Skip to main content

Privacy Policy

Effective Date: March 26, 2026

This Privacy Policy describes how Ten Dollars, LLC ("Company," "we," "us," or "our") collects, uses, shares, and protects information when you use kiddinglab.com (the "Website").

By accessing or using the Website, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Website.

1. Information We Collect

We collect different types of information depending on how you interact with the Website.

a. Information You Provide When Creating an Account

When you register for an account, we collect:

  • Email address (required)
  • Password (required; stored only as a cryptographic hash — we never store or have access to your plaintext password)
  • Display name (optional; may be a real name, nickname, or alias)
  • Account type (parent or provider)

b. Planning Profile Information

Parents and guardians may create planning profiles for the key features of camps they are looking for based on their child and the child's interests. For each planning profile, we collect:

  • Name (required; may be a nickname, initials, or alias — we do not require or recommend using a child's legal name)
  • Birth month and year (optional; we intentionally do not collect a day of birth, to limit the precision of age information we store)
  • Category interests (optional; categories such as "sports," "arts," or "music" to help match camp types)

This information is entered by the parent or guardian, not by a child. Children do not use the Website or provide information directly.

c. Reviews and Ratings

When you submit a review, we collect:

  • Star rating (1–5, required)
  • Review title (optional)
  • Review body (optional)
  • Associated camp (determined by the listing you review)

Published reviews are publicly visible and associated with your display name (or "Anonymous" if you have not set one).

d. Saved Sessions and Registration Alerts

When you save a camp session, we store:

  • Which session you saved
  • The name of the planning profile that you associated it with (optional)
  • Any notes you added (optional)

When you configure registration alerts on a saved session, we additionally store:

  • Alert preferences (which types of reminders you selected, such as "when registration opens" or "1 week before close")
  • Registration dates (if you entered registration open or close dates that we did not already have)
  • Custom reminder dates (if you set a custom reminder date)

We also store in-app notifications generated by your alerts, including the notification title, body, and read status. Notifications auto-expire and are treated as read after the associated registration date has passed.

e. Village Connections and Invitations

When you use the village feature, we collect:

  • Your connections with other users (including connection status)
  • Email addresses of people you invite who do not yet have accounts
  • Your sharing preferences and any per-user sharing exceptions

f. Provider Organization and Camp Claims

When a provider claims an organization or individual camp, we collect:

  • The organization or camp being claimed
  • The verification email used to confirm the claim
  • Claim status and verification tokens (which expire after 72 hours)
  • Booking method preference (whether the provider uses exclusive kiddinglab booking or requests a third-party integration)

When a provider submits a new organization that is not yet listed, we additionally collect:

  • Organization name and organization URL (required)

g. Sync Setup Requests

When a provider submits a sync setup request to integrate their website data with KiddingLab, we collect:

  • Contact name (required)
  • Contact title (optional)
  • Contact email (required)
  • Contact phone (optional)
  • Questionnaire responses about how the provider updates their website, any specialized software used, whether updates are handled in-house or by a third party, and any additional relevant details

This information is sent to our team at info@kiddinglab.com via webhook for follow-up coordination on website data synchronization. The request data is stored in our database to track integration inquiries and facilitate provider onboarding.

h. School Calendar Imports

When you upload a school calendar file to import closure days, we collect:

  • School or district name (required; entered by you to identify the calendar)
  • Calendar file content (ICS or PDF format; processed in memory to extract dates and discarded immediately — we do not store the original file)
  • Closure day selections (which dates you included or excluded from the parsed calendar)

The extracted closure day data (dates, labels, and types) is stored as a community calendar resource visible to other authenticated users who select the same school. Other users can see the dates and labels but not who uploaded the calendar. Individual date selections from multiple users are aggregated to verify accuracy through community consensus. See Section 2 for how community calendars are used.

i. Search and Browsing Data (All Visitors)

For all visitors, including those without accounts, we may collect:

  • Search criteria: Zip codes and filters applied (such as child age or grade level)
  • Location data: If you use "Use My Location," we process your precise latitude and longitude to find nearby camps. We do not store your precise location — it is converted to a zip code for our records.
  • Engagement data: Which listings you view and which external links you click (including the destination URL).

