Data policy

DiGiKiNDi is a service provided by Dr. Lukas Twardon. I take the protection of your data and the data of your children seriously. I treat personal data as confidential and in accordance with the law. This data policy explains what happens to your data when you use the DiGiKiNDi app with your children or visit the website.

Data controller

The data controller according to Art. 4(7) EU General Data Protection Regulation (GDPR) is

Dr. Lukas Twardon
Dammwiese 23
33613 Bielefeld
Germany

Phone: +49 521 94594201
E-Mail: mail@digikindi.com

Compliance with children's privacy protection rules

Privacy protection rules such as GDPR and COPPA require that parents provide consent when online services collect, use, or disclose personal information from children. By design, DiGiKiNDi complies with such rules because only parents can create an account and verify it with their email address as well as create profiles for their children. During registration, to confirm that you are a parent and can give consent, you must provide your date of birth (will not be stored) and answer a security question. DiGiKiNDi is meant to be used by parents and their children together. Encryption and private invitation codes keep your child's data safe. Additionally, when using the app, you must answer a security question before you or your child can share information that might be personally identifiable.

How your data is processed

DiGiKiNDi collects and processes data from its users which is necessary to provide the service. Some of the data (especially those mentioned under Parent accounts and Children's profiles) are stored permanently until you delete them. Other data (especially content shared by you / your children) will be stored on the server only for a limited period of time and then automatically deleted (see How long your data is stored on the server). This content can be accessed by friends and is then stored permanently only on the friends' devices. In general, all children's profiles and posts are only visible to friends with a private invitation code.

Parent accounts

Parent accounts consist of a valid email address and a password. During registration, you are also asked for your year of birth. This is used for age verification and will be deleted immediately afterwards. The password is not stored in plain text, but only as a hash value on the server. The email address is used in connection with various app functions, in particular, for verification of the parent account, your consent to use the data, password recovery, to inform you about changes to the terms of use (if necessary) or in case of violation of the terms of use, as well as to send you the surprise in the context of the jigsaw puzzle of the month. The surprise may be digital content provided by DiGiKiNDi or a partner. Personally identifiable data will not be shared with third parties in this process.

Children's profiles

Children's profiles consist of the child's given name and optionally a profile picture and the date of birth. If the date of birth is provided, friends will receive a notification on the child's birthday. Also, information about the associated parent account, friends, and group memberships is stored.

Invitations

Parents can invite friends to a group or invite individual friends using private invitation codes. Invitation codes are valid for one week and will be deleted afterwards. Invitations are not possible within the DiGiKiNDi app, but can be shared via email or other social networks. DiGiKiNDi has no information about and no control over how external services process these data.

Content shared by you / your children

Users can share various kinds of content with their friends through the DiGiKiNDi app. Possible types of content and the associated data are listed below. The time limits for erasure can be found in the section on How long your data is stored on the server.

  • Voice messages: encrypted voice message file, sender and recipient IDs, time of creation, public keys and session keys
  • Photo challenges: image file, challenge name, creator ID, and time of creation
  • Paintings: image file, image type, creator ID, and time of creation
  • Actions (What have you already done today?): date of last entry per child and action
  • Jigsaw puzzles: puzzle status, date of last draw, duplicate and available pieces with expiration date, swap requests
  • Parent board posts: category, text content, image file (if available), target group (if specified), creator ID, and time of creation

Encrypted transmission

All data are transmitted via HTTPS which uses TLS encryption. This means that data sent from the mobile device to the server or vice versa cannot be read by third parties. Voice messages are additionally end-to-end encrypted using modern methods (hybrid encryption with ECDH and AES-GCM). This means that nobody except the sender and receiver - not even DiGiKiNDi - can listen to the messages. The private keys, which are needed to encrypt and decrypt the messages, never leave the user's device.

Log files and session data

DiGiKiNDi is hosted by an external service provider (Hetzner Online GmbH) whose certified data centers are located exclusively within the EU. In the hoster's log files, the anonymized IP address of the user, the browser used (if transmitted), the operating system used, and the time of the request are stored. In order to ensure data protection-compliant processing, a data processing agreement (DPA) has been concluded with the hoster. In addition to the hoster's log files, session data are stored, in particular, the IDs of the logged-in child profile and the associated parent account, a session ID, the language used, and the time and frequency of server requests.

How long your data is stored on the server

The table below provides an overview of how long the data detailed above are stored on the server. In some cases, a distinction is made between the time limit for invalidation and actual deletion. Also, backups of the data are created and stored for 14 days.

