Privacy Policy

Last updated: May 1, 2026

1. Introduction

KidMoat (“KidMoat,” “we,” “us,” or “our”) is a parental control application and related website published by ZYNATY TECHNOLOGIES (OPC) PRIVATE LIMITED (“Zynaty”), a One Person Company incorporated under the Companies Act, 2013 (India). This Privacy Policy describes how we collect, use, store, share, and protect personal information of parents and children who use KidMoat. By installing or using KidMoat, you agree to the practices described in this policy.

2. Who We Are

We are a technology company based in India and act as the Data Fiduciary for personal data collected through KidMoat under India's Digital Personal Data Protection Act, 2023 (“DPDP Act”), and the Data Controller under the EU/UK General Data Protection Regulation (“GDPR”). For users elsewhere, we comply with applicable local data protection laws and act as the equivalent of a data controller under those frameworks.

  • Legal name: Zynaty Technologies (OPC) Private Limited
  • Registered office: C/O Arabinda Ghosh, Ward No. 4, Master Para, Katwa, Bardhaman – 713130, West Bengal, India
  • Privacy contact: kidmoat@gmail.com

3. Information We Collect

We collect only the information necessary to provide parental monitoring features that you, as a parent or legal guardian, choose to enable.

Parent Account Information

  • Name, email address, and password (stored as a salted hash)
  • Subscription status and billing identifiers (we do not store card numbers)

Child Device Information

  • Location: GPS coordinates, last-known location, and entry/exit events for parent-defined geofences
  • Screen time & app usage: List of installed apps, foreground app changes, per-app duration, and total screen-on time
  • Web activity: Domains visited (e.g., example.com) for category-based filtering. We do not store full URLs, page content, or browsing history
  • Notification metadata: The name of the app posting a notification and a timestamp. We do not store notification text, message content, or attachments by default
  • Device health: Battery level, connectivity status, and the on/off state of permissions required for KidMoat to function

Device & Technical Identifiers

  • Device model, manufacturer, and Android version
  • Firebase Cloud Messaging (FCM) token used to deliver push alerts
  • Diagnostic and crash data (stack traces, error codes) used solely to fix bugs

Information from Website Visits

  • IP address, browser type, and request timestamps
  • Privacy-friendly, cookie-less analytics — see Section 11

4. Sensitive Permissions We Use

KidMoat requests the following sensitive Android permissions on the child's device. Each permission is requested only after we explain its purpose and ask the parent to grant it. None of the data accessed through these permissions is used for advertising, profiling, or sold to any third party.

Location (Foreground & Background)

Used to show the child's real-time location to the parent and to trigger entry/exit alerts for geofences the parent has created (e.g., “School,” “Home”). Background location is required so that location updates and geofence events continue to work when the child's app is not in the foreground.

Usage Access

Used to read which apps are running and for how long, so that the parent can see accurate screen-time reports and enforce per-app or per-category time limits. We read only app names and durations — not the content displayed inside any app.

Accessibility Service

KidMoat operates an Accessibility Service called ScreenTimeAccessibilityService on the child's device. This service is used solely to enforce the parental rules a parent has configured:

  • Detect when a blocked or time-limited app moves to the foreground, so KidMoat can immediately show the block screen and return the child to the home screen.
  • Detect in-app purchase or app-store dialogs, so the parent receives an alert if the child attempts an unauthorised purchase.

The Accessibility Service does not record keystrokes, capture passwords, read messages, take screenshots, or transmit on-screen content to our servers. Data accessed via the Accessibility API is never used for advertising or sold to third parties. The parent can disable this service at any time from the child's Android Settings › Accessibility menu, which will turn off real-time app blocking.

Notification Access

Used to detect when monitored apps post notifications (for example, to count social-app activity). KidMoat reads only the posting app's package name and timestamp by default. We do not store the body or sender of notifications unless the parent explicitly enables a feature that requires it and consents to the additional processing.

