Privacy Policy

1. Overview

ZuKeepr Inc. ("ZuKeepr," "we," "our," or "us") helps parents find and manage applications to licensed childcare providers. This Privacy Policy explains what information we collect, how we use it, how we share it, how long we keep it, and the rights you have over your data.

By using ZuKeepr you agree to the practices described here. All amounts referenced are in U.S. dollars (USD) unless otherwise stated.

This Privacy Policy supplements our other privacy-related documents:

• Children's Privacy Notice — additional protections for information about children;
• Cookie Policy — how we use cookies and similar technologies;
• Data Processing Agreement — applies to daycares regarding parent and child information;
• Subprocessor List — public list of third-party service providers, available at zukeepr.com/subprocessors.

Where this Privacy Policy conflicts with the Children's Privacy Notice on matters specific to children's information, the Children's Privacy Notice controls.

2. Who We Are

ZuKeepr Inc. is a corporation registered in British Columbia, Canada, with its registered office at 914 Graythorpe Place, Victoria, BC. For the purposes of Canadian privacy law (including PIPEDA and the British Columbia Personal Information Protection Act) and applicable U.S. state privacy law, ZuKeepr Inc. is the entity responsible — whether described as "controller," "business," or otherwise under your jurisdiction's terminology — for the personal information described in this Policy.

3. Information We Collect

3.1 Account Information

• Email address and password (passwords are stored as bcrypt hashes — we never see your plain-text password);
• Contact name and phone number;
• Home address, province or state, and city;
• Account role (parent or daycare) and related preferences.

3.2 Sensitive Child Information (Parents Only)

When you create or update a child profile on ZuKeepr, you provide us with information about that child. We treat the following categories of information as sensitive and apply additional safeguards (including limited internal access and exclusion from analytics tools):

• Full name and date of birth;
• Allergies, medical information, and immunization records;
• Doctor or clinic information;
• Emergency contacts and pick-up authorizations;
• Care schedule preferences;
• Primary and secondary languages.

Information about children is provided exclusively by parents and legal guardians, who confirm at signup that they have legal authority and that no court order or custody arrangement prevents such use of the Platform. ZuKeepr does not allow children to create accounts or submit information directly. Our handling of children's information is described in detail in our Children's Privacy Notice.

Where reasonably possible, certain sensitive child fields (such as medical information) are collected closer to the enrollment acceptance stage rather than at initial application, in keeping with our data minimization approach.

3.3 Daycare Information

If you create a Daycare account, we collect:

• Business name, contact information, and operating address;
• Childcare license number and a copy of the license document (uploaded as part of administrative verification);
• Banking information collected by Stripe for payouts (handled by Stripe, not stored by ZuKeepr);
• Facility description, photos, capacity, hours, services, and pricing.

3.4 Payment Information

Payment card and ACH details are collected and processed by Stripe (https://stripe.com/privacy), our payment processor, and are never stored on ZuKeepr servers. Stripe is PCI DSS Level 1 certified and handles all sensitive payment information directly. We retain transaction records (described in Section 11).

3.5 Communications

Messages exchanged between parents and daycares through the Platform's messaging tools. Messages may be reviewed by ZuKeepr only for safety, fraud, abuse, legal compliance, support, dispute, or product-integrity purposes. Default retention is up to thirteen (13) months from the date of the message; longer retention applies only where required for safety, fraud prevention, disputes, legal holds, regulator requests, or other legal obligations.

3.6 Usage and Analytics Data

We use Microsoft Clarity to capture aggregated session interactions (page views, click patterns, scroll behaviour) for product analytics. Clarity is configured to:

• Mask all form fields by default;
• Exclude child profile pages, medical-information pages, payment pages, message-entry pages, and account settings from recording;
• Limit data retention to Microsoft's standard analytics retention window.

Clarity does not have access to plain-text passwords, payment card numbers, or sensitive child information. See our Cookie Policy for details, and our Subprocessor List for Microsoft Clarity's role.

3.7 Device and Technical Information

• IP address, browser type and version, device type, and operating system — captured for security, fraud prevention, and consent audit purposes;
• Cookies and similar technologies as described in our Cookie Policy.

