When Our child’s daycare center switched to Kaymbu, it appeared like this app was made by a kid who just learned HTML. Turns out it really is just a wrapper around a bad website. Digging deeper, I quickly found out that there was no thought put into how the site was made, or how families would use it. All of the data about your child is stored on publicly accessible URL’s. Any data added by your school/childcare center, including child’s location, pickup/drop off times, photos, videos, and anything else your school uploads, is accessible on the web without a password. Security by obscurity for your child… Furthermore, upon leaving the center, I requested all data to be exported, and removed from Kaymbu servers. The childcare center also made this request, as somehow they have all of the rights to your child’s digital data when using these apps. Kaymbu has not exported the data, and is now ignoring all follow-up requests to do so. (2 months after both parties requested).
Update to developer response: the security of the URL’s was brought up to the childcare center in July 2021 to which the members of your team responded “the engineering team is actively looking into this and they are hoping to have a clear answer for you soon”. The issue was quietly “resolved” many months later with no update. I put “resolved” in quotes because I’m speculating that the URL’s are now just hidden from parents, but still universally accessible. This would make sense since there has been no change to the authentication process, which would likely be needed to secure the URL’s.
Even if the issue was resolved, my point still stands that the initial implementation of this app did not take security or the end-user’s privacy or usability into account.
As far as my data deletion request goes, it has now been “resolved” after several months of emailing your team almost weekly. And as a side note: somehow they were able to re-gain access to the deleted data (they forgot to export it prior to “deleting”) after confirming it was completely removed from the servers. I have zero confidence that the data has actually been removed, or any changes have been made to the app (website) that would change my original review in any way.