Privacy Policy
Effective Date: [LAUNCH DATE] Last Updated: [LAUNCH DATE]
Vibbber Tech FCZO (“Vibbber Tech,” “we,” “us,” or “our”) operates the Kung Fu Family platform, including the application at app.kungfu.family and the website at kungfu.family (collectively, the “Service”). This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our Service.
By creating an account and accepting this Privacy Policy during onboarding, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address
- Name or display name
- Authentication credentials (via Google OAuth — we do not store your Google password)
1.2 Child Profile Data
When you create a child profile, we collect information you provide about your child, including:
- Nickname or initials (we encourage pseudonyms rather than real names)
- Age
- Temperament characteristics
- Behavioral strengths and challenges
- Specific situations or concerns you describe
Important: Child profile data is provided by you (the parent or legal guardian), not by the child. The Service is restricted to users aged 18 and older. Children do not interact with or provide data to the Service directly.
1.3 Conversation and Interaction Data
When you use the Parenting Companion, we collect:
- Questions and situations you describe
- Strategies and guidance delivered to you
- Your feedback on whether strategies worked, partially worked, or did not work
- Timestamps of interactions
1.4 Community Data
When you participate in the Parent Community, we collect:
- Posts, comments, and replies you create
- Reactions and interactions with other users’ content
1.5 Usage and Technical Data
We automatically collect:
- Device type and operating system
- Browser type and version
- IP address
- Pages visited and features used
- Session duration and frequency
- Referring URLs
- Cookies and similar identifiers (see our Cookie Policy)
2. How We Use Your Information
2.1 Providing the Service
- Delivering personalized parenting strategies matched to your child’s profile
- Learning and adapting recommendations based on your feedback
- Displaying your posts in the Parent Community
- Authenticating your account
Legal basis (GDPR): Performance of our contract with you.
2.2 Third-Party AI Processing of Child Data
To provide personalized guidance, your child’s profile data and your conversation content are sent to third-party AI service providers for processing. These providers generate responses in real-time and do not retain your data for their own model training (see Sub-Processors for details and our zero-retention configuration).
This processing requires your separate, explicit consent, which is requested during onboarding independently from your acceptance of these Terms. You may withdraw this consent at any time by contacting privacy@vibbber.com, though this will limit the Service’s ability to provide personalized guidance.
Legal basis (GDPR): Explicit consent.
2.3 Improving the Service
- Training and improving our recommendation system using anonymized, aggregated data (see Section 5)
- Analyzing usage patterns to improve features and user experience
- Identifying and fixing technical issues
Legal basis (GDPR): Legitimate interests (improving the Service), balanced against your rights. You may opt out via cookie settings or Global Privacy Control (see Section 8).
2.4 Communication
- Sending service-related notifications (account changes, security alerts, material policy changes)
- Responding to your support requests
Legal basis (GDPR): Performance of our contract with you (service notices); consent (marketing, if any).
2.5 Safety
- Detecting and preventing abuse, fraud, or violations of our Terms of Service
- Enforcing our Community Guidelines
Legal basis (GDPR): Legitimate interests (safety and security).
3. How We Share Your Information
3.1 Third-Party AI Service Providers
To provide personalized guidance, your child profile data and conversation data are processed by third-party artificial intelligence service providers. This means the information you share about your child and your parenting situations is sent to external AI systems for processing.
All AI processing is performed via API with zero data retention enabled. Your data is processed in real-time to generate the immediate response and is not stored by these providers for model training or any other purpose.
A current list of our AI and infrastructure sub-processors is maintained at Sub-Processors.
3.2 Infrastructure Providers
We use third-party services for hosting, authentication, database storage, and analytics. These providers process your data on our behalf under data processing agreements.
3.3 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request.
3.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email before your data is transferred and becomes subject to a different privacy policy.
3.5 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information or your child’s profile data to third parties for their marketing purposes.
4. Children’s Privacy
4.1 Age Restriction
The Service is available only to individuals aged 18 and older. We do not knowingly allow anyone under 18 to create an account. If we discover that an account has been created by someone under 18, we will terminate the account and delete all associated data.
4.2 Data About Children
The Service collects information about children as provided by their parents or legal guardians. This data is used solely to personalize parenting guidance for the account holder.
We encourage parents to use nicknames or initials rather than children’s real names when creating child profiles.
4.3 COPPA Compliance (United States)
Because the Service is restricted to users aged 18 and older and does not collect information directly from children, the Children’s Online Privacy Protection Act (COPPA) does not apply to the Service as a “service directed at children.” However, we voluntarily apply COPPA-level protections to all child profile data, including:
- Obtaining separate consent before child profile data is processed by third-party AI services (see Section 2.2)
- Providing full access, correction, and deletion rights for all child data (see Section 4.4)
- Not retaining child profile data longer than necessary (see Section 5.3)
- Maintaining a written security program for child data (see Section 7)
4.4 Parental Rights
As the account holder, you may at any time:
- View all child profile data you have provided
- Edit or update any child profile
- Delete any child profile and all associated data
- Delete your entire account and all associated data (see Section 5)
5. Data Retention and Deletion
5.1 Active Accounts
We retain your data for as long as your account is active and as needed to provide the Service.
