Last updated: January 1, 2025
This Privacy Policy describes how Kinderpedia SRL ("Kinderpedia", "we", "us", or "our"), a company registered in Bucharest, Romania, collects, uses, discloses, and protects personal data in connection with the Kinderpedia school management platform and related services accessible at kinderpedia.tech and through our mobile applications.
Kinderpedia SRL is the data controller for personal data collected through the kinderpedia.tech website and the customer account portal. For personal data processed on behalf of subscribing schools — including student records, attendance data, grades, medical information, and family contact details — the subscribing school is the data controller and Kinderpedia SRL acts as the data processor pursuant to a Data Processing Agreement entered into at the time of subscription.
Our contact for data protection matters is: data@kinderpedia.tech. Our registered address is Bucharest, Romania. Inquiries regarding this Privacy Policy or your rights under applicable data protection law may be submitted to that address.
This policy is written to comply with the requirements of Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), the Romanian Law No. 190/2018 on measures for the implementation of the GDPR, and other applicable data protection legislation. Where we refer to "EEA", we mean the European Economic Area.
When you visit kinderpedia.tech, we collect standard web server log data including your IP address, the pages you visited, the time and date of your visit, and the browser and operating system you used. This data is collected automatically by our web hosting infrastructure. We use it for security monitoring, site performance analysis, and aggregate traffic reporting. We do not use this data to identify individual visitors unless required to do so for the purpose of investigating a security incident.
If you complete a contact form or request a product demonstration through the website, we collect your name, email address, school name, role, country, and any information you include in your message. We use this data to respond to your inquiry, to schedule demonstrations, and — where you have given consent — to send information about Kinderpedia's products and services. We retain contact form submissions for 24 months from the date of submission.
When a school subscribes to Kinderpedia, the school's designated administrator creates accounts for staff members. Account data includes: full name, email address, job role, school name, and where provided, a profile photograph. We use this data to operate the platform, authenticate users, and deliver notifications. We retain account data for the duration of the subscription plus 12 months following termination, after which accounts are permanently deleted unless a longer retention period is required by applicable law.
We log actions taken within the platform by account holders, including data entry, record modifications, messages sent, and reports generated. These audit logs are retained for 24 months and are accessible to the school's designated administrators as part of the platform's accountability features. We use audit log data for security monitoring, dispute resolution, and product quality improvement.
Parents and guardians access Kinderpedia through an invitation sent by the school. Account data includes: name, email address, mobile phone number (for SMS notification purposes), and relationship to the enrolled student. We use this data to authenticate the parent account, deliver notifications about their child's attendance, grades, and school communications, and to process in-app payment transactions where the school has enabled this feature.
Payment transaction data (card type, last four digits, transaction amount, date) is processed by our payment service provider Stripe, Inc. Kinderpedia does not store full card numbers or card security codes. Stripe's privacy policy is available at stripe.com/privacy. We retain payment records for 7 years in accordance with Romanian accounting law requirements.
Kinderpedia processes student data on behalf of subscribing schools acting as data controllers. Categories of student data processed through the platform include: name and date of birth, enrollment status and class assignment, attendance records, academic grades and assessments, behavioral and pastoral records, health and medical information provided by parents or recorded by school health staff, Individual Education Plan and SEND documentation, family contact information, and sibling relationships.
Special category data under GDPR Article 9 — including health data, SEND assessments, and data relating to mental health or well-being — is processed only where the subscribing school has obtained the appropriate lawful basis (typically explicit consent from the parent or guardian, or processing necessary for the provision of educational services under national education law). Schools are responsible for ensuring that appropriate legal basis exists for all special category data they process through the platform.
We rely on the following legal bases for processing personal data, depending on the category of data subject and purpose:
Performance of a contract (Article 6(1)(b) GDPR): Processing necessary to deliver the Kinderpedia platform under the subscription agreement, including account management, platform operation, billing, and customer support.
Legitimate interests (Article 6(1)(f) GDPR): Processing for security monitoring, fraud prevention, aggregate analytics for product improvement, and audit logging. Our legitimate interests are assessed to be proportionate and not to override the rights of data subjects.
Compliance with a legal obligation (Article 6(1)(c) GDPR): Processing required by Romanian law or EU regulations, including accounting record retention and responding to lawful requests from public authorities.
Consent (Article 6(1)(a) GDPR): Where you have given specific consent, such as for direct marketing communications or for non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
We do not sell personal data to third parties. We do not share personal data for advertising purposes. We share data only in the circumstances described below.
We engage the following categories of sub-processors to operate the platform. All sub-processors are subject to contractual data processing obligations that meet the requirements of GDPR Article 28:
Cloud hosting and infrastructure: Amazon Web Services EMEA SARL (AWS) provides server infrastructure. Data is hosted in AWS data centers located in the European Union (eu-west-1, Ireland region, primary; eu-central-1, Frankfurt region, disaster recovery). No personal data is transferred to AWS infrastructure outside the EEA without appropriate safeguards.
Payment processing: Stripe, Inc., acting as an independent controller for payment card data under its own privacy policy. Kinderpedia shares transaction amount, student/school identifiers, and payer email address with Stripe for payment processing purposes only.
Email and SMS delivery: Transactional email (notifications, password resets, account invitations) is delivered via Amazon SES. SMS notifications are delivered via Twilio Inc., a US company, under Standard Contractual Clauses pursuant to GDPR Article 46. Only the phone number and message content required for the specific notification are transferred.
Customer support: We use an internal support ticketing system. Support tickets containing personal data are accessible only to Kinderpedia support staff and are deleted 24 months after closure.
Analytics: We use aggregate, anonymized analytics to understand platform usage patterns. No personal data is shared with third-party analytics providers.