For logged-in users, this browsing data is associated with your account. For visitors without accounts, we generate a random session identifier in memory to group related browsing events during a single visit. This identifier is not stored persistently and does not persist across browser sessions or site visits.

i. Information Collected Automatically

When you visit the Website, our hosting infrastructure automatically receives standard technical information, including your IP address, browser type, and referring page. We do not independently log or store IP addresses, but our infrastructure providers (see Section 4) may temporarily process this information in the normal course of delivering the service.

j. Payment Methods and Booking Information

When you book a camp session through the Website, we collect:

  • Booking details (session selected, child name, planning profile association, booking status)
  • Payment method selection (bank transfer or credit/debit card)
  • Billing address state (used only for surcharge compliance — we do not collect your full billing address)
  • Payment confirmation data (transaction status, payment amounts, deposit and balance information)
  • ACH authorization mandates (for bank transfer payments, an authorization mandate is created and stored by Stripe; we store only a reference identifier linking your booking to the mandate)
  • Auto-charge authorization (if you authorize automatic balance payments, we store the authorization status on your booking)

Consent Records

When you make a deposit booking, we create immutable consent records documenting:

  • The exact text of each disclosure or authorization you agreed to or declined
  • Consent type (email reminder consent, auto-charge authorization, or auto-charge revocation)
  • Whether consent was granted or declined/revoked
  • Your IP address at the time of consent
  • Your browser user agent at the time of consent
  • Timestamp of the consent action

These records are stored for a minimum of two years as required by payment network rules (NACHA) and cannot be modified or deleted by any user. They serve as legal proof of your authorization for payment-related actions.

If you choose to save a payment method for future use, we store:

  • Bank accounts: Bank name, last 4 digits of account number, and a non-reversible fingerprint
  • Cards: Card brand (e.g., Visa, Mastercard), last 4 digits, and a non-reversible fingerprint

We do not store full account numbers, routing numbers, or full card numbers. Full payment credentials are stored exclusively by our payment processor, Stripe (see Section 4).

k. Shopping Cart Data

When you add camp sessions to your cart, we store:

  • Cart items (session selected, child name, planning profile association, date added)

Cart data is used to facilitate multi-camp checkout. Cart items are automatically removed after checkout. Abandoned cart items may be removed after 30 days of inactivity.

l. DMCA and Copyright Notices

If you submit a DMCA takedown notice or counter-notification, we collect the information you provide, which may include:

  • Contact information (name, mailing address, telephone number, email address)
  • Description of the copyrighted work and the allegedly infringing material
  • Statements required by the DMCA (good faith belief, penalty of perjury)
  • The full text of your notice or counter-notification

This information is required by 17 U.S.C. § 512 and is necessary for us to process your copyright claim.

2. How We Use Information

We use the information we collect to:

