Last updated and effective from 29 July 2020.
SuperAwesome Trading Limited (Company Number: 03885555) is a private limited company incorporated in England, having its registered office at 8 Duncannon Street, London, England WC2N 4JF, United Kingdom, (referred to herein as “SuperAwesome,” “us”, “our” or “we”).
Table of Contents
1. About Us
SuperAwesome Trading Limited (referred to herein as “SuperAwesome,” “us”, “our” or “we”) is a private limited company incorporated in England (Company Number: 03885555), having its registered office at 8 Duncannon Street, London, England WC2N 4JF, United Kingdom.
About Kids Web Services
Kids Web Services (“KWS” or “Kids Web Services”) is a parental consent management platform for publishers of children’s websites and mobile applications. KWS enables publishers to comply with children’s data privacy laws such as the Children’s Online Privacy Protection Act, as amended (“COPPA”) and General Data Protection Regulation (EU) 2016/679 (“GDPR”). KWS is designed for use by:
- publishers, who use KWS to configure and operate the parental consent and permissioning process for their mobile application or website
- parents/guardians, who use KWS to manage permissions for their child who uses such mobile applications or websites
When a child signs up for a KWS-managed website or mobile application, they may be required to provide the email address of a parent or guardian who, after verification by KWS, can use KWS to manage their child’s permissions and activities on the website or app.
Our contact details
Full name of legal entity: SuperAwesome Trading Limited
Email address: email@example.com
Postal address: 8 Duncannon Street, London, England, WC2N 4JF, United Kingdom
Telephone number: + 44 (0) 203 668 6677
These terms relate to the people who use KWS:
- “Publisher” – a publisher of a children’s website or mobile application that uses KWS for parental consent management
- “Authorised User” – a KWS Control Panel user, working on behalf of a Publisher
- “End User” – a person, typically a child, who engages with a Publisher’s mobile application or website
- “Parent” – the parent or legal guardian of an End User
- “Users” – all KWS users; i.e. Authorised Users, End Users, and Parents
These terms relate to the ways people interact with KWS:
- “Publisher Site” – a Publisher’s child-directed mobile application or website which uses KWS to manage parental consent
- “KWS Control Panel” – KWS’ interface for Authorised Users to manage the Publisher Site’s permissions to process End User’s data in compliance with privacy laws
- “KWS Parent Portal” – KWS’ interface for Parents to manage and give consent to the online activities of their children who are the End Users of a Publisher Site
These terms relate to Users’ data and how KWS interacts with it:
- “data” – information about a User, both technical and personal
- “technical data” – data observed from a User’s device. For example:
- user agent string
- operating system (OS)
- internet protocol (IP) address
- “personal data” – defined in the GDPR as follows:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
- date of birth
- email address
- IP address
Note that some data elements are both “technical data” and “personal data”; for example, IP address.
- “to process”/”processing” – the GDPR definition is as follows:
“Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
4. General information about how we process Users’ data
This section sets out how we process the data of all Users, including that of child End Users. A “child” is a person under the age of digital consent (i.e. 13 in the U.S. and between 13 and 16 in the E.U., depending on each Member State’s implementation of GDPR’s Article 8).
Our right to process Users’ data
We only process Users’ data when we have a legal basis to do so, in any of the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with a Publisher
- Where it is necessary for our legitimate interests and the User’s interests and fundamental rights do not override those interests
- Where we need to comply with a legal obligation
Note that we may process a User’s data for more than one lawful basis, depending on the specific purpose for which we are using their data. For more information, contact us at firstname.lastname@example.org.
For more information on how Publishers process the personal data of a child, please contact them directly.
When we refer to our ‘legitimate interests’, we mean the interest of our company (SuperAwesome) in conducting and managing our business to enable us to give Users the best service/product and the best and most secure experience.
We make sure we consider and balance any potential impact (both positive and negative) on Users and Users’ rights before we process their data for our legitimate interests. We do not process a User’s data for activities where our interests are overridden by the impact on the User (unless we have their consent or are otherwise required or permitted to by law).
For further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities, contact us at email@example.com.
Special category data
KWS does not process any special categories of personal data (as defined in GDPR) about Users; for example, information about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health, genetic or biometric data, and criminal convictions or offences.
Change of purpose
We will only process a User’s data for the purposes for which we originally intended, unless we reasonably consider that we need to process it for another reason and that reason is compatible with the original purpose.
For an explanation of how the processing of your data for a new purpose is compatible with the original purpose, contact us at firstname.lastname@example.org.
We may process a User’s data without their knowledge or consent where this is required or permitted by law.
We collect, use and share aggregated data such as statistical or demographic data to improve KWS. We may derive aggregated data from Users’ data. However, because this data has been through a process (e.g. hashing or encryption) to irreversibly de-identify personal data (so that it can no longer be associated with a person) the aggregated data cannot directly or indirectly reveal the identity of an Authorised User, End User, or Parent.
