Privacy Policy

Effective date: [EFFECTIVE DATE]

This Privacy Policy explains how [OPERATOR LEGAL NAME] ("Life Skills School," "we," "us") collects, uses, and protects information when a parent or guardian uses our website and learning program (the "Service"). We built this for families, and we designed it to collect as little about your child as possible.

1. The account belongs to a parent

Life Skills School is a tool for parents and guardians. The account holder must be 18 or older. The parent is the only person who logs in. There are no separate child accounts and no child logins. Your child learns using your session, in a "kid mode" you control. Because we collect personal information from you (the parent), not from your child, we are able to keep a very light data footprint for the child.

2. Information we collect

From you, the parent:

• Your name and email address, and a password (handled by our authentication provider).
• Your scheduling preferences and the settings you choose.
• If and when paid plans launch: billing details, which are processed by our payment provider (Stripe). We never store full card numbers on our servers.

About your child (entered by you):

• A first name or nickname and an age. That's it. We do not collect a child's last name, email, photo, voice, location, or other contact information.
• Optional interests you choose, used only to tailor examples.
• Your child's own learning data: lesson progress, quiz attempts, flashcard review state, and any notes they write in the private "curiosity journal."

Automatically:

• Basic device and usage information needed to run and secure the Service.
• De-identified product analytics (opaque account or profile IDs plus lesson and progress events). Analytics never includes a child's name or any free text. We do not use session recording or input autocapture, so journal and form text is never captured.

3. How we use information

• To provide the lessons, save progress, and tailor the plan to your schedule.
• To communicate with you, the parent (for example, account and, if you opt in, progress or reminder emails).
• To process payments, if you choose a paid plan.
• To keep the Service secure, debug problems, and comply with law.

We do not sell or rent your or your child's information, show your child advertising, build advertising profiles of your child, or use your child's data for any purpose other than running the Service.

4. Children's privacy (COPPA and state teen-privacy laws)

Protecting children is a first-class requirement for us, not an afterthought.

• We minimize: the only data about a child is a first name or nickname and an age, plus that child's own learning progress.
• Any identifiers used to save your child's progress are used only for the internal operation of the Service (authenticating the session and saving that child's work). They are never used for advertising, profiling, or sharing with third parties.
• We apply this same conservative, no-ads, no-profiling, no-selling posture across the entire 7 to 13 age range, so it satisfies both COPPA and state teen-privacy laws.
• The curiosity journal is private to your child and you, is never sent to any third party, and each entry can be deleted. A gentle in-product note reminds your child not to write private personal details.
• As the parent, you can review, edit, and delete your child's data, and close the account, at any time (see Section 7).

5. How we share information (sub-processors)

We share information only with service providers ("sub-processors") that help us run the Service, under contracts that require them to protect it. Our current sub-processors are:

• Supabase — database and authentication.
• Vercel — website hosting.
• Resend — transactional and (opt-in) parent email. (used when email is enabled)
• Stripe — payment processing. (used only if and when paid plans launch)

We may also disclose information if required by law, to protect rights and safety, or as part of a business transfer, in which case we will honor the commitments in this policy. (We keep an up-to-date sub-processor list and update this section as it changes.)

6. Data retention and deletion

We keep your child's data only while your account is active. When you delete a child profile or your account, we hard-delete or irreversibly anonymize that child's personal data within [30] days, accounting for routine backups. You can request deletion at any time at [privacy@your-domain.com].

7. Your choices and rights

As the parent and account holder you can:

• Review, edit, or delete your child's first name/nickname, age, interests, and learning data from your dashboard, or by contacting us.
• Close your account, which removes the associated child data per Section 6.
• Access or correct your own account information.
• Opt out of non-essential (marketing) email at any time via the unsubscribe link; you may still receive essential account messages.

Depending on where you live, you may have additional rights under your state or provincial privacy law. Contact us at [privacy@your-domain.com] to exercise them.

8. Security

We use encryption in transit, sensible encryption at rest, least-privilege access, regular backups, and an incident-response plan. No method of storage or transmission is perfectly secure, but we work to protect your family's data.

9. Email

We send email only to the parent. Marketing email (if any) follows CAN-SPAM (US) and CASL (Canada), including a working unsubscribe link and our mailing address. Essential account and billing messages are not marketing.

10. Where we operate

The Service is offered to families in the United States and Canada, and data is processed in those regions or by the sub-processors listed above. We are not currently directed at the EU or UK.

11. Changes to this policy

If we make material changes, we will update the effective date and, where appropriate, notify you by email. Continued use after an update means you accept the revised policy.

12. Contact us

Questions, requests, or concerns: [privacy@your-domain.com]
[OPERATOR LEGAL NAME], [MAILING ADDRESS]