GptKiddo

GptKiddo — Privacy Policy

Effective date: 2026-05-21 Version: 2026-launch-v1 Applies to: the GptKiddo mobile application and related services ("GptKiddo", the "App", the "Service").


1. Who we are

GptKiddo is operated by Ömer Karaküçük, a sole proprietor (şahıs işletmesi) registered in Türkiye ("we", "us", "our"), the data controller responsible for your information.

GptKiddo is a subscription-based, parent-controlled application that lets children aged 7–15 have safe, moderated conversations with an artificial-intelligence assistant. Safety of children is our first design principle.

This Privacy Policy explains what personal data we collect, why, who we share it with, how long we keep it, and the rights you and your child have.

2. A note for parents — how GptKiddo is designed

GptKiddo is created and controlled by a parent or legal guardian. An adult creates the account, sets up each child's profile, and sets a parent PIN that protects all settings. Children do not create accounts themselves.

Because an adult sets up and pays for the Service, the parent is in control of, and consents to, the limited data processing described here on behalf of their child. See Section 9 (Children's Privacy).

3. Information we collect

We practise data minimisation — we collect only what the Service genuinely needs.

3.1 Account information (the parent)

3.2 Child profile information

3.3 Conversation content

3.4 Safety and moderation data

3.5 Usage information

3.6 Subscription and payment information

3.7 Device and technical information

3.8 Security records

3.9 Information we deliberately do NOT collect

We do not collect precise/GPS location, phone numbers, photographs, contacts, biometric identifiers, government identifiers, or a child's exact date of birth. GptKiddo contains no third-party advertising and no behavioural ad tracking.

4. How the AI and web search work

Your child's messages are sent to our AI providers to generate replies and to run safety moderation (see Section 6). When a question benefits from current information, the assistant may search the web — but only across a curated allow-list of vetted, child-appropriate educational and reference websites. The assistant cannot browse the open web freely.

Purpose Legal basis
Provide the AI chat service and your subscription Performance of a contract
Keep children safe (content moderation, flagged-content review, word filters) Legitimate interest in child safety; legal obligation
Give parents visibility and control (dashboard, activity, notifications) Performance of a contract
Secure the Service (attestation, fraud and abuse prevention, audit logging) Legitimate interest; legal obligation
Process payments and manage subscriptions Performance of a contract
Send push notifications you have enabled Consent
Comply with legal obligations and respond to lawful requests Legal obligation

We do not use children's personal data for behavioural advertising or profiling, and we do not sell personal data.

6. Who we share information with

We share personal data only with the service providers ("sub-processors") needed to run GptKiddo. Each is bound by a data-processing agreement, may use the data only on our instructions, and may not sell it.

Sub-processor Purpose Processing location
OpenAI Generates the AI assistant's replies United States
Google (Gemini) Automated safety moderation of messages United States
Apple / Google Sign-in, payment processing, push notifications United States / global
Hetzner Application hosting Germany
Cloudflare Network security and content delivery Global edge network

Our AI providers process API content as data processors only and do not use it to train their models. We may also disclose information where required by law, to protect the safety of a child or any person, or in connection with a merger or acquisition (with continued protection of the data).

7. International data transfers

Because our providers operate outside Türkiye (mainly the United States and Germany), operating GptKiddo involves cross-border transfers of personal data. We protect these transfers with data-processing agreements containing standard contractual protections, and with encryption in transit and at rest. Where the law of your country requires it, your acceptance of this Policy includes your explicit consent to these transfers.

8. How long we keep information

We keep personal data only as long as needed for the purposes above.

9. Children's privacy

GptKiddo is intended for children and is built around parental control.

Verifiable parental consent (COPPA). GptKiddo is a paid subscription with no free tier. The parent creates the account and completes a monetary transaction through Apple or Google, whose systems verify that an adult cardholder authorised it. This parent-controlled transaction, together with parental account setup, is how we obtain verifiable parental consent before any child data is collected.

Parents can, at any time, through Parent Mode or by emailing [email protected]:

You may consent to our collection and use of your child's information without agreeing to any disclosure that is not necessary to provide the Service. We collect the minimum data needed, never show children third-party ads, and never use their data for behavioural profiling.

10. Your rights

Depending on where you live, you (and, for a child, the parent on the child's behalf) have rights to: access your data; correct it; delete it; receive a copy in a portable format; object to or restrict certain processing; and withdraw consent.

Exercise these rights in-app via Parent Mode → Settings → Account & Data, or by emailing [email protected]. We respond within the period your law requires (for example, 30 days under KVKK; 15 days under LGPD). We may need to verify your identity through the account email. You may also complain to your data-protection authority.

11. How we protect information

We maintain a written information-security programme. Measures include: encryption of sensitive fields at the application layer (AES-256-GCM); encryption of all data in transit (TLS); strict access controls and tenant isolation; device attestation; certificate pinning and runtime app-protection in the mobile app; audit logging; and a documented data-breach response procedure. If a breach affects your data, we will notify you and the relevant authorities as required by law.

12. Region-specific information

13. Changes to this Policy

If we make changes we will update the version above. For material changes (such as a new category of data or a new sub-processor) we will ask you to review and re-accept the Policy in the App before continued use. Minor clarifications take effect on posting.

14. Contact us

Questions or requests: [email protected] — Ömer Karaküçük, Fenerbahçe Mah. İğrip Sk. No: 13 İç Kapı No: 1, Kadıköy / İstanbul, Türkiye.