5.2 Retention Schedule
| Data Type | Retention Period |
|---|---|
| Account information | Duration of active account |
| Child profiles | Duration of active account |
| Conversation history | 24 months from creation, then automatically anonymized |
| Feedback records | Duration of active account |
| Community posts | Duration of active account |
| Payment/transaction records | 7 years after transaction (legal/tax requirements) |
| Usage and technical data | 26 months |
5.3 Account Deletion
When you delete your account:
- Permanently deleted within 30 days of your request: Your account information, child profiles, conversation history, community posts, feedback records, and all data that could identify you or your child. A 7-day grace period is included within this window, during which you may cancel the deletion by logging back in.
- Retained (anonymized): Aggregated, anonymized usage data that cannot be linked back to any individual. This includes anonymized records such as temperament category, age range, strategy identifier, and outcome rating — stripped of all identifying information including user ID, child nickname, free-text fields, and specific timestamps. This anonymized data is used solely to improve our recommendation system for all users.
5.4 Anonymization Standard
Our anonymization process removes all data that could reasonably be used to re-identify an individual, either directly or in combination with other data. Anonymized data is no longer considered personal data and is not subject to deletion requests.
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
6.1 All Users
- Access: Request a copy of the data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data (see Section 5)
- Portability: Request your data in a portable format
6.2 European Economic Area, UK, and Switzerland (GDPR)
In addition to the rights above:
- Restrict processing: Request that we limit how we use your data
- Object to processing: Object to our processing of your data, including for direct marketing
- Withdraw consent: Where processing is based on consent (including consent for third-party AI processing of child data), withdraw that consent at any time
- Lodge a complaint: File a complaint with your local data protection authority
6.3 California (CCPA/CPRA)
California residents have the right to:
- Know what personal information is collected, used, and shared
- Delete personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Non-discrimination for exercising your rights
6.4 Exercising Your Rights
To exercise any of these rights, contact us at privacy@vibbber.com. We will respond within 30 days.
7. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest
- Access controls limiting who can access personal data
- Regular review of our security practices
- A written security program for child profile data, including documented procedures for data handling, access control, and incident response
No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
8. Global Privacy Control and Do Not Track
8.1 Global Privacy Control (GPC)
We honor Global Privacy Control signals. When we detect a GPC signal (Sec-GPC: 1 header or navigator.globalPrivacyControl), we treat it as a valid opt-out request for the sale or sharing of personal information, as required by applicable state privacy laws. We disable all non-essential cookies and tracking for that session.
8.2 Do Not Track (DNT)
Some browsers send a “Do Not Track” signal. When we detect a DNT signal, we disable non-essential cookies for that session, equivalent to selecting “Essential only” in our cookie consent.
9. Data Breach Notification
In the event of a data breach that affects your personal information:
- Notification to you: We will notify affected users without undue delay, and in any case within the timeframe required by applicable law (72 hours to relevant authorities under GDPR; 30 days to affected individuals under applicable US state laws).
- Notification content: The nature of the breach, the categories of data affected, the likely consequences, the measures we have taken or propose to take, and how to contact us for more information.
- Child data breaches: Any breach involving child profile data will be treated as high-risk by default, triggering individual notification regardless of technical severity assessment.
- Regulatory notification: We will notify relevant data protection authorities as required by applicable law, including within 72 hours under GDPR (Article 33).
10. International Data Transfers
Vibbber Tech FCZO is based in Dubai, United Arab Emirates. Your data may be transferred to and processed in countries other than your own, including the UAE and countries where our sub-processors operate (see Sub-Processors).
Where data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place, including standard contractual clauses or equivalent measures recognized by applicable data protection laws.
11. Changes to This Policy
We may update this Privacy Policy from time to time.
- Minor changes (clarifications, formatting, non-substantive updates): We will post the updated policy and update the “Last Updated” date.
- Material changes (changes to how we collect, use, or share your data; changes affecting child profile data processing; new categories of data collection): We will notify you via email at least 30 days before the changes take effect. Where material changes affect the processing of child data, we may request renewed consent.
Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy. If you do not agree with material changes, you may delete your account before they take effect.
12. Contact Us
For privacy-related questions, requests, or complaints:
Email: privacy@vibbber.com
Entity: Vibbber Tech FCZO Floor 04, Sheikh Rashid Tower Dubai World Trade Center Dubai, United Arab Emirates