Children's Privacy Policy

PolicifyAI is a B2B (business-to-business) compliance software platform. It is designed exclusively for adult business operators, compliance managers, developers, agency professionals, and entrepreneurs who need to generate, manage, and publish legal policy documents for their own websites and applications.

Our service is strictly for users aged 18 and over. We have no features, content, or marketing directed at children. We do not produce child-oriented content, we do not advertise on platforms primarily used by children, and we do not knowingly permit any person under the age of 18 to register for or use our platform.

• Our marketing is targeted exclusively at business decision-makers, developers, and legal/compliance professionals.
• Our product features — policy generation, embed scripts, DSAR management, CMP configuration — are commercial tools with no child-oriented equivalent.
• Our pricing tiers, invoicing, API access, and Terms of Service all presuppose adult legal capacity to enter contracts.
• Our blog, documentation, and learning content is written for adult professionals and discusses complex legal and regulatory topics.
• We do not use animated characters, simplified language, games, or other design conventions associated with child-directed services.

The Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, and the FTC's implementing Rule (16 C.F.R. Part 312, as amended in 2013 and proposed for further amendment in 2024) impose specific requirements on operators of websites and online services directed to children under 13, or operators that have actual knowledge they are collecting personal information from children under 13. Because PolicifyAI is not directed at children and does not knowingly collect their personal data, the substantive COPPA obligations that would otherwise require verifiable parental consent, parental notice, and data minimisation do not apply to us in relation to our own data collection practices.

We do, however, take our obligations under COPPA seriously in the sense that we have implemented processes to prevent children from accessing our platform and to promptly delete any child data we inadvertently receive. This policy documents those processes transparently.

This Children's Privacy Policy applies to all data processing by PolicifyAI, operated by L. Bone trading as PolicifyAI, in connection with the website at policifyai.com, our web platform, REST API, embed script, and all related services. It supplements our main Privacy Policy.

The following laws and regulations are relevant to children's privacy in the jurisdictions where our users are located, and inform the standards we adopt even where the law does not directly apply to PolicifyAI as a service not directed at children:

• Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506— prohibits the collection, use, or disclosure of personal information from children under 13 without verifiable parental consent, where the operator's service is directed at children or the operator has actual knowledge of collecting from a child under 13.
• FTC COPPA Rule, 16 C.F.R. Part 312— the implementing regulation issued by the Federal Trade Commission, which defines “personal information,” “operator,” and “directed to children,” and sets out requirements for privacy notices, parental consent mechanisms, and data security.
• Children and Teens' Online Privacy Protection Act (KOSA) / Kids Online Safety Act — proposed federal legislation that would expand protections for minors. We monitor its legislative progress and will update our practices accordingly if enacted.
• CCPA/CPRA — minors' opt-in — under the California Consumer Privacy Act and California Privacy Rights Act, businesses may not sell or share the personal information of consumers under 16 without affirmative authorisation. Since we do not sell personal information at all, this provision is satisfied by our baseline practices.

• UK GDPR Article 8 — when processing personal data of a child in connection with information society services on the basis of consent, the processing is only lawful in respect of a child aged 13 or older (the UK having applied the minimum age of 13 under Art 8(1)). For children under 13, parental or guardian consent is required.
• Data Protection Act 2018, s.9— gives effect to the UK's derogation under Art 8 by setting the UK age of digital consent at 13.
• ICO Age Appropriate Design Code (Children's Code)— while primarily applicable to services likely to be accessed by children under 18, we note the Code's standards of data minimisation, privacy-by-default, and avoidance of nudge techniques, which we apply as general design principles.

• EU GDPR Article 8 — sets the age of digital consent at 16by default, but allows member states to lower it to a minimum of 13. The child's age threshold therefore varies by EU member state (e.g. 13 in Germany, 14 in Austria and Italy, 15 in France, 16 in the Netherlands). In all cases, processing the personal data of a child below the applicable threshold for information society services requires parental consent.
• EU GDPR Recital 38— specifically recognises that children merit “specific protection” because they may be less aware of the risks, consequences, and safeguards involved in data processing.

• DPDP Act, s.9 — requires a Data Fiduciary to obtain verifiable consent from a parent or lawful guardian before processing the personal data of a child (under 18). It also prohibits tracking, behavioural monitoring, and targeted advertising directed at children.
• Given that India defines a “child” as a person under 18 — a higher threshold than COPPA or UK/EU GDPR — our blanket 18+ service requirement aligns with and exceeds this standard.