For example, we may aggregate usage data to calculate the percentage of Users accessing a specific Publisher Site feature.
We do not normally send KWS marketing materials to Parents. From time to time Parents may receive service information updates via the KWS Parent Portal.
If you are a Parent, and a Publisher sends you marketing materials that you do not wish to receive, contact them directly or change your preferences in the KWS Parent Portal, if marketing preference options have been provided there.
SuperAwesome uses Amplitude Inc. to provide it with analytics on Authorised Users’ use of the KWS Control Panel and Parents’ use of the KWS Parent Portal.
Data control responsibilities
For the purposes of GDPR, the Publisher is the data controller of any personal data submitted to the KWS Control Panel by Authorised Users. The Publisher is responsible for informing SuperAwesome of any authorisation or credential changes required, should an Authorised User’s access need to be added or revoked.
What Authorised Users’ data do we process?
The following table describes the Authorised Users’ data which we may process to enable them to access and use the KWS Control Panel:
|When we process Authorised Users’ data||How we describe that data in this policy||Description of the data||What the data includes|
|When an Authorised User signs up to use KWS||KWS Control Panel Access Data||Authorised Users’ data required to gain access to the KWS Control Panel||First name, last name, email address and password|
|When an Authorised User interacts with the KWS Control Panel||Technical Data||Technical data about Authorised Users’ equipment, browsing actions and usage patterns on KWS, collected using cookies, server logs and other similar technologies||Internet protocol (IP) address, login data, browser type and version, time zone setting, country and language, browser plug-in types and versions, operating system and platform|
What is our legal basis for processing Authorised Users’ data?
The following table describes the ways we may process Authorised Users’ data, the legal bases we rely on to do so, and what our legitimate interests are, where appropriate.
|Type of data processed by KWS||Purpose of processing data||Lawful basis for processing data|
|KWS Control Panel Access Data||To enable an Authorised User to use the KWS Control Panel||The performance of our contractual obligations with Publishers|
|Technical Data||To use data analytics to improve our Publisher relationships and Authorised Users’ experience||Necessary for our legitimate interests to operate, maintain and improve KWS|
SuperAwesome processes the data of End Users (who are children) on behalf of Publishers.
A “child” is a person under the age of digital consent (i.e. 13 in the U.S. and between 13 and 16 in the E.U., depending on each Member State’s implementation of GDPR’s Article 8).
Data control responsibilities
When a Publisher enters into a contract with SuperAwesome to use KWS, the Publisher is (under the GDPR) the data controller responsible for the processing of personal data of End Users (who may be Children) who access or use the Publisher Site.
How do we safeguard children’s privacy?
KWS has been certified as compliant with COPPA by two FTC-approved COPPA Safe Harbor Programs: the Entertainment Software Rating Board’s (ESRB’s) Privacy Certified Program and KidSAFE. KWS is subject to audits and other enforcement and accountability mechanisms as part of this certification.
As with all SuperAwesome’s products and services, KWS is subject to periodic technical and legal review through its own Compliance Committee comprising our Chief Privacy Officer, Chief Technology Officer and its Information Security and Legal teams.
What End User data do we process?
The following table describes the End User data that we may process on behalf of the Publisher:
|When we process End Users’ data||How we describe that data in this policy||Description of the data||What the data includes|
|When an End User signs up to use a Publisher Site||Standard Site User Data||Data of an End User who uses a Publisher Site||The End User’s username, password and KWS system-generated user ID|
What is our legal basis for processing End User’s data?
The following table describes the ways we may process End User’s data, the legal bases we rely on to do so, and what our legitimate interests are, where appropriate:
|Type of data processed by KWS||Purpose of processing data||Lawful basis for processing personal data|
|Standard Site User Data||To enable End User registration and age gate processes on the Publisher Site||The performance of our contractual obligations with Publishers|
|Bespoke Site User Data||For Publisher Site functionality requirements||The performance of our contractual obligations with Publishers |
Consent (obtained in accordance with Art. 8 of GDPR)
7. What do we do with Parents’ data?
Data control responsibilities
- When a Parent registers with SuperAwesome to use a KWS Parent Portal account, SuperAwesome is the data controller (under GDPR) responsible for the processing of their data in connection with administering their account.
It is important that the data we hold about Parents is accurate and current. If you are a Parent, please keep us informed if your data changes during your relationship with us.
What Parents’ data do we process?
