Privacy Policy

1. Information We Collect

We collect the following types of information:

• Account Information: When a parent registers, we collect basic information such as name, email address, and the child's first name.
• Verification Data: From 1 January 2026, when a parent completes age and identity verification, our verification partner (currently Didit Ltd) processes limited information to confirm adult and parental status. Stamplo only stores the verificationstatus and timestamp—never ID documents or images.
• Pen Pal Information: When children add a pen pal, we collect and store the invite code and pen pal details (e.g., name, country).
• Communication Data: We store the content of letters sent between pen pals, including any media (like photos) attached to the letters. All letters are stored encrypted; status fields (e.g., flaggedByChild) are recorded to track child reporting.
• Preferences and Flags: Parent settings for features such as Friend Finder, image permissions, and AI mascot access, as well as any flag/reason reason provided when a child reports a letter.
• Manual Review: In rare cases where verification fails (for example, poor lighting, incorrect angle, or suspected under-age attempt), a Stamplo safeguarding officer may view the verification media (such as the liveness video or document image) directly within our verification provider’s secure dashboard. We never download, store, or copy this material, and all access is logged for safety and accountability.

2. How We Use Your Information

• To Provide Our Service: Facilitating pen pal connections and letter exchanges.
• Child Reporting: Enabling children to flag letters that worry them; updating letter status and notifying parents via email with a secure review link.
• Escalation: If a parent escalates a flagged letter, we temporarily decrypt its content for our support team and send an email notification to support@stamplo.kids.
• Parent Supervision: Ensuring all letters are reviewed by parents before final delivery.
• Improvements: Using aggregated, anonymized data to improve Stamplo's services and user experience.
• Safeguarding and Verification Review: When a verification attempt fails, we may conduct a manual safety review by viewing the verification media directly inside our verification provider’s secure platform. This ensures only genuine adults create parent accounts. Stamplo does not store these images or videos; access is limited, audited, and used solely for safeguarding purposes.

3. Legal Basis for Data Processing

Under GDPR, we process personal data based on:

• Consent (e.g., account creation, communication, sponsored participation)
• Contractual Necessity (providing Stamplo's services)
• Legal Obligation (compliance with laws and regulations)

4. How We Protect Your Data

• Encryption: All personal information is encrypted during transmission and at rest.
• Access Control: Only authorized parents can manage their children's accounts, with double parental approval required for letter exchanges.
• Data Minimization: We collect only the minimum information necessary to operate Stamplo.

5. Sharing Your Information

We do not sell, rent, or share your personal information except:

• Parents: We share decrypted letter content only with the parent(s) who own that child account when a letter is flagged or being reviewed.
• Support Team: When a letter is escalated, we share temporary decrypted access with our internal support atsupport@stamplo.kids under strict confidentiality.
• Legal Requirements: If required by law.
• Service Providers: With trusted providers under strict confidentiality agreements, only when necessary to operate Stamplo.

6. Data Retention

We retain personal information only as long as needed to fulfill our service obligations or comply with legal requirements.

• When an account is deleted, all associated parent and child data is permanently deleted immediately.
• Letters and attached media are retained for up to 12 months after they are fully delivered or resolved. Flagged or escalated letters follow the same retention policy.

7. Your Rights Under GDPR

As a user, you have the right to:

• Access: Download your personal and family data via your account settings.
• Rectification: Correct inaccuracies in your data.
• Erasure: Delete your account and all related data (“Right to be Forgotten”).
• Restriction of Processing: Request limits on data use.
• Data Portability: Obtain your data in a machine-readable format.
• Object: Object to certain types of processing, including marketing communications.

8. How to Exercise Your Rights

To exercise any rights, please contact us at support@stamplo.kids. We will respond within 30 days and may request verification of identity to protect your privacy.