  • Provide the service: Create and maintain your account, display any search profiles, publish your reviews, manage your village connections, and personalize camp recommendations.
  • Moderate content: Screen review text for violations of our content standards using automated AI tools and human review.
  • Send transactional emails: Deliver account verification, organization and camp claim verification, village invitation emails, registration alert notifications, and organization submission status notifications.
  • Analyze and improve the service: Understand how the Website is used, identify popular camps and search patterns, and improve features.
  • Provide engagement reporting: Share anonymized, aggregated data with camp providers. Participating camp providers may access an analytics dashboard showing aggregated metrics for their own camp listings, such as page views, outbound click counts, and search sources. This data does not identify individual users.
  • Share community school calendars: When you upload a school calendar, the extracted closure day data is made available to other authenticated users who select the same school. Other users can see the dates and labels but not who uploaded the calendar. Individual date selections from multiple users are aggregated to verify accuracy through community consensus.
  • Process payments: Calculate fees, execute payment transactions, manage deposits and balance payments, and process refunds for camp bookings.
  • Detect and prevent payment fraud: Monitor booking patterns to identify potentially suspicious activity. Detected anomalies generate internal alerts for human review — they do not automatically block transactions. A trust score is maintained based on your successful payment history and any dispute history to inform disbursement timing to camp providers.
  • Send payment-related notifications: Deliver booking confirmations, payment processing updates, ACH pre-debit reminders, refund notifications, and balance payment reminders (7 days before, 1 day before, and on the due date) via email and in-app notifications. For deposit bookings, you consent to receive these balance reminders at the time of deposit payment.
  • Process authorized automatic payments: If you authorize automatic balance payments at checkout, we will charge your saved payment method on the scheduled due date. You can revoke this authorization at any time from your bookings page.
  • Process provider sync requests: When providers submit integration inquiries, we use their contact information and questionnaire responses to evaluate integration opportunities, initiate technical discussions, and coordinate data synchronization setup.
  • Process copyright notices: Review and act on DMCA takedown notices and counter-notifications, disable access to allegedly infringing content, notify affected parties, and maintain records required for legal compliance.
  • Enforce our Terms: Detect and prevent fraud, abuse, fake reviews, and other violations.

We do not sell your personal information. We do not use your information for advertising or marketing by third parties.

3. Content Moderation

Reviews that include text (title or body) are automatically screened by an AI content moderation system before publication. Here is how this works:

  • Your review text is sent to OpenAI's moderation API, which evaluates it against categories including violence, harassment, hate speech, self-harm, sexual content, and spam.
  • If the review passes moderation, it is published immediately.
  • If the review is flagged, it is placed in a moderation queue for human review by our team. You will see a notice that your review is pending review.
  • Rating-only reviews (no text) are published immediately without moderation screening.

4. Third-Party Service Providers

We use the following third-party services to operate the Website. These providers process data on our behalf and are subject to their own privacy policies:

ProviderWhat They ProcessPurpose
SupabaseAccount data, search profiles, reviews, saved sessions, village connections, database contentDatabase hosting, user authentication, server-side functions
VercelHTTP requests, browser metadataFrontend hosting and delivery
OpenAIReview text (title and body only)Automated content moderation
GooglePDF calendar file content (transiently, for extraction only)AI-assisted extraction of school closure dates from uploaded PDF calendars (Gemini API)
ResendRecipient email addresses, sender display namesTransactional email delivery (verification, invitations, registration alerts)
StripePayment method tokens, bank account metadata (name, last 4), card metadata (brand, last 4), transaction amounts, customer identifiersPayment processing for card and ACH bank transfer payments, refund execution, and provider payouts via Stripe Connect
Stripe Financial ConnectionsBank account holder name, routing number, account number (transmitted directly to Stripe during instant verification — not stored by kiddinglab)Instant bank account verification for ACH payments of $99 or more, enabling immediate payment processing without micro-deposit delays
N8N Webhooks (n8n.kiddinglab.com)Sync setup request contact details and questionnaire responsesWebhook delivery of provider integration requests for processing and follow-up coordination

We do not share personal information with third parties for their own marketing or advertising purposes.

5. Data Sharing

Beyond the service providers listed above, we may share information in the following circumstances:

  • Public reviews: Published reviews are visible to all Website visitors and are associated with your display name.
  • Village activity: If you have enabled sharing with your village, your connections may see your reviews, saved sessions, and (if you opt in) search profile-session associations, according to your sharing preferences.
  • Aggregated data: We may share anonymized, aggregated statistics with camp providers. Participating camp providers may access an analytics dashboard for their own camp listings showing metrics such as page views, outbound clicks, and search sources. This data does not identify individual users.
  • Provider payment data: When you book a camp session, we share transaction details (booking amount, fee breakdown, payment status) with the camp provider through their provider dashboard. We do not share your full payment credentials, bank account numbers, or card numbers with providers. Providers receive disbursements of booking revenue through Stripe Connect.
  • Legal requirements: We may disclose information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of that transaction. We will notify users of any such change.