This table describes the Parents’ data that we may process:
|When we process Parents’ data||How we describe that data in this policy||What the data includes|
|When a Parent responds to KWS’s request to complete the verification process||Parent Verification Data||The data required from a Parent varies by region:Brazil: CPF number and date of birth; Mexico: CURP and full name; US: Full name, last four digits of social security number, date of birth, and mailing address; All other regions: Parent’s credit card number, CVV, expiry date.|
|When a Parent successfully completes the verification process||Verification Status||A combination of a one-way hashed email address, verified status and method, and the timestamp for the verification provided.|
|When a Parent registers as a user of the KWS Parent Portal||KWS Parent Portal Access Data||Email address and a system-generated ID number.|
|When a Parent interacts with KWS using the KWS Parent Portal. We collect this data from their device using cookies, server logs and other similar technologies.||Technical Data||Data about the Parent’s equipment, browsing actions and usage patterns on KWS.May include internet protocol (IP) address, login data, browser type and version, time zone setting country and language, browser plug-in types and versions.|
|When a Parent submits a general support query||Parent Contact Data||Name, email address and telephone number|
What is our legal basis for processing Parents’ data?
The following table describes how we may use Parents’ data, the legal bases we rely on to do so, and what our legitimate interests are, where appropriate:
|Type of data processed by KWS||Purpose of processing data||Lawful basis for processing data|
|Parent Verification Data||To obtain Parent verification||Consent to initiate the Parent verification process|
|Verification Status||To determine if a Parent has previously been verified, so that their data need not be collected again||Legitimate interests|
|KWS Parent Portal Access Data||To facilitate Parent registration and access to the KWS Parent Portal||Legitimate interests to provide Parents with access to the KWS Parent Portal|
|Technical Data||For the efficient operation of KWS||Legitimate interests|
|Parent Contact Data||To respond to support queries from a Parent||Legitimate interests to provide information and assistance to a Parent|
8. What do we do with enquiry and subscribers’ data?
When someone enquires about our products or services, subscribes to our service or publications, or gives us feedback, we process the data they have provided (e.g. name and email address) to respond to them.
9. How do we share Users’ data?
Sharing Users’ data with third-party providers
As with most service providers, KWS uses third parties to help us provide KWS. Some of these providers may process Users’ data on our behalf, for the purposes set out in the sections above.
The KWS Control Panel and KWS Parent Portal use third-party data processors, some of whom may process User’s data. For example, we use a third party to host the KWS platform and we use third-party tools to help us better understand how Publishers navigate around the KWS Control Panel.
We enter into contractual arrangements with our service providers to ensure that they are only processing data in a lawful manner.
We maintain a current list of the providers that KWS uses here. To learn more about how our third-party data processors use Users’ data, please refer to their privacy policies.
Sharing Users’ data within SuperAwesome
Sharing Users’ data for other reasons
We may disclose Users’ data for any of the following reasons:
- in the good faith belief that we are required to do so by law
- if doing so is reasonably necessary to comply with legal process
- to permit us to pursue available remedies, including commencing or responding to any claims
- to enforce the terms and conditions of KWS
- to protect the rights, property, or personal safety of SuperAwesome or the public
- to prevent other illegal activity
- for risk management purposes
10. How do we transfer Users’ data internationally?
We may transfer Users’ data in the following ways:
- We share Users’ data within the SuperAwesome group of companies. This involves transferring Users’ data outside the European Economic Area (EEA).
- Some of our third-party data processors are based outside the EEA so their processing of Users’ data may involve a transfer of Users’ data outside the EEA.
Whenever we authorise a transfer of Users’ data outside of the EEA, we ensure a similar degree of protection is afforded to it by using specific contracting frameworks approved by the European Commission which give the data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries. If you require further information on the specific mechanism used by us when transferring Users’ data out of the EEA, contact us at email@example.com.
Back to top
11. How do we secure Users’ data?
SuperAwesome values your trust and strives to maintain adequate security measures for all areas of our business and our services. Because KWS is a service that operates digitally, SuperAwesome is continuously reviewing and improving its security measures to prevent data breaches and security incidents.
- We have put in place appropriate security measures to prevent Users’ data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
- We limit access to Users’ data to those employees, agents, contractors and other third parties strictly on a “need to know” basis. They only process Users’ data on our instructions and are subject to a duty of confidentiality.
- We have put in place procedures to deal with any suspected personal data breach and will notify Users and any applicable regulator of a breach where we are legally required to do so.
- Some of the correspondence Users receive from us may contain links to third-party websites, online services or mobile applications that are not affiliated with or operated by us, including those of the Publishers who use KWS.
While SuperAwesome tries to link only to websites that share our high standards and respect for privacy, we are not responsible and accept no liability for the content, security or privacy practices of those other websites. To find out how your personal data may be used by third-party websites, refer to the privacy and cookie policies displayed on those websites.
Back to top
12. How long do we retain Users’ data?
We retain Users’ data only for as long as is reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
We may retain a User’s data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation with respect to our relationship with them.
