Privacy policy
How Kidoio collects, uses, and protects information when you use the iOS app, the website at kidoio.com, and related services. Plain text, no marketing language. Where we diverge from a typical consumer privacy policy, the divergence is documented.
Kidoio (“we,” “us,” “our”) is a behavioural-measurement service for children's digital media. The Service is designed for parents who want to understand the patterns inside content their child consumes. The Service does not collect information from or about children directly. Children are not the account holders, and the Service is not directed to children under 13.
1. Information we collect
1.1 — Information you provide
- Email address. When you sign in via magic link, we store your email so we can send the sign-in link and identify your account on subsequent sign-ins.
- YouTube URLs you submit for analysis. When you paste a link, we send that URL to our analysis pipeline. The URL itself, the resulting behavioural profile, and the date are stored against your account.
- Watch list items. Shows you save are stored against your account.
- Payment information. Payments are processed by Stripe. We never receive or store your card details. Stripe sends us a confirmation webhook including a reference identifier and the credit pack purchased; we use these to credit your account.
1.2 — Information collected automatically
- Device identifier (push token). If you grant push-notification permission in the iOS app, your device's APNs token is stored against your account so we can notify you when an analysis completes.
- Server logs. Our backend logs the time, IP address, and endpoint of each API request for operational and security purposes. Logs rotate every 30 days.
- Cookies and similar technologies. We use essential cookies for authentication and session management. With your consent, we may also set analytics cookies (Google Analytics) and advertising cookies (Google AdSense). Non-essential cookies are never set without your explicit consent. See our Cookie Policy for full details.
1.3 — Information we do not collect
- We do not collect children's personal information.
- We do not collect biometric data.
- We do not collect contacts, calendars, photos, or location.
- We do not access the camera or microphone.
- We do not request HealthKit, HomeKit, or any sensitive permission.
2. How we use information
- To run the Service. Sign in, run analyses, store your watch list, generate Kids Mode session links.
- To process payments. Stripe processes; we credit your account on webhook confirmation.
- To send essential email. Sign-in links and (rarely) account-related notices. We do not send marketing email by default.
- To send push notifications if you've granted permission. The only push we send today is “Your analysis of [show] is complete.”
- To improve the Service. Aggregate, anonymised metrics — for example, total analyses run last week — without personal identifiers.
We do not sell your data. If you consent to advertising cookies, Google AdSense may use that data to serve personalised ads on our site. You can withdraw advertising consent at any time via the Cookie Settings link in the footer or our Cookie Policy page. If you decline advertising cookies, no personalised ad scripts run and no ad-tracking cookies are set.
3. Third parties we share data with
Limited and only as necessary to operate the Service:
- Google (Gemini API). YouTube URLs and the resulting transcript text are sent to Google's Gemini API for analysis. Subject to Google's API terms.
- Stripe. Payment processing.
- Resend. Transactional email delivery (sign-in magic links).
- Apple Push Notification Service. Delivery of push notifications.
- Railway (hosting). Our backend runs on Railway. Railway sees encrypted data in transit and at rest.
- Google AdSense (with consent). If you consent to advertising cookies, Google and its certified ad technology providers may collect data and use cookies to serve ads based on your prior visits to this and other websites. You can opt out of personalised advertising at Google Ad Settings. See Google's ad technology policies.
- Google Analytics (with consent). If you consent to analytics cookies, we use Google Analytics to understand aggregate site usage. IP anonymisation is enabled. See the Google Privacy Policy.
Third-party analytics and advertising services are only activated if you give explicit consent via our cookie consent manager. See our Cookie Policy for a full list of cookies used.
4. Children's privacy
The Service is intended for parents and other caregivers, not for children. We do not knowingly collect personal information from children under 13.
When a parent shares a Kids Mode link with a child's device, that device receives only the parent's curated watch list — no account, no personal data, no analytics. The kid-session token is short-lived (default 8 hours) and revocable from the parent's account at any time.
If you believe a child has provided us personal information, contact hello@kidoio.com and we will delete it.
5. Data retention
- Account data — email, watch list, library — retained while your account is active.
- Analysis results — retained against your account so you can review past decisions in the library view.
- Server logs — retained 30 days.
- Stripe payment records — retained 7 years per financial-records best practice.
You can request account deletion at any time by emailing hello@kidoio.com. We will delete your account and all associated data within 30 days.
6. Security
- All traffic between your device and our backend uses HTTPS (TLS 1.2+).
- Your session token is signed with a secret only the backend knows.
- Passwords do not exist on this Service — we use magic-link sign-in exclusively, so there is nothing to leak.
- Stripe handles all payment-card data; we never see card numbers.
No system is perfectly secure. If we discover a breach affecting your data, we will notify you within 72 hours per industry best practice.
7. Your rights
Depending on your jurisdiction, you may have rights to:
- Access the data we hold about you
- Correct inaccurate data
- Delete your account and associated data
- Export your data
- Opt out of any non-essential communications
Email hello@kidoio.com to exercise any of these. We respond within 30 days.
8. International data transfers
The Service is operated from the European Union, but our infrastructure and certain third-party services (Google Gemini, Stripe, Resend) may process data in the United States and other jurisdictions. By using the Service, you consent to these transfers.
For EU/EEA users, our legal basis for processing is:
- Contract — for service operation (you signed up for analyses).
- Legitimate interest — for security logging and fraud prevention.
- Consent — for push notifications, analytics cookies, and advertising cookies.
9. Changes to this policy
If we materially change this policy, we will notify you via email and post a notice in the app at least 14 days before the change takes effect. Your continued use after that constitutes acceptance.
10. Contact
Questions, complaints, or data requests:
Email: hello@kidoio.com
Web: kidoio.com
This policy is provided for informational purposes and does not constitute legal advice. Kidoio is operated by the entity disclosed on kidoio.com. By using the Service, you accept this Privacy Policy.