Privacy Policy

This Privacy Policy describes how Kria Kala with Hila (“Kriakala,” “we,” “us”) handles information when you use our website (kriakala.com) and our mobile application (the “App”). The App is designed for young children (approximately ages 4–7) and their parents or guardians.

Data controller: The operator of the Kria Kala service. Contact: support@kriakala.com. If you need our full legal entity name and postal address for data protection requests, ask us at this email and we will respond within a reasonable time.

1. Scope

This policy applies to visitors of our website and users of the App. It is intended to meet transparency expectations under the EU/UK GDPR, the Israeli Privacy Protection Law, 5741-1981 (and related regulations), and U.S. children’s privacy rules (COPPA) where applicable. It should be read with our Cookie Policy and Terms of Service.

2. Information we process

Children using the App without parent sign-in: We do not knowingly ask children to provide personal information for core learning use. Children can use the App without creating an account.

Parents / guardians: If you choose optional features (such as Google Sign-In to sync purchases), we may process identifiers associated with your account as described by Google and our systems. Purchases are handled by Apple App Store and/or Google Play (and, where applicable, payment processors such as Stripe) under their terms.

Website visitors: If you opt in to analytics cookies on our website, we use Google Analytics as described in our Cookie Policy. We also process information you send us (for example, support emails).

3. Lawful bases (GDPR Article 6)

Where GDPR applies, we rely on the following legal bases:

Processing activity	Lawful basis
Providing the App and website; account-related processing for parents who choose sign-in	Performance of a contract (Art. 6(1)(b)); legitimate interests in operating a secure service (Art. 6(1)(f)), balanced against your rights
Optional Google Sign-In for parents	Consent (Art. 6(1)(a)) through the sign-in flow and Google’s controls
Website analytics (Google Analytics), if you opt in via our cookie banner	Consent (Art. 6(1)(a))
Responding to support requests; legal compliance	Legitimate interests (Art. 6(1)(f)) and/or legal obligation (Art. 6(1)(c)) where applicable
Processing related to payments and receipts via app stores	Performance of a contract (Art. 6(1)(b)); compliance with tax/accounting obligations where applicable (Art. 6(1)(c))

Children (GDPR Article 8): Where information society services are offered directly to children and consent is required, parental consent is obtained in line with applicable age thresholds and our parental gate for account and purchase flows. Core App use without sign-in does not rely on collecting personal data from the child.

4. Verifiable parental consent & parent gate (COPPA / children’s services)

Before a parent can access certain parent-only features (such as Google Sign-In or purchases), the App presents a parent verification step that is not intended for young children to complete alone. The mechanism is designed to be reasonably calculated to ensure that an adult is approving the action—for example, by combining an age declaration with a short challenge or gate appropriate to the platform, together with platform parental controls for payments where applicable.

We describe this at a high level here for transparency; we do not publish step-by-step details that would reduce the effectiveness of the gate.

5. COPPA — parental rights & direct notice

Under COPPA, parents have the right to:

Review personal information we have collected from their child (to the extent any is collected in a parent account context);
Request deletion of such information where appropriate;
Refuse further collection or use of their child’s information.

To exercise these rights, email support@kriakala.com. We will respond within reasonable timelines. Where Google Sign-In or app stores hold identifiers or purchase history, we may need to direct you to those services for certain account-level actions.

Where we collect a parent’s email in connection with an account or support, we may provide notices about privacy practices as required by law.

6. Your GDPR rights (Articles 15–21)

Depending on your location and the facts, you may have the right to:

Access your personal data (Art. 15);
Rectification of inaccurate data (Art. 16);
Erasure (“right to be forgotten”) in certain cases (Art. 17);
Restriction of processing (Art. 18);
Data portability for data you provided, where processing is based on consent or contract and is automated (Art. 20);
Object to processing based on legitimate interests (Art. 21);
Withdraw consent at any time, where processing is consent-based, without affecting prior lawful processing.

Submit requests to support@kriakala.com. You may also lodge a complaint with a supervisory authority—in the EU, with your local DPA; in Israel, with the Privacy Protection Authority.

7. Israeli Privacy Protection Law (PPL)

We respect rights under Israeli law, including rights of access and correction regarding data in databases we control, where applicable. For complaints in Israel, you may contact the Privacy Protection Authority at the link above. Legal developments (including amendments introducing further GDPR-like obligations) may apply over time; we will update this policy when appropriate.

8. Processors & international transfers

We use service providers to operate the App and site. They process data on our instructions (as processors under GDPR Article 28) or as independent controllers as described in their policies. Examples include:

Google (e.g., optional Google Sign-In; Google Play; in some cases Google Analytics on the website if you consent): data may be processed in the United States and other regions. Where GDPR applies, we rely on appropriate safeguards such as the EU Commission Standard Contractual Clauses (SCCs) and/or Google’s documented transfer mechanisms.
Apple (App Store, in-app purchases): processing under Apple’s terms; may involve transfers outside your country.
Stripe or other payment providers where applicable: subject to their privacy policy and contractual terms.

Copies of relevant processing terms (including DPAs offered by large providers) are available from those vendors’ trust and legal pages.

9. Retention

We retain information only as long as needed for the purposes above, unless a longer period is required by law:

Cookie / consent records (website): as described in the Cookie Policy;
Support emails: typically up to 24 months unless we need to retain longer for legal claims or compliance;
Account / sync identifiers (if any): for as long as the parent account is used and a reasonable period after, unless deletion is requested;
Store purchase records: subject to Apple/Google/Stripe retention and legal/tax requirements.

10. Security & breach notification

We implement appropriate technical and organizational measures to protect personal data. If we become aware of a personal data breach that is likely to result in risk to individuals, we will notify supervisory authorities as required (including within GDPR’s 72-hour window where it applies) and communicate to affected individuals when required.

11. No ads in the App

The App does not serve third-party advertising. Website analytics, if enabled, is limited to what you consent to on the cookie banner.

12. Changes

We may update this Privacy Policy. We will adjust the “Last updated” date and, where changes are material, provide additional notice as appropriate (for example, on the website or by email for account holders).

COPPA Compliant — Zero Child Data Collection

Questions About Privacy?