Privacy Policy
Last updated: May 24, 2026 · Version 2026-05-24
Pico Parade, Inc. ("we", "us", or "our") operates the Pico Parade attendance tracking application ("Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding that information.
1. Information We Collect
Account Information
- Name and email address (providers and guardians)
- Facility name, address, and licensing details (e.g., SSPS number)
- Authentication credentials (passkeys; passwords are stored only as cryptographic hashes)
- Profile photos uploaded by providers and guardians, and facility photos uploaded by facility owners
Child Information
- First and last name
- Date of birth
- Enrollment status
- Associated guardians and their relationship
- Selected child avatar identifier, when a guardian chooses one
Attendance Records
- Check-in and check-out timestamps (server-generated)
- Identity of the adult who performed the check-in or check-out
- Authentication method used (e.g., passkey, signature)
- Digital signature data (when applicable)
Technical Information
- Browser and device information used during authentication (e.g., WebAuthn attestation data)
- Session data necessary to keep you logged in
- Server logs, including IP addresses, request paths, and error data, retained for diagnostic and security purposes
Record of Acceptance
- The date, time, and version of the Terms of Service and Privacy Policy you have accepted
2. How We Use Your Information
We use the information we collect to:
- Provide the attendance tracking Service;
- Generate compliance records to help facilities meet Washington State DCYF requirements;
- Authenticate users and maintain account security, including investigating suspicious activity;
- Send essential service communications (account verification, password resets, invitations, security notices);
- Diagnose, debug, and improve the Service, including during the beta period;
- Comply with our legal obligations.
We do not use your information for advertising, ad targeting, or profiling, and we do not use child information for any purpose other than providing the Service.
3. Information About Children
Pico Parade collects information about children from their authorized daycare providers and guardians. We do not collect information directly from children, and children do not interact with the Service.
Providers and guardians may upload profile photos for their own accounts, and facility owners may upload photos for their facility. Photo uploads are not permitted for children. Guardians may choose from a fixed list of generated avatars for children linked to their account. We store only the selected avatar identifier, not a photo of the child. Avatar seeds are predefined by Pico Parade and are not derived from child names, birth dates, or other child information.
The Service is not an educational record system and is not intended to fall within the scope of the Family Educational Rights and Privacy Act ("FERPA"). Information about children is used solely to provide attendance tracking and to generate required state compliance records.
We do not use child information for facial recognition, face embeddings, automated identity matching, AI tagging, advertising, or model training.
4. Data Sharing
We do not sell, rent, or share your personal information with third parties for marketing, advertising, or profiling purposes.
We may share information only in these limited circumstances:
- With your explicit consent;
- To comply with legal obligations, court orders, subpoenas, or lawful government requests;
- To protect the rights, property, or safety of Pico Parade, our users, or the public, including investigating potential violations of our Terms;
- With service providers who assist in operating the Service, under data processing terms that limit their use of the information (see below);
- In connection with a merger, acquisition, or sale of all or part of our business, in which case we will provide notice before your information is transferred and becomes subject to a different privacy policy.
5. Service Providers
We rely on a small number of third-party providers to operate the Service. These providers may process limited information on our behalf and only for the purposes of delivering their services to us:
- Cloud hosting and database infrastructure — used to host the Service and store your data
- Transactional email delivery — used to send account verification, password reset, and invitation emails
- Error monitoring and logging — used to diagnose technical problems with the Service
- File storage and CDN — used to store uploaded profile and facility photos, and to display selected child avatars. We use predefined avatar identifiers for children and do not send child names, birth dates, or photos to the avatar provider.
We maintain a current list of named subprocessors and will provide it on request to privacy@picoparade.com. We will notify registered users by email of any material change to our subprocessors.
6. Data Security
- All data is encrypted in transit using TLS, and at rest using industry-standard encryption;
- Passwords are cryptographically hashed and never stored in plaintext;
- Authentication uses WebAuthn/passkeys where available;
- Access to attendance records is restricted to authorized facility owners and linked guardians;
- We maintain internal access controls so that only authorized personnel can access production systems, and only when necessary to operate or support the Service.
No method of transmission or storage is perfectly secure. While we work to protect your information, we cannot guarantee absolute security.
7. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users without unreasonable delay, and in any case within the timeframes required by applicable law, including the Washington Data Breach Notification Act (RCW 19.255). Where required by law, we will also notify the Washington State Attorney General and other applicable regulators.
Notifications will describe, to the extent known: the nature of the incident, the types of information involved, the steps we have taken in response, and steps you can take to protect yourself.
8. Data Retention
- Attendance records: Retained for a minimum of five (5) years to support Washington State recordkeeping requirements (WAC 110-300-0455).
- Account data: Retained while your account is active. Deleted upon request after account closure, subject to legal retention requirements for any attendance records associated with your account.
- Guardian data: Soft-archived when removed from a facility; permanently deleted upon facility owner request, subject to legal retention requirements.
- Uploaded photos: Profile photos (providers and guardians) and facility photos are retained while the account or facility is active. Deleted upon account closure or facility deletion request.
- Child avatars: Retained only while the avatar remains selected on the child's profile. A linked guardian can change or clear the avatar in account settings.
- Server logs: Retained for a limited operational period (typically no longer than 90 days) unless extended retention is required for security investigation.
9. Your Rights
You have the right to:
- Access your data — request a copy of all information we hold about you or your facility;
- Correct inaccurate information in your account or records;
- Export your attendance data in a standard format (CSV);
- Delete your account and associated data (subject to legal retention requirements for attendance records).
- Delete uploaded photos from your own profile or your facility;
- Change or remove child avatars for children linked to your guardian account.
Who Can Exercise Rights for Child Records
Because the Service is used by multiple authorized adults on behalf of a child, requests relating to a child's records are handled as follows:
- A facility owner may request access, correction, export, or deletion of records associated with their facility;
- A guardian may request access to or export of records of children to whom they are linked in the Service;
- For requests to delete a child's records, or for disputes between guardians, we will generally defer to the facility owner who manages the child's enrollment, and we may require documentation. We do not adjudicate custody or guardianship disputes.
To exercise any of these rights, contact us at privacy@picoparade.com. We may need to verify your identity before fulfilling a request.
10. Cookies and Tracking
Pico Parade uses only essential session cookies required for authentication and login functionality. We do not use advertising cookies, third-party analytics trackers, or third-party tracking scripts. We do not respond to Do Not Track signals because we do not perform the kind of tracking those signals are designed to control.
11. Communications From Us
We send only essential service communications: account verification, password resets, invitations, security notices, notices required by law, and notices of material changes to these documents. We do not send marketing or promotional email. If we ever introduce optional communications in the future, we will provide a way to opt out before sending them.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify registered users by email at least thirty (30) days before the changes take effect, and we will require affirmative re-acceptance the next time you access the Service. The "Last updated" date and version at the top of this Policy will always reflect the most recent revision.
13. Contact
Questions or concerns about this Privacy Policy, or wish to exercise your rights? Contact us at privacy@picoparade.com.