VPN Service (On-Device Only)

Used to filter web traffic on the child's device against parent-selected content categories (e.g., adult content, gambling). KidMoat establishes a local, on-device VPN that processes domain lookups locally; we do not route the child's internet traffic through any external KidMoat server. We do not log full URLs, page content, request bodies, or HTTPS payloads. Only the domain name of blocked requests is recorded so the parent can review filtering decisions.

Device Administrator

Used as uninstall protection — a parent-controlled safeguard that prevents the child from removing KidMoat without the parent's PIN. Device Administrator privileges are limited to this purpose; we do not use them to wipe data, change passwords, or remotely lock the device.

Other Permissions

KidMoat also uses standard Android permissions such as Internet, Post Notifications, Camera (only for scanning the parent's pairing QR code), Display Over Other Apps (for the block screen), and Receive Boot Completed (so that monitoring resumes after a device restart). These permissions do not access additional personal data beyond what is described above.

5. How We Use Information

We use the information we collect to:

  • Provide the parental monitoring features the parent has enabled — screen-time management, location tracking, geofence alerts, app controls, and web filtering
  • Send the parent timely alerts (tamper detection, in-app purchase attempts, geofence events, screen-time limit reached)
  • Generate usage reports, weekly summaries, and gamified streaks for the family
  • Provide customer support, deliver service announcements, and respond to privacy-related requests
  • Detect and prevent fraud, abuse, and violations of our Terms of Service
  • Improve product reliability through aggregate, de-identified diagnostics

We do not use any data collected through KidMoat for advertising, marketing to children, or building behavioural profiles for sale.

6. Legal Basis for Processing (GDPR)

For users in the European Economic Area and the United Kingdom, we process personal data on the following legal bases:

  • Consent (Art. 6(1)(a)): The parent provides explicit consent during account creation and for each monitoring feature enabled. Consent can be withdrawn at any time.
  • Contract (Art. 6(1)(b)): Processing necessary to deliver the subscription services the parent has purchased.
  • Legitimate Interest (Art. 6(1)(f)): Service security, fraud prevention, and aggregate product improvement, balanced against the rights and freedoms of the data subject.

7. Children's Data

KidMoat exists to help parents protect their children online. We treat children's data with particular care:

  • We collect data about a child only after the parent or legal guardian has provided verifiable consent in the KidMoat app. Children cannot create their own KidMoat account.
  • Child data is used solely for the parental monitoring features the parent has enabled and is visible only to the parent and authorised co-parent(s).
  • We do not show advertising to children, profile children for marketing, or share children's data with advertisers, data brokers, or third-party marketers.
  • We follow data-minimisation principles: we collect only what is needed for the feature in use, and we delete child data when it is no longer needed.
  • The parent can view, export, or delete the child's data at any time from the Settings section of the KidMoat app, or by contacting us.

In jurisdictions that have child-specific privacy frameworks (such as the United States Children's Online Privacy Protection Act and DPDP Act §9), KidMoat complies with the applicable consent and disclosure requirements.

8. How We Share Information

We share personal data only with the categories of service providers listed below, and only to the extent necessary to operate KidMoat. All providers are bound by confidentiality and data-protection obligations.

  • Application servers & primary database: Hetzner Online GmbH, Helsinki, Finland (eu-central region) — hosts the KidMoat backend, parent and child account data, and monitoring activity
  • Authentication & user identity: Firebase Authentication (Google LLC)
  • Push notifications: Firebase Cloud Messaging (Google LLC) — used solely to deliver alerts to the parent's device
  • Crash & reliability diagnostics: Firebase Crashlytics (Google LLC) — no personal content of children is included in crash reports
  • Payment processing: Google Play Billing — Google does not share your full card details with us

Where We Process Your Data

KidMoat is operated from India, but our application servers and primary database are hosted in the European Union (Helsinki, Finland) — a region the European Commission recognises as providing an adequate level of personal-data protection.

  • For users in India: personal data is transferred to the EU. We rely on the cross-border transfer permission under Section 16 of the DPDP Act 2023; the EU's General Data Protection Regulation provides protections at least equivalent to those required under Indian law.
  • For users in the EU, EEA, or UK: personal data is processed within the European Union.
  • For users in other jurisdictions: personal data is processed in the EU under appropriate safeguards, including Standard Contractual Clauses approved by the European Commission where applicable.