6. Your Rights and Choices

Because you have an account, your data is identifiable and you have the following rights:

Access and Review

You can view your account information, search profiles, reviews, saved sessions, village connections, and sharing preferences at any time by logging into your account.

Correction

You can edit your display name, search profiles (name, birth month/year, interests), reviews, saved session notes, and sharing preferences directly in the app.

Deletion

  • Account deletion: You may delete your account, which will permanently remove your profile and all associated data including reviews, search profiles, saved sessions, registration alerts, notifications, village connections, sharing preferences, and moderation queue entries. Search and engagement analytics data associated with your account is anonymized (your user identifier is removed) rather than deleted, so the event data is retained in aggregate but can no longer be linked to you.
  • Individual items: You may delete individual search profiles, reviews, saved sessions, and village connections at any time without deleting your entire account.

Sharing Controls

You control what is shared with your village through your sharing preferences. You can:

  • Toggle sharing on or off for each category (reviews, saved sessions, search profile-session associations).
  • Exclude specific village members from seeing your shared activity.
  • Remove village connections entirely.

Data Portability

We do not currently offer an automated data export feature. If you would like a copy of your data, please contact us at legal@kiddinglab.com.

Exercising Your Rights

To exercise any of these rights, you may use the in-app controls or contact us at legal@kiddinglab.com.

7. State-Specific Privacy Rights

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose.
  • Request deletion of your personal information.
  • Opt out of the sale of personal information. We do not sell personal information.
  • Not be discriminated against for exercising your privacy rights.

To know what personal information we collect, use, and disclose, read this policy. To exercise your right to delete your personal information, delete your account through the app. We do not sell personal information and we do not discriminate against you for exercising your privacy rights. You may contact us at legal@kiddinglab.com.

Other U.S. States

Residents of Virginia, Colorado, Connecticut, Utah, and other states with consumer privacy laws may have similar rights. To exercise your rights, contact us at legal@kiddinglab.com.

8. Children's Privacy

kiddinglab.com is designed for use by parents, guardians, educators, and camp providers who are at least 18 years old. Children do not create accounts, log in, or interact with the Website.

Parents and guardians may voluntarily provide information about their children (name, birth month/year, and interests) within search profiles. This information is:

  • Entered and managed exclusively by the parent or guardian.
  • Used to personalize camp recommendations and organize saved sessions.
  • Not shared publicly (search profiles are visible only to the parent, and optionally to village connections if the parent enables sharing).
  • Deletable at any time by the parent.

Because children do not use the Website directly and we do not collect information directly from children, COPPA's verifiable parental consent requirements do not apply. Nonetheless, we take the privacy of children's information seriously and limit its collection, use, and visibility as described above.

If you believe a child under 13 has somehow provided us with personal information directly, please contact us at legal@kiddinglab.com and we will promptly delete it.

