Privacy Policy

Kudo Kids, LLC ("we," "us," or "KudoKids") operates the KudoKids mobile application and the website at kudokids.org (collectively, the "Service"). KudoKids is a digital wellbeing platform for children ages 3-12.

Because our Service is directed to children under 13, we comply with the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. sections 6501-6506, and the Federal Trade Commission (FTC)'s COPPA Rule, 16 CFR Part 312, including the April 2025 amendments. This Privacy Policy describes what personal information we collect from parents and children, how we use and share it, how long we keep it, and what rights you have.

If you have questions about this policy, contact us at legal@kudokids.org.

Kudo Kids, LLC 4030 Wake Forest Road, STE 349 Raleigh, NC 27609 United States Phone: (910) 593-7070

Privacy inquiries: legal@kudokids.org

When a parent or legal guardian creates an account and manages the family, we collect:

• Account credentials: Email address (used for authentication via one-time passcode) and optional display name.
• Parent mode passphrase: A cryptographic hash of your passphrase (we never store the passphrase itself), an optional hint, and biometric enrollment preference.
• Payment information: If you subscribe to a paid plan, payment is processed by Stripe, Inc. within the KudoKids mobile app. This marketing website does not collect or process payment information. We do not receive or store your credit card number. Stripe provides us with your email address, subscription status, and plan type.
• Child profile information you provide: For each child profile, you provide the child's first name and age. You may optionally provide growth areas (behavioral focus areas), wellness feature preferences, and a PIN or image-based PIN for child access.
• Behavioral assessments you provide about your child: You may optionally complete a Strengths and Difficulties Questionnaire (SDQ)-based assessment with scores across five domains (emotional, conduct, hyperactivity, peer relationships, prosocial behavior).
• Consent records: When you consent to data collection about your child, we store your typed full legal name, the consent version, a timestamp, and which categories of data you consented to.
• Social feature approvals: If you enable social features for your child (friends, messaging, leaderboards), we record your approval and timestamp.

We collect the following categories of personal information from or about children. All child data collection requires verifiable parental consent (see Section 6). Categories marked "optional" require separate parental opt-in.

4a. Identity Information (required for core Service)

• Child's first name and age (provided by parent)
• Profile avatar and companion selection

4b. Activity Data (required for core Service)

• Task completions and last completion dates
• Kudo Coin transactions -- earned and spent (recorded as an immutable ledger)
• Store purchases (rewards, skins, themes, companions, music, games)
• Game sessions including game type, scores, and play duration

4c. Wellness and Assessment Data (optional -- requires separate parental consent)

• Personality survey: Children ages 5 and older may complete a personality survey (based on the Big Five model) that produces scores for extraversion, agreeableness, conscientiousness, emotional stability, and openness. This survey is only presented if the parent has opted in.
• Emotion check-ins: Children may voluntarily record daily emotion check-ins including a mood valence score (0-5), an arousal score (0-5, ages 8+), and an optional free-text context field. The free-text field may contain unstructured personal information typed by the child.
• Meditation sessions: Duration, frequency, and completion percentage of guided meditation sessions.
• Growth areas: Parent-defined behavioral focus areas (up to 3) used to personalize task recommendations. These may be auto-populated from personality survey results if the parent has enabled the survey.

4d. Social Data (optional -- requires separate parental consent)

• Friend alias: A searchable username (3-20 characters) that your child creates for friend discovery. Other authenticated users can search for this alias.
• Messages: Free-text messages (up to 500 characters each) sent between friends. We retain message edit history for safety auditing. Messages are subject to automated content filtering (URL detection, spam/caps/pattern checks) and are visible to both children's parents.
• Friendship connections: Records of which children are friends, including parent approval status and timestamps.
• Leaderboard participation: If the parent opts in, game scores and rankings may be visible to other families in the child's friend group.
• Multiplayer sessions: Game state and scores when playing with friends.

