Privacy Policy

Effective Date: April 24, 2026  ·  Last Updated: April 24, 2026
🔒 COPPA Compliant — Children's Data Protected
These are legally informed templates, not legal advice. We recommend having this reviewed by qualified legal counsel familiar with childcare regulations in your state.

1. Overview

CradleDesk ("we," "us," or "our") provides a cloud-based management platform for childcare centers at cradledesk.com. This Privacy Policy describes how we collect, use, share, and protect information — including sensitive data about children and families — in connection with our Service.

CradleDesk serves two types of users:

  • Childcare Centers ("Customers") — the organizations that create and manage CradleDesk accounts
  • Families — parents, guardians, and children whose information is managed by the centers using our platform

CradleDesk is a data processor. The childcare center is the data controller — they determine what data is collected and how it is used to manage their center. We process data only to provide and improve the Service.

2. Data We Collect

We collect data you provide directly when setting up and using CradleDesk, as well as operational data generated through use of the Service.

2.1 Center & Administrator Data

  • Center name, address, state, license number, and contact information
  • Administrator name, email address, and password (hashed)
  • Subscription plan, billing history, and subscription status
  • Center preferences and configuration settings

2.2 Staff Data

  • Staff name, email address, phone number, and role
  • PIN codes used for kiosk check-in/check-out
  • Time clock records: punch-in/out times, break records
  • Certifications and professional development records (if entered)
  • Payroll summary data (hours worked, calculated pay)

2.3 Children's Data

This is the most sensitive category of data in CradleDesk. It is collected by the childcare center in the course of managing enrolled children:

  • Child's full name, date of birth, and photo
  • Enrollment status, classroom assignment, and enrollment dates
  • Health information: immunization records, vaccine dates, health conditions, allergies, medications, and doctor information
  • Incident and accident reports
  • Developmental milestone records and learning assessments
  • Meal records and dietary restrictions
  • Attendance records and daily logs
  • Documents uploaded to the child's profile (health forms, permission slips, etc.)

2.4 Parent & Guardian Data

  • Parent/guardian name, email address, phone number, and relationship to child
  • Authorized pickup persons and their photos
  • Financial information: billing rates, payment history, outstanding balances
  • Payment method information (processed and stored by Stripe — not stored by CradleDesk)
  • Communication preferences

2.5 Billing & Payment Data

  • Subscription billing information for childcare centers (processed via Stripe)
  • Family billing records: invoices, payments, credits, and balances
  • Payment method type (card, cash, check, bank transfer) — card details handled by Stripe

2.6 Usage & Technical Data

  • Login timestamps and session data
  • Feature usage patterns (to improve the Service)
  • Error logs and diagnostic information
  • IP addresses and browser information

3. COPPA Compliance & Children's Data

🔒 Children's Online Privacy Protection Act (COPPA)

CradleDesk handles personal information of children under 13 as part of providing childcare management services to licensed centers. This section explains our COPPA compliance framework.

3.1 The Center Is the Operator

Under COPPA, the childcare center is the "operator" with direct relationships with the children and families in their care. The centers have obtained (or are responsible for obtaining) verifiable parental consent for collecting and managing children's personal information as part of their enrollment and licensing process.

CradleDesk is a "service provider" — we process children's data only to provide the platform the center uses to manage their operations.

3.2 How CradleDesk Handles Children's Data

  • No direct collection from children. CradleDesk does not have direct interfaces with children. All children's data is entered by center staff or parents/guardians.
  • No advertising or profiling. We do not use children's data for advertising, behavioral profiling, or any purpose beyond providing the Service to the center.
  • No selling. We never sell children's personal information to any third party.
  • Minimal sharing. Children's data is accessible only to the center's authorized users. It is not shared with other centers, other users, or third parties except as described in Section 6 (Third-Party Services).
  • Data isolation. Each center's data is logically isolated — other centers cannot access your children's records.

3.3 Center Responsibilities Under COPPA

Childcare centers using CradleDesk are responsible for:

  • Obtaining appropriate parental or guardian consent before entering children's personal information into the platform
  • Providing parents with notice about what information is collected and how it is used
  • Responding to parent requests to access, correct, or delete their child's information
  • Complying with applicable state childcare licensing privacy requirements

3.4 Parent Rights for Children's Data

Parents and guardians may exercise rights regarding their child's data. See Section 9 for details.

4. How We Use Data

We use the data we collect for the following purposes:

Purpose Description
Service Delivery Operating, maintaining, and improving the CradleDesk platform
Account Management Creating and managing accounts, authentication, billing
Communications Sending service notifications, security alerts, and product updates
Parent Updates Generating AI-powered daily update emails sent by centers to parents
Support Responding to support requests and troubleshooting issues
Legal Compliance Complying with applicable laws and legal obligations
Security Detecting fraud, abuse, and security incidents
Product Improvement Anonymized/aggregated usage analytics to improve the Service

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties for their own marketing purposes.

5. Data Storage & Security

5.1 Where Data Is Stored

CradleDesk data is stored on servers hosted by Neon (PostgreSQL cloud database) and Render (application hosting), both located in the United States. File uploads (documents, photos, health records) are stored via Cloudflare R2 (U.S. storage).

