Klaebo AITM
Privacy Policy
Version 1.0 - Effective: 04/20/2026 - O-Zone Technologies Ltd
This Privacy Policy covers both the parent/guardian account and the child account. The Children's Privacy Addendum in Section 11 specifically addresses how we handle data for users under 13 (and under the applicable age of digital consent in your country). Please read both sections.
1. Who We Are and How to Contact Us
O-Zone Technologies Ltd ("Klaebo", "we", "us") is the data controller for personal data processed through klaebo.ai and kids.klaebo.ai platform.
Data Protection Contact: support@o-zone.io
2. Data We Collect - Parent / Guardian Account
| Data Type | Purpose and Legal Basis |
|---|---|
| Email address (via Google Sign-In) | Account authentication and consent trail. Legal basis: Contract (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c)). |
| Full name (typed signature) | Parental consent record. Legal basis: Legal obligation (Art. 6(1)(c)) - COPPA / GDPR-K requirement. |
| Date of birth | Age verification (18+ confirmation). Legal basis: Legitimate interests (Art. 6(1)(f)). |
| IP address and user agent | Consent audit trail and fraud prevention. Retained for 7 years. Legal basis: Legal obligation (Art. 6(1)(c)). |
| Payment card data | Spend cap verification ($0 auth). Processed by Stripe - we do not store full card details. Legal basis: Contract (Art. 6(1)(b)). |
| Consent record | Full record of checkboxes, timestamps, and consent document version. Retained for account lifetime plus 7 years. Legal basis: Legal obligation (Art. 6(1)(c)). |
3. Data We Collect - Child Account
| Data Type | Purpose and Legal Basis |
|---|---|
| Age band (e.g. 4-7, 8-12) | Age-appropriate content delivery. DOB is NOT stored. Legal basis: Contract (Art. 6(1)(b)). |
| Username (chosen by child) | In-platform identity. Not a real name. Legal basis: Contract (Art. 6(1)(b)). |
| Avatar configuration | Platform personalisation. Legal basis: Contract (Art. 6(1)(b)). |
| World save data | Preserving the child's created content. Legal basis: Contract (Art. 6(1)(b)). |
| Session data (duration, feature usage) | Platform improvement - aggregate and anonymised. Retained for 90 days maximum. Legal basis: Legitimate interests (Art. 6(1)(f)). |
| Preset message log (message IDs only) | Parent dashboard visibility and safety audit. Retained 30 days. Legal basis: Legitimate interests (Art. 6(1)(f)). |
| Currency balance | In-platform economy. Legal basis: Contract (Art. 6(1)(b)). |
4. Data We Do Not Collect
- Child's real name
- Child's email address or phone number
- Child's photograph or any biometric data
- Child's precise geolocation
- Free-text messages (preset message IDs only are logged)
- Behavioural or interest profiles for advertising purposes
- Any data for the purpose of targeted advertising - ever
5. How We Use Your Data
- Create and maintain your account and your child's account
- Deliver the Klaebo platform and its features
- Comply with our legal obligations under COPPA, UK GDPR, EU GDPR, and other applicable laws
- Maintain a verifiable consent audit trail
- Detect and prevent fraud and abuse
- Improve the platform using anonymised and aggregated data
- Send you transactional communications (consent confirmation, spend alerts, policy updates)
6. Who We Share Data With
We do not sell your data or your child's data. We do not share data with advertisers. We share limited data only with:
| Recipient | Purpose and Safeguards |
|---|---|
| Google (OAuth) | Authentication only. Governed by Google's Privacy Policy and standard contractual clauses. |
| Stripe | Payment card verification ($0 auth). PCI DSS compliant. We receive only a token - no raw card data stored. |
| Cloud infrastructure provider | Hosting and data storage (EU/UK region). Standard contractual clauses in place. |
| Transactional email provider | Sending verification and consent emails to parent. Data processing agreement in place. |
| Regulatory authorities | Where legally required - e.g. response to lawful court order or regulatory investigation. |
7. International Data Transfers
We are based in the United Kingdom. If data is transferred outside the UK or European Economic Area, we ensure adequate protection is in place through one of the following: UK International Data Transfer Agreement (IDTA), EU Standard Contractual Clauses (SCCs), or adequacy decisions. A record of our transfer mechanisms is available on request at support@o-zone.io.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Parental consent record and audit trail | Account lifetime + 7 years post-deletion (legal requirement) |
| Parent account data | Account lifetime + 30 days post-deletion |
| Child profile, worlds, avatar, currency | Deleted within 30 days of account deletion request |
| Session and behavioural data | Maximum 90 days, then auto-purged |
| Preset message log | 30 days, then auto-purged |
| Payment verification token (Stripe) | Until account deletion or card replacement |
9. Your Rights
Under UK GDPR, EU GDPR, and applicable international laws, you (as parent/guardian) have the following rights in respect of both your own data and your child's data:
| Right | How to Exercise |
|---|---|
| Access (Subject Access Request) | Request a full export of all data held. Email: support@o-zone.io. Fulfilled within 30 days (UK/EU) or as required by local law. |
| Rectification | Correct inaccurate data by emailing support@o-zone.io. |
| Erasure ("right to be forgotten") | Request deletion of your child's account and all associated data by emailing support@o-zone.io. Hard delete within 30 days. Consent records retained 7 years. |
| Restriction of processing | Request that we restrict processing of specific data in defined circumstances. Email: support@o-zone.io. |
| Data portability | Receive your data in a structured, machine-readable format (JSON or CSV). Available by emailing support@o-zone.io. |
| Object to processing | Object to processing based on legitimate interests. Email: support@o-zone.io. |
| Withdraw consent | Withdraw parental consent at any time by emailing support@o-zone.io. Withdrawal does not affect the lawfulness of prior processing. |
| Lodge a complaint | UK users: UK Information Commissioner's Office (ico.org.uk). EU users: your local supervisory authority. |
10. Security
- TLS encryption for all data in transit
- Encryption at rest for all personal data
- Append-only audit log table - no deletion or modification possible by application
- Role-based access controls - staff access to personal data is logged and restricted to minimum necessary
- Regular security assessments and penetration testing
- Data breach notification procedures - we will notify you and relevant regulators within 72 hours of becoming aware of a breach that poses a risk to your rights
11. Children's Privacy Addendum
This section specifically addresses how we handle personal data for child users and fulfils our obligations under COPPA (USA), UK GDPR-K, EU GDPR Article 8, South Korea PIPA, China PIPL Children's Measures, India DPDPA, and other applicable children's data protection laws.