3.8 Consent Records

We record your affirmative acceptance of our Terms of Service, Privacy Policy, Children's Privacy Notice (for parents), your role-specific agreement, and any recurring payment authorization, including the document name, version, date and time of acceptance, your IP address, your user-agent, the user identifier, your role, the exact checkbox text presented, and the route or interface where consent was captured. These records form a consent audit trail.

4. Children's Privacy — COPPA Compliance

ZuKeepr complies with the U.S. Children's Online Privacy Protection Act ("COPPA") and equivalent Canadian privacy law. We do NOT knowingly collect personal information directly from children. All children's data on the Platform is provided by a parent or legal guardian who has given verifiable parental consent before any information is submitted.

Parental rights regarding children's information are described in detail in our Children's Privacy Notice. In summary:

• You may review the children's information we hold at any time through your account dashboard or by contacting us;
• You may correct inaccurate information through your account settings;
• You may request deletion of all children's data, which we will action within thirty (30) days subject to legal retention obligations;
• You may withdraw consent at any time by closing your account or contacting us.

5. How We Use Your Information

We use the information we collect to:

• Operate the Platform — match parents with eligible daycares, process applications, manage enrollments, and process payments;
• Send transactional emails (OTP codes, application updates, invoices, receipts);
• Send marketing communications only to users who have explicitly opted in, with the ability to unsubscribe at any time;
• Maintain Platform security and prevent fraud;
• Investigate safety, fraud, abuse, or legal compliance concerns, including review of Platform messages where necessary;
• Improve our product through limited and masked analytics;
• Comply with our legal obligations, including childcare licensing law and tax law.

We do NOT use your information for targeted advertising. We do NOT sell personal data. We do NOT use children's information for advertising, profiling, or behavioural analytics.

6. Sharing With Daycares: Roles Under Privacy Law

6.1 For information about parents and children that is shared between ZuKeepr and a Daycare through the Platform, the parties' roles under privacy law are as follows:

• Under Canadian privacy law (PIPEDA, BC PIPA): ZuKeepr and the Daycare act as joint controllers, with independent obligations to the affected individuals;
• Under applicable U.S. state privacy law: ZuKeepr and the Daycare may each act as a separate "controller" or "business" with respect to specific portions of the information, and may share controller/business obligations where information is jointly determined;
• Where ZuKeepr stores or processes information solely on behalf of a Daycare (for example, internal attendance logs or daycare-controlled records uploaded to the Platform), ZuKeepr acts as a processor or service provider for that information.

6.2 Sharing happens in two stages, as described in our Children's Privacy Notice and enforced in the Platform:

• Application stage: The daycare you apply to sees a limited profile of you and your child (such as general care needs, age range, and scheduling preferences). Sensitive information (full date of birth, medical and dietary details, emergency contacts, pick-up authorizations) is NOT shared at this stage;
• Enrollment stage: After you accept an offer of enrollment, the full parent and child profile is shared with that specific daycare for the purpose of providing care.

6.3 Daycares are bound by their Daycare Agreement and the Data Processing Agreement to handle parent and child information securely, lawfully, and only for the purpose of providing childcare services.

7. How We Share Your Information

7.1 With Daycares

As described in Section 6, we share parent and child information with daycares you apply to or enroll with, on the two-stage model.

7.2 With Service Providers (Subprocessors)

We share information as needed with service providers that help us operate the Platform. A complete, current list of subprocessors — including vendor name, purpose, data jurisdiction, the categories of data each handles, and the date last updated — is available at zukeepr.com/subprocessors. Material additions to or removals from this list are communicated to users in accordance with our change-management process.

Subprocessors are bound by contract to use information only for the services they provide to ZuKeepr and to maintain appropriate safeguards.

7.3 For Legal Reasons

We may share information when we believe in good faith that disclosure is necessary to:

• Comply with applicable law, court order, or valid legal process;
• Cooperate with law enforcement, child protection authorities, or childcare licensing authorities;
• Prevent imminent harm to a child or other person;
• Protect the rights, property, or safety of ZuKeepr, our users, or the public.

7.4 In Connection with a Business Transaction

If ZuKeepr is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. Where reasonably possible, we will notify affected users in advance and provide options consistent with applicable privacy law.

