Privacy Policy

1. Introduction

KidColoro is operated by PRESSWAY Bartłomiej Paluch, Zarzecze 268, 38-220 Dębowiec, Poland (NIP: PL6852340178) (the "Operator", "we", "us", or "our"). We operate the website kidcoloro.com and the KidColoro mobile application (collectively, the "Service").

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website or mobile application. Because our Service is designed primarily for children aged 3-12 (though it may also be used by older children and adults), we take privacy especially seriously and treat all users as children for privacy purposes.

We are committed to complying with the Children's Online Privacy Protection Act (COPPA, including the 2025 amendments), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Service.

Data Controller: PRESSWAY Bartłomiej Paluch, Zarzecze 268, 38-220 Dębowiec, Poland (NIP: PL6852340178). Email: contact@kidcoloro.com.

2. What Data We Collect

2.1 Data We Collect (Website)

• Contact form data: Name, email address, and message content - only when you voluntarily submit the contact form
• Ratings and favorites: Your coloring page ratings and favorites, linked to a browser session (no account required)
• Automatically collected: IP address, browser type, operating system, referring URLs, pages visited, time and date of visit, language preference

2.2 Data We Collect (Mobile Application)

Data	Purpose	Storage
Device identifier (UUID)	Session identification, favorites, AI credits, subscriptions	Server, until deletion request
Device token	API authorization	Encrypted on device (SecureStore)
Platform (iOS/Android)	Feature compatibility	Server
App version	Compatibility and updates	Server
Device language	Content translation	Server
AI generation prompts	Generating coloring pages via AI	Server, until deletion request
Favorites and settings	Personalization	Device (locally)
Coloring progress	Continuing your work	Device (locally)

2.3 What We Do NOT Collect

We do not collect:

• Child's name, email, or any personally identifiable information
• Precise location or GPS data
• Photos from camera or photo library
• Contacts or phone numbers
• IDFA (advertising identifier) or any advertising identifiers - the app does not use App Tracking Transparency
• Biometric data (fingerprints, face data, etc.)
• Passwords or login credentials (no user accounts required)
• Payment or credit card information (all purchases handled by Apple/Google)

3. How We Use Your Data

• Device identifier: To manage AI generation credits, favorites, ratings, and subscription status
• AI generation prompts: To create coloring pages using AI (Google Imagen). Prompts from free users may be moderated and the resulting images published anonymously as coloring pages on our website
• Device token: To securely authorize API requests and prevent unauthorized access
• Contact form data: To respond to your inquiries and support requests
• Analytics data: To understand usage patterns and improve our Service

Your data is not used for behavioral profiling, user tracking across apps, or targeted advertising.

3.1 Legal Basis for Processing (GDPR)

Processing Activity	Legal Basis
Device identifier for app functionality (favorites, credits, subscriptions)	Legitimate interest (service functionality and internal operations)
Contact form submissions	Consent (user voluntarily submits the form)
AI prompt processing	Contract performance (providing the requested service)
Analytics and usage statistics	Legitimate interest (service improvement)
Website advertising (AdSense)	Legitimate interest with child-safe settings (website only, not in mobile app)
Subscription and purchase management	Contract performance

3.2 Persistent Identifiers Under COPPA

The anonymous device identifier (UUID) used by our app constitutes a "persistent identifier" as defined by COPPA. This identifier is used solely for internal operations of the Service, as defined in 16 CFR 312.2, including: maintaining or analyzing the function of the app, performing network communications, authenticating users, serving contextual advertisements, and fulfilling user-requested functions (favorites, ratings, AI credits). We do not use this identifier to contact a specific individual, or for any purpose beyond internal operations.

4. Cookies and Tracking Technologies

4.1 Website

• Essential cookies: Required for the website to function (session management, language preference)
• Preference cookies: Remember your language and favorite coloring pages
• Analytics cookies: Anonymous, aggregated data to understand how visitors use our website

4.2 Mobile Application

The mobile application does not use cookies. Local data is stored on your device using secure storage mechanisms.

4.3 Managing Cookies

Most web browsers allow you to control cookies through their settings. Disabling cookies may affect website functionality.

5. Advertising

• The mobile application does not display third-party advertisements
• The website may display advertisements through Google AdSense with child-safe settings
• We do not use any advertising SDKs in the mobile application
• We do not collect IDFA (advertising identifier) or any advertising identifiers
• The app does not use App Tracking Transparency (ATT) as no tracking occurs
• We do not track users for ad targeting, behavioral profiling, or cross-app tracking

6. Third-Party Services

Service	Purpose	Data Shared	Privacy Policy
Google Imagen (AI)	AI coloring page generation	Prompt text (via our server, not directly)	Link
OpenAI (GPT)	Prompt translation and content moderation	Prompt text (via our server, not directly)	Link
Apple App Store	In-App Purchases	Transaction token (handled by Apple)	Link
Google Play Store	In-App Purchases	Transaction token (handled by Google)	Link

AI data handling: AI generation prompts are sent from our server to Google Imagen and OpenAI for processing. No personal information (device identifier, IP address, or any identifying data) is included in these API requests. Only the text of the prompt is transmitted.

