Privacy Policy

← Back to Home

1. Data Controller

The data controller for personal data processed through the KumbukTree platform is:

When childcare centers use our platform, KumbukTree acts as a data processor on behalf of the childcare center (the data controller) for the personal data of enrolled children, guardians, and staff. For KumbukTree's own account holders and website visitors, we act as the data controller.

2. Data We Collect

We collect the following categories of personal data in connection with the Service:

2.1 Account Data

Information provided during registration and account setup:

• Organization name, address, and licensing information
• Administrator name, email address, phone number, and role
• Billing contact and payment information (processed by Stripe — we do not store full payment card numbers)

2.2 Operational Data

Data entered by childcare centers during normal use of the platform:

• Child profiles (name, date of birth, enrollment date, allergies, medical notes, emergency contacts)
• Guardian/parent profiles (name, email, phone, relationship to child, authorized pickup status)
• Staff profiles (name, email, phone, certifications, schedule, employment dates)
• Attendance records (check-in/check-out timestamps, authorized pickup logs)
• Activity logs (meal records, nap times, daily reports, incident reports)
• Invoicing and payment history

2.3 Technical Data

Data collected automatically when you interact with our platform:

• IP address, browser type and version, operating system
• Device identifiers, screen resolution
• Pages visited, features used, timestamps, session duration
• Error logs and performance diagnostics

3. How We Use Data

We process personal data for the following purposes:

Purpose	Examples
Service Delivery	Processing attendance records, generating daily reports, managing child profiles
Transactional Notifications	Sending check-in confirmations, activity reports, incident alerts, invoices, receipts, and system notices via email
Billing & Payments	Generating invoices, processing subscription payments, issuing receipts
Security & Fraud Prevention	Monitoring for unauthorized access, detecting anomalous activity, maintaining audit logs
Product Improvement	Analyzing aggregated, anonymized usage patterns to improve platform features
Legal Compliance	Meeting regulatory obligations related to childcare licensing, tax reporting, and data protection laws
Customer Support	Responding to inquiries, troubleshooting issues, managing account changes

4. Legal Bases for Processing (GDPR)

For individuals in the European Economic Area (EEA) and United Kingdom, we process personal data based on the following legal grounds:

• Performance of a Contract: Processing necessary to fulfill our service agreement with childcare centers (e.g., attendance tracking, notifications, billing)
• Legitimate Interest: Processing necessary for our legitimate business operations (e.g., platform security, product improvement, fraud detection) — balanced against data subjects' rights
• Legal Obligation: Processing required to comply with applicable laws (e.g., tax regulations, childcare licensing requirements, data breach notification obligations)
• Consent: Where specifically required (e.g., optional analytics cookies if ever introduced). Consent may be withdrawn at any time without affecting the lawfulness of prior processing

5. No Data Selling

KumbukTree does not sell, rent, lease, or trade personal data to any third party for marketing, advertising, or any other commercial purpose.

We do not share personal data with data brokers, ad networks, or social media platforms. We do not participate in data marketplaces. This commitment applies to all categories of personal data we process, including data about children.

6. Sub-Processors

We use the following third-party service providers (sub-processors) to deliver the Service. Each sub-processor is contractually obligated to protect personal data in accordance with applicable law:

Sub-Processor	Purpose	Location
Amazon Web Services (AWS)	Cloud infrastructure hosting (compute, storage, database)	US (us-east-1)
Mailgun (Sinch)	Transactional email delivery (SMTP relay)	US / EU
Stripe	Payment processing and subscription billing	US

We maintain a current list of sub-processors and will notify affected clients at least 30 days before engaging any new sub-processor that handles personal data.

7. International Data Transfers

Our primary infrastructure is located in the United States. If you are located outside the US, your data may be transferred to and processed in the US. We protect international data transfers through:

• Standard Contractual Clauses (SCCs): We execute EU-approved Standard Contractual Clauses with clients and sub-processors located in the EEA or UK
• EU-US Data Privacy Framework: We monitor developments in the EU-US Data Privacy Framework and will certify when appropriate
• Supplementary Measures: We implement additional technical safeguards (encryption in transit and at rest, access controls, pseudonymization where feasible) to ensure an adequate level of protection

8. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy:

Data Category	Retention Period
Account data	Duration of subscription + 30 days for export, then deleted
Child & guardian records	Duration of enrollment + 90 days, then deleted
Staff records	Duration of employment at center + 90 days, then deleted
Attendance & activity logs	3 years (state licensing requirements)
Billing & payment records	7 years (tax and accounting obligations)
Email delivery logs	90 days
System access logs	12 months
Technical/analytics data	12 months (aggregated and anonymized)

When data reaches the end of its retention period, it is securely deleted or irreversibly anonymized.

9. Your Rights — GDPR

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under GDPR:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements
• Right to Restriction: Request that we limit the processing of your data in certain circumstances
• Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format
• Right to Object: Object to processing based on legitimate interest
• Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time
• Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise any of these rights, contact us at privacy@kumbuktree.com. We will respond within 30 days of receiving your request. We may request identity verification before processing your request.

10. Your Rights — CCPA

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources from which they were collected, the business purposes for collection, and the categories of third parties with whom they are shared
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Opt-Out of Sale: We do not sell personal information. However, you may submit an opt-out request at any time to privacy@kumbuktree.com
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit Use of Sensitive Information: Request limits on how we use sensitive personal information (we use sensitive data only as necessary for the Service)

To submit a request, email privacy@kumbuktree.com or call +1 (470) 389-2174. We will verify your identity and respond within 45 days.

11. Cookies

The KumbukTree platform and website use strictly necessary cookies only:

Cookie	Purpose	Duration
Session cookie	Maintains your authenticated session	Expires when browser closes or after 8 hours of inactivity
CSRF token	Prevents cross-site request forgery attacks	Session duration
Cookie consent	Remembers your cookie banner preference	12 months

We do not use advertising cookies, tracking pixels, social media widgets, or any third-party analytics cookies. No personal data is shared with advertisers or ad networks through cookies.

12. Data Security

We implement robust technical and organizational measures to protect personal data:

• Encryption in Transit: All data is transmitted over TLS 1.3
• Encryption at Rest: All stored data is encrypted using AES-256
• Access Controls: Role-based access control (RBAC) with principle of least privilege
• Multi-Factor Authentication: Required for all administrative and employee accounts
• Vulnerability Management: Regular penetration testing and automated vulnerability scanning
• Network Security: Web application firewall (WAF), intrusion detection, and DDoS protection
• Employee Training: Annual security awareness and data-handling training for all staff
• Incident Response: Documented incident-response plan with defined roles and notification timelines

For more details, visit our Trust Center.

13. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technologies, or legal requirements. When we make material changes:

• We will post the updated policy on this page with a new "Last Updated" date
• We will send written notice to account administrators at least 30 days before the changes take effect
• If the changes materially expand data processing, we will obtain consent where required by law

We encourage you to review this page periodically.

14. Contact