Privacy Policy
ZobbyKids Family Tracker

We take the privacy of your family — especially your children — seriously. This policy explains exactly what we collect, why, and how you stay in control.

Version 1.0
Effective: March 2026
COPPA · GDPR · CCPA Compliant
zobbykids.com

1. Information We Collect

We collect only what is necessary to deliver the ZobbyKids service. We do not collect more than we need.

Account Information: When you register, we collect your name, email address, and password (hashed with bcrypt — never stored in plain text). We also assign your family a unique 6-digit invite code.

Child Profile Information: When you add a child, we collect the child's name, date of birth, gender, grade, school name, hobbies, and optional medical notes. Medical notes and date of birth are never returned in list endpoints — they are protected by design.

Activity & Usage Data: We collect the activity logs, school points, health records, diary entries, and routine completions that you choose to record within the app.

Device & Session Data: We collect device type and session timestamps to power features like Smart Notification Timing. We do not collect your precise GPS location.

What we never collect: We never collect payment card details directly — all billing is handled by Stripe. We never collect government-issued ID numbers, Social Security numbers, or biometric data.

2. How We Use Your Information

We use the information we collect for the following purposes only:

  • To provide, operate, and improve the ZobbyKids application
  • To authenticate your account and keep your family's data secure
  • To send OTP verification emails and account-related notifications
  • To generate activity reports, 15-day evaluations, and AI coaching insights
  • To enforce subscription plan limits (Trial, Silver, Premium)
  • To comply with our legal obligations under COPPA, GDPR, and CCPA

No advertising: We do not use your data for advertising. We do not allow third-party advertisers to access your data. ZobbyKids products are completely ad-free.

3. COPPA — Children's Privacy

ZobbyKids is designed for parents to track their children's development. We take our obligations under the Children's Online Privacy Protection Act (COPPA) extremely seriously.

Verifiable Parental Consent: Before any child profile is created in the app, we require explicit verifiable parental consent. Parents must check a consent checkbox and agree to the current Privacy Policy version. Every consent event is logged with a timestamp, IP address, parent ID, and policy version.

No direct collection from children: Children do not create accounts, log in, or interact with the app directly. All data about a child is entered by a verified parent or guardian.

Right to Erasure: Parents may permanently delete all data associated with a child at any time using the Delete Child Data option in the app, or by contacting us at support@zobbykids.com. Deletion is permanent and irreversible.

Data Minimisation: We collect only the child information necessary to deliver the tracking and reporting features. Child medical notes and date of birth are excluded from all list and bulk API responses.

🛡️ How does ZobbyKids protect young children?

When you add a child, we ask for their date of birth. If the child is under 13 years old, our system automatically turns on extra privacy protections for that child — this is required by law in the US (COPPA), UK, EU, and Australia.

These extra protections mean: you must give explicit consent before we save any data about that child. No data is stored until you tick the consent checkbox and agree to this Privacy Policy.

You can remove your consent and delete all data for any child at any time — just go to Settings → Child Profile → Delete Child Data in the app.

4. Data Sharing & Disclosure

We do not sell your personal data. We do not share your data with third parties for marketing purposes. We share data only in the following limited circumstances:

  • Service Providers: We use Railway (hosting), Resend (transactional email), and Stripe (payment processing). Each provider is bound by data processing agreements and their own privacy policies.
  • Family Members: When a second parent joins your family using the 6-digit invite code, they gain access to the shared family data you have both agreed to share.
  • Legal Requirements: We may disclose data if required by law, court order, or to protect the safety of a child.
  • Business Transfer: If ZobbyKids is acquired or merged, your data may be transferred. You will be notified via email before any such transfer.

5. Data Security

We implement industry-standard security measures to protect your family's data:

  • All data is transmitted over HTTPS with TLS encryption
  • Passwords are hashed using bcrypt with a cost factor (salt rounds) of 10 and are never stored in plain text
  • JWT access tokens expire after 7 days; refresh tokens after 30 days
  • All API secrets and database credentials are stored in Railway environment variables — never in code
  • Family data isolation is enforced at the API level — users can only access their own family's data
  • Rate limiting is applied at 100 requests per minute per IP address in production
  • PostgreSQL database is hosted on Railway with automatic backups

Data breach notification: In the unlikely event of a data breach affecting your personal information, we will notify affected users within 72 hours as required by GDPR Article 33.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the service.

  • Active accounts: Data is retained indefinitely while your subscription is active
  • Deleted child profiles: Permanently removed within 30 days of deletion request
  • Deleted accounts: All personal data permanently removed within 30 days of account deletion
  • Billing records: Retained for 7 years as required by tax and financial regulations
  • Consent records: Retained for the life of the account as proof of COPPA compliance

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request permanent deletion of your account and all associated data
  • Right to Portability: Export your data in CSV or JSON format (Premium plan)
  • Right to Restrict Processing: Ask us to pause processing of your data
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw COPPA consent for a child at any time

To exercise any of these rights, contact us at support@zobbykids.com. We will respond within 30 days.

8. Your Rights Under CCPA

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:

  • Right to Know: Request details about the categories and specific pieces of personal information we have collected about you
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions
  • Right to Opt-Out: We do not sell personal information. There is nothing to opt out of.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

We do not sell personal information under any circumstances, including as defined under the CCPA's broad definition of "sale."

9. Cookies & Tracking

ZobbyKids uses minimal cookies and tracking technologies:

  • Essential cookies only: We use JWT tokens stored securely for authentication. These are essential to the service and cannot be disabled.
  • No advertising trackers: We do not use Google Analytics, Facebook Pixel, or any third-party advertising trackers.
  • No cross-site tracking: We do not track your activity on other websites or apps.

As we add analytics in the future, we will update this policy and provide a cookie consent banner for users in applicable jurisdictions.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will:

  • Update the "Effective Date" at the top of this page
  • Send an email notification to all registered parents
  • Display an in-app notice when you next log in
  • Require re-consent for any changes that affect how we process children's data

Continued use of ZobbyKids after the effective date of a revised policy constitutes acceptance of those changes. If you do not agree to the revised policy, you may delete your account at any time.

11. Contact Us

Questions about this Privacy Policy? We're here to help — every message gets read.