Privacy Notice
Last updated: 20 May 2026
1. Who we are
Kindotter Ltd ("Kindotter", "we", "us") is a company registered in the United Kingdom. We are the data controller for personal data processed through the Kindotter service. Contact: contact@kindotter.com.
2. Who Kindotter is for
Kindotter is a support tool for parents and legal guardians of autistic children. It is not designed for, marketed to, or intended for use by children under 18. Account holders must be 18 or older and the parent or legal guardian of any child described in the account.
3. Personal data we collect
- Account data: email address, hashed password (or Google OAuth identifier), account creation date.
- Child profile data (provided by the parent): the child's first name or nickname, pronouns, age, diagnoses, sensory profile, known triggers, calming strategies, strengths, therapies, safety notes, and emergency contact. You control what you enter.
- Conversation content: messages you send to the Kindotter AI, the AI's replies, and behaviour log entries.
- Subscription and billing data: handled by our payment provider Paddle (Merchant of Record). Kindotter stores only the subscription status, plan, and a Paddle customer reference.
- Technical data: IP address, browser type, basic device information, and essential session cookies.
4. How we use your data and our legal basis
| Purpose | Legal basis (UK GDPR Art. 6) |
|---|---|
| Providing the Kindotter service (account, chat, profile, logs) | Performance of a contract |
| Generating AI responses tailored to your child profile | Performance of a contract |
| Processing payments and managing subscriptions | Performance of a contract |
| Securing the service and preventing fraud or abuse | Legitimate interests |
| Responding to support requests | Legitimate interests |
| Complying with legal obligations (tax, accounting, legal requests) | Legal obligation |
5. Who we share data with
- Lovable AI Gateway: processes your prompts and child profile context to generate AI responses. Prompts are not used to train third-party models.
- Supabase: managed database and authentication hosting (EU region where available).
- Paddle.com Market Ltd: Merchant of Record for all purchases; handles payments, tax, invoicing, refunds, and chargebacks. See Paddle's Privacy Policy.
- Professional advisers (legal, accounting) where strictly necessary.
- Authorities when required by law.
We do not sell your data, share it for advertising, or use third-party advertising trackers.
6. International transfers
Some processors (e.g. AI model providers) may process data outside the UK/EEA. Where this happens, transfers are protected by the UK International Data Transfer Addendum, EU Standard Contractual Clauses, or an adequacy decision.
7. How long we keep data
- Account, profile, chat, and behaviour log data: until you delete your account.
- Billing records: 7 years (UK tax law).
- Server logs: up to 90 days.
After deletion, residual backups are purged on rolling cycles within 30 days.
8. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict or object to processing.
- Port your data to another service.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
You can export or delete all your data at any time from Your Data inside your account, or email contact@kindotter.com. We respond within one month.
9. Children's privacy (COPPA & UK Children's Code)
Kindotter does not knowingly collect personal data directly from children under 13 (COPPA) or operate as a service likely to be accessed by children under 18 (UK Age Appropriate Design Code). Information about a child is entered by their parent or legal guardian as part of an adult-managed account.
We ask parents to enter only the information necessary to receive useful support (e.g. first name or nickname, not full legal name, address, school, or photographs). If you believe a child has created an account, contact us and we will delete it immediately.
10. Cookies
We use a small number of essential cookies needed to keep you signed in and to remember your cookie preferences. We do not use advertising or cross-site tracking cookies. Manage your preferences at any time via the cookie banner.
11. Security
We use industry-standard technical and organisational measures including encryption in transit (TLS), encryption at rest, row-level database security, and least-privilege access controls.
12. Changes
We will notify you of material changes by email or in-app notice at least 14 days before they take effect.
13. Contact
Kindotter Ltd, United Kingdom, contact@kindotter.com.