Important notice: KidsCode Gift is a platform designed for children ages 7–16. We take children's privacy extremely seriously and comply with all applicable laws. We do not sell personal information, serve behavioral advertising, or use children's data to train AI models.
1. Overview & Who We Are
KidsCode Gift ("KidsCode Gift", "we", "us", or "our") operates the website https://www.kidscodegift.com and related services (collectively, the "Platform"). We provide interactive coding education for children ages 7–16, including AI-powered tutoring tools, coding courses, challenges, and a community environment.
This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our Platform — including information collected from children. By accessing or using the Platform, you agree to this policy. If you do not agree, please discontinue use immediately.
For purposes of EU/UK data protection law, KidsCode Gift acts as the Data Controller for personal information we process.
2. Information We Collect
2.1 Information You Provide Directly
- Account registration: Email address, password (stored as a secure hash), and display name or username.
- Parent/guardian information: For users under 13, we require a parent or guardian email address for verifiable parental consent (COPPA) and account management.
- Profile information: Optional bio, avatar image, and username.
- Payment information: Billing name and payment card data submitted during subscription purchase. Payment data is processed entirely by our payment processor Stripe, Inc. — we never store full card numbers on our servers.
- AI chat interactions: Text messages you send to our AI tutor (CodeWhiz). These are used to generate responses and are subject to additional disclosures in Section 7.
- Communications: Messages you send to our support team.
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, courses completed, challenges attempted, XP earned, and session duration.
- Device & technical data: Browser type, operating system, device type, screen resolution, language, and time zone.
- Log data: IP address, access timestamps, referring URLs, and error logs. IP addresses are used solely for security, fraud prevention, and geolocation at the country level. We do not use IP addresses to build profiles.
- Cookies & session tokens: Authentication tokens necessary for login sessions. We do not use third-party advertising cookies. See Section 9 for full details.
2.3 Information We Do NOT Collect
- We do not collect precise geolocation (GPS-level) data.
- We do not collect biometric data or voice recordings.
- We do not use advertising identifiers (IDFA, GAID) or cross-site tracking technologies.
- We do not collect data from social media profiles.
- We do not collect sensitive personal information such as racial or ethnic origin, health data, or government ID numbers.
3. How We Use Your Information
We use personal information for the following purposes, each with a specific legal basis:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and maintain the Platform | Contract performance |
| Process subscription payments via Stripe | Contract performance |
| Provide AI tutoring responses (CodeWhiz) | Contract performance + Legitimate interest |
| Send transactional emails (account confirmation, receipts) | Contract performance |
| Parental consent verification and management | Legal obligation (COPPA) |
| Personalize learning progress (XP, levels, badges) | Contract performance |
| Security monitoring and fraud prevention | Legitimate interest |
| Improve platform quality and fix bugs | Legitimate interest |
| Send optional educational newsletters (opt-in only) | Consent |
| Comply with legal obligations | Legal obligation |
We never use your information for behavioral advertising, data brokerage, or sale to third parties.
4. Children's Privacy (COPPA Compliance)
This section applies to all users under 13 years of age in the United States, and governs our compliance with the Children's Online Privacy Protection Act (COPPA) and the FTC's 2025 Final Rule (effective June 23, 2025).
4.1 Parental Consent Requirement
We do not knowingly collect personal information from children under 13 without verifiable parental consent (VPC). Before a child under 13 creates an account, we require a parent or guardian to:
- Provide their own email address;
- Review this Privacy Policy and our data practices;
- Affirmatively consent to our collection and use of their child's data;
- Verify their identity through our consent mechanism.
If we discover that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information immediately.
4.2 What We Collect from Children Under 13
With verifiable parental consent, we collect only the minimum necessary:
- Username (does not need to be the child's real name)
- Email address (parent/guardian email or child email with parent consent)
- Learning progress data (XP, completed lessons, badges)
- AI tutor chat messages (for response generation only; see Section 7)
We do not collect: precise location, phone number, photos, voice, biometric data, or any information that could enable direct contact with the child by third parties.
4.3 Parental Rights
Parents and guardians have the following rights, exercisable at any time:
- Right to review the personal information we have collected from their child.
- Right to delete their child's account and all associated personal information.
- Right to revoke consent at any time, which will result in deletion of the child's account.
- Right to refuse further collection or use of their child's information while allowing continued access to features not requiring data collection.
To exercise these rights, email privacy@kidscodegift.com with the subject line "COPPA Parental Request." We will respond within 5 business days.
