Privacy Policy

KudoBits ("we", "us", or "our") is committed to protecting the privacy of everyone who uses our platform, especially children. This Privacy Policy explains what information we collect, how we use it, and your rights in relation to it.

By creating an account or using KudoBits you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

This policy applies to the KudoBits web application and any associated mobile apps.

We collect the following categories of information:

• Account information: name, username, email address, date of birth, gender, and optional contact number provided during registration.
• Family data: family name, timezone, and membership relationships between adults and children.
• Activity data: tasks, kudos requests, points balances, store purchases, and ledger entries generated through normal use of the Service.
• Messages: content sent between users within the platform.
• Profile images: avatars uploaded by users or adults on behalf of children.
• Device and usage data: browser type, IP address, and pages visited, collected automatically via server logs.
• Push notification tokens: stored only if you explicitly opt in to browser push notifications.
• Google sign-in data: if you choose to sign in with Google, we receive your Google account name and email address from Google. We do not receive your Google password or any other Google account data.

We do not collect payment information, precise GPS location, microphone or camera data, SMS or call data, or device advertising identifiers (such as the Android Advertising ID).

KudoBits is a family platform and may be used by children under the age of 13. We take children's privacy extremely seriously and comply with applicable laws including:

• The New Zealand Privacy Act 2020
• The United States Children's Online Privacy Protection Act (COPPA)
• The EU General Data Protection Regulation (GDPR) and UK GDPR

Parental consent: Child ("Kid") accounts may only be created by a parent or guardian ("Adult") who has registered their own account. By creating a Kid account, the Adult provides verifiable parental consent on behalf of the child and takes responsibility for all data associated with that account.

We do not knowingly collect personal information directly from children. Children cannot self-register. All data associated with a child's account is created and controlled by the parent or guardian.

We do not allow children to communicate with users outside their approved family and friends list without adult oversight and approval.

Parental rights: A parent or guardian may at any time review, correct, or request deletion of their child's data by using the account management features in Settings or by contacting us directly via the Support page.

If you believe we have inadvertently collected information from a child without appropriate parental consent, please contact us immediately and we will delete it promptly.

We use the information we collect solely to:

• Provide, operate, and maintain the Service.
• Manage user accounts, family groups, tasks, and rewards.
• Deliver messages and push notifications between users.
• Send transactional emails such as account invitations, password resets, and activity notifications.
• Respond to support requests and troubleshoot issues.
• Monitor and improve the security and performance of the Service.
• Comply with legal obligations.

We do not use your data for advertising. We do not build advertising profiles. We do not use any third-party advertising SDKs or analytics platforms.

KudoBits contains no advertising of any kind. We do not display ads, use advertising networks, or share data with advertising platforms. This applies equally to child accounts and adult accounts.

We do not collect or transmit any advertising identifiers (including the Android Advertising ID, IDFA, or any equivalent) from any user.

We do not sell, rent, or trade your personal information to third parties.

We may share information only in the following limited circumstances:

• Within your family group: adults in your family can see activity data, task history, and points for kids they manage.
• Infrastructure providers: we use hosting providers (currently located in New Zealand) who process data on our behalf under strict confidentiality obligations and are not permitted to use your data for any other purpose.
• Google (sign-in only): if you use "Sign in with Google", your authentication is handled by Google LLC. Google receives the fact that you are signing in to KudoBits and provides us with your name and email. Google's use of this data is governed by the Google Privacy Policy. We do not share any other user data with Google, and Google sign-in is never available for Kid accounts.
• Email delivery: transactional emails (invitations, notifications, password resets) are sent via our own mail server. Email addresses are used solely to deliver the email and are not shared with third parties.
• Legal requirements: we may disclose information if required by law, court order, or to protect the rights, property, or safety of KudoBits, our users, or the public.

We do not share any data from child accounts with third parties except as described above.

Your data is stored on servers located in New Zealand. We implement reasonable technical and organisational security measures including:

• Passwords stored using bcrypt hashing (never in plain text).
• HTTPS-only encrypted connections for all data in transit.
• Access controls limiting which staff members can access user data.
• Regular security reviews of the application.

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security and encourage you to use a strong, unique password.

We retain your personal information for as long as your account is active or as needed to provide the Service.

Account deletion: You may delete your account at any time from the Settings page within the app. Upon account deletion, your personal data will be permanently deleted within 30 days, except where we are required to retain it for legal or compliance purposes.

Parents and guardians may delete a child's Kid account and all associated data from within the family management settings, or by contacting us directly.

Server and activity logs may be retained for up to 90 days for security and debugging purposes before automatic deletion.

Under the New Zealand Privacy Act 2020 and other applicable laws (including COPPA and GDPR where relevant), you have the right to:

• Access the personal information we hold about you or your child.
• Correct inaccurate or incomplete information.
• Delete your account and all associated data (see Section 8 above).
• Withdraw consent and object to certain processing of your data.
• Request a copy of your data — you may request an export of your personal data by contacting us via the Support page. We will fulfil such requests within 30 days.

To exercise any of these rights, please use the account settings within the app or contact us via the Support page. We will respond to all privacy requests within 30 days.

KudoBits uses the following cookies and browser storage strictly for the purpose of operating the Service:

• Session cookie: a secure, HTTP-only cookie used to keep you signed in. This cookie expires when you sign out or after a period of inactivity.
• Theme preference: stored in browser local storage to remember your chosen colour theme. This is not transmitted to our servers.

We do not use any third-party tracking, analytics, or advertising cookies. No cookie consent banner is shown because we only use cookies that are strictly necessary to operate the Service.

The Service may contain links to external websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies before providing any personal information.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

For significant changes affecting children's data, we will take additional steps to inform parents and guardians before the change takes effect.

This Privacy Policy is governed by the laws of New Zealand. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts of New Zealand.

Where COPPA or GDPR applies to specific users, we comply with those laws in addition to New Zealand law.

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data — including requests relating to a child's personal information — please contact us:

• Support page: kudobits.youngcloud.nz/support

We aim to respond to all privacy-related enquiries within 30 days.