CHILDREN'S PRIVACY POLICY
StoryLoft
Effective Date: June 3, 2026 Last Updated: July 17, 2026
NOTICE TO PARENTS AND GUARDIANS
This Children's Privacy Policy describes how StoryLoft ("Company," "we," "us," or "our") collects, uses, and discloses personal information from children under 13 years of age through the StoryLoft mobile application (iOS and Android) and web dashboard at storyloft.net (collectively, the "Service"). This policy is designed to comply with the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. Section 6501 et seq., and its implementing regulations at 16 CFR Part 312, including amendments effective April 22, 2026.
Important: Please read this policy carefully. If you are a parent or guardian and have questions about your child's privacy, please contact us at rogersmi87@gmail.com.
1. OVERVIEW
1.1 What This Policy Covers
This policy applies to personal information collected from children under 13 through:
- ☑ StoryLoft iOS App (App Store — com.rogersmi87.readwise)
- ☑ StoryLoft Android App (Google Play — com.rogersmi87.Storyloft)
- ☑ StoryLoft Web Dashboard (storyloft.net)
- ☑ StoryLoft Class Quiz Pages (storyloft.net/class-quiz/*)
1.2 Age Verification
We use the following methods to determine if a user is a child:
- ☑ Age screening at registration — Parents create accounts and explicitly designate child profiles with an age range (Ages 4–6, Ages 7–10, or Ages 11–14). Children do not create their own accounts.
- ☑ Neutral age screening — When a parent adds a child profile, they select an age range that does not encourage false reporting.
Important design note: Children under 13 do not independently create accounts on StoryLoft. All accounts are created by parents or guardians (or, in a classroom context, by teachers). Children interact with the Service through profiles created and managed by adults.
1.3 Definitions
- "Child" means an individual under 13 years of age.
- "Parent" includes a legal guardian.
- "Child Profile" means a reader profile created by a parent within a parent account.
- "Personal Information" means individually identifiable information about an individual collected online.
2. INFORMATION WE COLLECT FROM CHILDREN
2.1 Information Collected Directly
Design note on names: The app is designed to collect a child's first name only (or first name plus last initial). Name fields are labeled accordingly and guide adults not to enter full last names. We do not require or request a child's full last name.
| Information Type | Collected | Purpose |
|---|---|---|
| First name (or first name + last initial) | ☑ Yes | Displayed in the app to identify the child's reading profile |
| Full last name | ☐ No | Not requested; name fields guide adults to use first names only |
| Email address | ☐ No | Not collected from children; only from parent accounts |
| Profile picture | ☐ No | Not collected; children select from pre-built avatar options |
| Date of birth | ☐ No | Only age range is collected (4–6, 7–10, 11–14) |
| User-generated content | ☑ Yes | Written answers to open-ended quiz questions (text only; stored to display quiz results to parent) |
| Audio/voice recordings | ☐ No | Not collected |
| Photos/videos | ☐ No | Not collected |
| Precise geolocation | ☐ No | Not collected |
| Reading quiz results | ☑ Yes | Book titles, quiz scores, XP earned, completion dates — used to display progress to the parent and generate reading recommendations |
| Age range | ☑ Yes | Used to calibrate quiz difficulty (e.g., "Elementary Ages 7–10") |
| Faith/virtue preference | ☑ Yes | Optional flag set by parent indicating whether faith-and-virtue question content should be included |
2.2 Information Collected Automatically
| Information Type | Collected | Purpose |
|---|---|---|
| Device type | ☑ Yes | Support internal operations, display correctly on device |
| Operating system | ☑ Yes | Support internal operations |
| IP address | ☑ Yes | Support internal operations, security |
| App usage data | ☑ Yes | Support internal operations, identify errors |
| Persistent identifiers | ☑ Yes | Support internal operations only (session management via Clerk authentication) |
☑ We use persistent identifiers solely for internal operations support. We do not use cookies or device identifiers for behavioral advertising or tracking children across third-party websites.
2.3 Information Collected from Third Parties
☑ We do not collect children's personal information directly from third parties. Child profile information is provided by parents when setting up the Service.
