Privacy Policy

Version 1.5.0 — as of 5 July 2026

This is a courtesy English translation. The legally binding version is the German Privacy Policy; in the event of any discrepancy, the German version prevails.

Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Michael Merzbach
operating under the name "Kikidori"
Stellbrinkweg 9
69469 Weinheim
Germany

Note: Kikidori is currently in a non-commercial, closed testing phase with invited families. A separate commercial registration or transition into a corporate form will take place with the public launch.

Phone: +49 151 42020021
Email: datenschutz@kikidori.com
Website: www.kikidori.com

Data Protection Officer

There is currently no obligation to appoint a data protection officer (Art. 37 GDPR in conjunction with § 38 BDSG (German Federal Data Protection Act)):

  • We employ fewer than 20 people who are constantly engaged in the processing of personal data.
  • There is no extensive regular and systematic monitoring of data subjects.
  • Processing of special categories of personal data as a core activity is not intended (for the risk treatment of proof photos, see the section "Special categories of personal data").

Please direct data protection inquiries to datenschutz@kikidori.com — we respond within the periods applicable under Art. 12(3) GDPR.

1. General use of our website

When you use our website purely for informational purposes, i.e. when you do not transmit any information to us and do not use any of the functions described below, we collect the data that your browser transmits in order to enable your visit to the website, for statistical purposes, and to improve our online offering. These are:

  • IP address
  • Date and time of the request
  • Content of the request (specific page)
  • Access status / HTTP status code
  • Amount of data transferred in each case
  • Website from which the request originates (the "referrer URL")
  • Browser
  • Language and version of the browser software
  • Operating system of the accessing computer

We collect and use this data exclusively in non-personal form; IP addresses are automatically anonymised. The processing of the data takes place in order to make the use of the pages you access possible at all, for statistical purposes, and to improve our online offering. We store the shortened IP address only for the purpose of tracing any attacks on our website. Collection is based on our legitimate interest in the secure operation of the website (Art. 6(1)(f) GDPR). No personal evaluation or any inference about you as a user takes place.

2. Waitlist (website) — closed

Before the start of the open beta (July 2026), interested parties could leave their email address via a sign-up form on our website to be notified about the beta launch of the Kikidori app (double opt-in pursuant to § 7 UWG (German Act Against Unfair Competition); legal basis Art. 6(1)(a) GDPR).

With the start of the open beta, the waitlist is closed: the form has been removed, no new entries are accepted, and all confirmed entries were invited at the beta launch. The purpose of the waitlist is thereby fulfilled and the entries have been deleted. Unconfirmed entries had already been deleted automatically 7 days after sign-up.

If you have questions about a former waitlist entry, you can reach us at datenschutz@kikidori.com.

3. Overview

Kikidori is an app to support behavioral development in children aged 6–12, with a special focus on neurodivergent families. The app is set up by parents or caregivers (hereinafter together "caregiver") and used together with their children. The app is available both via our website (parent and child areas) and as a native app; the following descriptions apply to both.

This statement informs you, in accordance with Art. 13 and 14 GDPR, about which data we collect, on what legal basis, for what purpose, how long we store it, and what rights you have as a data subject.

3.1 Privacy-friendly default settings (ICO Children's Code Standard #7)

As an application directed at children, we follow the ICO Children's Code ("Age Appropriate Design Code") as a de facto EU benchmark. In concrete terms, this means:

  • No public profiles. All data is family-internal; there is no option to make profiles, activities, or rewards visible outside one's own family.
  • No third-party analytics in the app. Within the app itself we use no external tracking SDKs (Google Analytics, Meta Pixel, Mixpanel, Amplitude, or similar). Error diagnostics are handled via a self-hosted Glitchtip. On the public marketing website we use our own, cookieless reach measurement without an external script — see the section "Statistics & reach measurement".
  • No behavioral advertising. There are no advertisements in the app and no data sharing for advertising purposes.
  • No location data. We do not collect GPS or geolocation data.
  • Gamification without profiling. Streaks, points, and badges take effect exclusively within the family and do not produce any algorithmic assessment of the child.

