are long-lived but revocable by changing your
password. We apply rate limiting to slow credential-stuffing and brute-force
attempts. No method of transmission or storage is 100% secure, and we
cannot guarantee absolute security.
9. YOUR RIGHTS
Depending on your location, you may have the right to: access the personal
data we hold about you; correct inaccurate data; erase your data ("right to
be forgotten"); restrict or object to certain processing; receive your data
in a portable format; and withdraw consent at any time. In the app, under
Profile, you can already: edit or delete any child fact, delete a child
profile (erasing all of that child's data), and request a full account
deletion and a data export. For anything the app doesn't yet self-serve,
email us (Section 10) and we will respond within 30 days. If you are in the
EEA/UK, you also have the right to lodge a complaint with your local data
protection supervisory authority.
10. CONTACT
Questions about this policy, or to exercise a privacy right not yet
available in-app: abdul18raheem@gmail.com
11. CHANGES TO THIS POLICY
We may update this policy. When we make material changes, we will publish a
new version and ask for your consent again before continued use, the same
way we do for our Terms & Conditions.