3. HOW WE USE CHILDREN'S INFORMATION
3.1 Permitted Uses
| Purpose | Description |
|---|---|
| Provide the Service | Display child's reading history, quiz results, XP, and Hoot pet progress to parent and child |
| Respond to Requests | Respond to parent support requests regarding their child's account |
| Quiz Generation | Send book title and child's age range to our AI service (Anthropic) to generate age-appropriate reading comprehension questions. No child-identifying information is sent. |
| Reading Recommendations | Generate book recommendations based on quiz history (book titles and scores only) |
| Internal Operations | Maintain, analyze, and improve service functionality |
| Safety and Security | Protect children and ensure a safe experience |
| Legal Compliance | Comply with applicable laws including COPPA |
3.2 Prohibited Uses
We do NOT use children's personal information to:
- ☑ Condition participation on disclosure of more information than necessary
- ☑ Target advertising to children based on personal information
- ☑ Create profiles for behavioral advertising
- ☑ Sell children's personal information
- ☑ Share information with third parties for their marketing purposes
4. DISCLOSURE OF CHILDREN'S INFORMATION
4.1 Service Providers
We disclose children's personal information only to the following service providers, each of which is contractually prohibited from using the information for any other purpose:
| Service Provider | Purpose |
|---|---|
| Railway (PostgreSQL hosting) | Database hosting for quiz results, child profiles, and reading lists |
| Anthropic (Claude API) | AI quiz and game generation — receives book title and age tier only; no child-identifying information |
| Expo / EAS | Mobile app hosting and over-the-air updates |
| Netlify | Web dashboard hosting |
| Clerk | Parent account authentication and session management |
| RevenueCat | Subscription management for parent accounts only |
4.2 Other Disclosures
We may disclose children's personal information:
- ☑ To comply with applicable law or legal process
- ☑ To protect the safety of a child
- ☑ To protect the security of our website or service
- ☑ With verifiable parental consent
4.3 No Sale or Sharing
- ☑ We do NOT sell children's personal information
- ☑ We do NOT share children's personal information for cross-context behavioral advertising
- ☑ We do NOT disclose children's information to third parties for their marketing purposes
5. PARENTAL CONSENT
5.1 Consent Requirements
Under COPPA, we obtain verifiable parental consent before:
- ☑ Collecting personal information from a child (the parent account creation and child profile setup constitutes this consent)
- ☑ Using personal information for purposes other than internal operations
- ☑ Disclosing personal information to service providers
5.2 Verifiable Parental Consent Methods
We use the following method to obtain verifiable parental consent:
-
☑ Account Creation by Parent: Parents create and verify their own account (via email verification or Apple/Google sign-in) before they can create any child profiles. By creating a child profile, the parent explicitly consents to data collection for that child. Children cannot independently create accounts or profiles.
-
☑ Email Plus: Parent email is verified through Clerk's authentication system prior to any child profile creation. This verification step confirms the parent's identity before data collection begins.
5.3 Exceptions to Consent Requirement
- ☑ We collect parent contact information solely to obtain consent
- ☑ We use persistent identifiers solely to support internal operations
6. PARENTAL RIGHTS
6.1 Your Rights Under COPPA
Right to Review: Parents may review all information collected about their child by logging into their StoryLoft account and viewing the child's profile, quiz history, and reading list.
Right to Delete: Parents may delete a child's profile at any time by long-pressing the child's profile in the app or by submitting a deletion request to rogersmi87@gmail.com. Profile deletion removes all quiz results, reading lists, and profile data within 30 days.
Right to Refuse: Parents may refuse further data collection at any time by deleting the child's profile or contacting us.
Right to Revoke: Parents may revoke consent by contacting us at rogersmi87@gmail.com.
6.2 How to Exercise Your Rights
Email: rogersmi87@gmail.com Mail: StoryLoft, 3955 Green Valley Road, Lebanon, VA 24266 Data Deletion Request Page: https://readwise-backend-production.up.railway.app/delete-request.html
When contacting us, please provide:
- ☑ Your name and relationship to the child
- ☑ The child's name and profile name as it appears in the app
- ☑ Your contact information
6.3 Response Timeline
We will respond to your request within 30 days of receipt and will process deletions within 30 days of verification.
7. DATA SECURITY
7.1 Security Measures
- ☑ Encryption of data in transit (TLS/HTTPS for all API communications)
- ☑ Database hosted on Railway with access controls
- ☑ Authentication managed by Clerk (SOC 2 compliant)
- ☑ Access controls limiting personnel access to production data
- ☑ Secure data disposal procedures upon deletion request
7.2 Data Breach Response
In the event of a security incident affecting children's personal information, we will promptly investigate, notify parents as required by applicable law, and take appropriate remedial measures.
8. DATA RETENTION
8.1 Retention Period
We retain children's personal information only for as long as reasonably necessary to:
- ☑ Provide the reading progress tracking service
- ☑ Comply with legal obligations
8.2 Deletion
- ☑ We delete children's personal information when a parent requests deletion or closes their account
- ☑ Parents may request deletion at any time (see Section 6)
- ☑ Upon deletion request, we will delete or anonymize information within 30 days
9. THIRD-PARTY SERVICES AND LINKS
9.1 Third-Party Services
- ☑ We review third-party services for appropriate privacy protections before integration
- ☑ We require third parties to maintain appropriate privacy protections under data processing agreements
Our Service does not include links to third-party social networks or external websites accessible to children.
9.2 Social Features
StoryLoft does not include social features such as public chat, forums, or content sharing between users. Children cannot communicate with or share information with other children through StoryLoft.
