CRIA LogoCRIA

    Privacy Policy

    Your privacy is important to us. Learn how CRIA collects, uses, and protects your data.

    Effective Date: May 12, 2025

    CRIA is committed to protecting your privacy and managing personal information in accordance with applicable laws, including the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”) and British Columbia’s Personal Information Protection Act (“PIPA”). We also recognize the sensitive nature of children’s personal information and adhere to childcare-specific obligations (such as privacy expectations under the Community Care and Assisted Living Act and its regulations). This Privacy Policy explains what personal data we collect, how we use and share it, and the measures we take to safeguard it. By using CRIA, you consent to the practices described here.

    1. Personal Information We Collect

    CRIA is a platform for childcare providers and parents to manage children’s information. As such, we collect two broad categories of personal information: User Information (about the adults using our system, e.g., providers and parents) and Child Information (about the children enrolled or tracked in the system). We also collect some technical data when you use the Service. Below is a breakdown of the types of information we collect:

    • Account and User Information: When you register or use CRIA, we collect information about you, such as:
      • Parents/Guardians: Name, email address, phone number, and relationship to the child.
      • Childcare Providers: Name, email, phone, role/title, and organization (daycare/center name). We may also collect business contact information like the daycare’s address.
    • Authentication Information: Login credentials (which are stored in an encrypted form) and any identity verification info if we ever require it.
    • Child Profile Information: This is information about children entered by their parent/guardian or by the childcare provider. This typically includes:
      • Child’s full name and possibly date of birth or age.
      • Attendance records (e.g., dates/times of check-in and check-out).
      • Allergies, dietary restrictions, or other health notes (e.g., “peanut allergy” or “uses inhaler as needed”). These health notes are intended to be limited to information relevant to daily care and emergencies, not detailed medical records.
      • Emergency contact information for the child (e.g., alternate contacts, doctor’s name/phone) as provided.
      • Notes on the child’s day or behavior (e.g., nap times, mood, activities) and any incident reports (e.g., minor injuries or accidents).
      • Photos or images: If the Service allows uploading a child’s photo or daily activity pictures, those images constitute personal information as well. (Photos may be used internally by the provider and parents to, for example, see the child’s activities, and are not public.)
    • Usage Data and Device Information: Like many services, we automatically collect technical data when you use CRIA:
      • Device and Software: Information about the device you use (e.g., phone, tablet, or computer model, operating system version, unique device identifiers).
      • IP Address and Logs: Your IP address, browser type (if using web), app version, and timestamps of usage. We log actions like when you log in, or when data is added/edited, for security and auditing.
      • Cookies and Similar Technologies: If you access CRIA via a web browser, we use cookies or similar technologies to maintain your session (e.g., keep you logged in) and track site usage. These cookies are generally essential or functional; we do not use third-party advertising cookies. (In an app, analogous tokens or local storage might be used for session management.)
    • Support Inquiries: If you contact us for support or feedback, we will collect the information you choose to provide in that communication (such as your contact information and a description of the issue). We may also record the correspondence for future reference.

    We limit our collection to information that is necessary for providing the Service. CRIA does not directly collect any information from children themselves, and the Service is not directed to children to use on their own. All children’s data on CRIA is provided by authorized adults (parents or providers) with the appropriate consent.

    2. How We Use Personal Information

    We use the collected information to provide, maintain, and improve the CRIA Service, as well as to fulfill legal obligations. Specifically, we use personal information for the following purposes:

    • Providing the Service: We use the information input into CRIA to facilitate the core functionality of the app – which is to help childcare providers and parents manage and share information about children’s care. For example, the child’s profile information is used to display to the parent and provider the relevant details (attendance history, allergies, etc.). Attendance data is used to generate daily reports or timesheets. Health notes are used to alert caregivers of allergies or special needs.
    • Enabling Communication: CRIA may use contact information (like parent email or app push notifications) to send you updates or communications. For example, a daycare provider might send a message or an incident report to a parent through CRIA, and the system will use the parent’s contact info to notify them. We also might send administrative communications, such as confirmations of account changes or technical alerts.
    • Improving and Developing the Service: We may analyze usage data (e.g., which features are used most, or aggregated statistics on attendance) to understand how our users interact with CRIA. This helps us identify areas to improve or new features to develop. Any analytics we perform will use deidentified or aggregated data whenever possible to protect privacy. For instance, we might look at overall app usage patterns rather than focusing on any specific child’s data, unless needed to assist that user.
    • Customer Support: If you reach out with a question or issue, we will use your information (like your contact info and problem description) to assist you. We might review your account data or activity to troubleshoot, and then guide you or fix the issue.
    • Safety and Security: We use information (especially usage and log data) to maintain the security of the Service and our users. This includes monitoring for suspicious activity or violations of our Terms. For example, we may detect repeated failed login attempts or unusual data access patterns and take steps to protect the account.
    • Legal Compliance: We may use or disclose personal information as necessary to meet our legal obligations. For example, we keep certain logs to comply with PIPEDA’s accountability principles. If we receive a lawful subpoena or request from authorities, we might need to use and disclose relevant data (as described in “Disclosures” below). We also retain records as required by law; for instance, childcare regulations might require certain data retention which we facilitate (see Data Retention below).
    • Aggregate Insights: We may compile aggregated data that contains no identifiable personal information to publish overall insights or statistics. For example, “X% of childcare centers using CRIA log allergies information.” Such aggregated data cannot be traced back to individual children or users and may be used for marketing or research about our service usage.