4e. Device and Technical Data

• Push notification tokens: Device-specific identifiers used to deliver push notifications. These are persistent identifiers as defined by COPPA and are treated as personal information. Tokens are stored for both parent and child profiles.
• Access logs: When a profile is selected, we log the profile ID, device type, operating system version, app version, authentication method, and timestamp. Access logs are automatically deleted after 90 days.
• Interaction data: Locally stored counts of companion interactions (taps, gestures) and screen visits. This data remains on the device and is not transmitted to our servers.

4f. Speech Recognition

The app includes speech recognition capabilities for educational features. Speech processing may be handled by Apple (on iOS devices) or Google (on Android devices) using their respective cloud services. Audio data transmitted for speech recognition is processed by these third parties according to their own privacy policies. We do not store audio recordings.

We use children's personal information for the following purposes:

• Service delivery: To operate the core features -- tracking tasks, managing Kudo Coin balances, delivering rewards, and running games.
• Age-adaptive experience: To adjust content difficulty, UI complexity, and available features based on the child's age.
• Personalized recommendations: Growth areas and (if opted in) personality survey results are used to suggest age-appropriate tasks and educational content.
• Wellness features: Emotion check-in data and meditation history are used to provide wellness insights to parents and to power features like daily affirmations.
• Parental reporting: Parents can view their child's activity, progress, assessment results, and social interactions through the parent dashboard.
• Safety and moderation: Messages are automatically screened for inappropriate content. Message edit history is retained for parent audit.

We do not use children's personal information for advertising, behavioral targeting, profiling for commercial purposes, or any purpose not described in this policy.

KudoKids is an app directed to children ages 3-12. We comply with COPPA as follows:

6a. Parental Consent Is Required

All child profiles are created by a parent or legal guardian. Children cannot self-register. Before we collect any personal information about a child, the parent must provide verifiable parental consent ("VPC") through the app's setup wizard by:

1. Authenticating their identity via email one-time passcode.
2. Reviewing a detailed notice describing all categories of data that will be collected, how the data will be used, and the parent's rights.
3. Typing their full legal name as a digital signature of consent.
4. Selecting which optional data categories (behavioral assessments, wellness tracking, social features) to permit.

We store the consent record (typed name, consent version, timestamp, and categories) to demonstrate compliance.

6b. Parental Rights

At any time, a parent may:

• Review all personal information collected about their child through the parent dashboard's data review screen, or request a copy by emailing legal@kudokids.org.
• Delete their child's personal information. Deletion is permanent and removes data across all systems (profile, assessments, transactions, game sessions, messages, friendships, leaderboard entries, push tokens, and all other associated records). Deletion can be initiated from the parent dashboard or by emailing us.
• Refuse further collection by disabling specific data categories (assessments, emotion tracking, social features) in the child's settings, or by deleting the child's profile entirely.
• Export their family's data in JavaScript Object Notation (JSON) format through the parent dashboard.

6c. Data Minimization

We do not require children to provide more personal information than is reasonably necessary to participate in the core Service (task management and rewards). Behavioral assessments, personality surveys, emotion tracking, and social features are all optional and individually controlled by the parent. No features are conditioned on providing optional data.

6d. No Behavioral Advertising

We do not display advertising to children. We do not use children's personal information for targeted advertising, behavioral advertising, or any form of commercial profiling. We do not sell children's personal information.

We use the following third-party service providers to operate the Service. Each provider receives only the data necessary for its function:

