Privacy Policy

General Data Protection Policy

This Privacy Policy describes how KidsLoop Group and websites owned by KidsLoop Group (collectively “KidsLoop Group”) collect and process personal data and/or information (“personal data”) through KidsLoop websites, devices, products, services, online and physical stores, and applications (“KidsLoop Services”) that reference this Privacy Policy. By using KidsLoop Services, you are consenting to the practices described in this Privacy Policy. KidsLoop Group strictly complies with all provisions of GDPR and relevant regulations as described in this Privacy Policy.

For the purpose of data protection of its subjects (“Data Subject”) (members of KidsLoop Group), KidsLoop Group records processing activities (Article 30 of General Data Protection Regulation (“GDPR”), articles hereinafter are reference to GDPR unless otherwise specified), designates a Data Protection Officer (DPO) to operate its business in accordance with GDPR (Article 37), implements Data Protection Impact Assessment (DPIA) under the supervision of the DPO and trains its employees for data protection (Article 39).

KidsLoop Group formulates legal framework to process personal data including sensitive information (Articles 6 and 9) and has the explicit consent to the data processing from a data subject (Article 7). It also has the consent of the holder of parental responsibility over a child for the child’s data processing, in which case it makes reasonable efforts to verify if such consent is given or authorized by the lawful person, taking into consideration available technology (Article 8). Additionally, in case of overseas transfer of the data, the company concludes a contract under standard contractual clauses adopted by a supervisory authority and approved by the Commission (Article 46.2 (c)), and has the explicit consent of a data subject (Article 49).

KidsLoop Group allows a data subject to exercise his or her rights guaranteed by GDPR as follows: the right to consent (Article 7), the right to receipt of his or her data (Articles 13 and 14), the right to access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), the right to object (Article 21) and the right to automated individual decision-making including profiling (Article 22).

The company is in compliance with the obligations of data protection by design and by default (Article 25) and implements technical and operational measures reasonably necessary to prevent the data from leakage and breach (Article 32). It notifies a personal data breach to the supervisory authority within 72 hours after having become aware of it (Article 33) and communicates a personal data breach to a data subject without undue delay if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34).  

About Privacy Notice

KidsLoop Group notifies a data subject of the Privacy Notice within the reasonable period not later than one month in order to explain the methods and procedures of processing his or her data including his or her certain data if it collects such personal data from the data subject or any third party discloses such personal data.

KidsLoop Group notifies Data Subject of this Privacy Notice as follows:

This Privacy Policy explains our practices, including your choices, regarding the collection, use, and disclosure of certain information, including your personal data, by the KidsLoop Group (www.badanamu.co.kr and www.kidsloop.net).

Contacting Us

If you have general questions about your account or how to contact customer service for assistance, have questions specifically about this Privacy Policy, or use of your personal data, cookies or similar technologies, you can contact our Data Protection Officer, Ethan, HeeSeob Jeong by email at calm_privacy@calmid.com.

The data controller of personal data is KidsLoop Group. If you contact us for assistance, for your safety and ours, we may need to authenticate your identity before fulfilling the request.

Collection of Personal Data

We receive and store your personal data based on the principles of GDPR (i.e. Article 5) and relevant regulations such as:

•  Personal Data provided by you: We collect personal data you provide to us which includes:

– Name, email, gender, birth date, ID, telephone number, nationality, language, Connection Information (CI), Duplication Information (DI), payment method(s), etc. (For minors, information of their legal representative (name, date of birth, CI, DI, etc. of the legal representative)) for Internet membership service

– Member name, address, age, registered organization, and email, Detail of subscription and KidsLoop Group content use (content classification (books, applications and videos), content titles, time of using the content by hour, day and month, Detail of taking class (class classification, class titles, schedule, achievement and member evaluation) for Analysis of how members use the content & service suggestion

– Pictures, audio and videos for Application service

– Name, telephone number for Service of providing learners with development history and analytic results according to the Learning Lab use

• Personal Data collected while you are using the services: Besides the personal data directly provided by you, the KidsLoop Group can collect personal data while you are using the KidsLoop Group’s KidsLoop Group services.

– Equipment information such as Records on the use of and access to KidsLoop Group services, verification records, access IP information, unique number for equipment identification (example, equipment ID), OS information (country, language), application version, etc.

– Log information such as IP address, log data, use time, search words input by you, internet protocol address, cookies and web beacons, etc.