9. Data Retention

  • Account data is retained for as long as your account is active.
  • All associated data (search profiles, reviews, saved sessions, registration alerts, notifications, connections, sharing preferences) is permanently deleted when you delete your account.
  • Village invitations expire after 30 days.
  • Verification tokens (for organization and camp claims) expire after 72 hours.
  • Moderation queue entries are retained until reviewed by an administrator. If your account is deleted, associated queue entries are also deleted.
  • Registration alerts are retained until sent or until the associated saved session is removed. Sent alerts are retained for historical reference but are no longer active.
  • In-app notifications are retained indefinitely but auto-expire (treated as read) after the associated registration date has passed. Notifications are deleted when the associated account is deleted.
  • Anonymized search and engagement data may be retained indefinitely for analytics purposes. When you delete your account, your user identifier is removed from any associated analytics events; the anonymized event data is retained for aggregate analysis but can no longer be linked to you.
  • DMCA notices and counter-notifications are retained indefinitely as required for legal compliance and tracking under 17 U.S.C. § 512.
  • Booking and payment data is retained for as long as your account is active. Transaction records (amounts, dates, statuses) are retained for accounting and tax compliance purposes even after account deletion. Saved payment methods are deleted when you remove them or delete your account. Trust scores are deleted when you delete your account.
  • Consent records (auto-charge authorizations, email consent, revocations) are retained for a minimum of two years after the last action, as required by NACHA rules. These records cannot be deleted by users and survive account deletion due to legal retention requirements.

10. Data Security

We implement reasonable technical and organizational measures to protect your information:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
  • Encryption at rest: Our database is encrypted at rest by our hosting provider (Supabase).
  • Password security: Passwords are cryptographically hashed and never stored in plaintext.
  • Access controls: Row-level security policies ensure that users can only access their own data through the application.
  • Token security: Verification and invitation tokens are single-use and time-limited.
  • Server-side secrets: API keys and service credentials are stored as server-side environment variables and are never exposed to client browsers.

No method of transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

11. Data Breach Notification

In the event of a security breach that involves your personal information, we will notify affected users without unreasonable delay and no later than 45 days after discovering the breach, consistent with Maryland law and the needs of law enforcement.

We will provide notification by email to the address associated with your account and, where appropriate, by posting a prominent notice on the Website. Our notification will include:

  • A description of what happened, including the date or estimated date of the breach.
  • The types of personal information that were or may have been involved.
  • Steps we are taking in response to the breach.
  • Steps you can take to protect yourself.
  • Contact information for questions or further assistance.

If the breach affects more than 1,000 individuals, we will also notify relevant state attorneys general and, where required, consumer reporting agencies, as required by applicable law.

12. Cookies and Similar Technologies

  • Authentication cookies: We use secure, HTTP-only cookies to maintain your login session. These cookies contain authentication tokens that are short-lived (approximately 1 hour) and are refreshed automatically while you are active. They expire after 8 hours of inactivity. These cookies are essential for site functionality and cannot be disabled while logged in.
  • No tracking cookies: We do not use third-party tracking cookies or advertising pixels.
  • Analytics session identifiers: For visitors without accounts, we generate a random session identifier in memory to group related browsing events during a single visit. This identifier is not stored persistently and does not persist across browser sessions.
  • First-party technical identifiers: We may use short-lived, first-party technical identifiers to support site functionality and prevent abuse.

13. Third-Party Links

Our Website contains links to external camp websites and other third-party sites. Once you leave kiddinglab.com, we are not responsible for the privacy practices or content of those sites. We encourage you to read their privacy policies.

Camp providers may collect additional information directly through their own websites or registration systems. That information is governed by the provider's privacy policies, not this Privacy Policy.

14. International Use

The Website is operated in the United States and is intended for users located in the United States. We do not target or direct our services to individuals outside the United States. If you access the Website from outside the United States, you do so at your own initiative and understand that any information you provide will be transferred to and processed in the United States.

15. Email Communications

The Company does not send marketing emails unless users explicitly opt in.

16. Changes to This Policy

We may update this Privacy Policy periodically. We will update the "Effective Date" at the top of this page. Your continued use of the Website after changes are posted constitutes your acceptance of the revised policy.

This Privacy Policy is governed by the laws of the State of Maryland, without regard to its conflict of laws principles.

17. Contact Information

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how your data is handled, please contact us:

Ten Dollars, LLC
11140 Rockville Pike, Ste 100 #A299
Rockville, MD 20852
United States

General support & payment inquiries:support@kiddinglab.com
Legal & privacy inquiries:legal@kiddinglab.com
Website:https://www.kiddinglab.com