• Supabase, Inc. (cloud database, authentication, real-time subscriptions): Supabase hosts our database and handles parent authentication (email OTP). All family data -- including children's personal information -- is stored on Supabase's infrastructure in the United States (AWS us-east-1 region). Supabase processes data in accordance with its Privacy Policy and Data Processing Agreement.
• Expo / Expo Application Services (push notifications): We use Expo's push notification service to deliver notifications to devices. When sending a notification, Expo's servers receive the device push token (a persistent identifier) and the notification content. Notification payloads may include references to child profiles. Device push tokens are considered persistent identifiers under COPPA; Expo processes these tokens in accordance with its terms of service.
• Stripe, Inc. (payment processing): If you subscribe to a paid plan, Stripe processes your payment within the KudoKids mobile app. This marketing website does not collect or process payment information. Stripe receives the parent's email address, plan selection, and payment details. No child data is sent to Stripe.
• Apple Inc. / Google LLC (speech recognition): If speech recognition features are used, audio may be processed by Apple's or Google's speech recognition services depending on the device. On most modern devices, speech recognition is processed on-device; however, some older devices or configurations may send audio to cloud servers. We do not control how Apple or Google process speech data or how long they retain it; refer to their respective privacy policies for details.
• Sentry (error monitoring and diagnostics): Sentry receives error context (stack traces, device information) and the parent user ID for debugging purposes. When errors occur, Sentry may capture a masked recording of the app screen to help our team diagnose issues. All text, images, and visual content are automatically replaced with placeholder blocks before transmission -- no child names, messages, or personal content is visible in these recordings. Only screen layout and interaction patterns (tap locations, navigation flow) are captured alongside a device identifier for debugging purposes. This data collection is performed under COPPA's support for internal operations exception (16 CFR section 312.5(c)(7)) as the sole personal information collected is a persistent identifier used for maintaining and debugging the app. In child mode, breadcrumb collection is disabled and child identifiers are not transmitted. Sentry processes data in accordance with its Privacy Policy.
• Resend (email delivery): We use Resend to deliver email notifications to parents (e.g., approval requests, security alerts, weekly reports). Resend receives only the parent's email address and the notification content. No child data is sent to Resend. Resend processes data in accordance with its Privacy Policy.
• Google Gemini (text-to-speech synthesis): We use Google's Gemini API to synthesize speech for non-personalized content such as story narration and generic companion phrases. Child names and other personal identifiers are never transmitted to Google; personalized speech (e.g., affirmations containing the child's name) uses on-device synthesis exclusively.

We do not use advertising networks, analytics SDKs in the mobile app, data brokers, or any service that monetizes user data. The kudokids.org website uses Google Analytics 4 for aggregate page view statistics, loaded only after visitor consent (see Section 13). Website analytics do not track children.

We do not sell personal information. We do not rent, trade, or share personal information with third parties for their own marketing purposes.

Affiliate and Partner Application Data

If you apply to our affiliate or partner program, we collect your name, email address, primary platform URL, audience size, platform types, and optional notes about your interest. This data is stored in Supabase and used solely to evaluate your application and manage the partnership. Affiliate application data is retained for the duration of the partnership plus 3 years for tax and legal compliance purposes. You may request deletion of your affiliate data by emailing legal@kudokids.org.

• Meta Platforms, Inc. (advertising measurement and optimization): The KudoKids website uses the Meta Pixel and Meta Conversions API (CAPI) to measure the effectiveness of our advertising campaigns on Facebook and Instagram. When you consent to advertising cookies, the Meta Pixel sets _fbp and _fbc cookies in your browser and sends event data (page views, content views, form submissions, and purchases) to Meta. Additionally, our server sends hashed versions of information you provide through forms (email, name, phone, country, state) along with your IP address and browser user agent to Meta's Conversions API for event matching and deduplication. All personally identifiable data is SHA-256 hashed before transmission. Meta may use this data to measure ad conversions, build retargeting audiences, and optimize ad delivery. Meta processes data in accordance with its Data Policy. You can control Meta's use of your data through your Facebook Ad Preferences.

• Stripe, Inc. (payment processing): Stripe processes payments for KudoKids subscriptions and one-time purchases, both within the KudoKids mobile app and via Stripe Checkout on the KudoKids website (kudokids.org). When you make a purchase, your payment information (credit card number, billing address) is sent directly to Stripe and is never stored on KudoKids servers. Stripe also receives your email address for receipt delivery. Stripe processes data in accordance with its Privacy Policy. No child data is shared with Stripe.

