Privacy Policy

Version: 2026-05-24 · KinflowApp Ltd.

KinFlowApp — Privacy Policy
Effective Date: 24 May 2026
KinFlowApp Ltd | https://kinflowapp.com | [email protected]

---

1. WHO WE ARE

KinFlowApp Ltd ("KinFlow", "we", "us", "our") operates a nursery management and parent engagement platform that connects nurseries, parents, and guardians across the UK.

Registered company: KinFlowApp Ltd
Website: https://kinflowapp.com
Contact: [email protected]

For questions about this Privacy Policy or how we handle your data, please contact us at the email above.

---

2. OUR ROLE: DATA CONTROLLER AND JOINT CONTROLLER

KinFlowApp Ltd is the Data Controller for the personal data it collects and processes to operate the Platform. This includes account registration and authentication, parent and child profiles, nursery applications, platform communications, audit logging, and the fulfilment of your data protection rights.

Joint Controller Arrangement with Nurseries

Where both KinFlowApp and a nursery jointly determine the purposes and means of processing personal data — primarily enrolled child data visible to both parties — both act as Joint Controllers under Article 26 UK GDPR. The division of responsibilities between KinFlowApp and nurseries is set out in our Terms & Conditions (Section 8A). You may exercise your data subject rights against either party; KinFlowApp is the primary point of contact for requests submitted through the Platform.

Nurseries also act as independent Data Controllers for their own statutory processing under the Early Years Foundation Stage (EYFS) framework, the Children Act 1989, and Ofsted requirements. For data processed solely under those obligations, you should also refer to the nursery's own privacy notice.

If you are unsure which role applies to data about you or your child, contact us at [email protected] and we will clarify.

---

3. WHAT DATA WE COLLECT AND WHY

3.1 Account Data

We collect your name, surname, email address, password (stored as a secure hash), date of birth, and optionally your phone number when you create an account. Each time you log in, we send a one-time passcode to your registered email address. That code is stored temporarily (for up to 10 minutes) and deleted once used or on your next login attempt.

Lawful basis: Article 6(1)(b) UK GDPR — necessary to perform the contract to provide you with access to the Platform.

3.2 Parent Profile

We collect profile information including your name, surname, date of birth, phone number, email address, home address, and optionally a profile photo. You may also upload identity documents such as a passport for the purpose of nursery enrollment.

Lawful basis: Article 6(1)(b) UK GDPR — necessary for nursery enrollment and identity verification.

3.3 Child Profile

We collect your child's name, surname, date of birth, gender, address, nationality, and home language.

Lawful basis: Article 6(1)(b) UK GDPR — necessary to facilitate nursery enrollment and childcare services.

3.4 Child Health and Care Data

We collect health and care information about your child where you or a nursery provide it, including:

• Allergies and dietary considerations;
• Medical conditions and current medications;
• NHS number and GP details;
• Special educational or care notes;
• Education, Health and Care Plans (EHCP);
• Individual Health Plans (IHP);
• Anaphylaxis plans and immunisation records.

Lawful basis: Article 9(2)(a) UK GDPR — your explicit consent, obtained at account creation and at the point of nursery application submission. You may withdraw consent at any time by requesting erasure of your child's profile, subject to any overriding legal or safeguarding retention obligations.

3.5 Looked-After Child Status

Where indicated, we record whether a child is a looked-after child (a child in the care of a local authority).

Lawful basis: Article 9(2)(a) UK GDPR — your explicit consent, obtained at account creation and at the point of nursery application submission.

3.6 Ethnicity and Religion

You may optionally provide information about your child's ethnicity, religion, or cultural background. These fields are entirely voluntary.

Lawful basis: Article 9(2)(a) UK GDPR — your explicit consent. You may update or remove this information at any time from your child's profile without affecting your access to the Platform. Withdrawing this information does not affect the lawfulness of any prior processing.

