BLOG

Privacy, Security & Data Protection at Kindo - A CTO's Note to Schools & Families

A note from Simon Hartley (Kindo CTO), on how we handle your information, what our legal privacy documents mean in practice, and why we’ve built our approach this way.

Simon Hartley
June 8, 2026

Why I'm writing this

Over the past year, the same themes come up again and again: caregivers and schools want to know their student's data is secure and protected and, increasingly, what role AI does (and does not) play.

Where is my child's data stored? Who at Kindo can see it? Is AI involved? Are you selling any of this?

Those are fair questions, and they deserve a clear answer from the people responsible for keeping your data safe. I’m Simon Hartley, CTO at Kindo, my team and I are responsible for where your data lives, who can access it, what we encrypt, what we monitor, and which third parties we trust with any of it.

The following is a short summary of the key points. If you want to go deeper, the rest of this article explains how we handle data in practice, and the reasoning behind our approach.

What Kindo does (and what we deliberately don't do)

Before anything else, here are three things I'd like to be clear on.

1. We are not an advertising platform. Kindo’s job is to make payments simple for caregivers, and to take administrative burden off schools, covering everything from fees to, lunch orders to activities and trips. We only collect the data necessary to make it easy to pay, and nothing more. We don't and won’t sell your data. We don't share it with advertisers. We don't profile you or your child for anyone, including ourselves.

2. We take a careful, standards-led approach to privacy and security. We’re serious about privacy and security, and we build against recognised standards and best practice. We are a registered Financial Services Provider, have been assessed against Safer Technology 4 Schools (ST4S) and are on the approved vendors list from the Ministry of Education in NZ. This programme for ST4S involves an annual assessment and commitment to privacy and security.

3. Your data is not used to train AI models. Not ours, not our vendors'. This is a contractual restriction with every AI tool we use, not a promise of best-effort. Where our payment providers uses machine learning to spot potentially fraudulent transactions, which is an improvement to your security and privacy, a human at Kindo still reviews any contested outcome. In the future we will assess where AI can best help caregivers and schools, but we’ll only expand its use when we can do so with strong privacy and security controls and clear boundaries.

If those three points are all you read, you’ve got the key information. Keen to learn more? Read on.

Want the 2-page version? Download our overview here.

The information we hold, and where it comes from

The information Kindo holds depends on how you use the service. In broad terms, it falls into four categories.

Account Holder details: This includes things like your name, email, phone number, and password. Your password is stored as a one-way cryptographic hash, never in readable form. Even Kindo staff cannot see your password.

Member details: The student or organisation (school) you're purchasing for. This typically includes their name, room number, year level, group/team memberships (where applicable) and reaches us via your school's student management system.

Order and payment information: What you've ordered, what's been charged or refunded, answers to questions, and a non-sensitive reference for any saved payment method. We never store full credit card numbers; those live with our payments provider, not with us. We are PCI-DSS compliant as a level 3 merchant.

Technical information: IP addresses, device and browser information are collected automatically when you use the service. We use this to keep the service running, to identify problems, and to spot suspicious activity.

Most of this reaches us in one of two ways. You provide it directly when you create an account, place an order, or update your details. Your school provides a small amount of it ahead of time, typically the caregiver's name and email so that when you sign up, your child can be linked to your account without you having to type everything in twice. Schools share this kind of information with us so we can deliver the services they've asked us to provide, and the arrangement is consistent with Information Privacy Principle 3A of the Privacy Act 2020, which covers situations where personal information is collected indirectly.

Where we store your data, and why

Kindo runs on Amazon Web Services (AWS), in their Sydney region.

New Zealand does not currently have a native hyperscale cloud region that meets the requirements we've set for ourselves. Sydney is the closest jurisdiction with privacy protections comparable to New Zealand's, and AWS is the infrastructure that major banks, government agencies and healthcare providers rely on. We pay a premium to keep your data in-region rather than letting it default to a US availability zone, because we think that matters.

Where personal information is transferred or processed outside New Zealand, we take steps to make sure it remains protected by safeguards comparable to the Privacy Act 2020, as required by Information Privacy Principle 12.

How we keep it safe

This is the part of the document that the team and myself are most directly responsible for. There are six layers worth describing.

Encryption, everywhere it matters. Information moving between your device and Kindo is encrypted in transit using TLS, the same technology that secures online banking. Information stored in our systems is encrypted at rest using AES-256, an industry-standard cipher used by governments and financial institutions worldwide. Backups are encrypted using the same standard.

Tightly controlled access. Kindo staff only get access to the information they need to do their job, and nothing more. All staff access requires multi-factor authentication. Access is reviewed regularly, logged, and removed promptly when someone changes role or leaves the company.

Continuous monitoring. Our systems are continuously monitored for unusual activity. We run regular vulnerability scans, apply security updates promptly, and have alerts ready to wake a human up if something looks wrong outside business hours.

Payments handled by specialists. Card payments are processed securely  by Stripe, a PCI-DSS Level 1 compliant payment provider. Kindo never sees, processes or stores your full card number. We deliberately do not handle card data and believe the safest way to protect card data is to never hold it in the first place.

Reliable backups. Your data is backed up regularly so that, in the unlikely event something goes wrong, we can restore it. Backups are encrypted, held on a rolling basis, and we test restoration as part of our normal disaster-recovery practice  because a backup you've never tested isn't really a backup.