• Google LLC (website analytics): The KudoKids website uses Google Analytics 4 (GA4) to understand aggregate website traffic patterns when you consent to analytics cookies. IP anonymization is enabled, and no advertising, remarketing, or demographic features are activated in our GA4 configuration. Google processes this data in accordance with its Privacy Policy.

• Netlify, Inc. (website hosting): Netlify hosts and serves the KudoKids website. Netlify processes server logs that include IP addresses and browser user agents as part of standard web hosting. Netlify processes data in accordance with its Privacy Policy.

Beyond the service providers listed above, children's personal information may be visible to other users in the following circumstances, all of which require explicit parental consent:

• Friend discovery: If social features are enabled, the child's friend alias (username) is searchable by other authenticated users.
• Messaging: Messages are visible to the recipient child and to both children's parents (for safety monitoring).
• Leaderboards: If opted in by the parent, game scores and rankings may be visible to children in the same friend group.

We may also disclose personal information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect the safety of a child.

We retain children's personal information only as long as reasonably necessary to fulfill the purposes described in this policy. Our retention schedule is:

When a parent deletes a child's profile, all associated personal information is permanently removed from our systems. We do not retain copies after deletion except for consent records, which are retained for compliance documentation purposes.

Automated purge processes run on a regular schedule to enforce retention limits. Data that has exceeded its retention period is permanently deleted.

We maintain a written information security program proportionate to the sensitivity of the data we collect. Our security measures include:

• Encryption in transit: All data transmitted between the app and our servers is encrypted using Transport Layer Security (TLS).
• Encryption at rest: Our database provider (Supabase) provides disk-level encryption for all stored data.
• Row-Level Security (RLS): Database access controls ensure that each family can only access its own data. All queries are filtered by family membership.
• Authentication security: Parent PINs and passphrases are stored as cryptographic hashes, never in plaintext. Rate limiting and account lockout protect against brute-force attacks.
• Access controls: Server-side functions that bypass normal access controls validate caller identity and ownership before executing.

No system is perfectly secure. While we implement reasonable safeguards, we cannot guarantee absolute security. If we discover a data breach affecting children's personal information, we will notify affected parents without unreasonable delay, and in no event later than 72 hours after discovery, and report to applicable authorities as required by law.

Parents and guardians have the following rights:

• Access: Review all personal information we hold about your child, either in-app or by contacting us.
• Correction: Update or correct any inaccurate information through the app or by contacting us.
• Deletion: Request permanent deletion of your child's profile and all associated data.
• Refuse collection: Opt out of any optional data collection category at any time without affecting access to core features.
• Revoke consent: Withdraw consent for data collection, which will result in deletion of the associated data.
• Data export: Export your family's data in JSON format from the parent dashboard.

To exercise any of these rights, use the parent dashboard in the app or email us at legal@kudokids.org. We will respond within 30 days.

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes, we will:

• Post the revised policy on this page with an updated effective date.
• Send notice via email to the address associated with your account.
• Display a notice within the app.

If we make material changes to how we collect, use, or share children's personal information, we will obtain new verifiable parental consent before implementing the changes.

The KudoKids website (kudokids.org) uses cookies only when you consent. We do not use cookies in the KudoKids mobile app.

Analytics cookies (require Analytics consent)

Advertising cookies (require Advertising consent)

Essential cookies (always active)

When you consent to advertising cookies, the Meta Pixel tracks page views, content views, waitlist signups (Lead events), and purchases on our website. This data is sent to Meta to measure ad campaign performance, build retargeting audiences of website visitors, and optimize ad delivery. Additionally, when you submit the waitlist form or complete a purchase, our server sends a redundant event to Meta's Conversions API with hashed personal information (email, name, phone, location) and your IP address for improved event matching. You can withdraw advertising consent at any time via the cookie preferences panel in our website footer.

The KudoKids website (kudokids.org) collects information from parents and prospective users through our waitlist signup form. No child data is collected on the website -- child data collection occurs only within the KudoKids mobile app.