3.2 Self-commitment against dark patterns

We deliberately refrain from manipulative incentive mechanics (dark patterns) with children:

  • No streak-loss threats or artificial scarcity that pressure children into engagement.
  • No asymmetric friction between "yes" and "no" in consent flows — both options are equally accessible.
  • Notification frequency is configured evenly, not engagement-driven.
  • No countdown-pressure UX in reward redemption flows.

4. Legal-bases matrix per data category

For each data category we set out the legal basis, purpose, retention period, and necessity.

Data category | Data subject | Legal basis | Purpose | Necessity
--- | --- | --- | --- | ---
Caregiver email, password hash, display name | Caregiver | Art. 6(1)(b) GDPR (performance of a contract) | Provision of the user account | required
Caregiver profile photo, theme, notification settings | Caregiver | Art. 6(1)(a) GDPR (consent), revocable at any time | Personalization | optional
Consent audit record | Caregiver | Art. 6(1)(c) GDPR (proof obligation under Art. 7(1)) | Consent audit | required
Child profile name (pseudonym recommended), PIN hash | Child | Art. 6(1)(a) + Art. 8 GDPR (consent, represented by the legal guardian) | Family-internal use | required
Child avatar / profile photo | Child | Art. 6(1)(a) + Art. 8 GDPR, revocable at any time | Personalization | optional
Quests, quest completions, point transactions, rewards, reward requests, badges, routines | Child | Art. 6(1)(a) + Art. 8 GDPR | Core functionality of the token economy | required for functionality
Quest proof photos | Child | Art. 6(1)(a) + Art. 8 GDPR (with Art. 9 risk note, see section 7) | Record-keeping toward caregivers | optional per quest
Activity log (family-internal events) | Child + caregiver | Art. 6(1)(a) + Art. 8 GDPR (child-related) or Art. 6(1)(b) (caregiver-related) | History fidelity as a caregiver feature | required for feature
Server log files (IP, date, user agent) | Caregiver + child (transient) | Art. 6(1)(f) GDPR (legitimate interest: abuse detection, operational security) | Operation, security | required
System logs (technical diagnostic data) | Caregiver + child (pseudonymised, UUID) | Art. 6(1)(f) GDPR (legitimate interest: operational security, error diagnostics) | Error detection, stable operation | required
Push subscription + preferences | Caregiver | Art. 6(1)(a) GDPR, revocable at any time | Notifications | optional

Providing the data marked as "required" is a precondition for using the respective function. Optional data can be removed at any time without impairing the functionality of the account (Art. 13(2)(e) GDPR).

4.1 Collection of children's data from the caregiver (Art. 14 GDPR)

Children's data is not collected from the child themselves, but from the caregiver when creating the child profile. This additionally triggers Art. 14 GDPR:

  • Source of the data: the caregivers' own entries in the child-profile creation flow.
  • Recipients: exclusively caregivers within the same family. No third-party recipients.
  • Information for the child: via the age-appropriate short version of the privacy policy ("What we know about you") — available at first login and at any time via the child settings menu.

5. Retention period and deletion

Category | Retention period | Deletion mechanism
--- | --- | ---
Caregiver master data | until account deletion | immediately on delete_family_hard / remove_caregiver
Child profile data | until child deletion or account deletion | immediately on delete_child / withdraw_child_consent / delete_family_hard
Quest completions, point transactions, rewards, badges, routines | until child deletion | cascade delete
Activity log | lifetime of the caregiver account; 90-day grace period after account deletion | pg_cron hard delete daily
Quest proof photos | 30 days after caregiver confirmation; immediately on rejection | storage delete via pg_cron + RPC
Profile photos (avatars) | until profile editing or profile deletion | storage delete
Push subscriptions | until revocation | immediately on revocation
Consent records (caregiver) | until caregiver deletion + 6 months (proof-obligation buffer) | hard delete after 6 months
Server log files | as a rule 14 days, max. 30 days | log rotation
System logs | 30 days | pg_cron hard delete daily
Orphaned child auth records (server-side housekeeping) | at most 24 hours | automatic cleanup
Payment data (Premium, future) | 10 years (§ 147 AO, German Fiscal Code) | manual archiving

The 30-day quest-proof-photo period follows from Art. 5(1)(e) GDPR (storage limitation) and the principle of data minimisation. When a quest submission is rejected, the justification basis for storing the photo lapses immediately. The label "deleted on …" remains visible in the family history so that caregivers can trace that a file existed and when it was automatically removed.