9. Parent Control and Child Safety

Parents have full control over their child's account settings, including:

• Managing Friend Finder visibility
• Enabling or disabling image sending and receiving
• Controlling access to AI mascot (Twitch) chat features
• Approving or rejecting every pen pal letter

AI Mascot (Twitch) Interactions
Twitch is a pretend character operated by Stamplo - not a real person.
Every message to and from Twitch must be read and approved by the caregiver before the child sees it.
No personal data is shared with the AI provider, and all interactions remain fully sandboxed.

Stamplo staff do not access child messages, including those sent to the mascot character Twitch. Only parents can enable, view, and approve these messages and replies.

10. Cookies and Tracking Technologies

Stamplo uses only essential cookies required for secure login and basic functionality. We do not use analytics, third-party trackers, or personalized advertising cookies. Fonts are hosted locally to protect your privacy, and no external resources are loaded from tracking domains.

We are committed to data minimisation and comply fully with the ICO Children's Code.

11. Data Transfers

We may transfer personal data outside the EEA only when adequate safeguards (such as EU Standard Contractual Clauses) are in place to protect your information.

12. Automated Decision-Making

Stamplo does not use automated decision-making or profiling that affects users' legal rights or significant matters. All approvals and key decisions involve human review.

13. U.S. Families and COPPA Compliance

Stamplo is operated by Stamplo Limited, a UK company regulated under UK GDPR and the ICO Children's Code (Age Appropriate Design Code). These standards provide strong protections for children's privacy and data.

Important Note for U.S. Families: While we require parental involvement at registration (email verification + two-factor authentication), this verification method may not meet COPPA's strictest "verifiable parental consent" standard, which typically requires credit card verification, government-issued ID, or other stronger proof of adult status.

• Parental Control: Parents must create accounts, verify their email, and approve every pen pal connection and letter before children can send or receive communications.
• Data Minimization: We collect only limited information necessary to operate the service (family code, child's first name, country, and letters). We do not use behavioral advertising, analytics tracking, or third-party cookies.
• Rights and Deletion: Parents can access, correct, or delete their child's account and data at any time by contacting support@stamplo.kids.
• Notice to Schools: Stamplo is not intended to replace school district parental consent obligations. Teachers introducing Stamplo in U.S. classrooms must ensure parental consent is obtained consistent with COPPA.

By using Stamplo in the United States, you acknowledge that data is processed in the UK under GDPR and the ICO Children's Code. If you have specific concerns about COPPA compliance, please contact us at support@stamplo.kids.

14. Age and Identity Verification

Starting 1 January 2026, families must complete a one-time age and identity verification before any child can access Stamplo. Verification ensures that the adult creating a family account is a genuine parent or guardian and that children using Stamplo meet the platform’s 7-to-14-year age range.

Stamplo partners with Didit Ltd, an independent verification provider, to perform this check. Didit Ltd acts as a data processor under a written agreement and complies with UK GDPR and the ICO Children’s Code. The verification process may involve presentation of an identity document or other proof of age directly to Didit Ltd. Stamplo receives only a confirmation flag (verified / not verified) and does not receive or store copies of any documents.

In some cases where verification fails (for example due to low lighting, camera angle, or a failed liveness match), a trained Stamplo safeguarding officer may view the verification media directly inside Didit’s secure dashboard to determine whether the attempt was genuine. Stamplo does not download, copy, or store any images, videos, or documents. All access is strictly limited, used only for safeguarding, and recorded in our Audit Log for accountability.

The lawful basis for processing this data is legitimate interest(ensuring child safety and compliance with age-appropriate access standards) and, where required, legal obligation. The information is retained only as long as necessary to confirm verification status and is then deleted or anonymised.

Parents can view their verification status within their dashboard and may request deletion of verification data by contacting support@stamplo.kids.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post any updates here. Continued use of Stamplo after updates indicates your acceptance of the new terms.

16. Contact Us

Data Controller: Stamplo is developed and maintained by “Stamplo Limited” (Co. No. 16555069).

If you have any questions about this Privacy Policy, please contact us at:

support@stamplo.kids