3.7 Messages and Chat

We store messages and chat records between parents and nursery staff on the Platform.

Lawful basis: Article 6(1)(b) UK GDPR and safeguarding obligations. Communication records may be retained beyond account closure where required for safeguarding, legal, or audit purposes.

3.8 Nursery Applications

When you apply to a nursery, we record and store a snapshot of your and your child's information at the point of submission. This snapshot is used to provide the nursery with an accurate record of the application as submitted.

Lawful basis: Article 6(1)(b) UK GDPR — necessary for the performance of the contract. Application records are retained for the legally required period applicable to contractual records.

3.9 Device Tokens (Push Notifications)

We collect your device's push notification token (via Firebase Cloud Messaging) to deliver real-time notifications to your device.

Lawful basis: Article 6(1)(b) UK GDPR — necessary to provide the notification features of the Platform. Tokens are deleted when your account is deleted or the token expires.

3.10 Terms Acceptance

We record a timestamp and version number when you accept our Terms & Conditions at registration.

Lawful basis: Article 6(1)(c) UK GDPR — necessary to comply with our legal obligation to demonstrate that users have agreed to the Terms governing use of the Platform.

---

4. HOW WE SHARE YOUR DATA

We do not sell your personal data. We do not share your data for advertising purposes. We share data only in the following circumstances:

With nurseries you are connected to

When you enrol a child at a nursery or communicate through the Platform, the relevant nursery will have access to your profile and your child's data. The nursery acts as an independent Data Controller in this context and is responsible for its own data processing.

With our technology providers (Data Processors)

We use the following sub-processors who process data on our behalf under appropriate data processing agreements:

• Cloudflare R2 — cloud storage for documents, images, and media attachments.
• Resend — transactional email delivery (verification emails, password resets, data export notifications).
• Railway (Google Cloud Platform) — PostgreSQL database hosting. All data is encrypted at rest using AES-256.
• Firebase / Google LLC (Firebase Cloud Messaging) — push notification delivery.

With legal or regulatory authorities

We may disclose personal data where required by law, court order, or to protect the safety of a child or other individual.

---

5. INTERNATIONAL DATA TRANSFERS

KinFlowApp endeavours to store and process data within the UK and EEA. However, some of our technology providers — including Cloudflare R2 and Firebase (Google LLC) — may process data in countries outside the UK. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK Information Commissioner's Office or adequacy decisions. You may request further details about these safeguards by contacting [email protected].

---

6. CHILDREN'S DATA

KinFlow is a platform designed for use by parents, guardians, and nursery professionals. Children do not directly register for or use the Platform. All personal data relating to a child is submitted by a parent or legal guardian acting on the child's behalf.

By submitting a child's data, you confirm that you are the parent or legal guardian of that child and have the authority to provide this information.

We apply particular care to children's health and care data. Access to this data is restricted to the nursery staff directly responsible for the child's care, and to the connected parent or guardian.

Parents and guardians may request erasure of their child's personal data at any time. Such requests will be fulfilled in accordance with our legal obligations, which may require us to retain certain records for safeguarding or statutory purposes even after a deletion request.

---

7. DATA RETENTION

We retain personal data only for as long as necessary for the purposes set out in this Policy.

• Account and profile data: retained for the duration your account is active. On account deletion, personal fields are redacted. Certain anonymised or safeguarding-related records may be retained after deletion.
• Messages and chat: may be retained beyond account closure where required by safeguarding obligations or applicable law.
• Nursery application records: retained for the legally required period applicable to contractual records following the conclusion of an application.
• Authentication tokens (login, password reset, email verification): deleted on expiry or account deletion.
• Email OTP codes: valid for 10 minutes; deleted on use or when a new code is requested. All OTP records are deleted on account deletion.
• Push notification tokens (FCM): deleted on account deletion or token expiry.
• Draft application data: deleted when no longer required.

