GptKiddo — Privacy Policy
Effective date: 2026-05-21 Version: 2026-launch-v1 Applies to: the GptKiddo mobile application and related services ("GptKiddo", the "App", the "Service").
1. Who we are
GptKiddo is operated by Ömer Karaküçük, a sole proprietor (şahıs işletmesi) registered in Türkiye ("we", "us", "our"), the data controller responsible for your information.
- Address: Fenerbahçe Mah. İğrip Sk. No: 13 İç Kapı No: 1, Kadıköy / İstanbul, Türkiye
- General contact: [email protected]
- Privacy contact: [email protected]
GptKiddo is a subscription-based, parent-controlled application that lets children aged 7–15 have safe, moderated conversations with an artificial-intelligence assistant. Safety of children is our first design principle.
This Privacy Policy explains what personal data we collect, why, who we share it with, how long we keep it, and the rights you and your child have.
2. A note for parents — how GptKiddo is designed
GptKiddo is created and controlled by a parent or legal guardian. An adult creates the account, sets up each child's profile, and sets a parent PIN that protects all settings. Children do not create accounts themselves.
Because an adult sets up and pays for the Service, the parent is in control of, and consents to, the limited data processing described here on behalf of their child. See Section 9 (Children's Privacy).
3. Information we collect
We practise data minimisation — we collect only what the Service genuinely needs.
3.1 Account information (the parent)
- Email address, provided by Google Sign-In or Sign in with Apple when the parent signs in.
- The authentication provider used and the unique identifier that provider gives us.
- Preferred language and country/region (used to determine the App Store billing region and content language).
- The parent PIN — stored only as a one-way cryptographic hash, additionally encrypted; we cannot read it.
3.2 Child profile information
- A display name (nickname) chosen by the parent — required; we ask for a nickname, not a full name.
- A real name — optional; if a parent chooses to provide one it is stored encrypted.
- A preset avatar selection.
- Age information — either a birth month and year (we never collect the day) or an age band (7–9, 10–12, 13–15).
- The child's preferred language.
3.3 Conversation content
- The messages your child sends and the AI assistant's replies, organised into conversations, and automatically generated short conversation titles.
3.4 Safety and moderation data
- The results of automated moderation checks performed on messages.
- Content that automated moderation flags as potentially unsafe, stored encrypted so a parent can review it.
- Matches against word filters that a parent has configured.
3.5 Usage information
- Message counts, conversation counts, and subscription-credit usage, used to operate the Service and enforce plan limits.
3.6 Subscription and payment information
- Subscription status, plan tier, and store transaction identifiers.
- Purchase receipt data, stored encrypted for verification.
- We do not receive or store credit-card numbers or bank details. All payments are processed by Apple or Google under their own terms.
3.7 Device and technical information
- A device identifier, device platform, and app version.
- Device-integrity ("attestation") data from Apple App Attest or Google Play Integrity, used to confirm requests come from a genuine, untampered app.
- A push-notification token, if you enable notifications.
- Session data, IP address and user-agent string, used for security and to operate the Service.
3.8 Security records
- Audit logs and security-incident records.
3.9 Information we deliberately do NOT collect
We do not collect precise/GPS location, phone numbers, photographs, contacts, biometric identifiers, government identifiers, or a child's exact date of birth. GptKiddo contains no third-party advertising and no behavioural ad tracking.
4. How the AI and web search work
Your child's messages are sent to our AI providers to generate replies and to run safety moderation (see Section 6). When a question benefits from current information, the assistant may search the web — but only across a curated allow-list of vetted, child-appropriate educational and reference websites. The assistant cannot browse the open web freely.
5. Why we use your information (purposes and legal bases)
| Purpose | Legal basis |
|---|---|
| Provide the AI chat service and your subscription | Performance of a contract |
| Keep children safe (content moderation, flagged-content review, word filters) | Legitimate interest in child safety; legal obligation |
| Give parents visibility and control (dashboard, activity, notifications) | Performance of a contract |
| Secure the Service (attestation, fraud and abuse prevention, audit logging) | Legitimate interest; legal obligation |
| Process payments and manage subscriptions | Performance of a contract |
| Send push notifications you have enabled | Consent |
| Comply with legal obligations and respond to lawful requests | Legal obligation |
We do not use children's personal data for behavioural advertising or profiling, and we do not sell personal data.
