Kipup

Privacy Policy

Last updated: February 28, 2026

1. Introduction

Kipup ("we", "us", or "our") operates the Kipup application and website (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.

By creating an account or using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

This policy is designed to comply with the Brazilian General Data Protection Law (LGPD), the European General Data Protection Regulation (GDPR), and the United States Children's Online Privacy Protection Act (COPPA), as applicable.

2. Information We Collect

We collect the following categories of personal information:

Account information: When you create an account, we collect your email address, display name, and password. Your password is securely hashed and never stored in plain text.

Profile preferences: We store your language preference (English, Portuguese, or Spanish) to personalize the Service.

Family information: When you create a family, we collect the family name and timezone setting.

Children's information: When you add children to your family, we collect the child's name or nickname and, optionally, an avatar image. We encourage the use of nicknames and illustrated avatars (monsters, robots, drawings) rather than legal names or real photographs that could visually identify the child. Children do not create accounts or provide their information directly.

Usage data: We store task lists, task completions, point transactions, rewards, and related activity created within the Service by parents or guardians.

Device sessions: When you connect a TV or phone device, we generate a session token stored as a cookie to maintain the device connection.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and secure your account
  • Display personalized content in your preferred language
  • Enable family management features (children, tasks, points, rewards)
  • Maintain device connections (TV and phone modes)
  • Communicate with you about your account when necessary

We do not use your information for advertising, profiling, or automated decision-making. We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Consent: You provide consent when you create an account and voluntarily submit your information.
  • Contract performance: Processing is necessary to provide the Service you have requested.
  • Legitimate interest: We process certain data to maintain the security and proper functioning of the Service.

5. Children's Privacy

Kipup is designed for use by parents and guardians. Only adults (18 years or older) may create accounts. Children's profiles are created and managed exclusively by their parent or guardian, who must provide explicit consent at the time of each child profile creation or edit.

Children do not create accounts, do not provide personal information directly, and do not have access to the Service independently unless through a device session configured by the parent or guardian.

The only children's data we store is their name or nickname and an optional avatar image, both provided by the parent or guardian. We do not collect children's email addresses, location data, or any other personal information from children.

Parents and guardians may at any time view, edit, or delete their children's information through the Service. If you believe a child's data has been collected without proper parental consent, please contact us and we will promptly delete it.

6. Third-Party Service Providers

We use the following third-party services to operate the Service:

  • Supabase: Provides our database (PostgreSQL) and authentication service. Data is stored on Supabase's infrastructure. Privacy policy.
  • Vercel: Provides hosting for our application and blob storage for uploaded avatar images. Privacy policy.

These providers act as data processors on our behalf and are contractually obligated to protect your data. We do not use any analytics, advertising, or tracking services.

7. International Data Transfers

Our service providers (Supabase and Vercel) may process data in the United States or other countries outside your country of residence. When this occurs, we ensure that appropriate safeguards are in place, including standard contractual clauses and the providers' compliance with applicable data protection regulations.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encrypted data transmission (HTTPS/TLS)
  • Securely hashed passwords
  • Row-Level Security (RLS) policies in our database to ensure users can only access their own family's data
  • Secure session management with HTTP-only cookies

While we take reasonable measures to protect your data, no system is completely secure. We cannot guarantee absolute security of your information.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Deletion: Request deletion of your personal data and account.
  • Portability: Request your data in a structured, commonly used format.
  • Withdraw consent: Withdraw your consent to data processing at any time.
  • Object: Object to data processing based on legitimate interest.
  • File a complaint: Lodge a complaint with your local data protection authority.

Data export: You can download a complete copy of your data at any time through your account settings. Data is exported in JSON format, including profile, families, children, transactions, tasks, rewards, and consent logs.

Account deletion: You can request deletion of your account through account settings. Upon requesting deletion, your account will be deactivated immediately and data will be permanently removed after 30 days. You will receive an email with instructions to cancel the deletion if you change your mind during this period.

To exercise any other right, please contact us at contact@hello.gokipup.com. We will respond within 15 business days (LGPD) or 30 days (GDPR), as applicable.

10. Data Retention

We retain your personal data for as long as your account is active and as necessary to provide the Service. When you delete your account, your account is deactivated immediately and all personal data is permanently deleted after a 30-day grace period.

Anonymized audit logs: We maintain anonymized audit logs of actions performed on the Service (such as task creation, point transactions, and reward requests) for up to 5 years after account deletion. These logs use cryptographic identifiers (hashes) that do not allow direct identification of users, and are retained exclusively for the following legally supported purposes:

  • Compliance with legal or regulatory obligations (LGPD Art. 16, I / GDPR Art. 17.3(b))
  • Establishment, exercise, or defense of legal claims (LGPD Art. 16, III / GDPR Art. 17.3(e))
  • Exclusive use by the controller with anonymized data (LGPD Art. 16, IV)
  • Prevention of Service abuse and child protection

We may retain non-anonymized personal data for longer periods if required by court order or for compliance with legal obligations.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you through the Service or via email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at:

Email: contact@hello.gokipup.com