Privacy Policy

1. Information We Collect

Information You Provide Directly:

• Children's names, schools, teams, and activities
• Email notification preferences and schedule
• Keywords for filtering relevant emails

Information Collected Automatically:

• Your name and email address from Google authentication
• Google account profile information (limited to email and basic profile)
• OAuth tokens for Gmail API access (encrypted)
• Usage data and application logs for debugging

Information Accessed via Gmail API:

• Email metadata (sender, subject, date)
• Email content from connected Gmail accounts (read-only access)
• Calendar events (if calendar integration is enabled)

OAuth Scopes:

We request the following Google OAuth scopes:

• gmail.readonly - To read email messages and metadata
• userinfo.email - To identify your Google account

2. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

• Contract: Processing necessary to provide our email monitoring and summarization service
• Consent: For accessing your Gmail data and sending email notifications
• Legitimate Interests: For service improvements, security, and fraud prevention
• Legal Obligations: To comply with applicable laws and regulations

3. How We Use Your Information

We use your information for the following purposes:

• To authenticate you and manage your account
• To access and analyze emails from your connected Gmail accounts
• To filter emails relevant to your children's schools and activities
• To generate AI-powered summaries using OpenRouter services
• To send you daily email summaries at your configured time
• To improve our service and develop new features
• To detect, prevent, and address technical issues
• To comply with legal obligations

4. Data Retention

We retain your data for the following periods:

• Account Information: Until you request deletion
• Email Summaries: 30 days from creation
• Calendar Events: 90 days from event date
• Processing Logs: 30 days for debugging
• OAuth Tokens: Until you disconnect the account
• Audit Logs: 1 year for security purposes
• Temporary Email Content: Deleted immediately after processing

After these retention periods, data is automatically deleted from our active systems. Backup systems may retain data for up to 90 additional days before permanent deletion.

5. Data Sharing and Third-Party Services

We do not sell, trade, or rent your personal information. We share data only with:

Service Providers:

• OpenRouter (AI Processing): Anonymized email content for summarization - no personally identifiable information is shared
• Google OAuth: Authentication and authorization only
• Gmail API: Read-only access to email content
• Vercel: Application hosting and infrastructure
• PostgreSQL/Supabase: Database services (if applicable)

Legal Requirements:

We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

6. Data Security

We implement appropriate technical and organizational measures to protect your data:

• OAuth tokens are encrypted using AES-256-GCM encryption
• All data transmission occurs over HTTPS/TLS 1.2+
• Access controls and authentication mechanisms
• Regular security assessments and updates
• Secure coding practices and dependency management
• Incident response and breach notification procedures
• Limited access to personal data (need-to-know basis)

While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

7. Your Rights and Choices

Under GDPR (European Users):

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your personal data
• Restriction: Limit processing of your data
• Portability: Receive your data in a machine-readable format
• Object: Oppose processing based on legitimate interests
• Withdraw Consent: Revoke previously given consent
• Lodge a Complaint: File a complaint with your supervisory authority

Under CCPA/CPRA (California Users):

• Know: Request information about data collection and sharing
• Delete: Request deletion of personal information
• Opt-Out: Opt-out of sale or sharing of personal information (Note: We do not sell personal information)
• Correct: Request correction of inaccurate information
• Limit Use: Limit use of sensitive personal information
• Non-Discrimination: Equal service regardless of privacy choices

How to Exercise Your Rights:

To exercise any of these rights, please contact us at privacy@kidsupdates.com or use the data management features in your account settings. We will respond to your request within 30 days (or 45 days for complex requests).

8. Data Deletion

You can request deletion of your data at any time through:

• Account settings → Delete Account option
• Email request to privacy@kidsupdates.com

Upon receiving a deletion request, we will:

1. Delete your account and associated data within 30 days
2. Remove data from backup systems within 90 days
3. Retain only anonymized aggregate data for analytics
4. Send confirmation when deletion is complete

Note: Some information may be retained as required by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution).

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from your country. We ensure appropriate safeguards are in place, including Standard Contractual Clauses and adequacy decisions where applicable.

10. Children's Privacy

KidsUpdates is designed for parents and guardians to monitor school communications. We do not knowingly collect personal information directly from children under 13 (or 16 in the EU). The service is intended for use by adults only. If we learn we have collected personal information from a child without parental consent, we will delete that information immediately.

11. Cookies and Tracking

We use the following types of cookies:

• Essential Cookies: Required for authentication and core functionality
• Preference Cookies: Remember your settings and preferences
• Analytics Cookies: Help us understand usage patterns (if enabled)

You can control cookies through your browser settings. Disabling essential cookies may affect functionality.

12. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify affected users within 72 hours of discovery
• Provide details about the nature and scope of the breach
• Describe measures taken to address the breach
• Recommend steps you can take to protect yourself
• Report to relevant supervisory authorities as required

13. California Privacy Rights

California residents have additional rights under the CCPA/CPRA:

"Shine the Light" Law:

California residents may request information about disclosure of personal information to third parties for marketing purposes. We do not share personal information for third-party marketing.

Do Not Sell or Share:

We do not sell or share your personal information as defined under CCPA/CPRA. You have the right to opt-out if this practice changes.

Financial Incentives:

We do not offer financial incentives for providing personal information.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the new policy on this page
• Updating the "Last Updated" date
• Sending email notification for significant changes
• Obtaining consent where required by law

Continued use of KidsUpdates after changes constitutes acceptance of the updated policy.

15. Contact Information

For privacy-related questions, requests, or complaints, contact us at:

For GDPR-related complaints, you may also contact your local data protection authority.

16. Accessibility

This Privacy Policy is available in alternative formats upon request. Please contact us if you need this policy in a different format.