Iowa Consumer Data Protection Act (ICDPA) Compliance

Overview

The Iowa Consumer Data Protection Act (ICDPA), effective January 1, 2025, provides Iowa residents with comprehensive privacy rights regarding their personal data. Kids on the Yard is committed to protecting the privacy of Iowa residents and complying with all ICDPA requirements.

What is the ICDPA?

The Iowa Consumer Data Protection Act is a comprehensive privacy law that grants Iowa consumers fundamental rights regarding their personal data and requires businesses to implement responsible data protection practices. The law applies to businesses that conduct business in Iowa or produce products or services targeted to Iowa residents and meet specific data processing thresholds.

Your Rights Under the ICDPA

As an Iowa resident, you have the following rights under the ICDPA:

Right to Confirm and Access

You have the right to confirm whether we are processing your personal data and to access such personal data. This includes the right to obtain:

• Categories of personal data we collect about you
• Purposes for processing your personal data
• Categories of sources from which personal data is collected
• Categories of third parties with whom we share personal data
• Specific pieces of personal data we have collected about you

Right to Correct

You have the right to correct inaccuracies in your personal data, taking into account the nature of the personal data and the purposes for processing such data.

Right to Delete

You have the right to delete personal data concerning you, subject to certain exceptions including:

• Completing the transaction for which personal data was collected
• Detecting security incidents and protecting against fraudulent or illegal activity
• Complying with legal obligations
• Exercising free speech rights or ensuring others can exercise free speech rights
• Engaging in public or peer-reviewed scientific research in the public interest

Right to Data Portability

You have the right to obtain your personal data in a portable and readily usable format that allows you to transmit the data to another business without hindrance from us.

Right to Opt-Out

You have the right to opt out of:

• Processing of personal data for purposes of targeted advertising
• Sale of personal data to third parties
• Profiling in furtherance of decisions that produce legal or similarly significant effects

How We Comply with ICDPA

Data Protection Principles

Kids on the Yard complies with ICDPA through:

Data Minimization and Purpose Limitation

• Limited Collection: We collect only personal data that is adequate, relevant, and reasonably necessary for disclosed purposes
• Purpose Specification: We process personal data only for disclosed, specific, and legitimate purposes
• Retention Limits: We retain personal data no longer than reasonably necessary for stated purposes
• Regular Review: We periodically assess and update our data collection and retention practices

Transparency and User Empowerment

• Clear Privacy Notices: We provide accessible, comprehensive information about our data collection and processing practices
• Processing Records: We maintain detailed records of processing activities, purposes, and legal bases
• User Controls: We provide intuitive tools for Iowa residents to manage their privacy preferences
• Regular Communication: We keep users informed about changes to our privacy practices and legal requirements

Consumer Rights Implementation

We have established robust processes to:

• Identity Verification: Authenticate requests using secure, multi-factor verification methods to prevent unauthorized access
• Timely Response: Process verified consumer requests within 45 days of receipt
• Clear Communication: Provide requested information in accessible, plain-language formats
• Non-Discrimination: Ensure no adverse treatment or service degradation for exercising privacy rights
• Quality Control: Maintain high standards for response accuracy, completeness, and user satisfaction

Categories of Personal Data We Process

Under the ICDPA, we collect and process the following categories of personal data from Iowa residents:

Personal Identifiers and Contact Information

• Full name, email addresses, phone numbers, mailing addresses
• Account usernames, encrypted passwords, and multi-factor authentication credentials
• Government-issued identification numbers (when legally required for verification)
• Emergency contact information and authorized representative designations

Educational and Academic Information

• Student academic records, performance data, grade histories, and progress tracking
• Learning assessments, skill evaluations, standardized test scores, and educational goal setting
• Tutoring session recordings, detailed notes, recommendations, and curriculum advancement data
• Parent/guardian communications regarding educational services, student needs, and academic planning

Financial and Transaction Information

• Payment card information, billing addresses, and preferred payment method details
• Comprehensive transaction histories, subscription details, payment records, and billing cycle information
• Refund and dispute information, failed payment logs, account adjustments, and credit applications
• Financial assistance information, scholarship applications, promotional discount records, and payment plan arrangements

Technical and Usage Information

• Device information including IP addresses, browser types, operating system details, and hardware specifications
• Comprehensive website navigation patterns, service usage data, session duration, feature utilization, and interaction logs
• Customer support communications, help desk tickets, technical issue reports, and user feedback submissions
• Platform preferences, account settings, accessibility configurations, and personalization choices

Communication and Engagement Data

• Email correspondence, live chat conversations, messaging histories, and communication logs
• Phone call records, voicemail messages, call duration data, and communication preferences
• Survey responses, feedback forms, product testimonials, reviews, and user-generated content
• Marketing communication consent records, preference settings, and opt-out status tracking

Sensitive Personal Data Protection

When we process sensitive personal data as defined by ICDPA (including precise geolocation data, biometric identifiers used for identification, health information, or data concerning children under 13), we implement enhanced protection measures:

Enhanced Safeguards and Controls

• Explicit Consent: We obtain clear, informed, opt-in consent for all sensitive data processing activities
• Enhanced Security: We implement additional layers of technical and organizational security measures
• Limited Processing: We restrict processing to strictly necessary purposes with clear legal justification
• Access Controls: We implement role-based access controls with detailed audit trails and monitoring
• Special Procedures: We follow enhanced protocols for sensitive data storage, transmission, sharing, and deletion

Comprehensive Consent Management

For sensitive personal data processing, we:

• Provide detailed explanations of specific purposes and categories of sensitive data involved
• Offer easy-to-understand information about potential risks, benefits, and alternatives
• Provide simple, accessible mechanisms to withdraw consent at any time
• Regularly review and reconfirm consent as appropriate based on processing changes
• Maintain comprehensive, auditable records of all consent grants and withdrawal requests

