Privacy Policy

KidForge is a family fintech platform that helps parents teach children about money through gifting, saving, earning, and supervised investing. We take the privacy and security of your family’s data extremely seriously — especially when it comes to children.

This Privacy Policy explains what data we collect, why we collect it, how we use it, who we share it with, and what rights you have. It applies to all users of the KidForge platform, including parents, guardians, children, and gift-giving relatives.

To help you understand this policy, here are the key terms we use throughout:

Parent

— The adult who creates and manages a KidForge family account. This includes guardians and other legal caregivers.

Child

— A minor user (typically ages 6–18) who uses KidForge under parental supervision.

Family

— The group of users connected under one parent account, including the parent, children, and optionally invited relatives.

Personal Data

— Any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).

Service

— The KidForge platform, web application, and all related services we provide.

The data controller responsible for the processing of your personal data is:

We follow the principle of data minimisation — we only collect what is strictly necessary to operate KidForge. We deliberately collect less data from children than from parents.

We use your personal data for specific, legitimate purposes only. We never sell your data or use it for targeted advertising.

Under GDPR, we must have a valid legal basis for processing your personal data. Here are the bases we rely on:

KidForge is designed for use by children, and we take special care to protect their data. We comply with GDPR Article 8 (conditions applicable to child’s consent in relation to information society services).

We do not sell, rent, or trade your personal data. We share data only with the following categories of service providers, under strict contractual obligations:

KidForge stores data primarily in the European Union via Supabase (EU region). When data is transferred outside the EU, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where available (e.g., EU-US Data Privacy Framework)
• Data Processing Agreements (DPAs) with all service providers

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy.

Under GDPR, you have the following rights regarding your personal data:

• Right of access — request a copy of all data we hold about you
• Right to rectification — correct inaccurate or incomplete data
• Right to erasure — request deletion of your data (“right to be forgotten”)
• Right to restrict processing — limit how we use your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — withdraw consent at any time, without affecting prior processing
• Right to complain — lodge a complaint with a supervisory authority (CNPD in Portugal)

We implement industry-standard security measures to protect your data:

• Encryption in transit: All data is transmitted over TLS 1.3
• Encryption at rest: Database encryption using AES-256
• Password hashing: bcrypt with salt rounds, never stored in plaintext
• Row Level Security (RLS): Database policies ensure users can only access data from their own family
• PIN protection: Parent accounts require a PIN for sensitive operations
• Audit logging: Immutable, append-only audit trail of all financial and administrative actions
• Input validation: All inputs validated with Zod schemas to prevent injection attacks
• Regular security reviews: Periodic code audits and dependency vulnerability scans

For a comprehensive overview of our security practices, see our Security page.

KidForge uses only essential cookies required for the platform to function:

• Authentication cookies: To keep you signed in securely
• Session cookies: To maintain your session state
• CSRF tokens: To protect against cross-site request forgery

We do not use advertising cookies, analytics trackers, social media pixels, or any third-party tracking technologies. For full details, see our Cookie Policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

You also have the right to lodge a complaint with the Portuguese supervisory authority: