Privacy Policy
Last updated: November 7, 2025
1. Introduction
This Privacy Policy explains how Hefes Technology Group doo, PIB: 111909858, MB: 21567426, headquartered at Vitezova Karađorđeve zvezde 50, 11050 Belgrade, Serbia ("we", "us", "Kiddly") collects, uses, and protects your personal data when using the Kiddly platform.
Kiddly is a digital platform for management and communication within preschool institutions. It includes:
- Website: kiddly.io
- Web Application: app.kiddly.io
- Mobile Applications: Kiddly (for managers and educators) and Kiddly for Parents (for parents).
This Privacy Policy applies to all users — preschool administrators, educators, and parents/guardians — as well as to all data about children processed through the platform.
Preschools using our platform act as Data Controllers and bear full responsibility for the collection, processing, and protection of personal data of children, parents, and employees.
We act as a Data Processor, providing a secure infrastructure for storing and processing such data on their behalf, in accordance with their instructions and applicable laws.
2. Data We Collect
We collect different categories of data depending on the user's role and how they use the platform.
2.1 Child Data
- Personal information such as name, surname, date of birth, and personal ID number (JMBG)
- Photos and videos
- Information about activities, diet, and habits
- Educator notes and reports
- Group or class membership
2.2 Special Categories of Data
- Information about allergies and medical restrictions
These data are stored only with parental consent, collected and submitted by preschools as data controllers.
2.3 Parent/Guardian Data
- Name and surname
- Contact details (email, phone number)
- Relationship to the child (mother, father, guardian)
- Account credentials and access data
2.4 Educator and Manager Data
- Name and surname
- Contact details (email, phone number)
- Employment information
- Account credentials and access data
2.5 Technical Data
- IP address, device type, operating system
- Access and activity logs
- Cookies and similar tracking technologies
We do not collect or process sensitive data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or biometric data for unique identification, or data concerning sexual life or orientation.
3. How We Collect Data
Kiddly primarily collects personal data directly from users — for example, during account registration, while entering data in the app, or through communication within the platform.
In certain cases, direct collection may not be possible or efficient due to the nature or purpose of processing. In such cases, Kiddly may process data provided by preschools (as data controllers) on behalf of parents and employees, with necessary consent when required by law.
Additionally, some technical and usage data are collected automatically using cookies, local storage, and server logs to maintain functionality, security, and service improvement.
Regardless of how data are collected, Kiddly adheres to legal principles of fairness, transparency, and data minimization. We strive to ensure accuracy and timeliness of all processed data, and encourage users to contact us for corrections or updates.
We employ appropriate technical, organizational, and security measures to ensure effective protection of all collected personal data, in accordance with best practices and applicable legislation.
4. Purpose of Data Processing
Kiddly processes personal data solely for legitimate and clearly defined purposes, including:
4.1 Providing Kiddly Platform Functionality
- Creating and managing user accounts for parents, educators, and preschool managers
- Displaying, entering, and managing data about children, staff, and activities within the platform
4.2 Enabling Communication Between Preschools and Parents
- Sending notifications, messages, photos, videos, and other relevant content about the child
- Sharing information on events, meals, planned activities, and other updates
4.3 Tracking Children's Attendance and Activities
- Recording attendance, participation in activities, photos, and videos
- Logging daily meals, routines, and other relevant information
4.4 System Administration and Security
- Managing user access and authentication
- Detecting and preventing misuse or technical issues
- Monitoring and improving performance and stability
4.5 Legal Compliance
- Fulfilling obligations under data protection regulations (e.g. GDPR, Serbian Data Protection Law)
- Cooperating with competent authorities where legally required or necessary to protect user rights and safety
5. Legal Basis for Processing
Data processing on the Kiddly platform is carried out based on one or more of the following legal grounds, in compliance with Serbian and EU data protection laws (GDPR):
5.1 Contractual Necessity
Processing is necessary to perform a contract between Kiddly (Hefes Technology Group doo) and the preschool, and to provide services to users.
This includes processing of data such as names, contact details, employment information, and technical identifiers necessary for platform operation.
5.2 Parental/Guardian Consent
For child-related data (e.g. photos, videos, activity logs, meal information), explicit prior consent from the parent or legal guardian is required.
Consent is collected, recorded, and stored by the preschool using Kiddly and may be withdrawn at any time without affecting prior lawful processing.
5.3 Legitimate Interest
Processing is necessary to improve functionality, enhance system security, prevent misuse, and protect user rights.
Before relying on this basis, Kiddly performs an assessment to ensure its interests do not override the rights and freedoms of users.
