Compliance

Kupola GDPR & COPPA Compliance

Last Updated: March 27, 2026

Kupola (“Kupola,” “we,” “us,” or “our”) is committed to protecting the privacy of parents, guardians, and children who use our services. This page explains how Kupola approaches compliance with the General Data Protection Regulation (GDPR) and the Children’s Online Privacy Protection Act (COPPA), and how parents can understand and manage child-related data in the Service.

This page should be read together with our Privacy Policy, Cookies Policy, and Data Retention & Deletion Policy.

1. Our Approach

Kupola is designed to be set up and managed by a parent or legal guardian. We do not permit a child to independently create a parent account.

Our approach is based on the following principles:

  • giving parents clear information about what data is collected and why;
  • requesting parent agreement during setup before child-related features are enabled;
  • limiting data use to the operation of family safety, parental control, and related service features;
  • providing parents with control over child profiles, connected devices, and enabled features;
  • deleting account-linked data when account deletion is completed, subject only to limited third-party retention outside Kupola, such as payment processor records under their own policies.

2. GDPR Compliance

Where the GDPR or similar laws apply, Kupola seeks to process personal data in line with core data protection principles, including transparency, purpose limitation, data minimization, storage limitation, integrity, confidentiality, and accountability.

A. Transparency

During setup, Kupola displays information about the categories of data collected and the reasons those data are used before parent agreement is requested.

Our Privacy Policy explains in more detail:

  • what information we collect;
  • how we use it;
  • how long we keep it;
  • how account deletion works; and
  • how parents can contact us with questions or requests.

Kupola’s web properties may also use analytics, advertising, and measurement technologies, including Google services, to understand website usage and campaign performance. Where required by applicable law, Kupola should provide appropriate choice or consent mechanisms before using non-essential cookies or similar technologies on web properties.

B. Legal Bases

Depending on the circumstances, Kupola may rely on one or more legal bases permitted under applicable law, such as:

  • performance of a contract, to provide the Service requested by the user;
  • consent, where required;
  • legitimate interests, where appropriate and not overridden by applicable rights;
  • legal obligation; or
  • vital interests, where applicable in urgent safety-related situations.

C. Children’s Data Under GDPR

Because Kupola is intended to be set up by a parent or legal guardian, child-related features are designed to be enabled through parent-managed setup and parent agreement.

D. Data Minimization and Storage Limitation

Kupola aims to collect and use only the data needed to provide the selected family safety and parental control features.

Kupola’s retention rules are described in our Data Retention & Deletion Policy. In summary:

  • parent and child profile data are retained until an account deletion request is made;
  • feature-related data is retained for 30 days;
  • support, billing, and account-related records stored by Kupola are retained only while the account remains active;
  • once deletion is completed, Kupola does not retain account-linked data.

3. COPPA Compliance

Kupola is designed for parent-managed setup. A parent or legal guardian sets up the account, connects a child device, and chooses which features to enable.

A. Notice During Setup

During setup, Kupola displays information about what data may be collected and the reasons it is used before child-related setup is completed.

B. Parent Agreement and Consent

Kupola requests parent agreement during setup before enabling child-related features.

Where required by applicable law, Kupola relies on parental authorization or parental consent before collecting or processing a child’s personal information in connection with the Service.

C. Parent Rights

Subject to applicable law and verification, a parent or legal guardian may:

  • review the child information associated with the family account;
  • request correction of certain information;
  • request deletion of account-linked information;
  • disconnect a child profile or device;
  • change settings, permissions, and enabled features.

4. UK Children’s Code Considerations

If Kupola is likely to be accessed by children in the UK, the UK Age Appropriate Design Code may be relevant.

Kupola’s parent-managed model is intended to support child privacy by:

  • placing account control with the parent or legal guardian;
  • limiting child-related setup to parent-managed flows;
  • explaining data use during setup;
  • allowing account deletion requests through the app; and
  • deleting account-linked data when deletion is completed.

5. What Data May Be Involved

Depending on the features enabled by the parent, child-related or family-account data may include:

  • child profile information;
  • device and technical information;
  • current or recent location information;
  • location history;
  • geofence, check-in, checkout, and no-show events;
  • SOS-related information;
  • app and website control events;
  • screen time, schedule, and daily limit activity;
  • installed app review information;
  • task or challenge activity;
  • low-battery alerts;
  • support and communication records connected to the account.

These data categories are described in more detail in our Privacy Policy.

6. Data Retention and Deletion

Kupola’s retention and deletion approach is as follows:

  • Parent and child profile data are kept until an account deletion request is submitted.
  • Feature data is kept for 30 days.
  • Support, billing, and account-related records stored by Kupola are kept only while the account remains active.
  • After a deletion request is submitted, a 7-day grace period begins.
  • During that grace period, the account remains accessible and the Service continues to function normally.
  • The deletion request may be canceled during the grace period.
  • If not canceled, the account and linked data are permanently deleted on the 7th day.
  • Kupola maintains internal backups for up to 7 days for internal operational purposes, but deleted accounts are not recoverable for customer use.
  • Kupola does not retain account-linked data after deletion is completed.
  • Payment processors or platform providers may retain certain records under their own legal or operational requirements and policies.

7. International Users

Privacy rights and child-data rules may vary by jurisdiction.

Kupola’s legal pages are intended to provide a general explanation of our practices, but local requirements may vary.

8. Contact Us

If you have questions about this page or want to submit a privacy-related request, please contact us at:

Email: help@kupola.app