7.5 With Your Consent

We may share information for additional purposes with your express consent.

We do NOT share children's information beyond the daycare you have chosen and the service providers described above. See the Children's Privacy Notice for details.

8. Data Retention

Different types of information are retained for different periods, summarized in the table below.

Data Type

Retention Period

After That

Active account data

For the life of your account

Deleted within 90 days of account closure (subject to legal holds)

Children's information

While your account is active

Deleted within 90 days of closure or deletion request, subject to legal holds; daycare-held records are separately retained per their own legal obligations

Messages between parents and daycares

Up to 13 months (default)

Automatically deleted, except where retention is needed for safety, fraud, disputes, legal holds, or regulator requests

Payment and transaction records

7 years

Retained for tax and dispute purposes regardless of account closure

Consent records (TOS, Privacy, COPPA acceptance)

Life of account + 7 years

Retained for legal and audit purposes

Microsoft Clarity analytics

Up to 12 months (set by Microsoft)

Deleted per Microsoft's retention practices

8.1 Legal holds. If we receive a legal request, court order, or are involved in active litigation, we may retain relevant information longer than the periods above for as long as legally required.

8.2 ZuKeepr-held vs. daycare-held records. The retention periods above apply only to information that ZuKeepr holds. A daycare that has received information about you or your child through ZuKeepr retains that information under its own policies and applicable law — including childcare licensing record-retention requirements, which often require daycares to retain certain records for several years. Closing your ZuKeepr account or requesting deletion from ZuKeepr does not, by itself, delete information held by a daycare and does not override the daycare's separate legal retention obligations. To request deletion from a specific daycare, contact that daycare directly. ZuKeepr will assist you in identifying the appropriate contact upon request.

9. Data Security and Breach Notification

9.1 We use industry-standard physical, technical, and administrative safeguards to protect your information, including:

• Encryption of data in transit (TLS) and at rest where reasonably feasible;
• Bcrypt password hashing — we never store passwords in plain text;
• Role-based access controls and authentication mechanisms;
• Logging and monitoring of access to personal information;
• Regular security reviews and prompt remediation of identified vulnerabilities;
• Staff training on privacy and data-handling practices.

9.2 Our primary infrastructure is hosted on AWS in Canada (ca-central-1).

9.3 Breach notification. In the event of a confirmed breach of security safeguards affecting your personal information, we will notify you and applicable authorities as soon as feasible and as required by applicable law. Internally, ZuKeepr targets initial notification within seventy-two (72) hours of confirming the breach. The 72-hour figure is an internal operational target, not an absolute promise; actual timing depends on the facts of the incident, ongoing investigation needs, and applicable law.

10. International Data Transfers

10.1 ZuKeepr is based in Canada, and our primary infrastructure is hosted in Canadian data centres. Some service providers store or process data in the United States or other jurisdictions, as listed at zukeepr.com/subprocessors.

10.2 Where information is transferred internationally, we take reasonable steps to ensure the information remains protected under safeguards comparable to those required by PIPEDA and applicable provincial privacy law, including contractual commitments from service providers.

10.3 You acknowledge that, as a result of these transfers, information about you may become subject to lawful access requests by foreign authorities under the laws of the jurisdiction where the service provider is located.

11. Payment Data

11.1 When you make or receive a payment through ZuKeepr, your payment card and ACH details are collected and processed by Stripe, our payment processor. ZuKeepr does not store full payment card numbers, CVV codes, or raw card or ACH data.

11.2 We retain the following transaction records for accounting, tax, and dispute purposes:

• Transaction amount and currency (USD);
• Payment date and status;
• Name of the daycare receiving funds;
• ZuKeepr platform fee applied;
• Stripe invoice and charge identifiers;
• Where applicable, your acknowledgement of any non-refundable fee or recurring payment authorization at the time of payment, including the version of the applicable Terms or Refund Policy in effect.

11.3 Transaction records are retained for seven (7) years per standard business and tax retention requirements. This retention period applies even after account closure.

11.4 You can request a record of your transactions at any time through your payments dashboard or by contacting privacy@zukeepr.com.

12. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access — review the personal information we hold about you;
• Correct — update inaccurate information;
• Delete — request deletion of your personal information, subject to legal retention requirements;
• Port — request a portable copy of your information in a commonly used format;
• Restrict — request that we limit how we use your information in specific circumstances;
• Withdraw consent — for processing based on your consent;
• Object — to certain types of processing, including marketing communications;
• Appeal — request review of a decision we made about your information, where required by applicable law.

To exercise any of these rights:

• Use the self-serve options in your account dashboard;
• Email privacy@zukeepr.com or support@zukeepr.com;
• Write to ZuKeepr Inc., 914 Graythorpe Place, Victoria, BC, Canada.

We will respond to verifiable requests within thirty (30) days. We may request additional information to verify your identity before action. We will not charge a fee for honouring rights requests except where permitted by law for excessive or unfounded requests.

13. Texas and U.S. State Privacy Rights

13.1 If you are a resident of a U.S. state with applicable privacy law (including Texas, California, Virginia, Colorado, and others), you may have specific rights in addition to those described in Section 12. These typically include:

• The right to know what categories of personal information ZuKeepr collects, processes, and shares about you;
• The right to access your personal information;
• The right to correct inaccurate personal information;
• The right to delete personal information ZuKeepr has collected from you, subject to legal retention exceptions;
• The right to obtain a portable copy of your personal information;
• The right to opt out of any "sale" or "sharing" of personal information for advertising purposes — ZuKeepr does not currently sell or share personal information for advertising;
• The right to non-discrimination in the exercise of these rights;
• The right to appeal a decision ZuKeepr makes about a privacy request, where provided by applicable law.

13.2 To exercise any state privacy right, use the channels described in Section 12 and indicate the U.S. state in which you reside. ZuKeepr will respond within the time required by your state's law (typically 30 to 45 days, with possible extensions).

13.3 ZuKeepr does not knowingly collect personal information from children under the age of 13 directly, and does not sell or share children's personal information.

13.4 Where state law requires a designated point of contact for privacy requests, that contact is privacy@zukeepr.com.

14. Cookies and Tracking

14.1 We use strictly necessary cookies to keep you signed in and process payments, and analytics cookies (Microsoft Clarity) to understand how the Platform is used, subject to the masking and exclusion practices described in Section 3.6.

14.2 We do NOT use advertising, retargeting, or cross-site tracking cookies.

14.3 Where required by law, ZuKeepr presents a cookie consent banner allowing you to accept, reject, or customize non-essential cookies, and respects your choice on future visits.

14.4 Full details, including a cookie inventory and instructions for managing your preferences, are in our Cookie Policy.

15. Marketing Communications and Electronic Communications Consent

15.1 We send transactional emails (related to your account, applications, payments, and enrollments) as part of providing the Platform. These cannot be turned off while you have an active account.

15.2 We send marketing communications only to users who have explicitly opted in at signup or through account preferences. You can unsubscribe from marketing emails at any time using the unsubscribe link in any marketing email or through your account settings. Unsubscribing does not affect transactional emails.

15.3 By providing your contact information and creating an account, you consent to receive electronic communications from ZuKeepr in connection with your account, including legal notices, invoices, receipts, policy updates, support replies, and other transactional communications.

16. Changes to This Policy

16.1 We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email or in-app notice at least thirty (30) days before they take effect.

16.2 If a change materially expands how we collect, use, or share information about children, we will seek your renewed consent before the change applies to your child's information, as described in the Children's Privacy Notice.

16.3 The version of this Privacy Policy in effect at the time of any given interaction governs that interaction. Prior versions are retained and may be made available on request.

17. Contact

Privacy questions, requests, or concerns can be sent to:

ZuKeepr Inc.

914 Graythorpe Place, Victoria, British Columbia, Canada

support@zukeepr.com

zukeepr.com

privacy@zukeepr.com (privacy-specific) or support@zukeepr.com (general)

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca/), the British Columbia Office of the Information and Privacy Commissioner (https://www.oipc.bc.ca/), the U.S. Federal Trade Commission (https://www.ftc.gov/), or your state Attorney General's office in the United States.

─────────────────────────────────────────────────────────────────────────