10. ADVERTISING
10.1 Advertising Practices
- ☑ StoryLoft displays no advertising of any kind
- ☑ We do NOT engage in behavioral/targeted advertising directed at children
- ☑ We do NOT track children across third-party websites for advertising purposes
- ☑ We do NOT create advertising profiles of children
11. CONNECTED DEVICES AND TOYS
Not applicable. StoryLoft does not involve connected devices or toys.
12. SCHOOLS AND EDUCATIONAL SERVICES
12.1 School Context Use
StoryLoft offers a Classroom plan for teachers and educational institutions.
- ☑ In a school context, we may rely on school/teacher consent in lieu of individual parental consent for educational purposes, consistent with COPPA's school authority exception
- ☑ Information collected about students in a classroom context (name, age range, quiz results) is used only for educational purposes — specifically, to generate reading comprehension quizzes and display results to the teacher
- ☑ Teachers may review, modify, and delete student information at any time through the Teacher Dashboard
- ☑ We comply with FERPA requirements when the Service is used in a school context
12.2 Roster Entry
Teachers may add students individually or by entering a class roster in bulk. In all cases, the only student information collected is a first name (or first name + last initial) and an age range. StoryLoft does not import, request, or store student last names, student ID numbers, emails, or any data synced from a school's Student Information System.
12.3 Teacher Responsibilities
When using StoryLoft in a school context, teachers and schools act as operators under COPPA and are responsible for:
- Obtaining necessary parental consent for students under 13
- Ensuring appropriate data governance under FERPA
- Providing parents access to student data upon request
13. INTERNATIONAL USERS
- ☑ Our Service is primarily intended for users in the United States
- ☑ If used internationally, we comply with applicable local children's privacy laws
14. STATE-SPECIFIC PROVISIONS
14.1 California
- ☑ We comply with the California Consumer Privacy Act (CCPA/CPRA)
- ☑ Parents of children may request deletion under CCPA
- ☑ We do not sell children's personal information
14.2 Other States
- ☑ We comply with applicable state children's privacy requirements
- ☑ We do not engage in targeted advertising to children
- ☑ We honor deletion requests from parents
15. UPDATES TO THIS POLICY
If we make material changes to this policy, we will:
- ☑ Post a prominent notice on our app and website
- ☑ Provide direct notice to parents via email
- ☑ Obtain new verifiable parental consent if required by law
For non-material changes, we will update the "Last Updated" date at the top of this policy.
16. CONTACT INFORMATION
Email: rogersmi87@gmail.com Mail: StoryLoft, 3955 Green Valley Road, Lebanon, VA 24266 Data Deletion Request: https://readwise-backend-production.up.railway.app/delete-request.html FTC Complaint: www.ftc.gov/complaint | 1-877-382-4357
17. OPERATOR INFORMATION
| Field | Information |
|---|---|
| Operator Name | StoryLoft |
| Address | 3955 Green Valley Road, Lebanon, VA 24266 |
| rogersmi87@gmail.com | |
| App (iOS) | com.rogersmi87.readwise |
| App (Android) | com.rogersmi87.Storyloft |
| Website | https://storyloft.net |
- ☑ We are the sole operator of this app and service
APPENDIX A: PARENTAL CONSENT — HOW WE OBTAIN IT
StoryLoft uses an account-based consent model:
- A parent or guardian creates a StoryLoft account using their own email address (verified by our authentication provider, Clerk)
- The parent then creates a child profile within their account, specifying the child's name and age range
- By creating the child's profile, the parent provides explicit consent for data collection as described in this policy
- Children under 13 cannot independently create accounts or profiles
To revoke consent or request deletion at any time: rogersmi87@gmail.com
APPENDIX B: DIRECT NOTICE TO PARENTS (TEMPLATE)
Subject: Your child's StoryLoft reading profile
Dear Parent/Guardian,
You have created a reading profile for [child's name] on StoryLoft.
Information we collect for this profile:
- Child's name (as entered by you)
- Age range (as selected by you: 4–6, 7–10, or 11–14)
- Quiz results: book titles, scores, XP earned, and completion dates
- Written answers to open-ended quiz questions
How we use it:
- To display your child's reading progress to you
- To generate age-appropriate reading comprehension quizzes
- To recommend books based on reading history
Who we share it with:
- Our database provider (Railway) for storage
- Anthropic's AI service (book title and age range only — no child-identifying information) for quiz generation
Your rights:
- Review your child's information at any time in the app
- Request deletion: rogersmi87@gmail.com or https://readwise-backend-production.up.railway.app/delete-request.html
- Revoke consent at any time by deleting the child's profile or contacting us
Sincerely, StoryLoft
This policy was prepared based on StoryLoft's actual data practices as of June 2026. It should be reviewed by qualified legal counsel before use as a formal compliance document. COPPA compliance requires careful attention to specific requirements.