Where data is retained for safeguarding reasons after account closure, it is held in anonymised or minimised form where possible.

---

8. YOUR RIGHTS UNDER UK GDPR

You have the following rights in relation to your personal data. To exercise any of these rights, contact us at [email protected].

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request correction of inaccurate or incomplete data.
• Right to erasure: You may request deletion of your personal data. You can do this directly through the Platform by deleting your account. The table below sets out exactly what is deleted, anonymised, or retained when you exercise this right.

What happens when you delete your account:

Deleted immediately:
— Your account details (name, email, date of birth, phone number, password) are permanently overwritten. Your email address is replaced with an anonymised placeholder and your account is marked as erased.
— Your account avatar (profile photo) is deleted from our storage.
— All active login sessions and device tokens are deleted.
— Files you uploaded as attachments in chat messages are deleted from our storage.
— Any nursery inquiry messages you sent are replaced with "[deleted]".
— Any nursery reviews you submitted have their text permanently removed.
— Any saved draft application data is cleared.

Anonymised (content preserved, identity removed):
— Chat messages you sent remain visible to other participants but your name is replaced with "Deleted User". The content of the messages is not deleted, as it forms part of a shared conversation record. If you wish to remove the content of specific messages, you can redact individual messages before deleting your account.

Not deleted automatically — action required before or after erasure:
— Child profiles linked to your account. These must be deleted separately from your account settings. Deleting your account does not delete your children's profiles.
— Parent profiles linked to your account. These must also be deleted separately.

Retained after erasure for legal reasons:
— Your record of accepting our Terms & Conditions and Privacy Policy (timestamp and version only) is retained for 7 years as evidence of consent, as required by law.
— Audit log entries recording security-relevant events (such as login history and the erasure itself) are retained for 3 years for security and accountability purposes under Article 6(1)(f) UK GDPR.
— Nursery application records are retained for the legally required contractual retention period and then redacted automatically by our retention system. The snapshot of your data within an application record is nulled at the end of that period.

This right is subject to our legal obligations. Where data must be retained for safeguarding, statutory, or contractual reasons, we will retain the minimum necessary and notify you if we are unable to fulfil a request in full.

• Right to restriction: You may request that we limit the processing of your data in certain circumstances.
• Right to data portability: You may request a copy of data you have provided to us in a structured, machine-readable format, where processing is based on contract or consent.
• Right to object: You may object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on your explicit consent (specifically, ethnicity and religion data), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Right to complain: You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

We will respond to all requests within one calendar month. Where a request is complex or numerous, we may extend this by a further two months and will notify you accordingly.

---

9. SECURITY

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include password hashing, email one-time passcode verification on every login, encrypted data transmission (HTTPS), access controls, and secure cloud storage.

When you change your email address, the new address must be confirmed via a verification link before it takes effect. Your old address remains active until confirmation. Once confirmed, a security notification is sent to your previous email address.

When your password is changed — whether by you directly or via a password reset link — a security notification is sent to your registered email address. If you receive a notification for a change you did not make, contact us immediately at [email protected].

No method of transmission or storage is entirely secure. If you have concerns about the security of your data, contact us at [email protected].

---

10. COOKIES AND TRACKING

Information about our use of cookies and similar tracking technologies is set out in our separate Cookie Policy, available at https://kinflowapp.com/cookies.

---

11. UPDATES TO THIS POLICY

We may update this Privacy Policy from time to time. Where changes are material, we will notify you via the Platform or by email before the changes take effect. The version of this Policy is identified by its effective date, shown at the top of this document. Continued use of the Platform after the effective date of any update constitutes acceptance of the revised Policy.

---

12. CONTACT US

If you have any questions about this Privacy Policy, wish to exercise your rights, or have a concern about how we handle your data, please contact:

KinFlowApp Ltd
Email: [email protected]
Website: https://kinflowapp.com

© 2026 KinflowApp Ltd. All rights reserved.