Various other jurisdictions have enacted or are developing children's privacy protections, including Australia (Privacy Act 1988, Online Safety Act 2021), Canada (PIPEDA and proposed Bill C-27), Singapore (PDPA 2012), and Brazil (LGPD, Arts. 14–16). Our 18+ service requirement and no-child-data policy represents a single coherent approach that satisfies the most protective standards across all major jurisdictions.

We do not knowingly collect, use, store, or disclose personal data from any person under the age of 13. We also do not knowingly collect personal data from persons aged 13–17. Because our service requires users to be at least 18, the intended minimum age exceeds the COPPA threshold of 13 and the DPDP Act threshold of 18.

• Full name, email address, and account credentials — our registration form is not open to users under 18. We require confirmation of the 18+ age requirement during signup and within our Terms of Service.
• Contact information — we do not collect postal addresses, phone numbers, or other contact details from any user, including children.
• Persistent identifiers— including cookies, IP addresses, session tokens, device identifiers, or similar persistent identifiers that could be linked to a child's online activities over time. Our strictly necessary cookies are functional for authenticated adult users only; analytics cookies require explicit consent.
• Geolocation data — we do not collect precise geolocation from any user, including children.
• Photos, audio, or video — we do not collect media files from users, including children.
• Health, biometric, or other sensitive data — we do not collect any special category data, including from children.
• Online activity and usage data for third-party advertising — we do not build advertising profiles, engage in behavioural targeting, or share user data with ad networks. This applies universally, including with respect to any child whose data we might inadvertently receive.

We do not design, market, or configure any aspect of our platform to attract users under 18. We do not offer features (such as games, avatars, friend networks, or simplified interfaces) that would be of particular appeal to minors. Our entire feature set — policy generation, embed scripts, CMP configuration, DSAR management — is directed at B2B commercial use cases.

We rely on a combination of contractual requirements, account controls, and design choices to prevent persons under 18 from accessing the platform.

Our registration flow includes an explicit confirmation that the user is at least 18 years old. Users must acknowledge this requirement before creating an account. This confirmation is logged as part of the account creation record.

Our Terms of Service explicitly state that the Service is available only to persons aged 18 and over, and that by accessing or using the Service, the user represents and warrants that they meet this age requirement. Persons under 18 are contractually prohibited from using the platform. Accounts found to be in breach of this requirement are subject to immediate termination.

The nature of our product itself acts as a practical barrier to underage access. PolicifyAI requires users to:

• Have a business name, website URL, and understanding of their organisation's data practices in order to use the core generation feature.
• Enter billing information (credit/debit card or PayPal) to access paid tiers — minors generally cannot independently enter into payment contracts in most jurisdictions.
• Understand regulatory terminology such as GDPR, CCPA, DPA, DPO, and lawful bases for processing — vocabulary typical of adult professionals rather than minors.

We intentionally maintain a professional design with no gamification elements, reward systems, social networking features, or other characteristics known to attract underage users. Our interface is dense with legal and technical content that serves as a further de facto barrier to minors.

Like most online services, we rely primarily on self-declaration and contractual terms rather than documentary identity verification for age assurance. We do not verify government-issued ID at signup. If we receive a credible report that an account holder is under 18, we will investigate and take appropriate action as described in Section 5 below.

Notwithstanding our best efforts, it is possible that a person under the age of 13 (or under 18) could circumvent our controls and create an account. If we discover — whether through our own review, a report from a parent or guardian, or any other means — that we have collected personal data from a child under 13, we will take immediate action.

Upon identifying or receiving a credible report of an account held by a person under 13, we will immediately suspend the account to prevent any further data collection or use. No new data will be ingested while the account is under review.

We will delete all personal data associated with the affected account from our live systems as quickly as reasonably practicable — ordinarily within 5 business days of confirmed identification. This includes:

• Account credentials (email address, password hash, name, profile photo)
• Any policy generation inputs submitted during the session
• Any generated policy documents stored in the account
• Session and access log data linked to the account (to the extent technically separable from aggregate logs)
• Subscription and billing records, where no legal obligation requires retention

Deleted data will be removed from active databases and storage immediately. Encrypted database backups are retained for a limited rolling period for disaster recovery purposes; data deleted from the live system will be overwritten in backups as the backup rotation cycle completes (ordinarily within 30 days). We do not restore deleted child data from backups unless compelled by a valid legal order.

Where we have shared any of the child's data with a sub-processor (for example, where generation inputs were transmitted to an AI provider), we will notify that sub-processor and request deletion or confirmation of zero-retention under their existing data processing agreements.

Where we have been contacted by a parent or guardian who has provided their contact details, we will notify them once deletion is confirmed. We will not retain the parent's contact information beyond what is necessary to complete the deletion process and confirm it to them.