6. Who we share information with
We share personal data only with the service providers ("sub-processors") needed to run GptKiddo. Each is bound by a data-processing agreement, may use the data only on our instructions, and may not sell it.
| Sub-processor | Purpose | Processing location |
|---|---|---|
| OpenAI | Generates the AI assistant's replies | United States |
| Google (Gemini) | Automated safety moderation of messages | United States |
| Apple / Google | Sign-in, payment processing, push notifications | United States / global |
| Hetzner | Application hosting | Germany |
| Cloudflare | Network security and content delivery | Global edge network |
Our AI providers process API content as data processors only and do not use it to train their models. We may also disclose information where required by law, to protect the safety of a child or any person, or in connection with a merger or acquisition (with continued protection of the data).
7. International data transfers
Because our providers operate outside Türkiye (mainly the United States and Germany), operating GptKiddo involves cross-border transfers of personal data. We protect these transfers with data-processing agreements containing standard contractual protections, and with encryption in transit and at rest. Where the law of your country requires it, your acceptance of this Policy includes your explicit consent to these transfers.
8. How long we keep information
We keep personal data only as long as needed for the purposes above.
- Conversations, profiles and account data — for the life of the account.
- Account deletion — when an account is deleted it enters a 30-day recoverable "soft-delete" period, after which all associated data is permanently erased.
- Flagged content — kept while the account is active so a parent can review it.
- Audit and security logs — up to 2 years (Türkiye); up to 5 years where Brazilian law applies.
- Short-lived technical data (sessions, security challenges) — minutes to weeks, then automatically purged.
- Payment records — retained as required by tax and accounting law.
9. Children's privacy
GptKiddo is intended for children and is built around parental control.
Verifiable parental consent (COPPA). GptKiddo is a paid subscription with no free tier. The parent creates the account and completes a monetary transaction through Apple or Google, whose systems verify that an adult cardholder authorised it. This parent-controlled transaction, together with parental account setup, is how we obtain verifiable parental consent before any child data is collected.
Parents can, at any time, through Parent Mode or by emailing [email protected]:
- review all of their child's conversations and any flagged content;
- correct or delete a child's profile and data;
- export their child's data;
- refuse further collection by deleting the profile or the account.
You may consent to our collection and use of your child's information without agreeing to any disclosure that is not necessary to provide the Service. We collect the minimum data needed, never show children third-party ads, and never use their data for behavioural profiling.
10. Your rights
Depending on where you live, you (and, for a child, the parent on the child's behalf) have rights to: access your data; correct it; delete it; receive a copy in a portable format; object to or restrict certain processing; and withdraw consent.
Exercise these rights in-app via Parent Mode → Settings → Account & Data, or by emailing [email protected]. We respond within the period your law requires (for example, 30 days under KVKK; 15 days under LGPD). We may need to verify your identity through the account email. You may also complain to your data-protection authority.
11. How we protect information
We maintain a written information-security programme. Measures include: encryption of sensitive fields at the application layer (AES-256-GCM); encryption of all data in transit (TLS); strict access controls and tenant isolation; device attestation; certificate pinning and runtime app-protection in the mobile app; audit logging; and a documented data-breach response procedure. If a breach affects your data, we will notify you and the relevant authorities as required by law.
12. Region-specific information
- United States (COPPA). This Policy serves as our online notice; parents also receive direct notice at sign-up. We identify the categories of third parties above and the purpose of each disclosure. We publish our retention practices in Section 8 and maintain a written security programme (Section 11).
- Türkiye (KVKK). Ömer Karaküçük is the data controller (veri sorumlusu). This Policy is also our clarification notice (aydınlatma metni). We will complete VERBİS registration where required. Cross-border transfers and their safeguards are described in Section 7.
- Brazil (LGPD). Processing of the data of children under 12 is carried out in their best interest and on the basis of the parent's consent. LGPD data-subject requests are answered within 15 days.
- Canada (PIPEDA / Quebec Law 25). We rely on meaningful consent and honour the ten fair-information principles; a French-language version of this Policy is provided for Quebec.
- Australia / New Zealand. We handle personal information consistent with the Australian Privacy Principles and the New Zealand Privacy Act, including notifiable-breach obligations.
13. Changes to this Policy
If we make changes we will update the version above. For material changes (such as a new category of data or a new sub-processor) we will ask you to review and re-accept the Policy in the App before continued use. Minor clarifications take effect on posting.
14. Contact us
Questions or requests: [email protected] — Ömer Karaküçük, Fenerbahçe Mah. İğrip Sk. No: 13 İç Kapı No: 1, Kadıköy / İstanbul, Türkiye.