Privacy Notice
Effective Date: [EFFECTIVE DATE]
Last Updated: [LAST UPDATED]
Version: 2.0
Privacy Contact: [PRIVACY EMAIL]
This Privacy Notice explains how [KIDSTARTER LEGAL NAME] ("KidStarter," "we," "us," "our") collects, uses, shares, retains, and protects personal information when you access or use our website at [YOUR DOMAIN], our mobile applications, APIs, and related services (collectively, the "Service").
We are committed to transparency, data minimization, and the protection of all Users — especially minors. Please read this Notice carefully. If you do not agree with our practices, do not use the Service.
For information specifically about how we handle children's data, please also see our Children's Privacy Notice.
1. Scope
This Notice applies to all visitors, Donors, Creators (teachers, guardians, authorized representatives), school and organization representatives, Corporate Sponsors, and all other users of the Service, regardless of location.
This Notice does not apply to third-party websites, services, or applications linked from the Service. We encourage you to review the privacy policies of any third party before providing your information.
2. Data Controller
[KIDSTARTER LEGAL NAME] is the data controller responsible for your Personal Data under applicable data protection laws.
Registered Address: [ADDRESS]
Privacy Contact: [PRIVACY EMAIL]
Data Protection Officer (if appointed): [DPO NAME AND CONTACT] / [If not appointed: KidStarter has not appointed a Data Protection Officer as it does not meet the mandatory appointment thresholds under GDPR Article 37. Privacy inquiries should be directed to [PRIVACY EMAIL].]
3. Data We Collect
3.1 Information You Provide
| Category | Examples |
|---|---|
| Account Information | Name, email address, password (hashed), role, organization affiliation |
| Profile Information | Display name, profile photo (optional), bio |
| Campaign Content | Campaign title, description, story text, images, updates, category of need |
| Verification Data | School email verification, authorization letters, guardian consent forms, invoices, quotes, proof of enrollment (stored with restricted access) |
| Donation Data | Donation amount, currency, campaign selected, donor name/alias, gift message |
| Payment Information | Payment method selection and billing address; full card numbers are processed exclusively by our PCI DSS-compliant payment processors and are never stored by KidStarter |
| Communications | Support tickets, emails, chat messages, feedback, reports |
| Corporate Sponsor Data | Company name, authorized representative details, billing information, CSR program details |
3.2 Information Collected Automatically
| Category | Examples |
|---|---|
| Device and Browser Data | IP address, device type, operating system, browser type and version, screen resolution, language preference |
| Usage Data | Pages viewed, features used, clicks, scroll depth, session duration, timestamps |
| Log Data | Server logs, error logs, access timestamps |
| Cookie and Tracking Data | Cookies, pixels, local storage tokens (see Cookie Policy) |
| Attribution Data | UTM parameters, referral URLs, share codes, campaign source |
| Location Data | Approximate location derived from IP address (we do not collect precise GPS location) |
3.3 Information from Third Parties
| Source | Data |
|---|---|
| Payment Processors | Transaction confirmations, payment status, fraud signals |
| Verification Providers | Identity verification results, sanctions screening results |
| Schools/Organizations | Authorization confirmations, enrollment verifications |
| Social Login Providers | If offered: name, email, profile picture from OAuth providers |
3.4 Student-Related Data (Minimized)
We apply strict data minimization for student data. Public data for minors is limited to:
- first name and last initial (or nickname/alias);
- grade band (e.g., elementary, middle, high school);
- broad geographic region (city or area only);
- category of need (e.g., books, laptop, tuition);
- a narrative story that does not contain identifying details.
We may process limited additional student-related information privately for verification, disbursement coordination, and child safety purposes. See the Children's Privacy Notice for full details.
We do not sell children's Personal Data. We do not use children's Personal Data for advertising, profiling, or behavioral targeting.