Datum Time limit for invalidation (deletion)
parent accounts, children's profiles permanent (until deleted by the user)
invitation codes 1 week (9 days)
voice messages 4 weeks (30 days)
images (photo challenges, paintings), parent board posts 4 weeks (30 days or until deleted by the user)
actions, puzzle status as long as necessary to provide the service
log files permanently
session data until logout (+ up to 2 days)

App permissions

The DiGiKiNDi app requires the following permissions on the user's device:

  • internet access
  • read and write access to device storage
  • start background services to receive notifications
  • record audio
  • use the camera

The user grants most of these permissions when installing the app. Starting with Android 6.0, other permissions, especially for using the microphone, are granted by the user at runtime.

Notifications

DiGiKiNDi uses app notifications to inform you about various events, in particular, new voice messages, accepted invitations, new parent board notices, jigsaw puzzle of the month swap requests, birthdays, changed terms of use (if required), and for a weekly status update. You can disable notifications in Android's app settings, and starting with version 8, you can also deactivate individual categories of notifications. Active polling is used for some of these notifications, others are based on push notifications. For push notifications, the Firebase Cloud Messaging (FCM) service provided by Google Ireland Limited is used. Only meta-data such as the message type, sender, recipient, and message IDs are typically sent via FCM. Content, e.g., images or voice messages, is then downloaded directly from the DiGiKiNDi server. For data transfers to the U.S., Google relies on model contract clauses which have been approved by the European Commission as a means of ensuring adequate protection when transferring data outside of the EU. For more information, please visit https://policies.google.com/privacy

Google AdMob

DiGiKiNDi uses Google AdMob to display advertisements on the app's parent board. The provider of Google AdMob is Google Ireland Limited. As DiGiKiNDi is aimed at families and children, Google does not display personalized ads, use remarketing, or create user profiles. Mobile ad identifiers may be used for frequency capping, aggregated ad reporting, and to combat fraud and abuse. For data transfers to the U.S., Google relies on model contract clauses which have been approved by the European Commission as a means of ensuring adequate protection when transferring data outside of the EU. For more information, please visit https://policies.google.com/privacy

Google Play and the SuperParent subscription

In-app purchases and subscriptions such as the SuperParent subscription are billed through Google Play. The provider is Google Ireland Limited. DiGiKiNDi has no control over how Google processes your data. You can find information about this at https://policies.google.com/privacy

Website digikindi.com

The website can generally be used without providing personal data. The statements about log files and TLS encryption apply as made above. No cookies are used.

Social media pages

The data controller according to the GDPR for the Youtube, Facebook, and Instagram pages of DiGiKiNDi is the respective provider, i.e., Google Ireland Limited or Facebook Ireland Limited, together with me. Data processing in connection with the social media pages is carried out in accordance with Art. 6(1) f GDPR based on my legitimate interest in communication and public relations. Your data (e.g., comments, postings, likes, pictures, or videos) are published by the respective provider. I do not use this data for other purposes. I may share your posts on the respective platform if this feature is available. I also reserve the right to delete content from my social media pages if possible and necessary. Google and Facebook use cookies and similar technologies. For data transfers to the U.S., the providers rely on model contract clauses which have been approved by the European Commission as a means of ensuring adequate protection when transferring data outside of the EU. DiGiKiNDi has very limited control over how Google and Facebook process your data. For more information, please visit https://policies.google.com/privacy, https://facebook.com/privacy/explanation, or https://instagram.com/legal/privacy.

Your rights

According to the EU General Data Protection Regulation (GDPR), you have the following rights as a data subject:

  • Right of access: You have the right to obtain from me as the controller access to personal data concerning you and further information as per Art. 15 GDPR.
  • Right to rectification: You have the right to obtain from me the rectification or completion of personal data concerning you that is inaccurate or incomplete.
  • Right to erasure: You have the right to obtain from me the erasure of personal data concerning you if one of the grounds referred to in Art. 17 GDPR applies.
  • Right to restriction of processing: You have the right to obtain from me restriction of processing if one of the conditions referred to in Art.18 GDPR applies.
  • Right to be informed: You have the right to obtain from me the communication of any rectification, erasure, or restriction of processing of personal data concerning you to each recipient to whom personal data have been disclosed, unless this is impossible or involves disproportionate effort. You also have the right to obtain from me information about these recipients.
  • Right to withdraw your consent: You have the right to withdraw your consent to the processing of your personal data at any time.
  • Right to data portability: You have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format, or to request that it be transmitted to another controller.
  • Right to object: You have the right to object at any time to the processing of personal data concerning you which is based on Art. 6(1) e or f GDPR.
  • Right to object to automated processing You have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you.
  • Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

Changes to the data policy

I reserve the right to change this data policy. The current version is always available in the DiGiKiNDi app and on the website.

Last modified: 01/22/2021

App

Download

FAQ

Data policy

Legal notice

basename($_SERVER["REQUEST_URI"])