Where applicable law requires us to notify a supervisory authority of a child data incident (for example, under UK GDPR Article 33 or COPPA's FTC notification obligations), we will do so within the required timeframe. Any such breach would also be assessed under our general data breach response procedure.

Between the point of identification and the completion of deletion, we will not use, share, transmit, or process the identified child's data for any purpose beyond what is strictly required to carry out the deletion process itself.

The Children's Online Privacy Protection Act grants parents and legal guardians specific rights with respect to the personal information of their children under 13. Although PolicifyAI is not directed at children and does not knowingly collect their data, we recognise these rights and will honour them in full where applicable.

A parent or legal guardian may request to review the personal information that PolicifyAI has collected from their child under 13. To make such a request, please email [email protected] with the subject line “COPPA Parental Review Request” and include:

• The email address used to create the child's account (if known)
• Your name and your relationship to the child
• Sufficient information for us to verify your identity as the parent or legal guardian

We will respond within 5 business days and provide any personal information we hold, or confirm that we hold no such data.

A parent or legal guardian may request that we delete personal information collected from their child under 13. We will process such requests in accordance with Section 5 above, completing deletion within 5 business days of verifying the parental identity.

A parent or legal guardian may direct us to stop any further collection or use of a child's personal data. Because we will have suspended and closed the account upon discovery, this right is effectively implemented as part of our standard discovery process. If you wish to provide express direction in writing, you may do so by emailing [email protected] and we will confirm acknowledgement within 5 business days.

Because PolicifyAI does not direct its service at children and does not knowingly collect personal data from children under 13, we do not seek verifiable parental consent as a prerequisite to processing. However, if we discover we have inadvertently collected a child's data, we treat the absence of parental consent as a ground for immediate deletion rather than as an occasion to seek retrospective consent.

To protect children's privacy and prevent fraudulent deletion requests, we will take reasonable steps to verify the identity of anyone making a parental rights request. This may include asking for confirmation of:

• The child's full name and date of birth
• The email address or account identifier associated with the account in question
• Your own identity as parent or legal guardian (which may involve providing your own name and confirming relationship)

We will not require you to provide government-issued identity documents for routine requests, but we reserve the right to apply a higher standard of verification for requests involving sensitive or large-scale deletion.

PolicifyAI uses a limited set of third-party sub-processors to deliver the service. None of these sub-processors are configured by us to collect, process, or target data from children. The following summarises our configuration with respect to child data for each relevant third party:

We use Google Analytics 4 (G-HJZPJ8BDC5) with IP anonymisation enabled. We have not enabled Google Signals, demographic reporting, interest-based advertising features, or any Google Analytics feature that would involve building profiles linked to individual users. GA4 is deployed only with user consent via our cookie banner. We have not configured GA4 to collect data from users under 18, and our Data Processing Agreement with Google prohibits Google from using collected data to build advertising profiles for users identified as minors.

We use PostHog deployed in the EU (Frankfurt) region for product analytics. PostHog collects anonymised usage events (feature clicks, page navigation, funnel completion). We have not enabled session recording with personally identifiable overlays, and PostHog is deployed only with user consent. PostHog does not use our collected data for any purpose beyond providing the analytics service to us and is subject to a Data Processing Agreement.

Stripe processes subscription payments. Payment processing requires the user to have the legal capacity to enter into a contract and hold a payment instrument — persons under 18 are generally unable to independently do so in most jurisdictions. Stripe's own terms prohibit use of their services to process transactions for minors without appropriate authority. Our use of Stripe is therefore structurally limited to adult users.

When generating policy documents, user inputs (business name, website URL, industry, jurisdiction, and additional context) are transmitted to Anthropic's Claude API. These inputs relate to the user's business, not to the user themselves. They do not include personal data about the account holder unless the user voluntarily includes personal information in their free-text inputs. Our Data Processing Agreement with Anthropic includes zero-retention and no-training-use provisions. If we discover that an account was held by a child, any generation inputs previously transmitted to Anthropic will be subject to a deletion request under our DPA.

We do not use any third-party advertising SDKs, advertising cookies, or ad exchange integrations. We do not serve behavioural advertising, retargeting ads, or interest-based ads, and therefore we do not share data with advertising technology companies. This means there is no advertising-related vector through which a child's data could be shared with third-party ad networks.

A complete list of our sub-processors, including their locations and transfer mechanisms, is available on our Sub-Processors page.

A key purpose of PolicifyAI is to help our business clients generate COPPA-compliant privacy policies fortheir own websites and applications. This section clarifies the important distinction between:

• PolicifyAI's own data practices — governed by this policy and our main Privacy Policy, and covering how we handle data about our own users (adult business operators).
• COPPA policies we generate for clients — documents that describe how our clients handle children's data on their own platforms, not how we handle data.

