General Data Protection Policy
For the purpose of data protection of its subjects (“Data Subject”) (members of KidsLoop Group), KidsLoop Group records processing activities (Article 30 of General Data Protection Regulation (“GDPR”), articles hereinafter are reference to GDPR unless otherwise specified), designates a Data Protection Officer (DPO) to operate its business in accordance with GDPR (Article 37), implements Data Protection Impact Assessment (DPIA) under the supervision of the DPO and trains its employees for data protection (Article 39).
KidsLoop Group formulates legal framework to process personal data including sensitive information (Articles 6 and 9) and has the explicit consent to the data processing from a data subject (Article 7). It also has the consent of the holder of parental responsibility over a child for the child’s data processing, in which case it makes reasonable efforts to verify if such consent is given or authorized by the lawful person, taking into consideration available technology (Article 8). Additionally, in case of overseas transfer of the data, the company concludes a contract under standard contractual clauses adopted by a supervisory authority and approved by the Commission (Article 46.2 (c)), and has the explicit consent of a data subject (Article 49).
KidsLoop Group allows a data subject to exercise his or her rights guaranteed by GDPR as follows: the right to consent (Article 7), the right to receipt of his or her data (Articles 13 and 14), the right to access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), the right to object (Article 21) and the right to automated individual decision-making including profiling (Article 22).
The company is in compliance with the obligations of data protection by design and by default (Article 25) and implements technical and operational measures reasonably necessary to prevent the data from leakage and breach (Article 32). It notifies a personal data breach to the supervisory authority within 72 hours after having become aware of it (Article 33) and communicates a personal data breach to a data subject without undue delay if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34).
About Privacy Notice
KidsLoop Group notifies a data subject of the Privacy Notice within the reasonable period not later than one month in order to explain the methods and procedures of processing his or her data including his or her certain data if it collects such personal data from the data subject or any third party discloses such personal data.
KidsLoop Group notifies Data Subject of this Privacy Notice as follows:
The data controller of personal data is KidsLoop Group. If you contact us for assistance, for your safety and ours, we may need to authenticate your identity before fulfilling the request.
Collection of Personal Data
We receive and store your personal data based on the principles of GDPR (i.e. Article 5) and relevant regulations such as:
– Name, email, gender, birth date, ID, telephone number, nationality, language, Connection Information (CI), Duplication Information (DI), payment method(s), etc. (For minors, information of their legal representative (name, date of birth, CI, DI, etc. of the legal representative)) for Internet membership service
– Member name, address, age, registered organization, and email, Detail of subscription and KidsLoop Group content use (content classification (books, applications and videos), content titles, time of using the content by hour, day and month, Detail of taking class (class classification, class titles, schedule, achievement and member evaluation) for Analysis of how members use the content & service suggestion
– Pictures, audio and videos for Application service
– Name, telephone number for Service of providing learners with development history and analytic results according to the Learning Lab use
– Equipment information such as Records on the use of and access to KidsLoop Group services, verification records, access IP information, unique number for equipment identification (example, equipment ID), OS information (country, language), application version, etc.
– Log information such as IP address, log data, use time, search words input by you, internet protocol address, cookies and web beacons, etc.
– Other personal data such as Preference, visited pages, etc. regarding your KidsLoop Group service use, time of playing videos and audios, time of using activities, information on the read pages, quiz results, places where a photo is taken, date of creating files, etc. for Application services, unique ID for each sentence and word, record time for Bada Pen Service
– Name and birth date of learners (children)
– Name and phone number of their legal representative
– Pictures of Learners(children) for Social Feed Service
– payment service providers who provide us with payment information, or updates to that information, based on their relationship with you;
– Name, age, gender, country, phone number, email (parents’ email for students), preferred language, date of registration, Connection Information (CI), Duplication Information (DI),
– Profile photo of teacher/student, video / audio (including a children’s voice, face and motion), class schedule, organization/school/class where children belong to, device information (type of device / udid / OS information), legal representative’s information in case of a minor (the name, birth date, CI, DI, etc. of a legal representative) and log information.
