Privacy Notice

1. Who processes the data

Data controller / operator: ROCKIDS COMPANY, 919 North Market Street, Suite 950, Wilmington, DE 19801, USA.

For privacy questions, support requests, consent withdrawal, deletion requests, or other data-related inquiries, contact support@rockids.school.

2. What data we collect

• Adult contact data: the parent’s, legal guardian’s, or other authorized adult’s email address and related records needed for support, consent tracking, and service communications.
• Child intake and screening data: questionnaire answers, age, sex if shown in the interface, home language, family or educational context fields shown in the screening flow, and related screening inputs.
• Device, browser, and local device storage data: user agent, user agent data, screen characteristics, language, camera technical parameters, stable device and participant identifiers, and limited data stored in the browser on the device used for the service to support session continuity and repeated use on the same device.
• Screening-session telemetry and derived features: timestamps, touch events, normalized interaction coordinates, pre-session / qualification results, FaceMesh / landmark point samples, quality flags, derived features, and related session metadata.
• Service, diagnostic, and security data: access logs, error logs, support records, security logs, and related service diagnostics.

In the current standard configuration, we do not store the full raw video stream or raw audio recording by default. We do store raw session telemetry payloads, related session summaries, and linked screening artifacts described in this Notice.

3. How we use the data

• To provide the screening service: run the screening flow, process the session, calculate the screening result, and send the result to the submitted email address.
• To operate, secure, and support the service: handle support requests, maintain service reliability, investigate errors, prevent abuse, and protect the integrity and security of the platform.
• To provide follow-up functionality where enabled: if a given version of the service enables reminder functionality, we may send service reminders about repeat screening. For children aged 2 to 5 at the latest screening, this may include a reminder approximately every 6 months because screening relevance may change over time.
• To validate, adapt, retrain, and improve models and the screening pipeline: in the current service design, questionnaire data, screening results, raw session telemetry, face-derived point samples, derived features, and related child-session data may be used to validate, test, calibrate, adapt, retrain, monitor, and improve the service’s models and pipeline.
• To send optional materials and product updates: helpful materials, news, and optional product updates are sent only if you separately choose the optional email opt-in where required by law.

Reminder emails, where enabled, are treated as part of the requested follow-up service rather than a separate marketing list. You may still ask us to stop future reminder emails by contacting support@rockids.school.

4. How we do not use face-derived data

5. Legal bases and regional notes

The service is intended primarily for the United States and may be used only by a parent, legal guardian, or another authorized adult acting for a child.

• Screening, result delivery, and related service operations are based on the consent and/or requested-service basis reflected in the intake flow, depending on applicable law.
• Security, support, abuse prevention, and service integrity are based on legitimate interests, equivalent statutory bases, or another basis allowed by applicable law.
• Optional materials and product updates are based on a separate optional email opt-in where required by law.
• Model validation, adaptation, retraining, and improvement are, in the current service design, included in the mandatory screening/service consent described in the intake flow, subject to applicable law.

For child-directed or under-13 use cases in the United States, parent/guardian notice and consent requirements may apply, and we may use additional parent-verification steps in current or future flows.

If EEA / UK law applies to a particular processing activity, additional transparency, rights, and consent rules may also apply. This version of the service is not intended for persons located in Illinois, Texas, Washington, or Russia.

6. Where data is stored and which providers may be involved

The primary service infrastructure is located in Europe. The current primary cloud region is Google Cloud europe-west3 (Frankfurt, Germany). In the current production configuration, this region hosts at least the primary Cloud SQL instance and the primary Cloud Storage bucket used for the service.

Main processors / infrastructure providers may include:

• Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland — cloud hosting, database, storage, secret management, logging, monitoring, and related Google Cloud infrastructure.
• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland — Google Workspace, email, and collaboration tools, where relevant communications and support workflows are handled through Google.
• Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA — related Google group services, global technical support, and other Google operations required under Google’s terms.
• Public CDN providers used to deliver client-side library assets to the browser where enabled.

If a specific operation requires a transfer outside the EEA / UK or another jurisdiction, that transfer will be carried out only when there is an applicable legal mechanism and only to the extent reasonably necessary for the service.

7. How long we keep data

We aim not to keep identifiable data longer than needed for screening, follow-up, support, safety, model improvement, and protection of the company’s rights. The periods below are target operational retention periods. Some deletion requests are currently handled manually through support/privacy workflows.

• Email, intake data, screening results, reminder records, and related participant records — until consent withdrawal, opt-out, deletion request, or no longer than 36 months after the latest screening, unless a longer period is required by law, a dispute, or protection of rights.
• Raw / linked telemetry, raw session payloads, camera-derived telemetry, face-derived samples, and related session data — up to 24 months from collection.
• Pseudonymized derived datasets, internal validation datasets, QA datasets, and model-improvement datasets — up to 5 years from collection, unless a longer period is required by law or to protect rights.
• Access logs and security logs — up to 90 days, unless a longer period is needed for incident investigation, abuse prevention, or protection of rights.
• Consent records, opt-in records, opt-out records, and privacy-request records — up to 5 years after the relevant action or closure of the request.
• Aggregated statistics, irreversibly anonymized statistics, research outputs, and model artifacts may be stored longer if they no longer relate to an identifiable person.

8. Your choices and rights

Depending on applicable law, you may have the right to request access, correction, deletion, restriction, objection to certain processing, withdrawal of consent where consent is the basis, and a complaint to the applicable supervisory authority.

You may also ask us to stop future reminder emails and withdraw the optional email-updates opt-in at any time.

To exercise these rights or make any related request, contact support@rockids.school. We may request additional information reasonably needed to verify the requester’s identity and authority to act for the child.

9. What the intake checkboxes mean

• The required privacy/service checkbox confirms that you have read this Notice and agree to the processing described here, including intake data, email use, result delivery, service messages, future reminder emails where enabled, device and browser data, local browser storage data, raw session telemetry, face-derived point samples, derived features, and the use of relevant session data for model validation, adaptation, retraining, and improvement as described in this Notice.
• The separate required parental-authority checkbox confirms that you are the parent, legal guardian, or another adult authorized to provide the child’s data and consent for use of the service.
• The separate optional email-updates checkbox allows us to send helpful materials and product updates by email. It is not required to use the screening service.

10. Automated processing

The service uses automated processing of screening-session data, telemetry, and derived features to generate a screening result, quality flags, and related operational outputs.

This processing is not intended to provide a medical diagnosis, does not make legally significant decisions about identity, and is used as part of a wellness / educational screening service.

11. Authority of the person providing the child’s data

By using the service and submitting a child’s data, you confirm that you have sufficient authority to act for the child and to provide the relevant consents under applicable law.

If we have reasonable grounds to believe that such authority is missing or invalid, we may suspend access, limit processing, request additional confirmation, or delete relevant data if required by law or reasonably necessary to protect the child, the family, or the company.

12. Changes to this Notice

We may update this Notice from time to time. The new version takes effect from the publication date shown at the top of the document unless the new version states otherwise.

If applicable law requires additional notice, a new consent step, or a change to the consent flow before a new type of processing begins, those steps will be taken before that new processing starts.