6. No automated decision-making (Art. 22 GDPR)

There is no automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning your child or you, or similarly significantly affects you.

  • Badges and progress indicators are gamified depictions, not assessments.
  • Points are awarded exclusively by caregivers — not by the system.
  • There is no adaptive learning, no behavioral prediction, no profiling with legal effect.

7. Special categories of personal data (Art. 9 GDPR)

We do not intend to process special categories of personal data and do not carry out any classification, biometric identification, or automated image analysis.

We do not collect and do not store diagnosis details about your child (such as ADHD or autism spectrum). If you filter the template library by diagnosis, that selection stays in your device's browser only and is never transmitted to our servers.

Note on quest proof photos: A proof photo uploaded by the child or the caregiver may unintentionally reveal special categories (health — e.g. a medication quest; religious practice — e.g. a prayer routine; faces of third parties). We address this with the following protective measures:

  • Family-internal visibility (RLS): proof photos are visible exclusively to caregivers of the same family. No other family and no third parties have access.
  • No transfer to third parties: proof photos do not leave our server. No external image analysis, no ML training, no cloud processing.
  • Caregiver note in the upload dialog: we recommend avoiding faces of third parties and medical contexts. Less is better.
  • Short retention period: 30 days after confirmation, immediately on rejection — see the retention matrix.

If such a proof photo is uploaded, the legal basis for the processing is additionally Art. 9(2)(a) GDPR. If you wish to remove a proof photo before the period expires, this is possible at any time via the app or by email to datenschutz@kikidori.com.

8. Hosting and processors

8.1 Data processing in Germany — no third-country transfers

All processing takes place on servers within the European Union, specifically in Germany (Karlsruhe). There is no transfer to third countries.

If, in the future, service providers with a third-country connection are used (in particular a Premium payment provider), this will take place exclusively on the basis of standard contractual clauses (Art. 46(2)(c) GDPR) plus a documented transfer risk assessment ("TIA"); this privacy policy will be amended accordingly before any such step.

8.2 Processors

Processor | Location | Purpose | DPA | Third country
--- | --- | --- | --- | ---
netcup GmbH | Karlsruhe, DE | VPS hosting (compute, storage, network) | Standard netcup DPA pursuant to Art. 28 GDPR | no
netcup SMTP (netcup GmbH) | Karlsruhe, DE | Transactional email for auth emails and notifications | included in the hosting DPA | no
netcup GmbH (domain registrar) | Karlsruhe, DE | Domain registration and DNS for kikidori.com and kikidori.de | included in the hosting DPA | no

Glitchtip (error tracking) is operated self-hosted on netcup infrastructure and is therefore not a separate processor within the meaning of Art. 28 GDPR.

We operate our entire infrastructure ourselves (self-hosted Supabase). No cloud services such as Google Cloud, AWS, Azure, Cloudflare Workers, or Vercel are used for data processing. External fonts and CDNs are likewise not embedded.

When adding further processors (e.g. a Premium payment provider), we will announce them with a lead time of 14 days and give the affected caregivers the opportunity to object.

9. Security measures (Technical and Organizational Measures, Art. 32 GDPR)

We implement the following measures to protect personal data:

  • Encryption in transit: TLS 1.3 for all data transfers (Caddy reverse proxy with Let's Encrypt certificates).
  • Credential hashing in line with the state of the art (BSI TR-02102): passwords and PINs are stored exclusively as cryptographic hashes (salted, adaptive hash methods with a sufficient cost factor). There is no plaintext storage; outdated methods such as MD5 or SHA-1 are not used for credentials.
  • Access control: Row Level Security (RLS) at the database level is the primary authorization layer; each family sees exclusively its own data. Server-side administration only via SSH key + 2FA on admin accounts.
  • Physical security: hosting at netcup GmbH (ISO 27001 certified, Tier-3 data center, EU/DE).
  • Hardening & CSP: Content Security Policy against cross-site scripting; rate limiting on authentication attempts.
  • Incident response: a documented workflow for handling security incidents, including reporting obligations under Art. 33/34 GDPR (72 hours).
  • Dependency audits: regular automated audits for the early detection of vulnerable dependencies.

