DiGiKiNDi is a service provided by Dr. Lukas Twardon. I take the protection of your data and the data of your children seriously. I treat personal data as confidential and in accordance with the law. This data policy explains what happens to your data when you use the DiGiKiNDi app with your children or visit the website.
The data controller according to Art. 4(7) EU General Data Protection Regulation (GDPR) is
Dr. Lukas Twardon
Phone: +49 521 94594201
Compliance with children's privacy protection rules
Privacy protection rules such as GDPR and COPPA require that parents provide consent when online services collect, use, or disclose personal information from children. By design, DiGiKiNDi complies with such rules because only parents can create an account and verify it with their email address as well as create profiles for their children. During registration, to confirm that you are a parent and can give consent, you must provide your date of birth (will not be stored) and answer a security question. DiGiKiNDi is meant to be used by parents and their children together. Encryption and private invitation codes keep your child's data safe. Additionally, when using the app, you must answer a security question before you or your child can share information that might be personally identifiable.
How your data is processed
DiGiKiNDi collects and processes data from its users which is necessary to provide the service. Some of the data (especially those mentioned under Parent accounts and Children's profiles) are stored permanently until you delete them. Other data (especially content shared by you / your children) will be stored on the server only for a limited period of time and then automatically deleted (see How long your data is stored on the server). This content can be accessed by friends and is then stored permanently only on the friends' devices. In general, all children's profiles and posts are only visible to friends with a private invitation code.
Children's profiles consist of the child's given name and optionally a profile picture and the date of birth. If the date of birth is provided, friends will receive a notification on the child's birthday. Also, information about the associated parent account, friends, and group memberships is stored.
Parents can invite friends to a group or invite individual friends using private invitation codes. Invitation codes are valid for one week and will be deleted afterwards. Invitations are not possible within the DiGiKiNDi app, but can be shared via email or other social networks. DiGiKiNDi has no information about and no control over how external services process these data.
Content shared by you / your children
Users can share various kinds of content with their friends through the DiGiKiNDi app. Possible types of content and the associated data are listed below. The time limits for erasure can be found in the section on How long your data is stored on the server.
- Voice messages: encrypted voice message file, sender and recipient IDs, time of creation, public keys and session keys
- Photo challenges: image file, challenge name, creator ID, and time of creation
- Paintings: image file, image type, creator ID, and time of creation
- Actions (What have you already done today?): date of last entry per child and action
- Jigsaw puzzles: puzzle status, date of last draw, duplicate and available pieces with expiration date, swap requests
- Parent board posts: category, text content, image file (if available), target group (if specified), creator ID, and time of creation
All data are transmitted via HTTPS which uses TLS encryption. This means that data sent from the mobile device to the server or vice versa cannot be read by third parties. Voice messages are additionally end-to-end encrypted using modern methods (hybrid encryption with ECDH and AES-GCM). This means that nobody except the sender and receiver - not even DiGiKiNDi - can listen to the messages. The private keys, which are needed to encrypt and decrypt the messages, never leave the user's device.
Log files and session data
DiGiKiNDi is hosted by an external service provider (Hetzner Online GmbH) whose certified data centers are located exclusively within the EU. In the hoster's log files, the anonymized IP address of the user, the browser used (if transmitted), the operating system used, and the time of the request are stored. In order to ensure data protection-compliant processing, a data processing agreement (DPA) has been concluded with the hoster. In addition to the hoster's log files, session data are stored, in particular, the IDs of the logged-in child profile and the associated parent account, a session ID, the language used, and the time and frequency of server requests.
How long your data is stored on the server
The table below provides an overview of how long the data detailed above are stored on the server. In some cases, a distinction is made between the time limit for invalidation and actual deletion. Also, backups of the data are created and stored for 14 days.
|Datum||Time limit for invalidation (deletion)|
|parent accounts, children's profiles||permanent (until deleted by the user)|
|invitation codes||1 week (9 days)|
|voice messages||4 weeks (30 days)|
|images (photo challenges, paintings), parent board posts||4 weeks (30 days or until deleted by the user)|
|actions, puzzle status||as long as necessary to provide the service|
|session data||until logout (+ up to 2 days)|
The DiGiKiNDi app requires the following permissions on the user's device:
- internet access
- read and write access to device storage
- start background services to receive notifications
- record audio
- use the camera
The user grants most of these permissions when installing the app. Starting with Android 6.0, other permissions, especially for using the microphone, are granted by the user at runtime.
DiGiKiNDi uses Google AdMob to display advertisements on the app's parent board. The provider of Google AdMob is Google Ireland Limited. As DiGiKiNDi is aimed at families and children, Google does not display personalized ads, use remarketing, or create user profiles. Mobile ad identifiers may be used for frequency capping, aggregated ad reporting, and to combat fraud and abuse. For data transfers to the U.S., Google relies on model contract clauses which have been approved by the European Commission as a means of ensuring adequate protection when transferring data outside of the EU. For more information, please visit https://policies.google.com/privacy
Google Play and the SuperParent subscription
In-app purchases and subscriptions such as the SuperParent subscription are billed through Google Play. The provider is Google Ireland Limited. DiGiKiNDi has no control over how Google processes your data. You can find information about this at https://policies.google.com/privacy
The website can generally be used without providing personal data. The statements about log files and TLS encryption apply as made above. No cookies are used.
Social media pages
According to the EU General Data Protection Regulation (GDPR), you have the following rights as a data subject:
- Right of access: You have the right to obtain from me as the controller access to personal data concerning you and further information as per Art. 15 GDPR.
- Right to rectification: You have the right to obtain from me the rectification or completion of personal data concerning you that is inaccurate or incomplete.
- Right to erasure: You have the right to obtain from me the erasure of personal data concerning you if one of the grounds referred to in Art. 17 GDPR applies.
- Right to restriction of processing: You have the right to obtain from me restriction of processing if one of the conditions referred to in Art.18 GDPR applies.
- Right to be informed: You have the right to obtain from me the communication of any rectification, erasure, or restriction of processing of personal data concerning you to each recipient to whom personal data have been disclosed, unless this is impossible or involves disproportionate effort. You also have the right to obtain from me information about these recipients.
- Right to withdraw your consent: You have the right to withdraw your consent to the processing of your personal data at any time.
- Right to data portability: You have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format, or to request that it be transmitted to another controller.
- Right to object: You have the right to object at any time to the processing of personal data concerning you which is based on Art. 6(1) e or f GDPR.
- Right to object to automated processing You have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you.
- Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
Changes to the data policy
I reserve the right to change this data policy. The current version is always available in the DiGiKiNDi app and on the website.
Last modified: 01/22/2021