Independent assurance. As mentioned earlier, we've been independently certified by Safer Technology 4 Schools (ST4S), the body that New Zealand and Australian education authorities use to assess ed-tech vendors against agreed privacy, safety and security standards. ST4S certification is not something a vendor can self-assert, it requires evidence, and it carries weight with the schools that rely on it. In addition, we engage approved third-party security firms to perform regular security penetration tests of our systems. An attestation letter is available to schools on request. We’re also a registered Financial Services Provider (FSP) and  follow strict guidelines against money laundering activities.

Security is not a static thing. The threats change, and so do the tools available to defend against them. We continuously review and improve our security and privacy controls in light of new threats and better technologies, and we expect to be doing things differently in two years than we do today.

AI in Kindo

Kindo uses a small number of AI-powered tools, and they are all there to help our  Account Holders find their way around the service and get answers to common questions.

What our AI tools do. They help you navigate Kindo, point you to the right page, and answer common questions drawn from our own help content.

What our AI tools don't do. They don't make decisions about you, your child, your payments, or your account. They aren't directed at children, and they don't try to identify or profile child users.

What happens to your data. Customer data is not used to train our AI tools or those of our vendors. Our AI providers are contractually restricted from doing so.

Transparency. Responses from our AI tools are clearly identified as AI-generated. A human support representative is always one email or phone call away.

We also think it's worth being honest about where we set the bar for future AI features. We want to make life easier for our users, however any new AI tool we consider has to clear a checklist before it goes anywhere near a customer-facing workflow: data minimisation, no-training clauses, data residency in a comparable jurisdiction, and a human-in-the-loop on anything that could materially affect a person. For anything that would touch a student-facing workflow, the bar is higher again, and no AI vendor has yet cleared it. If that ever changes, we'll inform you.

What happens if something goes wrong

No system is perfect, and any company who tells you otherwise is selling something.

Kindo has a written breach response plan. If a privacy breach occurs that could cause serious harm, we'll notify the affected people and the Office of the Privacy Commissioner, as required under Part 6 of the Privacy Act 2020.

In practice, that means: within the first few hours of identifying a serious incident, we contain it, we assess what data was affected, and we begin notifying. We don't wait until we have a complete picture, we'd rather tell you something useful early and follow up with detail than wait until we have a polished story.

Your rights, and how to use them

Under the New Zealand Privacy Act 2020 you have two key rights over the personal information we hold about you.

The right to ask for a copy of your information. You can ask what we hold about you and we'll provide it.

The right to correct anything that's wrong. If something we hold is inaccurate or incomplete, you can ask us to correct it. If we decide not to make a correction, you can ask that a statement of the correction you sought be attached to the information.

We aim to respond to all privacy enquiries within 20 working days.

For information about a student, your school is usually the best first point of contact, because the school is the source of that information. But if you're not sure where to start, email us anyway — we'll work with your school to get you what you need.

To make a privacy request, contact our Privacy Officer at privacy@kindo.co.nz.

How you can keep your account safe

Security works best when we look after it together. There are a few simple things that make a real difference.

  • Use a strong, unique password. Don't reuse a password you've used elsewhere. If a password from another site is compromised, you don't want your Kindo account to fall with it. I recommend the use of a password manager that makes this so easy you never have to remember a password again. (Apple Passwords, Google Password Manager, LastPass, 1Password)
  • Keep your login to yourself. Your Kindo login is for you. Sharing it, even with family or school staff, means we can't tell who is using the account.
  • Watch out for suspicious messages. If you get an email or text asking you to log in or share your account details, take a moment to check if it's really from us. We will never ask for your password.
  • Keep your device up to date. A screen lock and current operating system updates are two of the best defences against someone else getting into your account.
  • Tell us if something looks off. If you think someone else has accessed your account, or you spot anything unusual, contact us straight away at helpdesk@kindo.co.nz.

What good looks like, two years out

The expectations on services like Kindo are rising, and that's a good thing. Parents are asking sharper questions. Schools are demanding clearer evidence. Regulators are tightening the rules and AI is emerging as new attack vector.

We expect to keep raising our own bar in step. Better authentication. Clearer in-product transparency about what AI is doing and where. More independent assurance, not less. Transparency is the key to ensuring trust together with a risk based approach to managing new threats.

If something in this document doesn't sit right with you, or you have a question I haven't answered, I'd like to know. You can reach our Privacy Officer at privacy@kindo.co.nz, or you can write to me directly.

Simon Hartley
Chief Technology Officer, Kindo

Blog & Article

Latest news, tips & articles from kindo.

STORIES
The Hidden Costs of Manual Payment Processing: Why Schools Are Switching to Cashless
July 30, 2024
4
MIN READ
STORIES
Maximising School Resources: How Payment Automation Frees Up Staff Time
August 4, 2024
4
MIN READ
STORIES
Building Stronger School Communities Through Transparent Financial Management
August 14, 2024
4
MIN READ

Ready to get started?

Book a zero-obligation walkthrough of the Kindo platform with one of our specialists, to find out how we can boost revenue, reduce admin and eliminate bad debt for your school.

Thank you! We'll be in touch ASAP!
Oops! Something went wrong while submitting the form.

Make school payments simple with kindo.

Transform the way your school transacts with parents. The all-in-one payment platform for NZ schools. Boost revenue, slash admin time, and eliminate bad debt.

STFS Badge
Resources
Join the teamBlogKindo TermsmyKindo TermsPrivacy Policy
Learn More
How it worksBook a demoFAQPartnersContact Us
0508 4 KINDO or +64 9 869 5200
|   © The Growth Collective 2026