A detailed description of our technical and organizational measures is documented internally and is available on request.

Note on encryption at rest: disk encryption (LUKS) and gpg-encrypted backups are planned as a measure for Phase 2 (before the Premium launch) and will be specified in more detail in this statement once implemented. Until then, we rely on TLS in transit, credential hashing, RLS, as well as the physical security of our data center provider.

10. Cookies and local storage

Kikidori uses no tracking cookies and no advertising cookies.

The following local data is stored in the browser or on the device:

  • family_id (localStorage): identifies the device as a "trusted family device" after the first caregiver login. Contains no personal data. Can be deleted via the "Forget device" setting.
  • Session token (Supabase Auth): authentication token with a lifetime of about one hour and automatic renewal via a refresh token. Caregivers can end the session at any time via "Forget device". This is to be distinguished from the server-side cleanup of orphaned auth records mentioned in section 5.

A cookie banner is not required, as only technically necessary storage mechanisms within the meaning of § 25(2) TDDDG (German Telecommunications Digital Services Data Protection Act) are used.

10a. System logs

To ensure stable operation and technical error diagnosis, Kikidori stores internal diagnostic events in a system-side log.

  • Content: type of event (e.g. a failed API call, an automated background process), timestamp, family identifier (pseudonymised UUID), and, where applicable, child identifier (pseudonymised UUID — only when the event can be attributed to a specific child). In line with the principle of data minimisation (Art. 5(1)(c) GDPR), we endeavour to store only technical diagnostic data without personal plaintext content; message content and child-related behavioral data are not the subject of this logging.
  • Visibility: system logs are accessible exclusively for technical operations and are not visible in the parent dashboard.
  • Retention period: 30 days; thereafter automatic deletion by a daily-running database process. Independently of this, system-log entries associated with a family or a child are deleted immediately when the family or child is deleted (Art. 17 GDPR).
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operational security and technical error diagnostics). The 30-day retention period is measured against the window needed to investigate reported errors and support requests; as part of the balancing of interests, we have limited it to what is necessary for that purpose.
  • Distinction from the activity log: the activity log referred to in section 5 contains family events visible to caregivers (e.g. quest completions, point awards) and is retained for the lifetime of the caregiver account. System logs are entirely separate from it and are used exclusively internally.
  • Distinction from the server log files: also to be distinguished are the server log files referred to in sections 4 and 5 — these are the access logs generated automatically by the web server (reverse proxy) (including IP address and user agent). System logs, by contrast, are application-side diagnostic events in the database; access logging with IP addresses is not their purpose.

10b. Statistics & reach measurement (marketing website)

On the public marketing and legal pages (the home page and the legal documents linked here) we measure aggregated reach with our own aggregating counter. This measurement applies exclusively to the marketing website — not in the logged-in app (parent and child areas) and not in the native app.

  • No external script. No analytics script and no third-party service is loaded. On access, the page sends only a short signal to our own infrastructure, which increments a counter. There is no third-country transfer; we are at the same time the controller and the operator.
  • No cookie, no local storage, no recognition. No cookies are set and no data is stored in or read from your browser or your device. No cross-session identifier is assigned and no fingerprinting is carried out; nor are any device properties (such as screen or window size) read out.
  • Aggregated, without personal data. Only aggregated counter values are stored (e.g. page views, anonymous campaign origin via UTM parameters, whether the waitlist sign-up was completed), bundled per day. No IP addresses are stored, no email addresses, no account identifiers, and no diagnosis or neurotype information.
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a data-minimising reach measurement for our own service). A cookie banner is not required, as no information within the meaning of § 25(1) TDDDG is stored in or read from the terminal equipment (§ 25(2) TDDDG).

This measurement is consistent with our pledge of "no third-party analytics in the app": no analytics SDK is embedded in the app, and the reach measurement of the marketing website is a separate, self-operated, cookieless measurement without an external script.

11. Push notifications

Beta status: push notifications are disabled in the beta. No permission requests are triggered, no push subscriptions are created, no push notifications are sent.