4. How We Use Data
We process your data for the following purposes:
| Purpose | Examples |
|---|---|
| Providing the Service | Creating accounts, publishing campaigns, processing donations, generating receipts, facilitating disbursements |
| Verification and Trust | Verifying creator identity and authority, school/organization legitimacy, corporate sponsor authorization |
| Safety and Child Protection | Moderating content, detecting PII exposure, enforcing child safety rules, removing harmful content |
| Fraud Prevention and Security | Transaction monitoring, velocity checks, device fingerprinting, IP analysis, sanctions screening, AML checks |
| Communications | Sending donation confirmations, campaign updates, support responses, service announcements |
| Compliance | Tax reporting, regulatory compliance, responding to lawful requests, dispute resolution |
| Analytics and Improvement | Measuring service performance, understanding usage patterns, improving features, A/B testing (aggregated/anonymized where feasible) |
| Marketing | Where you have opted in: newsletters, impact reports, fundraising tips (you may opt out at any time) |
5. Legal Bases for Processing (EU/EEA and UK Users)
Under the GDPR and UK GDPR, we rely on the following legal bases:
| Legal Basis | Processing Activities |
|---|---|
| Performance of a Contract (Art. 6(1)(b)) | Account creation, campaign management, donation processing, disbursements, support communications |
| Legitimate Interests (Art. 6(1)(f)) | Fraud prevention, security monitoring, service improvement, analytics, enforcing terms and policies, protecting Users (including minors). Our legitimate interests do not override your fundamental rights and freedoms. |
| Consent (Art. 6(1)(a)) | Non-essential cookies, marketing communications, optional data sharing. You may withdraw consent at any time (see Section 10). |
| Legal Obligation (Art. 6(1)(c)) | Tax reporting, regulatory compliance, responding to lawful requests, breach notification, mandatory record-keeping |
| Vital Interests (Art. 6(1)(d)) | Emergency child safety situations where necessary to protect life |
| Public Interest (Art. 6(1)(e)) | Reporting child exploitation material to authorities (NCMEC, IWF, law enforcement) |
6. How We Share Data
We share Personal Data only as described below. We do not sell your Personal Data. We do not share Personal Data with third parties for their own marketing purposes.
| Recipient Category | Purpose | Data Shared |
|---|---|---|
| Payment Processors (e.g., Stripe, PayPal) | Process donations, manage refunds/chargebacks | Payment details, transaction data, billing address |
| Cloud and Infrastructure Providers | Hosting, storage, CDN, backups | All data as necessary for hosting (encrypted at rest and in transit) |
| Email and Communication Providers | Service emails, notifications | Name, email, communication content |
| Analytics Providers | Performance measurement | Aggregated/pseudonymized usage data |
| Verification and Fraud Prevention | Identity verification, sanctions screening, fraud detection | Verification documents, transaction signals, IP/device data |
| Schools/Organizations/Vendors | Coordinate disbursements and deliveries | Campaign details, invoice information, authorization data (not for marketing) |
| Moderation Tools | Automated PII detection, content safety scanning | Campaign content, images |
| Legal and Regulatory Authorities | Comply with lawful requests, court orders, subpoenas; report child exploitation | As required by law |
| Professional Advisors | Legal, accounting, audit, insurance | As necessary, under confidentiality |
| Corporate Transaction Parties | In connection with a merger, acquisition, or asset sale | All data; subject to equivalent protections |
7. Cookies and Tracking Technologies
We use cookies and similar technologies as described in our Cookie Policy. You can manage your preferences through our cookie consent banner (EU/UK), browser settings, or by contacting [PRIVACY EMAIL].
8. Data Retention
We retain Personal Data only as long as necessary for the purposes described in this Notice and in accordance with our Data Retention & Deletion Policy. Indicative retention periods:
| Data Category | Retention Period |
|---|---|
| Account information | Duration of account + 3 years after closure (or longer if required by law) |
| Donation records | 7 years (financial/tax compliance) |
| Verification evidence | Duration of campaign + 3 years (fraud prevention, audit) |
| Campaign content | Duration of campaign; archived on completion; deleted on request where legally permitted |
| Student data (private) | Deleted or anonymized within 12 months after campaign completion or disbursement, unless retention is required by law |
| Server/security logs | Up to 24 months (security, fraud investigation) |
| Marketing consent records | Duration of consent + 3 years |
| Cookie data | See Cookie Policy for specific durations per cookie |
After expiry, data is deleted or irreversibly anonymized unless a legal hold, ongoing dispute, or regulatory obligation requires further retention.
