Privacy Policy

Version 1.0 · Last updated: January 2025

TL;DR

  • No cookies — we use cookieless analytics
  • No ads — ever, anywhere in the app
  • No selling data — to anyone, for any reason
  • No third-party tracking — we don't share your account data with advertisers or data brokers
  • UK-based — your data stays in the UK/EU

Our commitment to your privacy

Piko is based in the United Kingdom. We take privacy seriously — especially when it comes to children. This policy explains what data we collect, why we collect it, and how we protect it.

We are fully GDPR compliant and designed with the Age Appropriate Design Code (AADC) in mind.

Who we are

Piko is the data controller for your personal data. This means we decide how and why your data is processed.

We will respond to any data protection requests within 30 days, as required by law.

What data we collect

Providing this information is necessary to create an account and use Piko. If you choose not to provide it, we won't be able to offer you the service.

Account information

  • Parent/guardian email address
  • Payment information (processed securely by our payment provider)
  • Child profile names and ages (first names only)
  • Selected school for donations

Usage data

  • What videos your child watches
  • How long they watch
  • When they watch (timestamps)
  • PikoStyle preferences and interactions
  • Reset Moment usage

Why we collect this data

  • To personalise the experience: Recommend content that matches your child's interests and mood
  • To show you what they're watching: Full viewing history available in Piko Parent
  • To improve our service: Understand what content works well for different age groups
  • To process payments: Manage your subscription
  • To send donations: Route £1/month to your selected school's PTA

Legal basis for processing

Under GDPR, we must have a lawful basis for processing your data. Here's how we justify each type:

  • Contract performance: Processing your account data, payments, and providing the Piko service you've subscribed to
  • Legitimate interest: Improving our service, preventing fraud, and ensuring security
  • Legal obligation: Complying with tax, financial, and data protection regulations
  • Parental consent: Processing children's viewing data and preferences — you provide this consent when creating a child profile

You can withdraw consent for your child's data at any time by deleting their profile in Piko Parent.

What we never do

  • We never sell your data — to anyone, ever
  • We never share data with advertisers — there are no ads in Piko
  • We never create advertising profiles — for you or your children
  • We never use third-party tracking — no cookies from ad networks
  • We never contact your children directly — all communication goes to parents

How we protect your data

  • All data is encrypted in transit (TLS) and at rest (AES-256)
  • Your data is stored on Supabase infrastructure in the EU
  • Access to personal data is strictly limited to essential personnel
  • We regularly review and update our security practices
  • Payment details are handled by Stripe, a PCI-DSS Level 1 certified payment processor — we never see your full card number
  • Website analytics are processed by PostHog in the EU — no personal data is collected

In the unlikely event of a data breach affecting your personal data, we will notify you and the Information Commissioner's Office within 72 hours, as required by law.

Your rights

Under GDPR, you have the right to:

  • Access your data: See what we hold about you and your children
  • Correct your data: Fix any inaccuracies
  • Delete your data: Remove your account and all associated data
  • Export your data: Download your data in a portable format
  • Object to processing: Ask us to stop processing your data in certain circumstances
  • Restrict processing: Ask us to limit how we use your data while a concern is resolved
  • Withdraw consent: Stop us processing your data (this may mean closing your account)

To exercise any of these rights, contact us at privacy@heypiko.co.uk. We will respond within 30 days.

Complaints

If you're unhappy with how we've handled your data, please contact us first and we'll do our best to resolve your concern. If you're still not satisfied, you have the right to complain to the Information Commissioner's Office (ICO):

Data retention

We keep your data for as long as you have an active account. If you cancel your subscription, we retain your data for 30 days in case you change your mind. After that, it's permanently deleted.

You can request immediate deletion at any time by contacting us.

Cookies & Analytics

We don't use tracking cookies. No cookie banners, no consent pop-ups, no following you around the web.

For analytics, we use PostHog in cookieless mode. This helps us understand how people use our website (which sections are helpful, where people get stuck) without identifying or tracking individual users. Your data stays in the EU and is never shared with third parties like Google or Meta.

The Piko app uses essential storage only — the minimum required to keep you logged in and remember your preferences.

Video playback (YouTube)

Videos in Piko are delivered via YouTube's privacy-enhanced embed mode (youtube-nocookie.com). When a video plays, YouTube may collect:

  • IP address
  • Device and browser information
  • Video playback data (what was watched, for how long)

We use the "nocookie" option specifically to minimise tracking — no YouTube cookies are set until a video is played, and tracking is significantly reduced compared to standard embeds.

For details on what YouTube collects, see Google's Privacy Policy.

International data transfers

Your Piko account data is stored in the EU. However, when you watch videos, YouTube (operated by Google LLC, USA) processes some data to deliver content. Google participates in the EU-US Data Privacy Framework, which provides adequate protection for data transferred to the United States under GDPR.

Children's privacy

Piko is designed for children aged 4-11, used under parental supervision. We take extra care with children's data, in line with the Age Appropriate Design Code (Children's Code):

Age verification

We verify that account holders are adults by requiring a valid payment method during registration. Only adults with payment authority can create accounts and child profiles.

What we collect from children

  • First name (for profile identification)
  • Age (to serve age-appropriate content)
  • Viewing history and preferences (to personalise recommendations)
  • PikoStyle and Weather interactions (to match content to their mood)

What we never collect from children

  • Photos or profile pictures
  • Voice recordings
  • Biometric data
  • Precise location (GPS)
  • Contact lists or social connections
  • Full name or surname
  • School name (only parents select this for donations)

How we protect children

  • Children cannot create accounts — only parents can
  • We never contact children directly — all communication goes to parents
  • All parental controls are managed by adults via PIN-protected access
  • Children's data is never used for advertising or sold to third parties
  • Recommendations are based on interests and wellbeing, not engagement maximisation

Automated recommendations

Piko uses automated systems (PikoStyle and Weather) to recommend content based on your child's interests and current mood. These recommendations are designed to benefit your child's wellbeing — not to maximise screen time. They don't have any legal or similarly significant effects. You can see and adjust these preferences in Piko Parent at any time.

Email communications

We'll email you about:

  • Account updates — subscription confirmations, payment receipts, password resets (required)
  • Service announcements — important changes to Piko, security notices (required)
  • Product news — new features, tips for getting the most out of Piko (optional)

You can unsubscribe from optional emails at any time via the link in any email or in your account settings. We'll never share your email address with third parties or email your children.

Changes to this policy

If we make significant changes to this policy, we'll notify you by email before they take effect. Minor clarifications may be made without notice.

Contact us

Questions about privacy? Get in touch:

Piko is operated from the United Kingdom.