Information collected via the waitlist

• Name: First and last name (required)
• Email address: Used for authentication and waitlist communication (required)
• Phone number: Country code and number (optional)
• Location: Country and state/province (optional)
• Interest level and referral source: How you heard about us and your interest level (optional)
• Referral tracking: If you arrive via a referral link, we store the referrer's code (referred_by URL parameter) to credit the referring user
• Marketing consent: Whether you opted in to receive product updates via email

Retention

Waitlist data is retained until the waitlist campaign concludes or 24 months from signup, whichever is sooner. You may request deletion of your waitlist data at any time by emailing legal@kudokids.org.

KudoKids is currently a United States service. Our servers and data infrastructure are located in the US. If you access KudoKids from outside the United States, please be aware that your data will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

For Families in the European Economic Area (EEA)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the following additional information applies to you.

Lawful Basis for Processing: We process personal data on the following legal bases: (a) parental consent for child data under COPPA and GDPR Article 8; (b) performance of a contract when you create an account and use our services; (c) legitimate interests for website analytics and security, where these interests are not overridden by your rights.

Your Additional Rights: In addition to the rights described above, you have the right to: lodge a complaint with your local data protection authority; request restriction of processing; and object to processing based on legitimate interests.

International Data Transfers: Your data may be transferred to and processed in the United States, where our servers and service providers (Supabase, Stripe, Expo) are located. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to safeguard these transfers.

Data Protection Contact: For GDPR-related inquiries, contact us at privacy@kudokids.org.

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.

Your rights

• Right to know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell.
• Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions.
• Right to correct: You have the right to request correction of inaccurate personal information.
• Right to opt out of sale/sharing: KudoKids does not sell your personal information and does not share personal information for cross-context behavioral advertising. For more information, visit our Do Not Sell or Share My Personal Information page.
• Right to limit use of sensitive information: You have the right to limit our use of sensitive personal information to purposes necessary for providing the Service.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

Financial incentive disclosure

KudoKids offers a referral program that provides free premium subscription months to users who refer new paying subscribers. Under the CCPA, this may constitute a "financial incentive" program because the reward is linked to providing personal information (the referral relationship). Participation is voluntary. You may opt out at any time without affecting your access to the Service. The value of the incentive is reasonably related to the value of the data provided, based on the cost of the premium subscription tier.

How to submit a request

To exercise your California privacy rights, email us at legal@kudokids.org. We will verify your identity and respond within 45 days. If you are an authorized agent, include proof of authorization with your request.

Residents of certain US states have additional privacy rights under state law, including but not limited to the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Texas Data Privacy and Security Act (TDPSA). If you reside in one of these states, you may have the right to:

• Access, correct, or delete your personal data
• Obtain a portable copy of your personal data
• Opt out of the processing of personal data for targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects

Right to appeal

If we decline a privacy request, you have the right to appeal our decision. To appeal, email legal@kudokids.org with the subject line "Privacy Request Appeal." We will respond to your appeal within 60 days. If you are not satisfied with the outcome, you may contact your state attorney general.

Global Privacy Control

We honor the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we will automatically decline analytics cookies and treat it as a valid opt-out request under applicable state privacy laws, including the CCPA and Colorado CPA.

Do Not Track

Our website does not currently respond to Do Not Track (DNT) browser signals, as there is no industry-standard protocol for DNT. However, you can manage your tracking preferences through our Cookie Settings (available in the website footer) or by enabling Global Privacy Control in your browser.

In accordance with the April 2025 COPPA amendments, we provide a separate, simplified direct notice for parents that summarizes our children's data practices. You can view this notice at our Parents' Notice: Children's Data Practices page.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Kudo Kids, LLC 4030 Wake Forest Road, STE 349 Raleigh, NC 27609 Email: legal@kudokids.org Phone: (910) 593-7070

We will respond to all privacy-related inquiries within 30 days.

If you believe we have collected personal information from your child without your consent, please contact us immediately and we will delete the information promptly.