9. Data Security
We implement technical and organizational security measures proportionate to the risk, including:
- encryption in transit (TLS 1.2+) and at rest;
- role-based access controls and least-privilege principles;
- secure, segregated storage for verification evidence;
- multi-factor authentication for administrative access;
- continuous monitoring, logging, and alerting;
- regular vulnerability assessments;
- incident response procedures;
- employee security awareness training;
- vendor security assessments.
No system is perfectly secure. See our Security Practices Summary and Incident Response & Breach Notice Summary.
10. Your Rights
Depending on your location, you may have the following rights. To exercise any right, contact [PRIVACY EMAIL].
10.1 All Users
- Access: Request a copy of your Personal Data.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your data, subject to legal retention obligations.
- Objection: Object to certain processing activities.
- Complaint: Lodge a complaint with us or a supervisory authority.
10.2 Additional Rights (EU/EEA and UK)
- Restriction of Processing: Request that we restrict processing in certain circumstances.
- Data Portability: Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Withdraw Consent: Withdraw consent at any time for processing based on consent (without affecting the lawfulness of prior processing).
- Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (see Section 11).
- Lodge a Complaint: With your local supervisory authority (see Section 14).
10.3 Additional Rights (California, US — CCPA/CPRA)
See Section 13.2 below.
10.4 Additional Rights (Canada — PIPEDA)
See Section 15 below.
We will respond to verifiable requests within the timeframes required by applicable law (generally 30 days under GDPR/UK GDPR, 45 days under CCPA/CPRA). We will not discriminate against you for exercising your rights.
11. Automated Decision-Making and Profiling
11.1. KidStarter may use automated systems for fraud detection, transaction monitoring, content moderation (including PII detection in text and images), and sanctions screening.
11.2. These systems may flag content for human review, delay disbursements, or restrict account functionality based on automated signals.
11.3. We do not make decisions based solely on automated processing that produce legal effects or similarly significant effects on you without human review, except where permitted by law (e.g., fraud prevention with appropriate safeguards).
11.4. If you believe an automated decision has adversely affected you, you may request human review by contacting [SUPPORT EMAIL].
12. EU/EEA (GDPR) Disclosures
12.1 Controller
KidStarter is the controller for Personal Data processed under this Notice, unless otherwise stated in a Data Processing Addendum.
12.2 Legal Bases
See Section 5 above.
12.3 International Transfers
Where Personal Data is transferred outside the EEA to countries without an adequacy decision, we implement appropriate safeguards including:
- EU Standard Contractual Clauses (SCCs) adopted by the European Commission;
- supplementary technical and organizational measures where required (encryption, access controls, data minimization);
- Transfer Impact Assessments where appropriate.
See the International Transfers Addendum.
12.4 Data Protection Officer
[DPO details if appointed] / [Statement that DPO is not required under Art. 37 GDPR, with contact details for privacy inquiries.]
12.5 Supervisory Authority Complaints
You have the right to lodge a complaint with the supervisory authority in your EU Member State of habitual residence, place of work, or place of the alleged infringement. A list of authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
13. United States Disclosures
13.1 Children (COPPA)
The Service is not directed to children under 13. If KidStarter has actual knowledge that it has collected Personal Data directly from a child under 13 without verifiable parental consent, we will delete that data promptly. See the Children's Privacy Notice.
13.2 California Privacy Rights (CCPA/CPRA)
Categories of Personal Information Collected: Identifiers; financial information; internet/electronic activity; geolocation data; professional/employment-related information (for corporate sponsors); education information (limited, minimized student data).