    We do not use children’s personal information for any marketing or advertising purposes. We do not sell or rent personal information to third parties. All uses of personal data are limited to delivering and improving CRIA and as otherwise described above.

    3. Disclosure of Personal Information (How We Share Data)

    CRIA understands that children’s information is sensitive. We only share personal information in a few limited circumstances, outlined below. In all cases, we share the minimum necessary data and ensure any third-party recipients are bound to protect it.

    • Between Authorized Users (Parents and Providers): The primary sharing that occurs in CRIA is between parents/guardians and childcare providers for a given child. For example:

      • A daycare provider may enter a child’s attendance and notes, and that information is then made available to that child’s parent or authorized guardian via the app.
      • Conversely, if a parent updates their child’s profile (e.g., adds a new allergy or emergency contact), the provider will see that update.

      This sharing is controlled and intentional — it happens only among the people who are connected through the child’s enrollment. CRIA’s design ensures that one parent cannot see another family’s data, and one daycare cannot see data for children not in their care. Access is permission-based.

    • Within a Childcare Organization: If a childcare center has multiple staff members using CRIA, the data about the children in that center is shared among those staff users as needed. For instance, a teacher and a center director might both have access to the attendance records. All such users are bound by confidentiality obligations (both through CRIA’s Terms and likely through their own employment agreements under CCALA regulations about privacy).

    • Service Providers (Third-Party Processors): CRIA may use reputable third-party companies to help us run the Service (for example, cloud hosting providers, data backup services, or email delivery services). These service providers might process personal information on our behalf as part of providing their services (e.g., storing our database, or sending out an email notification you triggered). We do not permit these providers to use personal data for their own purposes. They can only access and use data to the extent necessary to perform their functions for us. We have agreements in place with such providers to ensure they protect personal information with standards comparable to our own and consistent with Canadian privacy laws. (We do not name specific providers here, and we do not share data with any social media companies or advertisers.)

    • Legal Requirements and Safety: We may disclose personal information if required by law or a legal process, or if we have a good-faith belief that such disclosure is necessary to:

      • Comply with applicable laws or respond to valid legal requests (e.g., a court order, subpoena, or government demand). For example, a regulator or licensing authority under the CCALA might lawfully require certain records, and if those records are stored in CRIA, we may be compelled to provide them.
      • Protect and defend the rights or property of CRIA, or the safety of CRIA, our users, or the public. For instance, if necessary to prevent or investigate fraud, security breaches, or other harm.

    • Business Transfers: If CRIA is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or some of our business/assets, personal information may be transferred to a successor or affiliate as part of that transaction. We would ensure the new entity continues to honor the privacy commitments we have made. You would be notified, for example via email or a notice on our site, of any change in ownership or control of personal data.

    • With Consent: Apart from the above, if we ever want to share your or your child’s personal information in a way not covered by this Privacy Policy, we will seek your explicit consent. For example, if a parent wanted us to send data to a third-party specialist or service, we would only do so with clear permission from the parent and provider.

    Importantly, CRIA does not share children’s personal information with any external parties for marketing or advertising. The sharing that occurs is mostly internal (within a childcare circle) or with trusted processors for infrastructure purposes. We treat all children’s data as confidential.

    4. Data Storage and Retention

    Storage Location

    The personal information collected through CRIA is stored electronically on secure servers. While our company is based in Canada, the servers or cloud services we use may be located in other jurisdictions (for example, in the United States or other countries). This means your data might be transferred to or accessed from outside of your province or country. Regardless of where data is stored, CRIA will ensure that your information is protected with appropriate safeguards meeting the standards of Canadian privacy law. If data is stored outside of Canada, it may be subject to the laws of that foreign jurisdiction (for instance, accessible by lawful orders of foreign courts), but we contractually require that any service providers maintain confidentiality and security consistent with our policies.