– Other personal data such as Preference, visited pages, etc. regarding your KidsLoop Group service use, time of playing videos and audios, time of using activities, information on the read pages, quiz results, places where a photo is taken, date of creating files, etc. for Application services, unique ID for each sentence and word, record time for Bada Pen Service

• Personal Data provided by Partners: KidsLoop Group receives personal data from the other companies with which you have made a contract (hereinafter referred to as the “Partners”). The Partners include offline class companies furnishing the Learning Lab services, such as Learning Park, Kindergarten Solution, etc. The information that the Partners provide for the KidsLoop Group can differ depending on the nature of the Partners’ services and include as follows:

– Name and birth date of learners (children)

– Name and phone number of their legal representative

– Pictures of Learners(children) for Social Feed Service

• Personal Data from other sources: KidsLoop Group also obtain personal data from other sources. The KidsLoop Group protects this personal data according to the practices described in this Privacy Policy, plus any additional restrictions imposed by the source of the data. These sources vary over time, but could include:

– payment service providers who provide us with payment information, or updates to that information, based on their relationship with you;

• Transfer of Personal Data (including overseas): KidsLoop Group also obtain personal data from you to transfer your data to third parties including companies and subsidiaries overseas. These personal data include:

– Name, age, gender, country, phone number, email (parents’ email for students), preferred language, date of registration, Connection Information (CI), Duplication Information (DI),

– Profile photo of teacher/student, video / audio (including a children’s voice, face and motion), class schedule, organization/school/class where children belong to, device information (type of device / udid / OS information), legal representative’s information in case of a minor (the name, birth date, CI, DI, etc. of a legal representative) and log information.

Method of Collection

KidsLoop Group collects your personal data in the following manner based on GDPR (Article 6(1)(a)) and relevant regulations:

• Collection through websites, applications and mobile devices with your prior consent

Use of Personal Data

We use personal data to provide, analyze, administer, enhance and personalize our KidsLoop Group services and marketing efforts, to process your registration, your orders and your payments, and to communicate with you on these and other topics. For example, we use personal data based on the principles of GDPR (i.e. Article 5) and relevant regulations to:

• To detect and prevent unauthorized or fraudulent use of or abuse of the KidsLoop Group services such as member management, identification, etc.;
• To perform contractual obligations and facilitate the payment and settlement of KidsLoop Group service fees in relation to the services demanded by you;
• To improve the existing services and develop new services;
• To notify a change, if any, in the Policy or functions of the KidsLoop Group’s website or applications;
• To use your personal data with your prior consent (for example, utilization of marketing advertisement, etc.);
• To allow you to search, be notified of and automatically register, your friends whose contact information is saved on your mobile phone, or to search and be notified of other users you might know;
• To make statistics on the KidsLoop Group service use of yours, to provide KidsLoop Group services and place advertisements based on the statistical properties;
• To provide personal data on promotional events and opportunities to participate therein; or
• To comply with applicable law or legal obligations

Disclosure of Personal Data

We disclose your personal data for certain purposes and to third parties based on the principles of GDPR (i.e. Article 5) and relevant regulations, as described below:

• Service Providers: We use/employ other companies, agents or contractors (“Service Providers”) to perform services on our behalf or to assist us with the provision of services to you. For example, we engage Service Providers to provide marketing, advertising, communications, infrastructure and IT services, to personalize and optimize our service, to process credit card transactions or other payment methods, to provide customer service, to collect debts, to analyze and enhance data (including data about users’ interactions with our service), and to process and administer consumer surveys. In the course of providing such services, these Service Providers may have access to your personal or other data. We do not authorize them to use or disclose your personal data except in connection with providing their services.
• Partners: You may have a relationship/transaction with one or more of our Partners, in which case we may share certain data with them in order to coordinate with them on providing the service to you and providing personal data about the availability of the service. For example, depending on what Partner services you use, we may share personal data:

– in order to facilitate Partner collection of payment for the KidsLoop Group service for distribution to us;

– with Partners who operate voice assistant platforms that allow you to interact with our service using voice commands;

– so that content and features available in the KidsLoop Group service can be suggested to you in the Partner’s user interface. For you, these suggestions are part of the KidsLoop Group service and may include customized and personalized viewing recommendations;

– such as pictures from Learner (Children) that Partners provided to Teacher and/or educational institutions for the Social Feed service;

– with Partners who distribute, promote and cooperate KidsLoop Services overseas.