A small number of Firebase services (notably Cloud Messaging) are delivered through Google's globally distributed infrastructure. Where Google transfers data outside the EEA, it does so on the basis of the EU Standard Contractual Clauses.

We do not:

  • Sell personal data to any third party
  • Share personal data with advertisers or ad networks
  • Use child data for cross-context behavioural advertising

We may disclose data to a government or law-enforcement authority only when required by a valid legal process, and we will notify the affected parent unless prohibited by law from doing so.

9. Data Retention

  • Active account: Data is retained while your subscription is active.
  • Location history: Retained for 30 days on a rolling basis, then automatically deleted.
  • Usage & activity reports: Retained for 90 days for parent-facing reporting.
  • After cancellation: Child monitoring data is deleted within 30 days of subscription cancellation. Parent account information may be retained for up to 12 months for billing reconciliation, fraud prevention, and legal compliance, after which it is deleted or anonymised.
  • Crash & diagnostic logs: Retained for 90 days, then deleted.

10. Data Security

We use industry-standard security measures to protect personal data:

  • Encryption in transit: All client–server communication uses TLS 1.2 or higher.
  • Encryption at rest: On-device data is encrypted using SQLCipher (AES-256). Server-side data stores are encrypted at rest by the cloud provider.
  • Access controls: Role-based access, audit logging, and least-privilege principles for our internal systems.
  • Regular security reviews and dependency vulnerability monitoring.

No service can guarantee absolute security. If we become aware of a personal-data breach that is likely to result in significant harm, we will notify the affected parents and the relevant authority within the timelines required by applicable law.

11. Your Rights

Under the GDPR (for users in the EEA/UK) and the DPDP Act 2023 (for users in India), you have the following rights regarding your personal data and your child's data:

  • Access: Request a copy of the personal data we hold about you and your child.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your personal data (the “right to be forgotten”).
  • Portability: Receive your data in a structured, machine-readable format.
  • Withdraw consent: Withdraw your consent for processing at any time. Withdrawing consent does not affect processing carried out before withdrawal.
  • Lodge a complaint: File a complaint with the Data Protection Board of India or your local supervisory authority in the EEA/UK.

To request deletion of your account and child data, please use our online form: kidmoat.com/data-deletion. For any other right listed above, email us at kidmoat@gmail.com. We respond within 30 days.

If you live outside India or the EEA/UK, your local privacy laws may give you similar rights. Where they do, we honor them. Email kidmoat@gmail.com to exercise any right.

12. India DPDP Act 2023 — Grievance Officer

In compliance with the Digital Personal Data Protection Act, 2023, Zynaty Technologies (OPC) Private Limited has appointed a Grievance Officer to address concerns about personal-data processing.

  • Name: Arpita Ghosh
  • Designation: Grievance Officer, Zynaty Technologies (OPC) Private Limited
  • Email: kidmoat@gmail.com
  • Address: C/O Arabinda Ghosh, Ward No. 4, Master Para, Katwa, Bardhaman – 713130, West Bengal, India
  • Response time: Within 30 days of receipt

13. Cookies & Web Analytics

The KidMoat website uses Plausible Analytics, a privacy-friendly analytics tool that does not use cookies and does not collect personally identifiable information. We do not use advertising cookies, retargeting pixels, or third-party trackers that follow you across the web. The KidMoat application itself does not use cookies.

14. Changes to This Policy & Contact

We may update this Privacy Policy from time to time to reflect changes in the product, the law, or our practices. For material changes, we will notify the parent by email at the address associated with the account at least 15 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.

For privacy questions or to exercise your rights, contact us at:

  • Privacy & Grievance Officer: kidmoat@gmail.com
  • Customer support: kidmoat@gmail.com
  • Postal address: Zynaty Technologies (OPC) Private Limited, C/O Arabinda Ghosh, Ward No. 4, Master Para, Katwa, Bardhaman – 713130, West Bengal, India