    Security Measures

    We use a combination of administrative, technical, and physical safeguards to protect personal information:

    • Data in transit (e.g., between your device and our servers) is encrypted using HTTPS/TLS protocols.
    • Sensitive data (like passwords) are stored in encrypted or hashed form.
    • Our databases and servers have access controls; only authorized personnel or subprocessors with a legitimate need can access personal data, and they are bound by strict confidentiality.
    • We maintain security monitoring to detect and respond to potential vulnerabilities or breaches.

    Despite our robust measures, it is important to note that no method of transmission or storage is 100% secure. We strive to protect your personal information, but we cannot guarantee absolute security. Users also play a role in security – please keep your password confidential and notify us immediately if you suspect any unauthorized access to your account.

    Retention Period

    CRIA’s approach is to retain personal information for as long as necessary to fulfill the purposes for which it was collected, or as required by law. In practice, this means:

    • Default Retention: We retain your account data and children’s records indefinitely to provide a continuous service. Childcare records can be important for many years, and parents or providers may wish to reference past data (e.g., attendance history or health notes). Our system is designed to serve as a long-term record-keeping tool, so we do not routinely purge data after a set period.
    • Deletion Requests: You have the right to request deletion of personal information (see Section 6 on Your Rights). Upon a legitimate deletion request, we will securely delete or anonymize the requested personal data from our active databases, unless we are required or permitted to keep it for legal reasons.
    • Legal Retention Requirements: Childcare providers are often required by law to retain certain records for minimum periods. For example, in BC, child care licensing regulations mandate that records like attendance, immunization, and incident logs be kept for at least two years after a child leaves the facility. CRIA’s indefinite retention policy assists providers in exceeding such minimum requirements. If a provider needs to remove data after the legal retention period, they can do so by request. Conversely, if a parent requests deletion of data that a provider legally must retain, the provider may need to export and archive that data outside of CRIA before we delete it from our servers. We encourage providers to understand their record-keeping duties under CCALA and related regulations.
    • Backup Copies and Logs: Even after deletion of data from active use, residual copies may persist temporarily in our backup systems. We periodically cycle through and securely delete old backups. In any case, such residual data will remain protected and will not be used or shared except if required for system integrity or legal purposes.

    In summary, we keep your data while your account is active so that you have a complete archive of information. If you stop using CRIA or request deletion, we will honor that request (after verifying your identity and permissions) and will only retain what is necessary for legal compliance or legitimate business purposes (e.g., outstanding billing issues or dispute resolution). When personal information is no longer needed, we will destroy it securely.

    5. Consent and Children’s Privacy

    Consent Basis: CRIA operates on the basis of consent for the collection, use, and disclosure of personal information, particularly when it comes to children’s data. Canadian law (PIPEDA/PIPA) requires that consent be “meaningful” – individuals must understand what they are consenting to. Given that our Service deals with young children’s information, special considerations apply:

    • Parental/Guardian Consent for Children: In general, children under the age of 13 cannot provide meaningful consent on their own, so consent must be obtained from a parent or legal guardian. CRIA’s policy is that any personal information about a child that is entered into our system must have the authorization of the child’s parent or guardian. This is typically obtained in one of two ways:

      • Direct Parent Input: A parent/guardian who uses CRIA to manage their child’s information inherently consents by entering that data themselves.
      • Provider Obtains Consent: A childcare provider using CRIA must obtain written or documented consent from each child’s parent/guardian to input that child’s personal information into CRIA. We strongly encourage providers to include CRIA in their enrollment or privacy consent forms. By agreeing to our Terms (Section 3 above), providers explicitly confirm they have obtained the needed consent from parents for any child data they add.

    • Providers Acting as Agents: When a provider enters child information, in privacy law terms, the provider may be considered an “agent” of the parent for the purposes of conveying the parent’s consent (since the parent entrusted the child’s care and information to the provider). Regardless of the terminology, CRIA will assume that proper consent has been secured by the user submitting the child’s data. If we are informed that data was added without appropriate consent, we will take steps to remedy this (for example, deleting the data if consent cannot be obtained promptly, and potentially suspending the non-compliant user).

    • Age of Child Users: CRIA is not aimed at children to use themselves. We do not knowingly allow minors to create their own accounts. If in the future an aspect of CRIA is designed for older youth (e.g., a teen helper or a feature for older students), we will adjust consent practices according to age – for instance, requiring parental consent up to a certain age and then a transition to the youth’s consent when appropriate, in line with PIPEDA’s guidance for ages 13–18. But as of now, only adults (providers or guardians) have accounts and logins.

    • Withdrawal of Consent: A parent or guardian has the right to withdraw consent for further collection/use of their child’s information. Practically, this might mean they decide to unenroll from CRIA and request deletion of the child’s data. If this occurs, we will work with both the parent and provider to carry out the request, while respecting any record-keeping laws (as noted in Retention above). Withdrawing consent may mean that certain services (like digital record access) can no longer be provided for that child.