• Promotional offers: We may offer joint promotions that, in order for your participation, will require us to share your personal data with third parties. In fulfilling these types of promotions, we may share your name and other personal data. In this case, these third parties are responsible for their own privacy practices.
• Protection of KidsLoop Group and others: KidsLoop Group and its Service Providers may disclose and otherwise use your personal data where we or they reasonably believe such disclosure is needed to (a) satisfy any applicable law, regulation, legal process, or governmental request, (b) enforce applicable terms of use, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address illegal or suspected illegal activities (including payment fraud), security or technical issues, or (d) protect against harm to the rights, property or safety of KidsLoop Group, its users or the public, as required or permitted by law.
• Business transfers: In connection with any reorganization, restructuring, merger or sale, or other transfer of assets, we will transfer information, including personal data, provided that the receiving party agrees to respect your personal data in a manner that is consistent with our Privacy Policy.

Whenever in the course of sharing personal data we transfer personal data to countries outside of the European Economic Area and other regions with comprehensive data protection laws, we will ensure that the personal data is transferred in accordance with this Privacy Policy and as permitted by the applicable laws on data protection. Personal data transferred (such as name and contact information) may be saved electronically on servers operated by our Service Providers for record keeping purposes and other purposes as set out in this Privacy Policy.

Disclosure of Personal Data

The personal data provided by you is the requirement for KidsLoop Group use contract between you and KidsLoop Group so that KidsLoop Group provides you with great services. You may be restricted to use KidsLoop Group’s KidsLoop Services unless you give consent to the collection of required personal data while you can use KidsLoop Services except the services which require the consent to the collection of the optional personal data if you refuse to give consent to the collection of such optional personal data.   

Disclosure of Personal Data for Legal Reasons

We will share personal data outside of KidsLoop Group if we have a good-faith belief that access, use, preservation or disclosure of the personal data is reasonably necessary to:

• Meet any applicable law, regulation, legal process or enforceable governmental request. We share personal data about the number and type of requests that we receive from governments.
• Enforce applicable Terms of Service, including investigation of potential violations.
• Detect, prevent or otherwise address fraud, security or technical issues.
• Protect against harm to the rights, property or safety of KidsLoop Group, our users or the public as required or permitted by law.

Overseas Transfer of Personal Data

KidsLoop Group may transfer your personal data to the companies/subsidiaries located in other countries or other companies for any purpose specified in this Privacy Policy. It will take reasonable measures to the companies/subsidiaries where the personal data is transmitted, retained or processed in order to protect the personal data. KidsLoop Group discloses your personal data in accordance with the documents including standard clauses of personal data protection approved or adopted by the recipient of personal data or European Committee (Article 46).

Rights of Data Subject

Data Subject or their legal representatives, as main agents of the personal data, can exercise the following rights regarding the collection, use and disclosure of personal data by KidsLoop Group:

• the right to consent of Data Subject (Article 7)
• the right to access by Data Subject (Article 15)
• the right to rectification (Article 16)
• the right to erasure (Article 17)
• the right to restriction of processing (Article 18)
• the right to data portability (Article 20)
• the right to object (Article 21)
• automated individual decision-making, including profiling (Article 22)
• to request the withdrawal of prior consent (Article 7(3))

Upon the request from Data Subject, KidsLoop Group takes actions as follows:

• To take actions for Data Subject’s request after asking proof of his or her ID (or his or her legal representative);
• To ask if Data Subject requires the personal data to be provided in writing or whether he or she will accept it in an electronic form;
• To have a standard process for the company to effectively inspect all relevant systems and to communicate with other departments;
• To notify Data Subject if there is no personal data that he or she has requested;
• To formulate reasonable criteria to determine whether to correct or disclose personal data if the personal data requested by Data Subject includes the personal data of other individuals; provided however, such data can be disclosed if the other individuals explicitly give the consent thereto. The company should consider the impact of such disclosure and the possible breach of others’ personal data if no explicit consent is available, in which case, it should document the justification of such disclosure;
• To take actions in accordance with the request of Data Subject in such a manner as he or she can understand, including the requirements under Article 15 of GDPR;
• To make no available the transfer system which can be traceable in case of providing Data Subject with the personal data he or she has requested. Such personal data should be disclosed in a safe electronic means if individually agreed upon with Data Subject; or
• To document the actions which have been taken for the request of Data Subject

Also, the Data Subject or their legal representatives have the right to file a complaint with a supervisory authority (Article 13(2), Article 14(2)(e)).

Security

KidsLoop Group takes the security of personal data seriously. It has the following security measures to prevent the unauthorized access to, or disclosure, use or change of the personal data (Article 32). 

• To encrypt personal data

– To transmit your personal data by an encrypted communication zone

– To keep encrypted essential information such as passwords

– Authentication security strategy: Authentication Sessions

– Hashing user password in the database

– SSL certificate managed with AWS Certificate Manager

• To formulate countermeasures against hacking

– To install a system in the zone to which the external access is strictly restricted so as to prevent your personal data from leakage or damage by hacking or computer viruses

• To establish and implement internal management plans

– To conduct regular internal audit (once a quarter) to safely process personal data

– To keep minimal the number of employees processing personal data and educate them

• To install and operate access control systems

– To take necessary actions to restrict the access to the personal data, such as the grant, change or termination of the right to access the data base system of personal data processing

– To keep the documents, storage devices, etc. which include personal data in a safe place with a lock

– To designate a physical place of storing personal data to restrict the access by unauthorized persons and to establish and operate such access control procedure

– Rest API Security with AWS: API Gateways

– DynamoDB user data security with AWS: Databases

• Take measures to prevent forgery or alteration of access records

Personal Data Breach Escalation and Checklist

It is specified in Articles 33 and 34 of GDPR that in case of a personal data breach, the controller should without undue delay notify the personal data breach to Data Subject and a supervisory authority. To this end, KidsLoop Group responds to personal data breach before and after the occurrence of an incidence in accordance with the following checklist:

• Monitoring for a data breach

– To know how to recognize a data breach;

– To have prepared a response plan for addressing any personal data breaches that occur;

– To have allocated responsibility for managing breaches to a dedicated person or team; and

– To train staff to knows how to escalate a security incident to the appropriate person or team in its organization to determine whether a breach has occurred

• Managing a data breach

– To have in place a process to assess the likely risk to individuals as a result of a breach;

– To have a process to notify the Information Commissioner’s Office (ICO) and/or relevant supervisory government authority (“Supervisory Authority”) of a breach within 72 hours of becoming aware of it;

– To have Breach Notification Form to be submitted to the Supervisory Authority if a data breach occurs;

– To have a process to inform affected individuals about a breach without undue delay;

– To know what information about a breach the company must provide to individuals, and to provide advice to help them protect themselves from its effects; and

– To document all breaches

• Notifying of a data breach

– To contact the relevant Supervisory Authority of a breach within 72 hours after having become aware of it;

– To directly contact the individuals affected by a breach if it is likely to result in a high risk to their rights and freedoms; and

– To have Breach Notification Form to the Supervisory Authority and Breach Notification Form to Data Subject

Personal Data of Children

In principle, KidsLoop Group does not collect any personal data of children under 13 or those of minimum age under relevant law (“Children”). However, if KidsLoop Group collects, from the Learning Lab or KidsLoop Services, any personal data of the Children for the Learning Lab or KidsLoop Service use, it will comply with the following procedure for the protection of Children’s personal data (Article 8):

• To verify if the Children are subject to the parent’s or guardian’s (“legal representative”) consent and such guardian is authorized, within the scope of reasonable efforts;
• To have the consent from the Children’s legal representative to collect the Children’s personal data or to provide the Children with product information and KidsLoop Group’s services directly;
• To notify legal representative of KidsLoop Group ‘s privacy policy for the Children, including the items, purpose and disclosure of collected personal data;
• To grant the Children’s legal representative the right to access, correct or delete or temporally suspend the processing of, the Children’s personal data or the right to withdraw the prior consent of legal representative; and
• To limit the collection of personal data to the extent solely required for the participation in online activities

Automated individual decision-making, including profiling

KidsLoop Group may use your personal data to create individual or collective profiles (hereinafter referred to as “profiling”) for the purpose of identifying how to provide you with better KidsLoop Services, for example, providing you with customized content of KidsLoop Services by analyzing what attracts you the most regarding KidsLoop Group and KidsLoop Services, and how you use the services. In addition, KidsLoop Group uses the personal data for the following purposes: to create user clusters to identify your interest in the KidsLoop Services; to analyze the market and statistics or; to enhance the KidsLoop Services (all websites, etc.). It may integrate the personal data provided by all its websites and applications with your personal data provided by Learning Lab and KidsLoop Services. The processing of personal data for profiling is carried out in line with the guarantees and measures specified in applicable law (Article 22).  

Personal Data Retention Policy

For the purpose of protecting your personal data, KidsLoop Group complies with the principle of Data Minimization (Article 5) where the processing of personal data should be appropriate and limited to the extent solely necessary for the purposes for which the data are processed.  To this end, KidsLoop Group abides by the following retention policy:

• Personal data protected by KidsLoop Group’s retention policy is subject to the all personal data processed by KidsLoop Group;
• Personal data is retained for no longer than is necessary for the purposes for which the personal data is processed. KidsLoop Group will destroy the personal data one year after the expiry of such period. However, the personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by relevant regulation in order to safeguard your rights and freedoms (Article 5.1 (e));
• KidsLoop Group abides by the methods set forth in the ‘Security’ of this Privacy Policy to delete physical and digital data;
• The Data Protection Officer designates the strict retention period regarding the storage of your personal data and does not retain the data more than the period which requires personal data. KidsLoop Group monitors the compliance regarding personal data retention on a regular basis and deletes personal data, if no longer necessary, in a safe manner (Article 39);
• KidsLoop Group schedules regular review of stored data to determine whether the personal data is still required;
• KidsLoop Group immediately destroys especially sensitive personal data including sexual orientation, race, beliefs, health information, etc. and does not retain the sensitive personal data for no longer than is necessary;
• KidsLoop Group takes the actions set forth in the ‘Rights of Data Subject’ of this Privacy Policy if you exercise your right guaranteed by GDPR as Data Subject;
• KidsLoop Group is in compliance with relevant regulations such as GDPR, etc. in relation to the retention of your personal data;
• KidsLoop Group makes sure that all employees are aware of the data retention policy prescribed in this Privacy Policy, GDPR and relevant regulations;
• KidsLoop Group sets this Privacy Policy by documenting a GDPR data retention policy. This Privacy Policy may need to be provided to regulators in the event of an audit or investigation of a complaint; and
• This Privacy Policy may be used as personal data proving that KidsLoop Group complies with the requirements of GDPR and relevant regulations.

Modification of Privacy Policy

KidsLoop Group has the right to amend or modify this Privacy Policy from time to time, in which case, KidsLoop Group will make a public notice on its website (or through individual notice in writing or by fax or e-mail) and acquire your consent if required by relevant regulations.

Cookies and Internet Advertising

KidsLoop Group may collect personal data through ‘cookies’ or ‘web beacons’.

Cookies are substantially small text files to be sent to the browser of yours by the server used for the operation of KidsLoop Group’s websites and are stored in hard-disks of your computers.

Web beacons are a small quantity of code which exists on websites and e-mail. By using web beacons, we can identify whether you have interacted with certain webs or the contents of email.

These functions are used for evaluating, improving services and customizing your experience so that KidsLoop Group provides way improved KidsLoop Services for you.

The items of cookies to be collected by KidsLoop Group and the purpose of such collections are as follows:

• Required cookies: This kind of cookie is indispensably necessary for you to use the functions of the KidsLoop Group’s website. No services such as shopping cart or electronic bill payment can be provided for you unless you accept these cookies. These cookies do not collect any information which can be used for marketing or store the sites that you have visited.

– To retain the personal data entered in an order form while searching other webpages during the web browser session

– To retain the purchased services for the webpage of products and checkout

– To verify whether you log onto the website

– To ensure that you are connected to a correct service on the v’s website if the KidsLoop Group makes any change in the operation of the KidsLoop Group’s website.

– To connect you to a certain application or server of the services

• Performance cookies: This kind of cookie collects personal data of how you use KidsLoop Group ‘s website such as the webpages most frequently visited by you. Such personal data helps the v optimize its website so that you can search more conveniently on its website. Such cookies do not collect any personal data regarding your identification. Any personal data collected by this kind of cookies is anonymous since the personal data is collectively processed.

– Web analysis: to provide statistical data on how to use the website;

– Advertisement response fee: to confirm the effect of KidsLoop Group’s advertisement;

– Tracing affiliates; to provide KidsLoop Group with the feedback of anonymous personal data that one of the visitors to KidsLoop Group’s website has visited any other affiliate’s website;

– Error management: to identify errors which have occurred in order to improve KidsLoop Group’s website; or

– Design testing: to test other designs of KidsLoop Group’s website

• Functionality cookies: This kind of cookie is used to store the set-ups so as to provide services and improve the user experience. No personal data collected by this cookie identifies individual users.

– To store changed set-ups such as layout, text size, basic set-up and colors; or

– To store the survey which has been conducted by KidsLoop Group and completed by you.

You have the following options for cookie installation:  accepting all cookies, making each cookie confirmed whenever it is saved, or refusing the storage of all cookies. However, such refusal by you may result in the limit to the part of KidsLoop Services.

The latest update date: November 3, 2020