5.2 Security Measures

We implement industry-standard security practices to protect your data:

  • Encryption in transit: All data is transmitted over HTTPS/TLS
  • Encryption at rest: Database encryption for sensitive fields
  • Password hashing: Staff and admin passwords are hashed using bcrypt — we never store plain-text passwords
  • Token security: OAuth and session tokens are encrypted using AES-256-GCM
  • Access controls: Role-based permissions limit who can see what data within a center
  • Isolated environments: Each center's data is logically separated

5.3 Data Breach Response

In the event of a data breach affecting your center, we will notify you promptly — and in all cases within the timeframe required by applicable law. We will provide information about what data was affected, what we are doing, and what steps you may wish to take.

6. Third-Party Services

CradleDesk uses a limited set of third-party services to operate the platform. Each is bound by their own privacy policies and data processing agreements:

6.1 Stripe (Payment Processing)

We use Stripe to process subscription payments from childcare centers and family payments. Credit card numbers and payment details are transmitted directly to Stripe and stored by Stripe — CradleDesk never stores card numbers. Stripe's privacy policy is available at stripe.com/privacy.

6.2 Postmark (Email Delivery)

We use Postmark to send transactional emails — account notifications, password resets, and parent daily updates. Postmark processes email addresses and message content for delivery purposes only.

6.3 OpenAI (AI Features)

CradleDesk uses OpenAI to generate personalized daily update emails for parents. Activity log data from your center may be sent to OpenAI for this purpose. OpenAI does not use API-submitted data to train their models by default. You can disable AI-generated emails at any time in your center settings.

6.4 No Other Marketing or Analytics Sharing

We do not integrate third-party advertising platforms, behavioral analytics tools, or social media trackers. We do not share your data with data brokers or marketing companies.

7. Data Retention

7.1 Active Accounts

We retain your data for as long as your CradleDesk account is active. You can export your data at any time using the built-in export tools.

7.2 After Cancellation

When you cancel your subscription, your data is retained for 90 days. During this period, you can request a full export. After 90 days, your center's data — including all children's records, staff records, and family records — is permanently deleted from our systems.

Important: Childcare licensing regulations in many states require retaining children's records for several years after a child leaves care. Export your records before cancelling to meet these requirements.

7.3 Backup Retention

Database backups may retain data for up to 30 additional days after the deletion period. After this window, data is unrecoverable.

7.4 Legal Holds

We may retain data longer if required by applicable law, court order, or legal proceedings.

8. Your Rights (Center Administrators)

As a CradleDesk customer, you have the following rights regarding your data:

  • Access: You can access all data in your CradleDesk account at any time through the platform.
  • Export: You can export your data in standard formats (CSV, PDF) from the platform.
  • Correction: You can update or correct any information in your account.
  • Deletion: You can request deletion of your account and all associated data by contacting us. See Section 7.2 for retention timelines.
  • Portability: Your data is available in export formats designed for portability.

To exercise these rights, contact us at info@cradledesk.com.

9. Parent & Guardian Rights

Parents and guardians have rights regarding the personal information of their children stored in CradleDesk by their childcare center.

9.1 Access to Your Child's Records

You have the right to access the personal information the childcare center has entered about your child in CradleDesk. This is primarily managed through your relationship with the center. The CradleDesk parent portal also provides access to information the center shares with you directly.

9.2 Requesting Correction or Deletion

To request correction or deletion of your child's information:

  • First, contact the childcare center directly — they are the data controller and can update or remove records.
  • If the center cannot help or you have concerns about how your child's data is being handled, you may contact us at info@cradledesk.com.

9.3 Opting Out of AI-Generated Parent Updates

If your childcare center uses CradleDesk's AI-powered daily updates, you can ask the center to disable this feature for your family, or you can opt out of the parent email updates altogether.

9.4 Data Deletion Request Process

To request deletion of your child's data from CradleDesk:

  • Submit your request in writing to info@cradledesk.com with the subject line: "Data Deletion Request — [Child's First Name]"
  • Include the name of the childcare center and your relationship to the child
  • We will verify your identity and coordinate with the center to process your request
  • Requests are processed within 30 days

Note: Deletion requests may be limited by the center's legal obligations — for example, childcare licensing laws may require retaining certain records for regulatory compliance.

10. State-Specific Considerations

10.1 Childcare Licensing Data

Many states require childcare centers to maintain specific records as a condition of their license — including children's immunization records, attendance logs, incident reports, and staff certifications. CradleDesk provides tools to help centers meet these requirements. Centers remain responsible for compliance with their specific state licensing requirements.

10.2 CACFP Program Data

Centers participating in the USDA Child and Adult Care Food Program (CACFP) may use CradleDesk's meal tracking features to generate CACFP reports. Meal records entered for CACFP purposes are stored in CradleDesk subject to this Privacy Policy. Centers are responsible for any additional CACFP reporting and record-keeping obligations imposed by their state agency.

10.3 California Residents

California residents may have additional rights under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA). To exercise any CCPA/CPRA rights, contact us at info@cradledesk.com. We do not sell personal information as defined by CCPA.

10.4 FERPA

To the extent CradleDesk is used by a center that qualifies as an educational institution under FERPA, the center is responsible for managing FERPA compliance, including parent rights to access education records. CradleDesk supports this by providing export and access tools.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes — particularly those that affect how we handle children's data — we will:

  • Notify center administrators via email at least 14 days before changes take effect
  • Display a notice in the CradleDesk admin dashboard
  • Update the "Last Updated" date at the top of this page

We encourage you to review this policy periodically. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

Privacy questions, data requests, or concerns? Reach out:

CradleDesk — Privacy Team

Email: info@cradledesk.com

Subject line for data requests: "Privacy Request — [Your Center Name]"

Website: cradledesk.com

We respond to all privacy inquiries within 2 business days and complete data requests within 30 days.