4.4 No Behavioral Advertising to Children
We absolutely do not engage in behavioral advertising, interest-based advertising, or profiling of children for advertising purposes. We do not sell, rent, or disclose children's personal information to data brokers, advertising networks, or any other third parties for commercial purposes.
4.5 AI Features and Children Under 13
Access to our AI tutoring feature (CodeWhiz) for users under 13 requires explicit parental consent. AI chat logs involving children under 13 are treated with heightened data minimization standards and are not used to train AI models. See Section 7 for full AI disclosures.
5. European Privacy Rights (GDPR / UK GDPR)
This section applies to individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland. It reflects our obligations under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the UK Children's Code (Age Appropriate Design Code).
5.1 Age of Digital Consent
Under GDPR Article 8, children under 16 (or a lower age set by individual EU member states, with a minimum of 13) require parental or guardian consent to process their personal data for information society services. We apply the following standard:
- Users under 13: Verifiable parental consent required (worldwide).
- Users 13–15: Parental consent required in EU/EEA/UK jurisdictions.
- Users 16+: May consent independently under GDPR, subject to applicable national law.
5.2 Your GDPR Rights
If you are located in the EEA, UK, or Switzerland, you have the following rights:
- Right of Access (Art. 15): Request a copy of personal data we hold about you.
- Right to Rectification (Art. 16): Correct inaccurate personal data.
- Right to Erasure — "Right to be Forgotten" (Art. 17): Request deletion of your personal data where there is no compelling reason for its continued processing.
- Right to Restriction of Processing (Art. 18): Ask us to limit processing of your data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is consent-based.
- Rights related to automated decision-making (Art. 22): Not be subject to solely automated decisions with significant effects. Note: Our AI tutor provides suggestions only — no automated decisions affect your rights or access.
To exercise any of these rights, contact us at privacy@kidscodegift.com. We will respond within 30 days as required by GDPR. You also have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national DPA in the EU).
5.3 UK Children's Code Compliance
We apply the UK Age Appropriate Design Code (Children's Code) standards including: data minimization by default for child accounts, highest privacy settings applied by default, no use of nudge techniques to encourage children to share more data, no geolocation tracking, and prohibition on profiling children for commercial purposes.
6. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following additional rights:
- Right to Know: Request disclosure of personal information we collect, use, disclose, and sell (we do not sell).
- Right to Delete: Request deletion of personal information we have collected.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share personal information with third parties for cross-context behavioral advertising. No opt-out mechanism is required, but we commit to this practice in writing.
- Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined under CPRA.
- Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.
California residents may submit requests at privacy@kidscodegift.com. We will respond within 45 days as required by law.
Notice regarding minors: We do not sell personal information of users under 16, and do not share such information for cross-context behavioral advertising, consistent with Cal. Civ. Code § 1798.120(c).
7. Artificial Intelligence Disclosures
This section satisfies disclosure requirements under the EU AI Act (Regulation (EU) 2024/1689, applicable from February 2, 2025), and the FTC's guidance on AI transparency.
7.1 AI System Description
Our Platform includes an AI-powered tutoring assistant called CodeWhiz. CodeWhiz is powered by Google Gemini (via Google's Generative AI API), a large language model developed by Google LLC.
7.2 Purpose & Limitations
CodeWhiz is designed solely to assist children with coding questions, explain programming concepts, and encourage learning. It is not a substitute for professional advice of any kind. Outputs from CodeWhiz may contain errors and should not be treated as authoritative.
7.3 How AI Processes Your Data
- Text messages you send to CodeWhiz are transmitted to Google's Gemini API to generate a response.
- Google may process these messages in accordance with its Privacy Policy and Generative AI Terms.
- We do not use your AI chat messages to train, fine-tune, or improve any AI models, whether our own or third-party models.
- AI chat logs are retained for 90 days for safety monitoring, then deleted.
- For users under 13, AI chat access requires explicit parental consent, and we apply enhanced data minimization.
7.4 No Automated Decision-Making with Legal Effect
CodeWhiz responses are for educational guidance only. No automated AI decision-making is used to determine access rights, subscription status, or any decision with legal or similarly significant effect on users.
7.5 EU AI Act Compliance
We assess our AI tutoring feature as an AI system within the meaning of the EU AI Act. We apply the following standards consistent with our obligations:
- Transparency: Users are always informed they are interacting with an AI system.
- Human oversight: Parents and guardians can disable AI chat access for their child's account at any time by contacting support.
