Privacy policy applies to all personal information, gathered either on this website, in our application or services. We may change this privacy policy from time to time to be able to follow current trends and threats. By using our website, services or application, you will automatically agree with the most current version of our privacy policy through the statement you are currently reading.
The purpose of data protection policy is to
-
safeguard the rights and privacy of Kidous’ users, customers, employees and other stakeholders,
-
ensure compliance with GDPR when processing personal data and
-
to ensure the rights and responsibilities of the data controller (Client) and data processor (TopForge).
In the process of data protection, special attention is paid to the confidentiality of personal data and to the fact that no unauthorized persons have access to the data.
Data lifecycle and usage
Personal data will only be processed for the defined use and for as long as it is necessary for the intended purpose. Once data is no longer needed for its intended purpose, the data will be properly destroyed. Topforge will delete all user information one year after the Client contract has ended, unless the Client wants the information deleted earlier.
We collect your personal information when you use our website, use or register into our products and services or otherwise interact with us. When you create an account, use our products and services, the mandatory information that we collect are username, password and email. The Client as data controller is able to register/ save in Kidous: pictures, videos, audio, basic information about kids (date of birth, date of arrival, caregiver contact details, daily routines, family habits, personality), personal curricula, personal observations (description, pictures, videos and audio), observation categories, skill levels, areas of interest, observation descriptions, portfolio entries, message to parents, calendar entries, and discussion blogs.
Topforge processes personal data for providing products and services, developing and managing products and communications.
The information is only used for the purpose stated in the Terms of Service. The information will not be disclosed unless requested by proper authorities, due to legal reasons or if you give us an explicit consent. The information will not be transferred outside the country in which the system or service is based at. Information can be transferred to another country if required by the law or we have an explicit consent from you.
Topforge will ensure that chosen partners as well as Clients will comply with this privacy policy. The outsourcing of personal data processing is always the subject of a written agreement defining the parties' responsibilities and obligations.
We take reasonable steps to keep the personal data we process accurate and to delete incorrect or unnecessary personal data.
Ensuring Data Protection
Privacy and security are key considerations in the creation and delivery of our products and services. We have assigned specific responsibilities to address privacy and security related matters. We enforce our internal policies and guidelines through an appropriate selection of activities, including risk management, security and privacy policies, training and assessments. We take appropriate steps to address online security, physical security, risk of data loss and other such risks taking into consideration the risk represented by the processing and the nature of the data being protected. Also, we limit access to our data bases containing personal data to authorized persons having a justified need to access such information.
If data protection is suspected or found compromised, it will be investigated without delay. In addition, a data subject whose data protection has been compromised, shall be informed promptly, provided that such disclosure is appropriate for the purpose of remedial action or limitation of the damage.
All actions on personal data, that are contradicting this privacy policy and privacy laws and regulation, are considered a risk to our privacy policy.
If we assess the activity to be of criminal nature or otherwise against laws and regulations, we will issue the matter to the proper authorities for examination.
Data Security
TopForge has implemented the following technical measures to ensure data security of Kidous:
Server / Database Security
Kidous cloud-service provider has a 99.99% Uptime SLA. Kidous cloud-service provider datacenters are audited and certified (ISO 27001 and PCI-DSS) by various internationally-recognized compliance standards to provide highly secure and trustful service. Each datacenter is staffed 24/7/365 with onsite security and to protect against unauthorized entry. EU customers data will not be transferred outside EU area.
Website security
All the information on Kidous-platform is stored behind an SHA512 encrypted password. This means that information is only available to the school/daycare and the parents/guardians of the children with the proper privileges. All the data inside Kidous-platform is transmitted over Secure Sockets Layer (HTTPS) with 128 bit encryption to make sure that transferred data stays safe and secure.
Information Privacy
Kidous is not owning any of the personal information about the children which is stored on Kidous servers, including photos or videos. Kidous will never share Personal Data with any third parties. Personal Data will not be used for marketing or advertising purposes without written consent.
Access Policy
The purpose of this policy is to maintain an adequate level of security to protect data and information systems from unauthorized access. This policy defines the rules necessary to achieve this protection and to ensure a secure and reliable operation of information systems.
This policy applies to all computer and communication systems owned or operated by Topforge. Similarly, this policy applies to all platforms (operating systems) and all application systems.
Only authorized users are granted access to Kidous systems, and users are limited to specific defined, documented and approved applications and levels of access rights. Computer and communication system access control is to be achieved via user IDs that are unique to each individual user to provide individual accountability.
Entity authentication includes:
- Unique user identifier
- Password
- (two-factor authentication procedure, upon request)
Approved access controls, such as user logon scripts, menus, session managers and other access controls will be used to limit user access to only those network applications and functions for which they have been authorized.
Users will be granted access to information on a “need-to-know” basis. That is, users will only receive access to the minimum applications and privileges required performing their jobs.
User’s who access Kidous must sign a compliance statement (Privacy Policy and Terms of Service) prior to issuance of a user-ID. A signature on this compliance statement indicates the user understands and agrees to abide by these policies and procedures related to computers and information systems. Additional confirmations will be required upon updating the policies and terms.
Password Policy
The purpose of this policy is to ensure that only authorized users gain access to Kidous. Kidous will require a valid user ID and password. All unnecessary operating system or application user IDs not assigned to an individual user will be deleted or disabled.
Passwords will not be stored in readable form without access control or in other locations where unauthorized persons might discover them. All such passwords are to be strictly controlled using either physical security or computer security controls.
All user-chosen passwords must contain at least one alphabetic and one non-alphabetic character. The length of the password must be at least 14 characters. All users must be automatically forced to change their passwords appropriate to the classification level of information. To obtain a new password, a user must present suitable identification.
All passwords must be promptly changed if they are suspected of being disclosed, or known to have been disclosed to unauthorized parties. All users must be forced to change their passwords at least once every 180 days.
The display and printing of passwords should be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them. After three unsuccessful attempts to enter a password, the involved user-ID must be either: (a) suspended until reset by a system administrator, (b) temporarily disabled for no less than three minutes, or (c) if dial- up or other external network connections are involved, disconnected.
Other
According to EU GDPR, processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. Topforge encourages clients NOT to collect aforementioned information belonging to special categories. If client collects any of the aforementioned information, Topforge cannot be held responsible in any way.