5.4 Legal Obligation
Processing may be required to comply with applicable legal obligations (e.g. responding to official requests, maintaining legally required records).
In such cases, processing is limited to what is strictly necessary.
6. Data Sharing
Data are shared only with:
- Hetzner Online GmbH (Germany, EU) – hosting provider and sub-processor
- Authorized preschool employees
- Competent public authorities, where required by law
We do not sell, rent, or otherwise disclose personal data to third parties for marketing purposes. Data sharing occurs only with trusted partners providing services on our behalf (e.g. hosting, technical support, payment processing) under strict contractual and security safeguards.
7. International Data Transfers
All data are currently stored and processed within the European Union, on servers located in Germany.
If data are transferred outside the EU/EEA, such transfer will occur only with appropriate legal safeguards — such as Standard Contractual Clauses (SCCs) or equivalent mechanisms in line with applicable data protection laws.
8. Data Security
We take all reasonable technical and organizational measures to protect personal data against unauthorized access, loss, misuse, disclosure, alteration, or destruction.
Security measures include (but are not limited to):
- Encryption of data in transit (TLS/HTTPS) and at rest (AES-256 where applicable)
- Role-based access control following the "least privilege" principle
- Password authentication with optional two-factor authentication (2FA)
- Regular backups and tested data restoration procedures
- Access logging and monitoring to detect unauthorized activities
- Data access limited to trained and authorized personnel only
- Cooperation with Hetzner Online GmbH, certified under ISO 27001 and ISO 27018
- Periodic testing and evaluation of security controls
In case of a data breach that may pose a risk to individuals, we will notify both the supervisory authority and affected users within 72 hours, as required by the GDPR.
9. Data Retention
Data about children, parents, and employees are retained for as long as the contractual relationship with the preschool remains active.
Upon termination of service or contract, all personal data are deleted or irreversibly anonymized within 30 days, unless longer retention is legally required (e.g. tax or accounting purposes).
Deletion involves permanent removal from active databases and backups within prescribed timelines.
Users may request deletion of their data at any time, except where legal obligations require retention.
10. User Rights
As a Kiddly user, you have the following rights under applicable data protection laws:
10.1 Right to Access Data
To know whether we process your data and to obtain a copy.
10.2 Right to Rectification
To correct or complete inaccurate or outdated data.
10.3 Right to Erasure ("Right to be Forgotten")
To request deletion when data are no longer needed, consent is withdrawn, or processing is unlawful.
10.4 Right to Restrict Processing
To request limited use of your data in certain cases (e.g. while accuracy is being verified).
10.5 Right to Withdraw Consent
To withdraw consent at any time without affecting other services.
10.6 Right to Object
To object to processing based on legitimate interest, including for direct marketing.
10.7 Right to Data Portability
To receive your data in a structured, commonly used, machine-readable format and transfer it to another controller.
10.8 Right to Lodge a Complaint
To the competent supervisory authority if you believe your data are processed unlawfully.
In Serbia, the competent authority is the Commissioner for Information of Public Importance and Personal Data Protection, Bulevar kralja Aleksandra 15, 11000 Belgrade, Serbia. Email: office@poverenik.rs
You may exercise your rights by contacting us at: office@hefesgroup.com.
We will respond within 30 days of receiving your request, or inform you if additional time is required due to complexity or volume.
11. Cookies
We use strictly necessary cookies essential for the Kiddly platform to function properly (e.g. secure login, navigation, and session management). These are automatically set and cannot be disabled.
With your explicit consent, we may also use analytical cookies to gather aggregated data about platform usage to:
- Understand which features are most used
- Improve user experience
- Optimize system performance
Analytical cookies do not contain personally identifiable information and are processed in aggregate form.
You can adjust or withdraw your cookie preferences at any time through app settings or your browser options.
Disabling analytical cookies will not affect the platform's core functionality.
12. Changes to This Policy
We reserve the right to update this Privacy Policy periodically to reflect changes in legislation, technical developments, or service improvements.
All updates will take effect upon publication on our platform, unless otherwise required by law. For any significant changes affecting your rights or how we process your data, we will notify you via the app, our website, or your registered email address at least 15 days before the changes take effect (where feasible).
We recommend reviewing this Policy periodically to stay informed about how we protect your data.
13. Contact
Hefes Technology Group doo
Vitezova Karađorđeve zvezde 50, 11050 Belgrade, Serbia
PIB: 111909858, MB: 21567426
Email: office@hefesgroup.com
Phone: +38169775051