When a PolicifyAI client uses our platform to generate a COPPA policy for their website or app, we process the following data:

• The client's business name, website URL, industry, and jurisdiction selections — business information, not personal data of any child.
• The client's account information (email address of the adult user) — the personal data of an adult business operator.
• Any additional context the client enters about their own COPPA compliance situation — again, business information, not child personal data.

At no pointdoes PolicifyAI collect, receive, store, or process personal data about any child in the course of generating a COPPA policy for a client. The generated document is a legal text template. It describes a compliance framework for the client's service; it is not populated with actual data about children.

PolicifyAI is a technology provider, not a law firm. When we generate a COPPA policy for a client:

• We are acting as a data processor on behalf of the client (the data controller) for the limited purpose of generating a document template.
• The client is solely responsible for reviewing the generated policy, ensuring it accurately reflects their actual data practices, obtaining legal advice if necessary, and publishing and maintaining the policy on their platform.
• The client is solely responsible for implementing the COPPA compliance measures described in the generated policy — including obtaining verifiable parental consent where required, providing direct notice to parents, maintaining records, and responding to parental rights requests on their own platform.
• PolicifyAI's generation of a COPPA policy document does not itself constitute COPPA compliance, nor does it transfer any COPPA obligations from the client to PolicifyAI.

Our own compliance scanner is designed to detect COPPA-relevant content on websites. Because policifyai.com contains extensive educational and commercial content about COPPA — including the COPPA policy generator tool itself — the scanner may flag our own site for COPPA-related keywords. This is a false positive in the context of COPPA's applicability to PolicifyAI's own data practices: we are not directed at children, and the COPPA content on our site relates to the policies we generate for clients, not to child data we collect ourselves. This Children's Privacy Policy exists in part to transparently address that scanner output.

PolicifyAI offers a REST API and embed script that allow clients to integrate our policy generation and management features into their own products. The following age-related obligations apply to all API users.

Our API Terms of Service require that all API users confirm they are at least 18 years old and have the legal capacity to bind themselves or their organisation to the terms. API keys are issued only to registered account holders who have accepted the Terms of Service and the 18+ age confirmation.

When a client embeds PolicifyAI's output on their own website or application — including a COPPA policy generated by our platform — the client is solely responsible for:

• Ensuring that the embedded policy accurately describes their own data practices and does not misrepresent their COPPA compliance status.
• Implementing all technical and organisational measures required by COPPA on their own platform, including age gates, parental consent mechanisms, and data deletion processes.
• Not using PolicifyAI's API to process or transmit personal data about children under 13 to our systems. Our API is designed for adult business users and is not intended to receive child personal data.
• Ensuring that their own end-users who interact with any PolicifyAI-powered widget (such as an embedded policy viewer) are not children whose data would be collected by that interaction without appropriate COPPA protections in place on the client's side.

API clients are expressly prohibited by our API Terms from:

• Using the PolicifyAI API to build products or services directed at children under 13 without appropriate parental consent mechanisms in place on their own platform.
• Submitting personal data about children under 13 to our API as part of generation inputs or any other request.
• Representing to their end-users that use of PolicifyAI's API or generated documents alone constitutes compliance with COPPA or any other children's privacy law.

If you believe an API client is using PolicifyAI in a manner that involves children's data or violates our API Terms in relation to children's privacy, please report this to [email protected] and we will investigate promptly.

If you believe that PolicifyAI has collected personal data from a child under 13, or if you are a parent or legal guardian wishing to exercise your COPPA rights, please contact us using the information below. We take all reports seriously and will respond promptly.

• Email (preferred): [email protected] — please use the subject line “COPPA Report” or “COPPA Parental Request”
• General enquiries: [email protected]
• Legal notices: [email protected]

We aim to acknowledge all COPPA-related reports within 24 hours and to complete any required investigation and deletion within 5 business days of receipt of a verified request. We will notify you by email once deletion is confirmed.

To help us investigate efficiently, please provide as much of the following as you can:

• The email address or username associated with the account you are concerned about
• Your name and, if applicable, your relationship to the child
• A brief description of how you believe the account was created or used by a child
• Any other relevant context that may assist our investigation

If you are not satisfied with our response, you have the right to escalate a complaint to the relevant supervisory authority:

• UK — Information Commissioner's Office (ICO): ico.org.uk, telephone 0303 123 1113.
• USA — Federal Trade Commission (FTC): reportfraud.ftc.gov. COPPA complaints may be filed at ftccomplaintassistant.gov.
• EU — your national data protection authority: edpb.europa.eu.