11.1 Parental Consent - Our Approach
- Child date-of-birth entry (age band calculated server-side - DOB not stored)
- Parent/guardian Google Sign-In (verified email, adult account signal)
- Guardian declaration checkbox with typed name signature
- Individual timestamped consent checkboxes for each data processing purpose
- Optional: payment card verification for spend-enabled accounts (strongest adult signal)
This combination satisfies the "reasonable efforts" standard under COPPA, the verifiable consent requirement under UK GDPR Article 8, and equivalent standards in the jurisdictions listed above.
11.2 Data Minimisation for Child Users
We apply strict data minimisation to all child account data. We collect only what is operationally necessary. We do not collect real names, email addresses, photographs, biometric data, or precise location data from child users under any circumstances.
11.3 No Advertising or Profiling of Children
We do not use child data for advertising purposes. We do not create behavioural profiles of child users. We do not share child data with any advertising platform, data broker, or third party for commercial purposes. This commitment is unconditional and not subject to parental opt-in or opt-out.
11.4 Communication Safety
Child users can only communicate using our library of 50 pre-approved preset messages. No free-text input, voice, or video communication is available to child users. Preset message IDs (not content) are logged for 30 days for parent visibility and safety purposes.
11.5 Parental Rights Under COPPA
- Review all personal information we have collected about your child - by emailing support@o-zone.io
- Request deletion of your child's personal information at any time
- Withdraw consent for future collection or use of your child's personal information
- Refuse to permit further collection or use of your child's data while retaining the right to retain an account
To exercise any of these rights, contact support@o-zone.io. We will respond within 30 days.
11.6 Jurisdiction-Specific Notices
| USA (COPPA) | We comply with COPPA and the FTC's 2025 Rule amendments. Verifiable parental consent is obtained before any data collection. Parents may review, correct, or delete child data at any time. |
| UK (AADC / UK GDPR) | We comply with the ICO's Age Appropriate Design Code. Privacy settings are set to the most protective level by default. We do not use nudge techniques, dark patterns, or re-engagement mechanics targeting children. |
| EU (GDPR Art. 8) | We obtain parental consent for child users below the age of digital consent applicable in their EU member state (13-16 depending on country). |
| South Korea (PIPA) | Parental consent required for users under 14. Age-appropriate privacy notices provided. |
| India (DPDPA 2023) | Parental consent required for all users under 18. We apply this standard to all Indian users on our platform. |
| China (PIPL / Children's Measures) | Parental consent required for users under 14. Parent notice requirements met. Encryption and access controls applied to children's data as required. |
| Qatar (PDPL) | Data minimisation and consent principles applied. Parent consent required as per our global standard. |
| Vietnam | Dual consent (child + parent) sought for users aged 7 and above, in line with Decree No. 13/2023. |
| Australia | We apply OAIC guidelines on children's privacy and will update our practices as the Online Safety Act is further implemented. |
12. Changes to This Privacy Policy
We will notify parent account holders by email at least 30 days before any material changes to this Privacy Policy take effect. Where changes affect the legal basis for processing your child's data, we will seek fresh consent where required. The consent document version number is stored on your account and updated whenever you re-consent.
13. Contact and Complaints
Privacy enquiries: support@o-zone.io
Data deletion requests: support@o-zone.io - Subject line: "Account Deletion Request"
Post: Data Privacy Team, O-Zone Technologies Ltd, [ADDRESS], United Kingdom
If you are not satisfied with our response, you have the right to lodge a complaint with:
- UK users: Information Commissioner's Office - ico.org.uk - 0303 123 1113
- EU users: Your local EU data protection supervisory authority
- US users: Federal Trade Commission - ftc.gov/complaint