Privacy Policy

Your data, your record.

This Privacy Policy explains how De Kind collects, uses, and protects your personal data. We've written it in plain English. If anything is unclear, contact us.

Effective: 1 January 2026
Last reviewed: 9 May 2026
Version: 1.0

01

Who we are

De Kind is operated by Nexus-Sectech Ltd, a company registered in England and Wales (Company No. 17126982), with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.

For the purposes of UK GDPR, Nexus-Sectech Ltd is the Data Controller for your personal data. We are registered with the Information Commissioner's Office (ICO).

You can contact our Data Protection point of contact at hello@nexus-sec.tech.

02

What we collect

We collect the minimum data needed to operate De Kind. We do not sell your data and we do not run ads.

Category | What we collect | Source
Account data | Email, display name, bcrypt-hashed password, optional mobile | You, at registration
Household data | Household name, children's first names, invite code, paired parent IDs | You, during onboarding
Record data | Custody log entries, requests sent/received with timestamps, cost entries with receipts | You, while using the app
Billing data | Subscription status, plan tier, Stripe customer ID | Stripe (we never see your card details)
Technical data | IP address, browser type, error logs, basic anonymous analytics | Your device, automatically

What we do NOT collect: credit card numbers (handled by Stripe), location data, your contacts, your browsing history outside De Kind, or any data from third-party social media.

03

Why we collect it

Every piece of data we collect serves a specific operational purpose:

  • Account data — to let you sign in and identify you to the other parent in your household
  • Household data — to operate the shared record and pair two parent accounts
  • Record data — this is the product. Without it, De Kind doesn't function.
  • Billing data — to process subscription payments and send receipts
  • Technical data — to keep the service running, detect abuse, and fix bugs

We do not use your record data to train AI models, target ads, or build profiles. We do not sell, rent, or barter your data to anyone.

05

How long we keep it

We keep your data only as long as needed for the purpose it was collected. After that, we delete or anonymise it.

Type | Retention period
Active account data | For as long as your account exists
Record data (custody, requests, costs) | Indefinitely, until you or the other parent deletes the household
Deleted account data | 30 days (recovery window), then permanently deleted
Billing records | 7 years (UK tax law)
Technical / error logs | 90 days, then anonymised
Backup snapshots | 30 days rolling, then deleted

When you delete your account, your personal identifiers are removed permanently after 30 days. Your contributions to the shared household record (e.g. custody entries you logged) remain in the household — anonymised — so the other parent's record is not corrupted. They will appear as "Removed parent" in any export.

06

Who we share it with

We share your data only with the following processors, all of whom are bound by data protection agreements:

  • Supabase Inc. — database, authentication, and file storage. EU/UK data hosted in Frankfurt region.
  • Vercel Inc. — application hosting. Some traffic may transit US servers under UK-US Data Bridge.
  • Stripe Inc. — payment processing. Stripe handles your card data directly; we never see it.
  • Resend — transactional email delivery (welcome, password resets, notifications)

We do not share data with advertisers, data brokers, social media platforms, or analytics services that build user profiles. We do not respond to general data requests from third parties without a valid UK court order.

Within a household, the other parent you are paired with will see all entries you log — this is the whole point of a shared record. You can see exactly what's visible in your Settings → Household page.

07

How we protect it

De Kind takes data protection seriously. Our security measures include:

  • AES-256-GCM application-level encryption for all record content (request descriptions, custody notes, cost descriptions, receipt URLs). The encryption key never leaves our hosting environment.
  • AES-256 at rest for the underlying database storage (independent layer)
  • TLS 1.3 for all data in transit
  • Postgres Row Level Security enforced at the database level — you can only access your own household's data
  • Immutability triggers that prevent records from being modified after the other parent has acknowledged them
  • Bcrypt password hashing — we never see, store, or log plaintext passwords

In the event of a data breach affecting your personal data, we will notify you and the ICO within 72 hours, as required by UK GDPR Article 33.

08

Your rights

Under UK GDPR you have the following rights:

  • Right of access — download a JSON copy of everything we hold on you instantly via Settings → Privacy & data
  • Right to rectification — correct inaccurate data in Settings
  • Right to erasure — delete your account self-service in Settings → Danger zone. Flow: confirmation code by email → 7-day cooling-off window during which you can cancel → permanent deletion. Your contributions to the shared household record stay in place with your identifier blanked.
  • Right to data portability — export your data in JSON via Settings → Privacy & data (free, instant). Court-formatted PDF/CSV exports of your record are available with Premium.
  • Right to object — opt out of any processing based on legitimate interests by emailing us
  • Right to restrict processing — request limited processing while we investigate any complaint
  • Right to withdraw consent — for any processing relying on consent (e.g. marketing emails)

To exercise these rights, email hello@nexus-sec.tech. We will respond within one month.

If you are unhappy with our response, you have the right to complain to the Information Commissioner's Office: ico.org.uk or 0303 123 1113.

09

Cookies

De Kind uses a small number of cookies, all strictly necessary for the service to function:

  • Session cookies — to keep you signed in (Supabase Auth)
  • CSRF tokens — to protect against cross-site request forgery
  • Preference cookies — to remember your interface choices (e.g. month view on the calendar)

We do not use tracking cookies, advertising cookies, or third-party analytics that build profiles. Because all our cookies are strictly necessary or based on your account, we don't need a cookie consent banner under the PECR regulations.

10

Changes to this policy

We may update this policy from time to time. Significant changes will be notified to you by email at least 30 days in advance. Minor clarifications (typos, formatting) will be made silently with the "Last reviewed" date updated above.

You can always see the latest version at dekind.app/privacy. We keep a public changelog of substantive changes available on request.

11

Contact us

For any data protection question, request, or complaint:

Data Protection

Or by post: Nexus-Sectech Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. Please mark correspondence "Data Protection — Privacy Request" so we can route it correctly.

For any general support question, please use our contact page instead.