Last Updated: March 3, 2026

Children's Online Privacy Protection Act Compliance

Vitasphere, LLC (DBA HeroMe) is fully committed to complying with the Children's Online Privacy Protection Act (COPPA). This policy explains how we protect children's privacy and what rights parents have regarding their children's information.

1. Overview

COPPA is a U.S. federal law that protects the privacy of children under 13 years old. HeroMe is a platform for parents that creates personalized stories for children ages 4-12, so COPPA compliance is central to how we operate. This policy reflects the 2025 COPPA amendments (effective April 22, 2026).

Key Principle: HeroMe is a service for parents. Only parents create accounts and interact with the platform. Children do not have accounts and do not provide any information directly to HeroMe. All information about children is provided by their parent or legal guardian.

2. Information We Collect About Children

We collect only the minimum information necessary to provide our service:

| Information | Purpose | Required? |
|---|---|---|
| First name only | Personalize stories with child's name | Yes |
| Age or date of birth | Age-appropriate content and pacing | Yes |
| Behavioral challenges | Story personalization | Yes |
| Comfort objects/interests | Story personalization (companion characters) | No |
| Pronouns (he/she/they) | Correct pronoun usage in stories | No |
| Home setting description | Story setting personalization | No |
| Reading level | Age-appropriate vocabulary and pacing | No (auto-set) |
| Onboarding chat transcripts | Extracting profile information from parent conversation | Yes (auto) |
| Parent feedback on stories | Adapting tone, pacing, and content of future chapters | No |

3. Information We Do NOT Collect

We explicitly do NOT collect:

  • Last names or full names of children
  • Home addresses or school information
  • Phone numbers of children
  • Email addresses of children
  • Photos, videos, or audio recordings of children
  • Social Security numbers or government IDs
  • Precise geolocation data
  • Persistent identifiers for behavioral advertising
  • Any information directly from children

How We Obtain Consent

Before collecting any information about a child, we require verifiable parental consent:

  1. A consent notice is displayed before any child information is requested
  2. Parent creates an account using their own email address and verifies via one-time code
  3. Parent explicitly checks separate consent boxes: one for data collection and one for AI processing of their child's information
  4. Parent enters the child's information themselves
  5. Credit card validation confirms the parent is an adult with a valid payment method

Consent Verification

We use credit card verification as our primary method of verifiable parental consent (VPC), which is recognized by the FTC as an approved consent mechanism. The parent's card is validated through Stripe to confirm they are an adult. We also record the consent timestamp and IP address for our records.

Separate Consent for AI Processing

In accordance with the 2025 COPPA amendments, we obtain separate consent for AI processing of your child's information. You may consent to our collection and internal use of your child's information without consenting to disclosure to third-party AI services. However, AI processing is necessary to generate personalized stories, so declining AI consent means stories cannot be created.

5. Parental Rights Under COPPA

As a parent or guardian, you have the right to:

Review Information

Request a description of the types of information collected about your child and review the actual information. Access your child's profile anytime through your account dashboard.

Delete Information

Request deletion of your child's information at any time. Use the "Delete Profile" option in Settings or contact us at privacy@herome.ai.

Refuse Further Collection

Refuse to allow any further collection or use of your child's information. Note that this may require us to delete the child's profile and associated stories.

Withdraw Consent

Withdraw your consent at any time by closing your account or contacting us.

6. How We Use Children's Information

Children's information is used ONLY to:

  • Generate personalized stories
  • Provide age-appropriate content and pacing
  • Track reading progress within the family's account
  • Improve our story generation algorithms (using anonymized, aggregated data only)

We NEVER use children's information for:

  • Advertising or marketing to children
  • Behavioral targeting or profiling
  • Sale to third parties
  • Any purpose unrelated to providing our service

7. Third-Party Sharing

We share children's information only with service providers who are:

  • Necessary to provide our service (e.g., cloud hosting, AI processing)
  • Bound by contractual obligations to protect children's privacy
  • Prohibited from using the information for any other purpose
  • Required to maintain appropriate security measures

Our service providers include:

