How we handle your family's data

Five promises

COPPA — the federal children's privacy law

COPPA (15 USC §6501; 16 CFR §312) is the federal law governing how online services may collect personal information from children under 13. Here's how we comply with each section.

• §312.4 — Notice. Our Privacy Policy describes every category of information we collect, what we do with it, and who else sees it. Parents receive direct notice during signup.
• §312.5 — Verifiable parental consent. We obtain consent at the moment a parent creates a paid account by requiring a valid payment card. Per FTC guidance (78 FR 3972), charging a credit or debit card is a recognized method of verifiable parental consent for the purposes of operating an educational service.
• §312.6 — Parental rights. Parents can review, delete, and refuse further collection of their children's information at any time. Functional UI in the parent dashboard at Settings → Privacy; the underlying API is documented at /api/parent/child-data.
• §312.7 — Conditioning. We never condition a child's use of the service on disclosing more personal information than is reasonably necessary.
• §312.8 — Confidentiality, security, and integrity. Data is encrypted in transit (TLS 1.3) and at rest. Production system access is restricted to authorized engineering staff under least-privilege principles. We log access for audit.
• §312.10 — Data retention. We retain children's information only as long as reasonably necessary to provide the service. After a parent cancels, we retain data for 90 days to allow reactivation, then delete it automatically. Parents may request earlier deletion.

State student-privacy laws

Several states impose additional obligations on operators of educational online services. We meet them too.

• California SOPIPA(Bus. & Prof. Code §22584): We do not engage in targeted advertising to students, do not use information to amass a profile for non-educational purposes, and do not sell student information.
• New York Education Law §2-d: Where required, we will enter a data-sharing agreement with school districts that use our service through a homeschool umbrella organization. We support the "Parents' Bill of Rights for Data Privacy and Security."
• Colorado HB 16-1423, Illinois SOPPA, Connecticut SB 949, Utah HB 363: We meet the parallel requirements in each of these state laws — limited collection, no profile-building for non-educational purposes, published subprocessor list, deletion on parent request.
• California CCPA/CPRA: Residents have the right to know, delete, correct, and limit use of their personal information. Children under 16 must affirmatively opt in to data sales — but since we don't sell data, this right is automatically satisfied.
• Virginia VCDPA, Connecticut CTDPA, Utah UCPA: Comprehensive state privacy laws — we honor the same rights described under CCPA above for residents of those states.

Auto-renewal and cancellation (ROSCA, California §17602)

Before any subscription charge, parents see a clear, separate disclosure of the renewal price, renewal frequency, and exact cancellation method. The acknowledgment screen meets the "clear and conspicuous" standard of California Bus. & Prof. Code §17602(a)(1) and the federal Restore Online Shoppers' Confidence Act (15 USC §8403). Our full cancellation procedure and the limited circumstances under which we issue refunds are documented in the Cancellation & Refund Policy.

Subprocessors

These are every third party with which Hearthslate shares any user data, in any amount, for any reason. Each is bound by a data-protection agreement. We update this list within 30 days of adding or removing a vendor.