We do not sell or share personal data. We do not share data with data brokers. We do not use data for marketing outside of our Service.

7. Children's Privacy (COPPA & GDPR-K Compliance)

• Our Service is designed for children aged 3 and older
• We comply with the Children's Online Privacy Protection Act (COPPA) and GDPR provisions for children (GDPR-K)
• We do not knowingly collect personal information from children under 13
• The device identifier (UUID) is anonymous and cannot be used to identify a child
• The mobile application does not display any third-party advertisements
• A parental gate protects against accidental purchases and access to external websites
• AI generation prompts do not require any personal information
• Content moderation filters block inappropriate prompts (violence, sexual content, drugs, hate speech) in all 10 supported languages

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at contact@kidcoloro.com so we can take appropriate action.

7.1 Parental Consent

Because our app does not collect personal information from children as defined by COPPA (the anonymous UUID is used solely for internal operations), verifiable parental consent is not required for basic app use. However:

• In-app purchases require parental authorization through Apple/Google's built-in parental controls and our parental gate
• A parent or guardian may request deletion of all data associated with their child's device at any time
• A parent or guardian may refuse further data collection by uninstalling the app

7.2 Age of Consent Across Jurisdictions

In the European Economic Area, the age at which a child can provide consent for data processing varies by country (ranging from 13 to 16 years; in Poland it is 13). Since our app is designed primarily for children under these ages, we treat all users as children for privacy purposes and do not rely on child consent for data processing.

8. Data Security

• All communication with our servers uses HTTPS/TLS encryption
• Device authorization tokens are stored in encrypted secure storage (expo-secure-store / Keychain / EncryptedSharedPreferences)
• We do not store passwords or payment information - all purchases are handled by Apple/Google
• API endpoints are protected by rate limiting, device authentication, and input validation
• Regular security audits and code reviews are performed

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

9. Your Rights

9.1 All Users

• Right to deletion: You can delete all your data directly in the app (Settings > Delete Account) or by emailing contact@kidcoloro.com with your device identifier. We will delete all associated data within 30 days.
• Right to access: Upon request, we will provide information about what data we store about your device.
• Right to object: You can uninstall the application at any time - all local data is deleted automatically.
• Parental rights: A parent or guardian can request deletion of their child's data at any time.

9.2 European Users (GDPR)

If you are located in the European Economic Area (EEA), you additionally have the right to:

• Rectification: Request correction of inaccurate data
• Restriction: Request limitation of data processing
• Portability: Request a copy of your data in a machine-readable format
• Object: Object to processing of your personal data

To exercise any of these rights, contact us at contact@kidcoloro.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In Poland, the relevant authority is the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland (uodo.gov.pl).

9.3 California Residents (CCPA/CPRA)

If you are a California resident, under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• We do not sell personal information as defined by the CCPA/CPRA
• We do not share personal information for cross-context behavioral advertising
• We do not sell or share personal information of children under 16
• You have the right to know what personal information we collect and how it is used
• You have the right to request deletion of your personal information
• You have the right to opt-out of the sale or sharing of personal information (not applicable as we do not sell/share)
• We will not discriminate against you for exercising any of these rights

10. Data Retention and Deletion

• Device data: Automatically deleted after 12 months of inactivity (no API requests from the device). Can also be deleted on demand via in-app feature or email request
• AI generation prompts: Retained for up to 24 months, then anonymized or deleted. Free user prompts may be anonymously published as coloring pages
• Contact form data: Deleted within 90 days of resolving the inquiry
• Subscription/purchase data: Retained for 5 years as required by applicable tax law (Polish accounting regulations)
• Local data (favorites, coloring progress): Deleted when you uninstall the application
• Anonymous aggregated data (page views, download counts): Retained indefinitely as it cannot identify individuals
• Rate limiting data: Automatically purged within 24 hours

11. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area, including the United States, when AI generation prompts are processed by Google (Imagen) and OpenAI (GPT). These transfers are governed by:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The service providers' compliance frameworks and data processing agreements

Only the text of AI prompts is transmitted to these services. No personal information, device identifiers, or IP addresses are included in these API requests. By using our AI generation feature, you acknowledge this transfer.

12. Data Breach Notification

In the event of a data breach that poses a high risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority (UODO in Poland) within 72 hours as required by GDPR Article 33
• Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
• Take immediate steps to contain and remediate the breach

13. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices or content of external sites. We encourage you to review the privacy policies of any third-party site you visit.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Significant changes will be highlighted in the app or on our website. Continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy:

• General support: contact@kidcoloro.com
• Privacy concerns: contact@kidcoloro.com
• Report inappropriate content: contact@kidcoloro.com
• Contact form: Contact page