  • Supabase: Database hosting (data encrypted at rest). Stores profile data, stories, and account information. Operates under a Data Processing Agreement.
  • Vercel: Application hosting and privacy-focused analytics (aggregate page views only, no PII, no cookies). Operates under a pre-signed Data Processing Agreement.
  • Google Gemini (paid API): AI story text generation. Your child's name is pseudonymized (replaced with a placeholder) before any data is sent to Google. Google receives the child's age range, challenge category, and story context — but never the child's real name. Google does not use paid API data to train models and retains prompts for up to 30 days for abuse monitoring only. Operates under Google Cloud's Data Processing Addendum.
  • Replicate: Story illustration generation. Only age-range hints (e.g., "young child") and visual scene descriptions are sent. No names, personal details, or identifiable information is included in image prompts.
  • Stripe: Payment processing. Handles parent payment data only — no children's information is shared with Stripe. Operates under Stripe's Data Processing Agreement.

All service providers operate under written data processing agreements that require them to maintain the confidentiality, security, and integrity of any data they process on our behalf (per COPPA 16 CFR 312.8). None of our service providers use children's data to train AI models.

We do not condition your child's participation in our service on the collection of more personal information than is reasonably necessary to provide personalized stories.

8. Data Security

We maintain strict security measures to protect children's information:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls limiting who can view children's data
  • Regular security audits and vulnerability assessments
  • Employee training on COPPA compliance
  • Incident response procedures for potential breaches

9. Data Retention Policy

In accordance with the 2025 COPPA amendments (16 CFR 312.10), we maintain this written data retention policy addressing: (a) the purposes for which children's personal information is collected, (b) the business need justifying retention of that information, and (c) a specific timeline for deletion once the business need no longer exists.

We retain children's information only as long as reasonably necessary to fulfill the purpose for which it was collected. Below are our retention periods, the purpose of collection, and the business justification for each:

| Data Category | Purpose of Collection | Retention Period | Business Need for Retention |
|---|---|---|---|
| Child profile (name, age, preferences) | Personalize AI-generated stories with age-appropriate content and familiar details | Duration of active subscription | Required to generate personalized stories and maintain reading continuity across chapters |
| Generated stories and illustrations | Deliver the primary service: personalized stories for the child to read | Duration of active subscription | Stories are the primary service deliverable; parents re-read chapters with their children |
| Onboarding chat transcripts | Extract child profile data from the parent's conversational onboarding | 90 days after profile creation | Used to extract profile data; no longer needed after profile is established |
| Parent feedback on chapters | Adapt tone, pacing, and content of future chapters to parent preferences | Duration of active subscription | Feedback shapes tone and pacing of subsequent chapters within the same story |
| Consent records (timestamp, IP) | Document verifiable parental consent as required by COPPA | 3 years after account closure | Legal compliance — proof of verifiable parental consent |

Deletion Timelines

  • Deleted profiles: All child data permanently deleted within 30 days
  • Closed accounts: All data permanently deleted within 30 days (except consent records retained for legal compliance)
  • Inactive accounts: Accounts with no login for 12 months receive a notification; if no response within 30 days, all data is deleted

When data is deleted, it is permanently removed from our databases and all service provider systems. We do not retain copies for analytics or any other purpose.

10. Not Medical or Therapeutic Services

HeroMe is an AI-powered storytelling platform for entertainment and educational purposes only. It is not a medical device, therapeutic intervention, or healthcare service. Information collected about children is used solely to personalize stories and does not constitute a clinical assessment, diagnosis, or treatment. Parents and guardians are solely responsible for all decisions regarding their child's health, wellbeing, and development. For concerns about your child's health or behavior, consult a qualified healthcare professional.

11. Contact Us

For questions about our COPPA compliance or to exercise your parental rights:

Vitasphere COPPA Compliance Officer
Email: coppa@herome.ai
Phone: Contact via privacy@herome.ai
Address: 701 South St, STE 100, Mountain Home, AR 72653, United States

We will respond to all COPPA-related requests within 48 hours.

12. FTC Information

For more information about COPPA, visit the Federal Trade Commission's website at ftc.gov/coppa.

To file a complaint about a potential COPPA violation, contact the FTC at ftc.gov/complaint.