Third-Party Data Sharing and Processing

We may share personal data with carefully vetted third parties for legitimate business purposes:

Service Providers and Data Processors

• Cloud hosting and data storage providers with industry-leading security certifications and compliance frameworks
• Payment processing companies and financial institutions with full regulatory compliance and PCI-DSS certification
• Customer support platforms and communication service providers with comprehensive data protection agreements
• Educational content providers, curriculum developers, and assessment platforms with appropriate privacy safeguards

Strategic Business Partners

• Technology integration partners and software platform providers with privacy-by-design practices
• Analytics and performance monitoring services with strong privacy commitments and data anonymization capabilities
• Educational research organizations and accredited academic institutions (with appropriate institutional approvals)
• Marketing partners and advertising platforms (only with explicit user consent and opt-in preferences)

Legal and Regulatory Compliance Requirements

• Law enforcement agencies (when required by valid legal process, court orders, or emergency circumstances)
• Regulatory authorities and government agencies (as mandated by applicable state and federal laws)
• Legal counsel, professional advisors, external auditors, and compliance consultants
• Court-ordered disclosures, litigation support services, and regulatory investigation support

We do not sell personal data to third parties for monetary consideration under any circumstances.

Comprehensive Data Security Framework

We implement multi-layered security measures to protect Iowa residents' personal data:

Advanced Technical Security Controls

• Encryption Standards: Military-grade encryption for data at rest and industry-standard encryption for data in transit
• Access Control Systems: Multi-factor authentication, biometric verification, and role-based access controls
• Network Security: Advanced firewalls, intrusion detection systems, behavioral analysis, and real-time threat monitoring
• Secure Development: Privacy and security by design principles integrated throughout all system development lifecycles

Comprehensive Administrative Controls

• Privacy Training: Regular, mandatory, comprehensive training for all personnel with access to personal data
• Policy Framework: Detailed, regularly updated policies covering data handling, retention, deletion, and incident response
• Vendor Management: Rigorous security assessments, ongoing monitoring, and contractual requirements for third-party processors
• Regular Audits: Periodic internal audits, external security assessments, and compliance reviews by qualified professionals

Robust Physical Security Measures

• Facility Security: Multi-layered controlled physical access to data centers and processing facilities
• Media Protection: Secure storage, handling, transportation, and certified destruction procedures for physical storage media
• Environmental Controls: Advanced climate monitoring, fire suppression systems, backup power, and disaster recovery capabilities
• Access Monitoring: Comprehensive logging, video surveillance, and real-time monitoring of physical access to sensitive areas

How to Exercise Your ICDPA Rights

Iowa residents may exercise their privacy rights through multiple convenient and secure channels:

Submit a Comprehensive Privacy Request

• Secure Online Portal: Visit our dedicated Privacy Request Center with encrypted submission
• Direct Email: Send detailed requests to [email protected] with "ICDPA Request" in the subject line
• Dedicated Phone Line: Call our specialized privacy hotline at International: +1 786-382-2000
• Postal Mail: Send written requests to our business address with delivery confirmation

Required Information for Efficient Processing

To verify your identity and process your request efficiently and securely, please provide:

• Your complete legal name and current contact information
• Email address associated with your Kids on the Yard account (if applicable)
• Proof of Iowa residency (current utility bill, driver's license, voter registration, or similar official documentation)
• Specific and detailed description of your privacy request and desired outcome
• Any additional information that may help us locate, verify, and process your personal data request

Detailed Response Timeline and Procedures

• Initial Acknowledgment: We confirm receipt of all requests within 10 business days via your preferred contact method
• Identity Verification: Comprehensive verification process typically completed within 5-15 business days using secure methods
• Response Period: We provide complete responses to verified requests within 45 days of receipt
• Complex Requests: May require up to 90 days with advance written notification and detailed explanation of complexity
• No Charge Policy: We provide up to two comprehensive responses per calendar year at no cost to Iowa residents
• Excessive Requests: May incur reasonable administrative fees for repetitive, manifestly unfounded, or excessively burdensome requests

Appeals Process and External Review Mechanisms

If you are not satisfied with our response to your privacy request under ICDPA:

Internal Appeal Process

1. Submit Appeal: Email [email protected] with "ICDPA Appeal" in the subject line
2. Include Complete Documentation: Provide your original request reference number and detailed explanation of specific concerns
3. Thorough Review Period: We will conduct comprehensive review of appeals and respond within 60 calendar days
4. Detailed Appeal Response: We will provide comprehensive written explanation of our decision and any corrective actions taken

External Review and Enforcement Options

If you remain unsatisfied with our internal appeal response, you may pursue external remedies:

• Contact the Iowa Attorney General's Office Consumer Protection Division for complaint filing and investigation
• File complaints with relevant state consumer protection agencies and privacy enforcement authorities
• Consult with qualified legal counsel regarding your privacy rights under Iowa law and potential legal remedies
• Explore other legal remedies and enforcement mechanisms available under applicable state and federal law

Contact Information

For questions about our ICDPA compliance or to exercise your privacy rights:

Privacy Team Kids on the Yard Limitless Virtue LLC 9701 NE 2nd Ave, Suite #1069 Miami Shores, Florida 33138 U.S.A Email: [email protected] Phone: International: +1 786-382-2000

Iowa Residents Privacy Hotline: Available Monday-Friday, 9 AM - 5 PM CST

Last Updated: January 1, 2025

For more information about the Iowa Consumer Data Protection Act, visit: https://www.legis.iowa.gov/legislation/BillBook?ga=90&ba=SF262