The function will be activated for regular operation. From then on, the following applies:

  • Legal basis: Art. 6(1)(a) GDPR (consent), optional.
  • Granting: via the browser/device permission in the app's settings dialog.
  • Revocation (Art. 7(3) GDPR — as easy as granting): via caregiver settings → notifications. A master toggle disables all push notifications immediately and removes the associated push subscription server-side (not just muting it locally). In addition, per-type toggles allow individual notification types to be switched off.
  • Effect: processing carried out up to the revocation remains lawful; after the revocation, no further push notifications are sent.

Before the function is activated, this privacy policy will be updated to the then-current version.

12. Parental consent — verification procedure (Art. 8 GDPR)

Since Kikidori processes personal data of children under 16, the consent of the legal guardian is required (Art. 8(1) GDPR). We use a two-stage procedure:

  1. Email verification: the caregiver confirms their email address when creating the account.
  2. Double-click reconfirmation: before the first creation of a child profile, a second confirmation of parental consent takes place in a dedicated modal.

Proportionality of the verification depth

Art. 8(2) GDPR requires "reasonable efforts" toward verification, graduated according to the risk of the processing (cf. EDPB Guidelines 05/2020 §7.1; DSK Short Paper No. 20). We characterize Kikidori's processing profile as low-to-medium-risk:

  • family-internal scope (no visibility outside the family),
  • no sharing with third parties,
  • no behavioral advertising,
  • no geolocation collection,
  • no profiling with legal effect (Art. 22 negative declaration in section 6).

For this risk class, email + double-click reconfirmation is a reasonable effort. For future Premium functionality (payment authorization via a payment provider), the payment touchpoint additionally acts as a secondary verification step.

13. Child-appropriate information (Art. 12(1) GDPR)

An age-appropriate short version of this privacy policy in plain language, with pictograms and on a single screen page, is available at the first child login after PIN entry as well as at any time via the child settings menu under "What we know about you". The short version is available in German and English.

14. Your rights as a data subject

As a data subject, you have the following rights:

  • Access (Art. 15 GDPR) — information about the data stored about you.
  • Rectification (Art. 16 GDPR) — correction of inaccurate data.
  • Erasure (Art. 17 GDPR) — deletion of your data. For children's data, an immediate deletion function is available directly in the app.
  • Restriction of processing (Art. 18 GDPR).
  • Data portability (Art. 20 GDPR) — receipt of your data in a structured, machine-readable format.
  • Objection (Art. 21 GDPR) — objection to the processing of your data.
  • Withdrawal of consent (Art. 7(3) GDPR) — at any time, with effect for the future. Withdrawal of the parental consent brings about the immediate deletion of the underlying children's data (Art. 17(1)(b) GDPR). There is no grace period.

14.1 Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

You have the right to lodge a complaint with any data protection supervisory authority of the European Union / the European Economic Area — in particular with the supervisory authority of your habitual residence, your place of work, or the place of the alleged infringement. The supervisory authority responsible for us is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg)
Lautenschlagerstraße 20
70173 Stuttgart
www.baden-wuerttemberg.datenschutz.de

14.2 Rights of the child — exercised through the caregiver

Until the age of majority, the child's data subject rights (Art. 15–22 GDPR) are exercised by the legal guardian as the legal representative. This corresponds to the market practice of comparable children's apps in the DACH region and the EU. Upon reaching the age of majority, the now-adult person takes over the rights themselves — either by setting up their own adult account or by transferring the existing profile. The transition path will be designed in production at the time of the first relevant user constellation.

Direct inquiries from minors to datenschutz@kikidori.com will be referred back to the caregiver with a brief note.

To exercise your rights, please contact: datenschutz@kikidori.com

15. Beta program

During the beta program, additional terms apply, which will be documented in a separate beta agreement at the beta launch and consented to separately. The beta agreement addresses: experimental status, beta versioning (3-month period), feedback opt-in, follow-up contact opt-in. The beta program ends with the regular product launch; from then on, this section no longer applies.

16. Changes to this privacy policy

We reserve the right to adapt this privacy policy in order to align it with current legal requirements or functional changes to the app. In the event of substantial changes, we will inform registered caregivers by email and — where required — obtain renewed consent. The respective current version is available at /en/privacy (the binding German version is at /de/datenschutz).

17. Questions about data protection

If you have any questions, please contact:

Michael Merzbach
Email: datenschutz@kikidori.com
Phone: +49 151 42020021