Sources: Directly from you; automatically from your devices; from third parties (payment processors, verification providers).
Business Purposes: See Section 4 above.
Sharing and Disclosure: See Section 6 above.
Sale of Personal Information: We do not sell Personal Information as defined by the CCPA/CPRA.
Sharing for Cross-Context Behavioral Advertising: We do not share Personal Information for cross-context behavioral advertising.
Sensitive Personal Information: Where we process sensitive Personal Information (e.g., financial account information), we do so only as necessary to provide the Service and do not use it for profiling.
Your California Rights:
- Right to Know: Request disclosure of the categories and specific pieces of Personal Information collected, the sources, business purposes, and categories of third parties with whom we share it.
- Right to Delete: Request deletion of your Personal Information, subject to exceptions.
- Right to Correct: Request correction of inaccurate Personal Information.
- Right to Opt-Out of Sale/Sharing: Not applicable (we do not sell or share for cross-context behavioral advertising).
- Right to Limit Use of Sensitive Personal Information: Request limitation of use of sensitive data to purposes necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising CCPA/CPRA rights.
How to Exercise Rights: Contact [PRIVACY EMAIL] or call [TOLL-FREE NUMBER, if applicable]. We will verify your identity before processing your request. You may designate an authorized agent.
Retention: See Section 8 above.
13.3 Other US State Privacy Laws
We comply with applicable state privacy laws, including those in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states as their laws take effect. Residents of these states may exercise rights to access, correct, delete, and opt out of certain processing by contacting [PRIVACY EMAIL].
14. United Kingdom (UK GDPR) Disclosures
14.1. We comply with the UK GDPR and the Data Protection Act 2018.
14.2. We follow the ICO Age Appropriate Design Code (Children's Code) principles by defaulting to high privacy for minors, minimizing data collection, and disabling profiling and behavioral targeting for child-related content.
14.3. Where Personal Data is transferred outside the UK to countries without an adequacy decision, we use the UK International Data Transfer Addendum (IDTA) or the UK addendum to the EU SCCs.
14.4. You may lodge a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/.
15. Canada (PIPEDA and Provincial Laws) Disclosures
15.1. We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, including Quebec's Act respecting the protection of personal information in the private sector (Law 25).
15.2. We obtain meaningful consent for the collection, use, and disclosure of Personal Data, which may be express or implied depending on the sensitivity and the reasonable expectations of the individual.
15.3. We limit collection to information that is reasonable and necessary for stated purposes.
15.4. You have the right to access your Personal Data, request correction, and withdraw consent (subject to legal or contractual restrictions). Contact [PRIVACY EMAIL].
15.5. Quebec (Law 25): If you are a Quebec resident, you have the right to data portability in a commonly used technological format. We will conduct a privacy impact assessment where required by Law 25 and will notify the Commission d'accès à l'information du Québec and affected individuals in the event of a confidentiality incident that presents a risk of serious harm.
15.6. Cross-Border Transfers: Where your Personal Data is transferred outside Canada, we ensure it receives a comparable level of protection through contractual safeguards. You may contact [PRIVACY EMAIL] for information about our cross-border transfer practices.
15.7. You may file a complaint with the Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca/, or with the applicable provincial commissioner.
16. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. There is no industry standard for how to respond to DNT signals, and we do not currently respond to them. Our Cookie Policy describes your choices regarding tracking technologies.
17. Changes to This Notice
We may update this Notice from time to time. We will post the updated version and change the "Last Updated" date. For material changes, we will provide at least 30 days' notice via email or prominent notice on the Service. Your continued use after the effective date constitutes acceptance. If you disagree, you must stop using the Service.
18. Contact
Privacy Inquiries: [PRIVACY EMAIL]
General Support: [SUPPORT EMAIL]
Data Protection Officer (if appointed): [DPO EMAIL]
Mailing Address: [ADDRESS]
For safety concerns involving minors: [REPORT LINK OR EMAIL]