1. Purpose of this summary
Under UK GDPR Article 35 and equivalent obligations under the EU GDPR, a Data Protection Impact Assessment (DPIA) is required where processing is likely to result in a high risk to the rights and freedoms of individuals. Processing children’s data at scale is one of the categories expressly requiring a DPIA.
budgii conducts a DPIA before launch and updates it whenever the scope or nature of processing materially changes. This page is a summary of the current DPIA, published voluntarily for transparency. The full internal DPIA document is available to supervisory authorities, enterprise customers, and qualified researchers on request.
2. System description
2.1 What is processed
The budgii service collects and processes Personal Data concerning:
- Adult household leaders: name, email, login credentials, IP address, subscription status, billing identifiers handled by Stripe.
- Children: first name or nickname, age bracket, avatar, activity data (to-dos, Coins, Chain, rewards, app engagement), and Parent-selected development goals.
No special category data is intentionally processed. No location, biometric, voice, or image data is collected by default.
2.2 Purposes of processing
- Operating the budgii app and delivering the subscription service to the household.
- Generating monthly Nest Reports for Parents, summarising the Child's behavioural patterns in plain language.
- Supporting customer service, billing, and security.
2.3 Categories of data subjects
- Adult household leaders (primarily aged 25-50).
- Children within those households (primarily aged 5-17).
- Prospective customers interacting with the website prior to signup.
3. Necessity and proportionality
The processing is necessary to provide the Services as contracted. Each category of data collected corresponds to a specific function of the product:
| Data category | Why it is necessary |
|---|---|
| Age or age bracket | Necessary to calibrate reward mechanics and Nest Report language to developmentally appropriate levels. |
| Activity data | Necessary to provide the Chain, Coins, and Nest Report features that are the core of the service. |
| Development goals | Necessary to tailor the Nest Report to what the Parent wants to support in their Child's growth. |
| Email, login credentials | Necessary to authenticate access and deliver account communications. |
| IP address | Necessary for security monitoring (limited retention as set out in the Data Retention Policy). |
| Billing data | Necessary for subscription billing. Handled by Stripe as independent Controller. |
We have reviewed and rejected alternatives that would collect less data (for example, generating Nest Reports without age or goals) on the basis that they would produce materially worse outcomes for the Child and Parent.
4. Risks identified
The DPIA identifies the following principal risks:
4.1 Unauthorised access to children's data
Risk of a malicious actor gaining access to household accounts and therefore Children’s behavioural data.
4.2 Misinterpretation of the Nest Report
Risk that a Parent treats a Nest Report as clinical or diagnostic advice, leading to inappropriate conclusions about the Child’s health or development.
4.3 AI output safety
Risk that the AI producing Nest Reports generates content that is clinical, inaccurate, judgemental, or otherwise inappropriate for the Parent and, by implication, for the Parent's interpretation of the Child.
4.4 Cross-border transfer risk
Risk associated with transferring Personal Data, including Children’s data, outside the UK, EEA, Australia, or New Zealand for cloud hosting or AI processing.
4.5 Disputes between adult account holders
Risk arising in split households or family disputes, where two adults with equal access to the account disagree about the Child’s use of budgii or the withdrawal of consent.
4.6 Data retention exceeding necessity
Risk of retaining Personal Data for longer than necessary, contrary to the storage-limitation principle.
4.7 Profiling and behavioural inference
Risk that patterns inferred from Children’s activity data are used outside the scope of the service or disclosed inappropriately.
4.8 Coercive use by an adult
Risk that the reward system is used to withhold essential needs from a Child as a disciplinary mechanism.
5. Mitigations applied
| Mitigation | Description |
|---|---|
| Encryption and access control | All Personal Data encrypted at rest using AES-256 and in transit using TLS 1.2+. Multi-factor authentication required for all budgii personnel accessing production. Role-based access with least-privilege defaults. Full audit logging of internal data access. |
| No clinical framing (Nest Report) | Automated safety validation layer blocks any report containing clinical terminology, diagnostic claims, or references to medical, religious, political, or harmful content. Blocked reports are replaced with a safe fallback. Detailed in the AI Transparency Notice. |
| Report is Parent-facing only | Children never see AI-generated content about themselves. The report is explicitly positioned to Parents as observational, not diagnostic. |
| AI provider controls | Data sent to the AI provider (Anthropic) is limited to behavioural summary data. The API contract prohibits the use of budgii data to train models. No identifying personal details (name, location, school, etc.) are included in AI prompts. |
| Cross-border transfer safeguards | Standard Contractual Clauses and the UK IDTA addendum in place with all relevant sub-processors. Transfer impact assessments conducted and reviewed. Supplementary measures including encryption and access restrictions. |
| Dispute handling | Either adult account holder can withdraw consent for any Child on the account. budgii will act on the first request. Court orders regulating the Child's care are honoured where provided. budgii does not arbitrate family disputes. |
| Minimum retention | Written Data Retention & Deletion Policy with specific periods by data category. Automated deletion after account closure. Backup retention capped at 120 days. |
| No profiling outside the Service | Children's behavioural data is used only to operate the Service and generate the Nest Report for the Parent. It is not sold, shared for advertising, or used to build external profiles. No targeted advertising is run inside the app. |
| Anti-coercion by design | The Acceptable Use Policy expressly prohibits using budgii to withhold essential needs (food, shelter, hygiene, medical care) from a Child. Reports of this conduct may be referred to child welfare authorities. |
| Transparency tooling | Privacy Policy, Privacy for Kids, Parental Consent document, AI Transparency Notice, Data Retention Policy, and this DPIA summary, all publicly available. |
6. Residual risk
After the mitigations in Section 5, the remaining residual risks are assessed as low. The highest residual risk relates to inherent uncertainty in AI-generated text, for which the safety validation layer and the Parent-facing (not Child-facing) framing of the Nest Report are the principal controls.
No residual risk has been assessed as requiring prior consultation with a supervisory authority under UK GDPR Article 36 or equivalent provisions.
7. Consultation
In the course of preparing the DPIA, the following consultation was undertaken:
- Internal review by the budgii product and engineering team.
- Review of current guidance from the Information Commissioner's Office (UK), the Office of the Australian Information Commissioner, the Office of the Privacy Commissioner (NZ), and the US Federal Trade Commission's COPPA guidance.
- Reference to the ICO's Age Appropriate Design Code (Children's Code) in designing child-facing flows.
- Legal review, the results of which will be reflected in the next revision of this summary.
8. Review and update
The DPIA and this summary are reviewed at least annually, and additionally whenever:
- A new category of Personal Data is collected.
- A new Sub-processor is introduced.
- A new AI feature is released, or a material change is made to existing AI-enabled features.
- A Personal Data Breach or near-miss provides new information about a risk.
- Applicable Data Protection Laws materially change.
9. Contact
Questions about this DPIA summary, or requests for the full internal DPIA document from a supervisory authority, enterprise customer, or qualified researcher:
Budgii PTY LTD
ABN 50 696 945 169 | ACN 696 945 169
Sydney, New South Wales, Australia