Legal

Privacy Policy

We believe families deserve clear, honest answers about how their data is handled โ€” especially when children are involved.

Last updated: 1 June 2025  ยท  Applies to all Pikidoo services

Contents

  1. Who we are
  2. Data we collect
  3. How we use your data
  4. Legal basis (GDPR)
  5. Children's privacy
  6. Data sharing
  7. Cookies
  8. Data retention
  9. Your rights
  10. Security
  11. Changes
  12. Contact us

1 Who we are

Pikidoo is a family task and reward management service operated by Pikidoo ("we", "our", "us"). Our service allows parents to create household tasks and rules, assign rewards to children, track completions, and manage pocket-money payouts โ€” all through a web and mobile application.

This Privacy Policy explains what personal data we collect when you use Pikidoo, why we collect it, how we protect it, and what rights you have over it under the EU General Data Protection Regulation (GDPR) and other applicable laws.

Data controller contact
For any privacy-related questions, please email us at privacy@pikidoo.app.

2 Data we collect

Account data (parents / guardians)

  • Name and email address โ€” collected at registration
  • Encrypted password โ€” stored as a secure hash; we never see your plain-text password
  • Family name and a unique family code you choose
  • Preferred language and currency
  • Subscription plan information (linked to your Stripe customer record)

Child profile data

  • First name (or nickname) โ€” provided by the parent
  • Avatar icon and colour โ€” chosen by the child or parent
  • Optional: birth year (used only to display age-appropriate content)
  • Hashed PIN โ€” children authenticate with a 4-digit PIN; we store only the hash
  • Wallet balance โ€” the in-app reward balance calculated from approved tasks

Task and activity data

  • Task names, reward amounts, icons, and group assignments created by parents
  • Task completion records: which child, which task, date, and approval status
  • Payout records: amounts paid, dates, and associated children

Technical data

  • Server-side logs (IP address, request path, timestamp) โ€” retained for 30 days for security and debugging
  • No browser cookies are set by the Pikidoo application itself

Payment data

Subscription payments are processed by Stripe, Inc. We never store your full card number, CVV, or bank details. Stripe shares with us only a customer reference ID and subscription status. Stripe's privacy policy applies to payment data: stripe.com/privacy.

3 How we use your data

  • Provide the service โ€” authenticate users, store and display tasks, calculate balances, process payouts
  • Manage subscriptions โ€” apply the correct plan limits, handle upgrades, downgrades, and cancellations via Stripe
  • Communicate with you โ€” send transactional emails (account creation, password reset, subscription receipts)
  • Improve Pikidoo โ€” analyse aggregate, anonymised usage patterns to prioritise features
  • Ensure security โ€” detect and prevent fraudulent or abusive access
  • Comply with law โ€” retain records required by applicable financial and tax regulations

We do not use your data for advertising, sell it to third parties, or use it to build marketing profiles.

4 Legal basis (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, our legal bases are:

  • Contract performance (Art. 6(1)(b)) โ€” processing necessary to deliver the service you signed up for (account management, task tracking, payouts)
  • Legitimate interests (Art. 6(1)(f)) โ€” security logging and aggregate service improvement, balanced against your privacy rights
  • Legal obligation (Art. 6(1)(c)) โ€” retaining financial records as required by law
  • Consent (Art. 6(1)(a)) โ€” for optional analytics cookies, where applicable (you may withdraw consent at any time via our cookie settings)

For child profile data we rely on parental consent โ€” the parent or guardian who creates the account is responsible for providing that consent on behalf of the children added to the family.

5 Children's privacy

Special protections for children's data

Pikidoo is designed to be used by parents on behalf of their children. Children do not register themselves โ€” a parent or guardian creates and manages all child profiles. This means:

  • We collect only the minimum data needed for a child profile (name, avatar, PIN hash, balance)
  • Children's data is never shared with advertisers or third-party analytics providers
  • Child profiles do not have email addresses or direct marketing contact
  • Children's task history and balances are visible only to the family (parent and the child themselves)
  • Parents may delete any child profile at any time, which permanently removes all associated data

We comply with the GDPR provisions on children's data (Art. 8) and, for US users, the Children's Online Privacy Protection Act (COPPA). If you believe we have inadvertently collected data from a child without appropriate parental consent, please contact us immediately at privacy@pikidoo.app.

6 Data sharing and processors

We share data only with the following trusted processors, all bound by data processing agreements:

Processor Purpose Location Privacy policy
Stripe, Inc. Subscription payment processing USA (SCCs in place) stripe.com/privacy
Cloud hosting provider Database and application hosting EU Available on request
Google Fonts Typeface delivery on this website USA (SCCs in place) policies.google.com/privacy

We do not sell personal data. We do not share data with law enforcement except where legally compelled, and will notify you where permitted by law.

7 Cookies and tracking

This marketing website (pikidoo.app)

  • Essential: A cookie_consent entry in your browser's localStorage remembers your cookie preference. No expiry date is set by us; it persists until you clear your browser data.
  • Third-party: Google Fonts (loaded from fonts.googleapis.com) may set its own cookies or log your IP to serve font files. You can prevent this by using a browser extension that blocks Google Fonts requests.
  • Analytics: We do not currently use any analytics cookies or tracking pixels on this website.

The Pikidoo app

  • The app stores your authentication token in the browser's localStorage โ€” this is a technical necessity, not a tracking cookie.
  • No third-party tracking or advertising cookies are used inside the app.
You can review or change your cookie preference at any time using the button.

8 Data retention

  • Active accounts: Data is retained for as long as your account is active.
  • After account deletion: All personal data is permanently deleted within 30 days, except where we are required by law to retain financial records (typically 7 years for tax/accounting purposes โ€” these are anonymised where possible).
  • Child profiles: Deleted immediately and permanently when removed by a parent, or when the parent account is deleted.
  • Server logs: Automatically purged after 30 days.
  • Backups: Encrypted backups are retained for up to 90 days before being overwritten.

9 Your rights

Under the GDPR (and equivalent laws in the UK and other jurisdictions) you have the following rights:

Right of accessRequest a copy of all personal data we hold about you.
Right to rectificationAsk us to correct inaccurate or incomplete data.
Right to erasureRequest deletion of your data ("right to be forgotten").
Right to restrictAsk us to pause processing while a dispute is resolved.
Data portabilityReceive your data in a machine-readable format.
Right to objectObject to processing based on our legitimate interests.
Withdraw consentWithdraw cookie or marketing consent at any time.
Lodge a complaintFile a complaint with your local data protection authority.

To exercise any of these rights, email us at privacy@pikidoo.app. We will respond within 30 days. We may ask you to verify your identity before acting on the request.

10 Security

  • All data is transmitted over TLS (HTTPS)
  • Passwords are hashed using a strong, salted algorithm โ€” plain-text passwords are never stored
  • Child PINs are stored as secure hashes
  • Database access is restricted to application servers over private networking
  • Encrypted backups are stored separately from production data
  • Access to production systems is restricted to authorised personnel using multi-factor authentication

If you discover a potential security vulnerability, please report it responsibly to security@pikidoo.app rather than disclosing it publicly.

11 Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify active users by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the most recent revision. Continued use of Pikidoo after changes take effect constitutes acceptance of the updated policy.

12 Contact us

Pikidoo โ€” Privacy Team

privacy@pikidoo.app

security@pikidoo.app (security disclosures only)

If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.