    In summary, obtaining lawful consent is a joint obligation: CRIA obtains consent from the adult users (through agreement to this policy) and relies on childcare providers to have obtained consent from parents for any child data they handle. We are committed to children’s privacy and follow all legal requirements to protect it. If you have any concerns about a child’s personal information on CRIA, please contact us (see Section 7, Contact).

    6. Your Rights and Choices

    We strive to ensure transparency and control for users regarding their personal information (and their child’s information). Under Canadian privacy laws, and reflected in our policies, you have the following rights and choices:

    • Access Your Information: You have the right to request a copy of the personal information we hold about you or your child. In most cases, much of this information is directly accessible by logging into your CRIA account (for example, you can see and review the child’s profile, attendance records, etc., through the app). If you need a comprehensive export or have difficulty accessing something, you can contact us to request it. We will provide the information, provided we can verify your identity/authority, within the timeframe required by law.

    • Correct or Update Information: If any personal information about you or your child is inaccurate or incomplete, you have the right to request a correction. Parents and providers can directly edit many details in the app (such as updating an address, fixing a misspelled name, or correcting allergy info). For any fields you cannot edit yourself, you may contact us or ask the record-holder (e.g., a provider might update a child’s file at a parent’s request). We will correct any verified inaccuracies promptly and notify any third parties as required by law.

    • Withdraw Consent / Delete Information: You can withdraw your consent to our continued use or retention of personal information. This includes the right to request deletion of personal data. For example:

      • A parent can ask to delete their account and their child’s personal information from CRIA.
      • A provider can ask us to delete certain records that are no longer needed (perhaps after a child leaves and after any mandatory retention period).

      We will honor deletion requests to the extent possible: We may need to retain certain data if required by law or for legitimate purposes (e.g., maintaining transaction records, or if a legal issue is pending). We will explain if any data cannot be fully deleted. Deletion of a child’s data likely requires coordination between provider and parent, as noted earlier, to ensure it’s okay to remove. Once deleted, data may persist in backups for a short time but will be removed in accordance with our retention policy.

    • Portability: If you need a structured electronic copy of the data you provided to CRIA (data portability), we will work with you to provide an export in a common format (for instance, CSV or PDF reports of your child’s records). This can be useful if you are moving to a different service.

    • Account Settings: Where applicable, you can adjust your account settings to control certain preferences: for instance, opting out of non-essential communications. If we ever send newsletters or optional updates, we will provide an unsubscribe mechanism. (Note: You cannot opt out of critical service or legal notices while you have an account, except by discontinuing use, because those are integral to our relationship with you.)

    • Complaints: If you believe your privacy rights have been violated or you have a complaint about CRIA’s handling of personal information, you have the right to lodge a complaint with us (we take all complaints seriously and will investigate promptly). You also have the right to escalate concerns to relevant privacy regulators. For example:

      • In Canada, you can contact the Office of the Privacy Commissioner of Canada (OPC) for PIPEDA issues.
      • In British Columbia, you can contact the Office of the Information and Privacy Commissioner for BC (OIPC) under PIPA.

      We would appreciate the opportunity to address your concerns directly first, but you are not obligated to approach us before contacting regulators.

    To exercise any of these rights, please refer to the Contact section below. We may need to verify your identity (and/or authority, if you are making a request on behalf of someone else like your child) before fulfilling the request. This is to ensure we don’t disclose personal data to an unauthorized person. There is no fee for making such requests, except in exceptional cases as allowed by law (and even then, it would be minimal and explained to you).

    7. Contact Us

    CRIA, Inc. is the organization responsible for the Service and the handling of personal information within it (we are the "organization" under PIPA/PIPEDA). If you have any questions, concerns, or requests regarding these Terms of Service or the Privacy Policy, please contact us:

    • Email: info@mycria.com – for general inquiries or support. (For privacy-specific questions, you can also address it to "Privacy Officer" in the subject line.)
    • Mail: CRIA, Inc. – #1803-838 W Hasting Street, Vancouver, BC, Canada (V6C 0A6).

    Privacy Officer

    In compliance with PIPA, we have a designated Privacy Officer who is accountable for our compliance with privacy laws and this policy. You may reach them through the contact info above (please specify that your inquiry is for the Privacy Officer).

    We aim to respond to all legitimate inquiries without undue delay and at most within the timeframes required by law (generally within 30 days). If you contact us to exercise a rights request (access, correction, etc.), we will guide you through any verification steps and then process your request. If we need an extension or cannot fulfill your request for some lawful reason, we will explain the situation to you.

    Thank you for reading CRIA’s Terms of Service and Privacy Policy. We value your trust and are dedicated to providing a safe, compliant, and useful service for managing childcare information. By using CRIA, you help streamline childcare record-keeping and communication, and we are committed to upholding our obligations to you under these terms and the law.