Method of Collection
KidsLoop Group collects your personal data in the following manner based on GDPR (Article 6(1)(a)) and relevant regulations:
Use of Personal Data
We use personal data to provide, analyze, administer, enhance and personalize our KidsLoop Group services and marketing efforts, to process your registration, your orders and your payments, and to communicate with you on these and other topics. For example, we use personal data based on the principles of GDPR (i.e. Article 5) and relevant regulations to:
Disclosure of Personal Data
We disclose your personal data for certain purposes and to third parties based on the principles of GDPR (i.e. Article 5) and relevant regulations, as described below:
– in order to facilitate Partner collection of payment for the KidsLoop Group service for distribution to us;
– with Partners who operate voice assistant platforms that allow you to interact with our service using voice commands;
– so that content and features available in the KidsLoop Group service can be suggested to you in the Partner’s user interface. For you, these suggestions are part of the KidsLoop Group service and may include customized and personalized viewing recommendations;
– such as pictures from Learner (Children) that Partners provided to Teacher and/or educational institutions for the Social Feed service;
– with Partners who distribute, promote and cooperate KidsLoop Services overseas.
Disclosure of Personal Data
The personal data provided by you is the requirement for KidsLoop Group use contract between you and KidsLoop Group so that KidsLoop Group provides you with great services. You may be restricted to use KidsLoop Group’s KidsLoop Services unless you give consent to the collection of required personal data while you can use KidsLoop Services except the services which require the consent to the collection of the optional personal data if you refuse to give consent to the collection of such optional personal data.
Disclosure of Personal Data for Legal Reasons
We will share personal data outside of KidsLoop Group if we have a good-faith belief that access, use, preservation or disclosure of the personal data is reasonably necessary to:
Overseas Transfer of Personal Data
Rights of Data Subject
Data Subject or their legal representatives, as main agents of the personal data, can exercise the following rights regarding the collection, use and disclosure of personal data by KidsLoop Group:
Upon the request from Data Subject, KidsLoop Group takes actions as follows:
Also, the Data Subject or their legal representatives have the right to file a complaint with a supervisory authority (Article 13(2), Article 14(2)(e)).
KidsLoop Group takes the security of personal data seriously. It has the following security measures to prevent the unauthorized access to, or disclosure, use or change of the personal data (Article 32).
– To transmit your personal data by an encrypted communication zone
– To keep encrypted essential information such as passwords
– Authentication security strategy: Authentication Sessions
– Hashing user password in the database
– SSL certificate managed with AWS Certificate Manager
– To install a system in the zone to which the external access is strictly restricted so as to prevent your personal data from leakage or damage by hacking or computer viruses
– To conduct regular internal audit (once a quarter) to safely process personal data
– To keep minimal the number of employees processing personal data and educate them
– To take necessary actions to restrict the access to the personal data, such as the grant, change or termination of the right to access the data base system of personal data processing
– To keep the documents, storage devices, etc. which include personal data in a safe place with a lock
– To designate a physical place of storing personal data to restrict the access by unauthorized persons and to establish and operate such access control procedure
– Rest API Security with AWS: API Gateways
– DynamoDB user data security with AWS: Databases
Personal Data Breach Escalation and Checklist
It is specified in Articles 33 and 34 of GDPR that in case of a personal data breach, the controller should without undue delay notify the personal data breach to Data Subject and a supervisory authority. To this end, KidsLoop Group responds to personal data breach before and after the occurrence of an incidence in accordance with the following checklist:
– To know how to recognize a data breach;
– To have prepared a response plan for addressing any personal data breaches that occur;
– To have allocated responsibility for managing breaches to a dedicated person or team; and
– To train staff to knows how to escalate a security incident to the appropriate person or team in its organization to determine whether a breach has occurred
– To have in place a process to assess the likely risk to individuals as a result of a breach;