We may disclose personal data to law enforcement or regulatory authorities where required by applicable law, court order, or other legal process. We will notify affected schools and individuals where permitted to do so before making any such disclosure. We will only disclose the minimum information required to comply with the legal obligation.
In the event of a merger, acquisition, or sale of all or substantially all of Kinderpedia's assets, personal data held by us would be among the assets transferred. We would provide notice to affected data controllers (subscribing schools) and to individual data subjects where practicable before any such transfer occurs and would require the acquiring entity to honor the data protection commitments described in this policy.
Kinderpedia's primary data processing infrastructure is located in the European Union. Certain sub-processors (Twilio for SMS delivery, Stripe for payment processing) are US-based entities. Transfers to these processors are governed by Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to GDPR Article 46(2)(c). Copies of relevant SCCs are available on request by contacting data@kinderpedia.tech.
No student personal data is transferred outside the EEA except as described above in connection with transactional notifications and payment processing. Core school management data — student records, attendance, grades, medical information — is stored and processed exclusively within EEA infrastructure.
We apply the following retention schedules to the categories of data we control directly:
Website contact form data: 24 months from submission date, then permanently deleted.
Marketing consent and communication history: Until consent is withdrawn, then deleted within 30 days.
Customer account data (post-termination): 12 months after subscription termination, then permanently deleted.
Billing and financial records: 7 years from the date of the transaction, in accordance with Romanian Accounting Law No. 82/1991.
Security audit logs (platform): 24 months, then permanently deleted.
For student data processed on behalf of schools, data retention is governed by the subscribing school's data retention policy and applicable national education legislation. Schools are required under the Data Processing Agreement to provide Kinderpedia with instructions regarding data deletion schedules. In the absence of specific instructions, student records are retained for the duration of the subscription and for 12 months following termination to enable data recovery if required, then permanently deleted.
Schools have the ability to initiate deletion of student records directly within the platform at any time. Deleted records are permanently purged from all systems, including backups, within 90 days of deletion initiation.
Data subjects whose data we process as a controller (website users, direct Kinderpedia customers) have the following rights under GDPR, subject to applicable exceptions and limitations:
Right of access (Article 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data and information about how it is processed. We will respond to access requests within 30 days.
Right to rectification (Article 16): You have the right to request correction of inaccurate personal data and to have incomplete data completed.
Right to erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purpose for which it was collected, where you have withdrawn consent, or where the processing is unlawful.
Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while an accuracy dispute is under review.
Right to data portability (Article 20): Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.
Right to object (Article 21): You have the right to object to processing based on legitimate interests, including profiling. We will cease the processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights regarding automated decision-making (Article 22): Kinderpedia does not make decisions about individuals using solely automated processing that produce legal or similarly significant effects.
To exercise your rights, contact data@kinderpedia.tech with the subject line "Data Rights Request". We will verify your identity before processing the request. We will respond within 30 days and will extend this period by a further 60 days where necessary for complex requests, notifying you of the extension and reason within the initial 30-day period.
For rights relating to student data processed by Kinderpedia on behalf of a subscribing school, requests should be directed to the school acting as data controller. Schools are obligated under their Data Processing Agreement with Kinderpedia to assist in responding to such requests using the platform's data export and deletion tools.
Kinderpedia implements technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:
Encryption of data in transit using TLS 1.2 or higher. Encryption of data at rest using AES-256 for all data stored on AWS infrastructure. Role-based access controls restricting platform access to authenticated users with appropriate permissions. Multi-factor authentication available for all platform accounts and required for administrative accounts. Regular penetration testing conducted by external security professionals on an annual basis. Staff data protection training for all Kinderpedia employees with access to personal data. An incident response procedure covering detection, containment, notification, and remediation of personal data breaches.
In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of data subjects, we will notify the Romanian National Supervisory Authority (ANSPDCP) within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay where required under GDPR Article 34.
Kinderpedia's platform processes data about children as a core function, on behalf of subscribing schools. Student accounts accessible to parents and guardians are managed by the school and by the parent or guardian. Students below the age of 16 do not directly create Kinderpedia accounts. Where students aged 16 or above are given direct platform access (for example, to view their own grades or timetable), the school is responsible for ensuring appropriate permissions and communications are in place.
Kinderpedia does not process children's personal data for marketing or advertising purposes. We do not build profiles of individual children for purposes beyond providing the school management services described in our agreement with subscribing schools.
Kinderpedia uses cookies and similar tracking technologies on kinderpedia.tech. For full information about the cookies we use, their purposes, and how to manage your preferences, please read our Cookie Policy.
We may update this Privacy Policy from time to time. We will notify subscribing schools of material changes via email to the designated account administrator at least 30 days before the changes take effect. For website visitors and non-subscribed users, we will post the updated policy on this page with a revised "Last updated" date. Your continued use of the website or platform after the effective date of any changes constitutes your acknowledgment of the updated policy.
If you believe we have not handled your personal data in accordance with this policy or applicable data protection law, you have the right to lodge a complaint with the relevant supervisory authority. For data subjects in Romania, the supervisory authority is:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul Magheru 28-30, Sector 1, Bucharest, Romania
Website: dataprotection.ro
For data subjects in other EU member states, the supervisory authority in their country of residence is competent. We encourage you to contact us directly at data@kinderpedia.tech before lodging a supervisory authority complaint, as we may be able to resolve your concern more quickly through direct engagement.
For questions, requests, or concerns related to this Privacy Policy or our data processing practices, contact:
Kinderpedia SRL
Bucharest, Romania
Email: data@kinderpedia.tech
General enquiries: info@kinderpedia.tech