Privacy Policy

Last updated: May 31, 2026

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) is:

Kiddowall is a parental control platform for iOS devices, designed to help parents protect their children online while respecting their privacy and applicable law.

2. Data Collected

Kiddowall collects the following categories of personal data:

Parent account data

  • First name and last name
  • Email address
  • Hashed password (bcrypt)
  • Two-factor authentication (2FA) secret
  • Subscription plan and billing history

Child profile data

  • First name and date of birth (to determine age)
  • Profile picture (optional)

Device data

  • Device type (iPhone/iPad), model, iOS version
  • MDM enrollment status
  • Battery level and storage space (read by MDM)

Usage and activity data

  • Real-time GPS location of enrolled devices
  • DNS browsing history (domains visited, timestamp, blocked/allowed status)
  • Per-application screen time
  • Geographic zone entries and exits

Technical data

  • IP address (at login, anonymized after 24 hours)
  • Authentication logs (access dates, IP addresses)
  • Error and diagnostic logs

3. Purposes of Processing

Parental control service

Provide web filtering, screen time management, geographic zones and real-time location tracking. This is the core purpose for which all usage data is collected.

Child safety and parental alerts

Send push or email notifications to parents when a child leaves a defined geographic zone, attempts to access blocked content, or when a device goes offline.

Account management

Create and maintain parent and child accounts, manage authentication (including 2FA), and handle subscription billing.

Service improvement

Analyze aggregated, anonymized usage statistics to improve platform performance, filter accuracy and user experience. No personal data is shared with third parties for this purpose.

Legal compliance

Maintain records to comply with applicable laws (GDPR, COPPA) and respond to legitimate legal requests from authorities.

4. Legal Basis for Processing

Parental consent (Art. 6(1)(a) GDPR): When creating an account, the parent explicitly consents to the collection and processing of their child's data (location, browsing history, screen time) for parental control purposes. This consent can be withdrawn at any time by deleting the child's profile or the parent account.

Contract performance (Art. 6(1)(b) GDPR): Processing parent account data (email, password, billing) is necessary to provide the Kiddowall service under the terms of use accepted at registration.

Legitimate interest (Art. 6(1)(f) GDPR): Security logs and fraud prevention measures are processed on the basis of Kiddowall's legitimate interest in securing the platform and protecting minors from harm.

Regarding children under 13 (COPPA compliance): Kiddowall does not create accounts for children. Only parents create accounts and manage their children's profiles. The child's device is enrolled by the parent. We do not knowingly collect personal data directly from children. Parents bear full legal responsibility for providing accurate consent.

5. Data Retention

Data category        | Free plan | Premium plan
DNS browsing history | 7 days    | 90 days
GPS location history | 24 hours  | 30 days
Screen time data     | 7 days    | 90 days
Alert logs           | 30 days   | 90 days
Parent account data  | Until account deletion, then 30 days backup before permanent deletion
Authentication logs  | 12 months (legal requirement)
Billing data         | 10 years (French accounting law)

Any data can be deleted immediately upon request (see section 6). Account deletion triggers the permanent erasure of all associated data within 30 days.

6. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15 GDPR): You may request a copy of all personal data held about you and your children. You can export your data in JSON format directly from Settings > Privacy > Export my data.

Right of rectification (Art. 16 GDPR): You may correct any inaccurate or incomplete personal data from within your account settings.

Right to erasure (Art. 17 GDPR): You may request the deletion of your account and all associated data from Settings > Privacy > Delete my account. Deletion is permanent and irreversible.

Right to data portability (Art. 20 GDPR): You may request your data in a structured, commonly used, machine-readable format (JSON).

Right to object (Art. 21 GDPR): You may object at any time to processing based on legitimate interest by contacting us at [email protected].

Right to restrict processing (Art. 18 GDPR): You may request restriction of processing of your data in the circumstances provided for by the GDPR.

Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority (in France: CNIL).

7. Processing of Minors' Data

Kiddowall is a parental control tool. The data of minors (location, browsing history, screen time) is collected exclusively for the purpose of enabling parents to exercise their supervisory duty. Children cannot create Kiddowall accounts themselves.

COPPA compliance (Children under 13 — United States): Kiddowall does not knowingly collect personal information directly from children under 13. Enrollment of a child's device is performed exclusively by the parent or legal guardian. If you believe that a child under 13 has provided personal data without parental consent, please contact us immediately at [email protected] and we will delete it promptly.

GDPR — Children's consent (Art. 8 GDPR): In the EU, where the lawful basis is consent, Kiddowall requires the consent of a parent or legal guardian for any child under the applicable national age (16 years in France, or lower in other member states). By creating a child profile, the parent confirms they are the legal guardian and have the authority to consent on the child's behalf.

Child data is used solely for the purposes described in this policy. It is never sold, monetized, or used for advertising.

8. Security Measures

Kiddowall implements the following technical and organizational security measures:

  • Encryption in transit: All communications between devices, mobile apps, and servers use TLS 1.3.
  • Encryption at rest: Sensitive data (location, browsing history) is encrypted using AES-256-GCM before being stored.
  • Password hashing: Passwords are hashed using bcrypt with a work factor of 12.
  • Two-factor authentication (2FA): Required for all parent accounts using TOTP (Time-based One-Time Password).
  • Access control: Strict role-based access control. No employee can access user data without a logged, auditable reason.
  • Regular security audits: The platform is subject to periodic security reviews.
  • Incident response: In the event of a personal data breach, affected users will be notified within 72 hours in accordance with Art. 33-34 GDPR.

9. Data Transfers

All personal data collected by Kiddowall is hosted exclusively in France on OVH SAS / Kimsufi infrastructure (Roubaix, France — EU). Kiddowall does not transfer personal data outside the European Economic Area (EEA).

Third-party service providers used by Kiddowall (e.g., transactional email delivery) are contractually bound to process data only within the EEA or under standard contractual clauses approved by the European Commission, and are prohibited from using data for their own purposes.

Apple Inc. processes certain data as part of the iOS MDM (Mobile Device Management) protocol. This processing is governed by Apple's privacy policy. Kiddowall uses Apple's MDM API solely to deploy configuration profiles and does not share children's personal data with Apple beyond what is technically necessary for MDM enrollment.

10. Data Protection Contact (DPO)

For any questions relating to the protection of your personal data, to exercise your rights, or to report a potential data breach, please contact:

Kiddowall — Data Protection

Franck Maudet

Email: [email protected]

We commit to acknowledging your request within 5 business days and providing a full response within 30 days.

11. Cookies and Trackers

Kiddowall uses only strictly necessary cookies:

  • Session cookie: Maintains your authenticated session (HTTP-only, Secure, SameSite=Strict). Deleted when you close your browser or log out.

Kiddowall uses PostHog analytics, session replay, heatmaps, and error tracking for registered accounts in order to improve the service. Creating an account and continuing to use the service means you accept these measurement features as part of the service terms. We do not use advertising cookies or tracking pixels, and we do not send data to Google Analytics, Facebook Pixel, or similar advertising services.

12. Changes to This Policy

Kiddowall reserves the right to update this privacy policy to reflect changes in our practices, service features, or applicable law. We will notify registered users of any material changes by email at least 30 days before they take effect. The date of last update is displayed at the top of this page. Continued use of the service after the effective date constitutes acceptance of the revised policy.