– To have a process to notify the Information Commissioner’s Office (ICO) and/or relevant supervisory government authority (“Supervisory Authority”) of a breach within 72 hours of becoming aware of it;
– To have Breach Notification Form to be submitted to the Supervisory Authority if a data breach occurs;
– To have a process to inform affected individuals about a breach without undue delay;
– To know what information about a breach the company must provide to individuals, and to provide advice to help them protect themselves from its effects; and
– To document all breaches
– To contact the relevant Supervisory Authority of a breach within 72 hours after having become aware of it;
– To directly contact the individuals affected by a breach if it is likely to result in a high risk to their rights and freedoms; and
– To have Breach Notification Form to the Supervisory Authority and Breach Notification Form to Data Subject
Personal Data of Children
In principle, KidsLoop Group does not collect any personal data of children under 13 or those of minimum age under relevant law (“Children”). However, if KidsLoop Group collects, from the Learning Lab or KidsLoop Services, any personal data of the Children for the Learning Lab or KidsLoop Service use, it will comply with the following procedure for the protection of Children’s personal data (Article 8):
Automated individual decision-making, including profiling
KidsLoop Group may use your personal data to create individual or collective profiles (hereinafter referred to as “profiling”) for the purpose of identifying how to provide you with better KidsLoop Services, for example, providing you with customized content of KidsLoop Services by analyzing what attracts you the most regarding KidsLoop Group and KidsLoop Services, and how you use the services. In addition, KidsLoop Group uses the personal data for the following purposes: to create user clusters to identify your interest in the KidsLoop Services; to analyze the market and statistics or; to enhance the KidsLoop Services (all websites, etc.). It may integrate the personal data provided by all its websites and applications with your personal data provided by Learning Lab and KidsLoop Services. The processing of personal data for profiling is carried out in line with the guarantees and measures specified in applicable law (Article 22).
Personal Data Retention Policy
For the purpose of protecting your personal data, KidsLoop Group complies with the principle of Data Minimization (Article 5) where the processing of personal data should be appropriate and limited to the extent solely necessary for the purposes for which the data are processed. To this end, KidsLoop Group abides by the following retention policy:
Cookies and Internet Advertising
KidsLoop Group may collect personal data through ‘cookies’ or ‘web beacons’.
Cookies are substantially small text files to be sent to the browser of yours by the server used for the operation of KidsLoop Group’s websites and are stored in hard-disks of your computers.
Web beacons are a small quantity of code which exists on websites and e-mail. By using web beacons, we can identify whether you have interacted with certain webs or the contents of email.
These functions are used for evaluating, improving services and customizing your experience so that KidsLoop Group provides way improved KidsLoop Services for you.
The items of cookies to be collected by KidsLoop Group and the purpose of such collections are as follows:
– To retain the personal data entered in an order form while searching other webpages during the web browser session
– To retain the purchased services for the webpage of products and checkout
– To verify whether you log onto the website
– To ensure that you are connected to a correct service on the v’s website if the KidsLoop Group makes any change in the operation of the KidsLoop Group’s website.
– To connect you to a certain application or server of the services
– Web analysis: to provide statistical data on how to use the website;
– Advertisement response fee: to confirm the effect of KidsLoop Group’s advertisement;
– Tracing affiliates; to provide KidsLoop Group with the feedback of anonymous personal data that one of the visitors to KidsLoop Group’s website has visited any other affiliate’s website;
– Error management: to identify errors which have occurred in order to improve KidsLoop Group’s website; or
– Design testing: to test other designs of KidsLoop Group’s website
– To store changed set-ups such as layout, text size, basic set-up and colors; or
– To store the survey which has been conducted by KidsLoop Group and completed by you.
You have the following options for cookie installation: accepting all cookies, making each cookie confirmed whenever it is saved, or refusing the storage of all cookies. However, such refusal by you may result in the limit to the part of KidsLoop Services.
The latest update date: November 3, 2020
Copyright © 2020 KidsLoop Co., Ltd. All rights reserved.