- Safety: The AI system is configured with safety guidelines to prevent harmful, inappropriate, or manipulative content, with particular attention to child users.
- No prohibited practices: We do not use AI for subliminal manipulation, exploitation of vulnerabilities of children, real-time biometric identification, or social scoring.
- Data governance: Training data exclusion — child users' conversations are excluded from AI training datasets.
8. Third-Party Services & Data Processors
We share personal information with the following carefully selected third-party service providers ("processors") only to the extent necessary for them to perform services on our behalf:
| Processor | Service | Data Shared | Location |
|---|---|---|---|
| Supabase, Inc. | Database & Authentication | User accounts, profile data, learning progress | United States (AWS) |
| Stripe, Inc. | Payment Processing | Billing name, payment card data (Stripe stores; we receive only tokens) | United States |
| Google LLC (Gemini API) | AI Tutoring Engine | AI chat messages | United States |
| Vercel, Inc. | Website Hosting & CDN | Access logs, IP addresses (transient) | United States |
We do not share personal information with any advertising networks, data brokers, analytics companies that build user profiles, or any entity for commercial purposes beyond the services listed above. We require all processors to maintain adequate data protection standards, including entering into Data Processing Agreements (DPAs) where required by GDPR.
8.1 Legal Disclosures
We may disclose personal information if required by law, court order, or governmental authority, or to protect the safety and rights of our users, including reporting suspected child exploitation or abuse to the appropriate authorities (e.g., NCMEC CyberTipline).
10. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | Duration of account + 30 days after deletion request |
| AI chat logs | 90 days, then automatically deleted |
| Payment records | 7 years (required by tax law) |
| Security and access logs | 90 days |
| Parental consent records | Duration of child's account + 3 years |
| Deleted account data | Purged within 30 days of confirmed deletion request |
| Backups | Overwritten within 90 days of deletion |
11. Data Security
We implement industry-standard technical and organizational security measures to protect personal information, including:
- Encryption in transit (TLS 1.2+) for all data transmitted between your device and our servers.
- Encryption at rest for database storage via Supabase (AES-256).
- Bcrypt hashing of passwords — we never store plaintext passwords.
- Row-Level Security (RLS) policies on our database to ensure users can only access their own data.
- Stripe's PCI-DSS Level 1 certified payment infrastructure — we never touch raw card data.
- Regular security reviews and access control audits.
- Principle of least privilege for internal access to user data.
No system is 100% secure. If you believe your account has been compromised, contact us immediately at support@kidscodegift.com. In the event of a data breach affecting your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law (within 72 hours under GDPR).
12. Your Rights & Choices
Regardless of your location, you have the following rights:
- Account deletion: Delete your account at any time from Settings → Account, or by emailing privacy@kidscodegift.com.
- Data export: Request a copy of your personal data in JSON format.
- Marketing opt-out: Unsubscribe from any marketing emails at any time using the unsubscribe link or by emailing us.
- AI opt-out: Disable the AI tutoring feature by contacting support. This will not affect your access to other platform features.
- Cookie management: Manage cookies through your browser settings (note: disabling session cookies will prevent login).
To submit any privacy request, email privacy@kidscodegift.com with your account email and a description of your request. We verify identity before processing requests to protect account security.
13. International Data Transfers
We are based in the United States. If you are located in the EEA, UK, or other regions with data transfer restrictions, your personal information is transferred to and processed in the United States.
We rely on the following legal mechanisms for international transfers:
- Standard Contractual Clauses (SCCs): We use EU Standard Contractual Clauses approved by the European Commission for transfers to third-party processors.
- UK International Data Transfer Agreements (IDTAs) for transfers to the UK.
- Adequacy decisions where applicable.
14. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to you by:
- Email notification to the address on your account (for material changes);
- A prominent notice on our Platform for at least 30 days;
- Updating the "Effective Date" at the top of this page.
For changes affecting children's data under COPPA, we will obtain fresh verifiable parental consent before applying the new practices to children's accounts. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.
15. Contact Us
For any privacy questions, rights requests, or COPPA parental requests, contact our Privacy Team:
KidsCode Gift — Privacy Team
Email: privacy@kidscodegift.com
Support: support@kidscodegift.com
Website: https://www.kidscodegift.com
We aim to respond to all privacy inquiries within 5 business days, and no later than 30 days as required by applicable law.
If you are in the EU/EEA and believe we have not addressed your concern adequately, you have the right to lodge a complaint with your national data protection authority. A list of EU DPAs is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO).