Privacy Policy

Last Updated: June 22, 2026  ·  Effective: June 22, 2026

Summary: We collect only the data we need to run Tija Kids, and we never sell your personal information or use children's data for advertising. Children's accounts are created and controlled by a parent or guardian. We treat anyone under 18 as a child under Kenyan law and protect their data with extra care. You can access, correct, export, or delete your data at any time, and you may complain to Kenya's Office of the Data Protection Commissioner (ODPC) if you believe we have mishandled it.

1. Introduction & Who We Are

Tija Kids ("we," "our," or "us") operates the Tija Kids mobile application and website at tija.kids (collectively, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have over it.

For the purposes of applicable data protection law, Tija Kids is the data controller responsible for your personal data. We are based in Nairobi, Kenya, and you can reach our data protection contact at privacy@tija.kids. (Where Tija Kids is operated through a registered legal entity, that entity is the data controller; its details will be stated here once registration is finalised.)

We are committed to handling personal data lawfully, fairly, and transparently, in line with:

  • Kenya's Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021
  • The Children Act, 2022 and the Constitution of Kenya, which treat every person under 18 as a child
  • The U.S. Children's Online Privacy Protection Act (COPPA), including the 2025 amendments to the COPPA Rule
  • The EU General Data Protection Regulation (GDPR) and UK GDPR, where they apply to you

If you use the Service from outside Kenya, the data protection laws of your country may also apply, and we honour the stronger protection where laws differ.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Parent/guardian name, email address, and a password (stored only as a salted hash, never in plain text)
  • Profile Information: Profile pictures, display names, and household settings
  • Child Information: A child's first name or nickname, age or birth month/year, and avatar preferences — created and entered by a parent or guardian, not by the child
  • Activity Data: Tasks, chores, savings goals, rewards, badges, and virtual-currency (TijaBucks) balances within your household
  • Communication Data: Support tickets, feedback, and correspondence with us

2.2 Information Collected Automatically

  • Device Information: Device type, operating system, app version, and unique device identifiers
  • Usage Data: Features used, time spent, and interaction patterns
  • Log Data: IP address, browser type, access times, and pages viewed
  • Analytics Data: Aggregated, de-identified usage statistics used to improve the Service

We do not collect precise geolocation, contacts, biometric identifiers, or government ID numbers, and we do not use children's data to build advertising profiles.

2.3 Information from Third Parties

  • Authentication providers (Google Sign-In), which share your name and email when you choose to sign in with them
  • Analytics and infrastructure providers (Firebase) for the technical operation of the Service

3. Lawful Basis for Processing

Under Section 30 of Kenya's Data Protection Act (and Article 6 of the GDPR), we only process personal data where we have a lawful basis to do so:

  • Consent: For optional features, marketing emails, and the processing of children's data (given by a parent or guardian). You may withdraw consent at any time.
  • Performance of a contract: To create your account and deliver the Service you have signed up for.
  • Legal obligation: To meet tax, accounting, and other legal requirements.
  • Legitimate interests: To secure the Service, prevent fraud and abuse, and improve our product — balanced against your rights and never overriding the interests of a child.

4. How We Use Your Information

  • Provide, maintain, and improve the Service and your household account
  • Send administrative messages, security alerts, and important Service updates
  • Respond to your questions and support requests
  • Send promotional communications, only with your consent and never to children
  • Monitor and analyse usage to keep the Service safe and reliable
  • Detect, prevent, and address fraud, abuse, and technical issues
  • Comply with our legal obligations

5. Children's Privacy

Important: Child accounts are created and controlled by parents or guardians only. A child never enters their own personal details and accesses the app with a PIN, not an email or password.

Tija Kids is a family service, and protecting children is at the heart of how we operate. Under Kenyan law a child is any person under the age of 18, and we apply that standard:

  • We process a child's personal data only with the verifiable consent of a parent or guardian, and only where it is in the best interests of the child (Section 33, Data Protection Act, 2019).
  • For users in the United States, we additionally comply with COPPA for children under 13, including the 2025 COPPA Rule requirement of separate consent before any disclosure of a child's data to third parties.
  • Parents and guardians can review, correct, export, or delete their child's information at any time from the app or by contacting us.
  • We collect the minimum data needed for the app to work — typically a first name or nickname, an age band, and in-app activity.
  • We do not show behavioural or targeted advertising to children, and we do not sell or share children's data for marketing.
  • Because we process children's data, we maintain a Data Protection Impact Assessment (DPIA) and review it regularly, as required by the Data Protection (General) Regulations, 2021.

If you believe a child has provided us data without parental consent, contact privacy@tija.kids and we will delete it promptly.

6. Data Sharing and Disclosure

We do not sell your personal information. We share it only in the limited circumstances below, and our service providers are bound by data processing agreements that restrict them to acting on our instructions.

6.1 With Your Consent

We share information when you explicitly ask us to, such as inviting a co-parent or guardian into your household.

6.2 Service Providers (Data Processors)

  • Firebase / Google Cloud: Authentication, database, hosting, and analytics
  • Brevo: Transactional and (consent-based) email communications
  • Apple & Google: App distribution via the App Store and Google Play

6.3 Legal Requirements

We may disclose information where required by law, court order, or a lawful government request, or to protect the rights, safety, and property of our users, the public, or us.

6.4 Business Transfers

If Tija Kids is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you and ensure any successor honours this Privacy Policy.

7. International Data Transfers

Some of our service providers (such as Firebase) store and process data on servers outside Kenya, including in the United States and the European Union. Where we transfer personal data outside Kenya, we rely on a lawful transfer mechanism under Sections 48–49 of the Data Protection Act, 2019, such as:

  • Appropriate safeguards, including Standard Contractual Clauses with our providers;
  • A transfer that is necessary to perform our contract with you; or
  • Your explicit consent, where applicable.

We take reasonable steps to ensure your data receives a comparable level of protection wherever it is processed.

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption of data in transit (TLS) and at rest
  • Salted, hashed passwords and PIN codes — never stored in plain text
  • Firestore security rules that enforce per-household access permissions
  • Role-based access controls limiting staff access to personal data on a need-to-know basis
  • Regular security reviews and prompt patching

No method of transmission or storage is completely secure, so while we work hard to protect your data, we cannot guarantee absolute security.

9. Data Breach Notification

If a personal data breach occurs that poses a real risk of harm to you, we will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of it, as required by Section 43 of the Data Protection Act, 2019, and we will notify affected users without undue delay. Notifications will describe the breach, its likely consequences, and the steps we are taking to address it.

10. Data Retention

We keep personal data only for as long as necessary for the purposes set out in this Policy, under a written retention schedule:

  • Account & Child Data: Retained while your account is active; deleted (or anonymised) after account deletion, subject to the limits below
  • Transaction & Billing Records: Retained for up to 7 years to meet tax and accounting obligations
  • Analytics Data: Aggregated and de-identified, retained for up to 26 months
  • Children's Data: Never retained longer than reasonably necessary to provide the Service, in line with COPPA's data-minimisation requirements

You can request deletion of your data at any time (see Your Rights below and our Delete Account page).

11. Your Rights

Under Kenya's Data Protection Act, and the GDPR/UK GDPR where they apply to you, you have the right to:

  • Be informed about how your data is used (this Policy)
  • Access a copy of your personal data
  • Rectify inaccurate or incomplete data
  • Erase your data ("right to be forgotten")
  • Restrict or object to certain processing, including direct marketing
  • Data portability — receive your data in a structured, machine-readable format
  • Withdraw consent at any time where processing relies on consent
  • Lodge a complaint with a supervisory authority (see Section 13)

To exercise any of these rights, contact privacy@tija.kids. We will respond within the timeframes set by law (generally within 30 days) and will not charge you for reasonable requests.

12. Automated Decision-Making & Artificial Intelligence

We do not subject you or your children to decisions based solely on automated processing that produce legal or similarly significant effects (Section 35, Data Protection Act, 2019). Any analytics or personalisation we use to improve the Service is reviewable by a human, and we do not use your or your children's personal data to train third-party generative-AI models.

13. How to Complain

If you are concerned about how we handle your data, please contact us first at privacy@tija.kids so we can put things right. You also have the right to complain to a data protection authority, including:

  • Kenya: Office of the Data Protection Commissioner (ODPC) — www.odpc.go.ke, info@odpc.go.ke
  • EU/UK users: your local Data Protection Authority or the UK Information Commissioner's Office (ICO)

14. Cookies and Tracking

Our website uses cookies and similar technologies to remember your preferences, analyse traffic, and improve your experience. You can control cookies through your browser settings; disabling them may affect some features. We do not use advertising cookies on pages intended for children.

15. Third-Party Links

The Service may link to third-party websites. We are not responsible for their privacy practices and encourage you to read their policies.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version on this page, update the "Last Updated" date, and — for material changes — notify you by email or in-app notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

17. Kenya Data Protection Act Compliance

In line with Kenya's Data Protection Act, 2019, we:

  • Process personal data lawfully, fairly, and transparently
  • Collect data for specified, explicit, and legitimate purposes
  • Apply data minimisation and storage limitation
  • Implement appropriate security and breach-notification measures
  • Respect data subject rights, including the rights of children and their parents/guardians
  • Are committed to registering with the Office of the Data Protection Commissioner where we are required to do so, and to operating in compliance with the Act in the meantime

Contact Us

For questions about this Privacy Policy or our data practices, or to exercise your data rights, please contact us:

Data Protection Contact: privacy@tija.kids

Support: support@tija.kids

Address: Nairobi, Kenya