To determine the appropriate retention period for Users’ data, we consider:
- the amount, nature and sensitivity of the data
- the potential risk of harm from unauthorised use or disclosure of the data
- the purposes for which we process the data and whether we can achieve those purposes through other means
- applicable legal, regulatory, tax or accounting requirements
If a Parent deletes their KWS Parent Portal account, we retain their Verification Status for future verification purposes involving KWS. This eliminates the need to re-verify the Parent’s identity and minimises personal data collection. Parents may exercise their rights in accordance with section
Back to top
13. Your legal rights
Under certain circumstances, you have other rights under data protection laws in relation to your personal data. For example, you may have rights to:
Review/access/delete/restrict the collection of your child’s personal data. Under COPPA, a Parent has certain rights over how we handle the personal data of an End User who is their child. This includes the right for a Parent to review, access, or delete the personal data that has been collected by us from that End User, and to refuse at any time to permit the collection from that End User of such personal data.
Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue to process it. You may also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You may also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data’s accuracy.
- Where our use of the data is unlawful but you do not want us to erase it.
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent as the legal basis upon which to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, contact us at firstname.lastname@example.org.
If you are a California resident, refer to the California residents section below for more information on your legal rights.
No fee usually required
You do not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Do Not Track disclosure
Your browser may allow you to set a Do Not Track (DNT) signal indicating that you do not wish your online activity to be tracked. Currently, KWS does not support and does not act on DNT signal headers that we may receive.
Back to top
14. Location-specific rules
Depending on where you are resident, specific rules apply:
UK and EU
If you are concerned that we have not complied with your legal rights or applicable privacy laws, you may contact the Information Commissioner’s Office (www.ico.gov.uk) which is the regulator responsible for data protection in the United Kingdom, where SuperAwesome Trading Limited is registered (Registration number Z8630714).
If you are located outside of the United Kingdom, you may contact your local data protection authority. You can find contact details here.
If you are a resident of the United States and believe that we have not responded to your inquiry or your inquiry has not been satisfactorily addressed, please contact ESRB Privacy Certified at email@example.com or by using their online contact form at: https://www.esrb.org/privacy/contact.
For the purposes of this section, “Personal Information” and “Service Provider” have the meanings assigned to them under the California Consumer Privacy Act of 2018, (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations (CCPA).
In the past 12 months, SuperAwesome, or its third parties, have collected the following categories of Personal Information using the categories enumerated in the CCPA:
- IP address and device ID
- Name, email address or telephone number of people who contacted SuperAwesome with an inquiry
- First name, last name, corporate email address and device information of Authorised Users
We use and share this Personal Information as disclosed in sections 4. General information about how we process Users’ data and 9. How do we share Users’ data?.
We have not sold any California resident’s Personal Information.
Right to know and access
If you are a California resident, you may submit, free of charge, but no more than twice in a 12-month period, a verifiable request for the following information:
- The specific pieces of Personal Information we have collected about you during the last 12 months
- The categories of Personal Information we collected, sold or disclosed for a business purpose about you within the last 12 months
- The categories of sources from which the Personal Information was collected
- The purposes for which the information was collected or sold
- The categories of third parties to whom the information was sold, disclosed for a business purpose, or otherwise shared
Because SuperAwesome is a Service Provider, we may not be able to respond directly to your request; in this case, we will direct you to contact the Publisher for additional information. Where possible, we will provide this information to you in a readily usable format that allows transmission to another entity.
To submit a request, click here to access our online web form or email us at firstname.lastname@example.org. We will confirm your request within 10 days of receipt.
Right to delete
Because SuperAwesome is a Service Provider, we may not be able to respond directly to your request; in this case, we will direct you to contact the applicable third party for additional information. If you are a California resident, you may submit a verifiable request for us to delete any personal information we have collected about you.
To submit a request, email us at email@example.com or use this webform.
Requests for access to or deletion of Personal Information are subject to our ability to reasonably verify your identity in light of the information requested and pursuant to relevant CCPA requirements, limitations, and regulations. If we need additional information to verify your identity, we will contact you to request that information.
Right to be free from discrimination
We will not discriminate against you because you have chosen to exercise your rights, including, for example, by denying you access to our online services or charging you different rates or prices for the same online services, unless that difference is reasonably related to the value provided by your data.
Exercising your rights
To submit a verifiable request or to otherwise contact us for more information about how to exercise your rights, follow the instructions above. If you would like to designate an authorized agent to make a request on your behalf, please be sure the agent is able to:
- demonstrate you have provided written permission for the agent to submit the request on your behalf
- provide proof of his or her own identity
If the agent does not satisfy both these requirements, we will deny the request.
California residents “Shine the Light” law
We do not share your personal information with any unaffiliated third parties for their own marketing purposes.
Last updated: 29 July 2020