Compliance hub
Lumi's privacy and security posture for parents, schools, and auditors. Last reviewed 2026-05-14.
✓ COPPA-compliant
✓ No advertising
✓ No child data for AI training
✓ No data sales
✓ Encrypted in transit + at rest
✓ Parent-owned data
✓ One-click delete
✓ No third-party trackers on /play
Standards & frameworks
- COPPA + 2025 FTC Amended Rule — compliant
- California AB 1394 (Online Privacy Rights for Children) — compliant
- California Privacy Rights Act (CPRA) — compliant
- New York SAFE for Kids Act — compliant
- GDPR Article 8 (EU child consent) — honored
- FERPA — readiness mode
- SOC 2 Type II — roadmap (Phase 3)
- kidSAFE+ COPPA Safe Harbor — application planned Phase 2
Data inventory
| Table | Field | Purpose | Retention | Accessed by |
|---|---|---|---|---|
| parents | | Account identity, email contact | Account life | Google (OAuth), Resend |
| parents | name | Greeting in emails + dashboard | Account life | — |
| parents | google_sub | OAuth account binding | Account life | Google (OAuth) |
| children | first_name | Personalize tutor voice | Account life | Anthropic |
| children | age | Pace tutor to age-appropriate vocabulary | Account life | Anthropic |
| children | dob_year | Birth year only — used to track grade-band progression | Account life | — |
| children | interests | Personalize examples Lumi uses | Account life | Anthropic |
| children | voice_id | Which ElevenLabs voice to use | Account life | ElevenLabs |
| consents | policy_version + tos_version | Audit trail of which version the parent accepted | 7y audit | — |
| consents | ip_hash | SHA-256 hash only — used for fraud prevention | 7y audit | — |
| consents | user_agent | Audit trail device context | 7y audit | — |
| attempts | skill_code + task_type + is_correct + reaction_ms | Adaptive pacing engine, parent dashboard stats | Account life | — |
| attempts | prompt_payload + response_payload (raw) | Detailed analysis during debugging | 90d → aggregate | — |
| mastery_state | trials, correct, stable_mastery, median_rt_ms, confusion_partners | Drives pacing decisions and parent dashboard | Account life | — |
| tutor_memories | content (text) | Longitudinal memory — Lumi greets the child tomorrow and references yesterday's work | Account life | Anthropic |
| audio_assets | blob_url + text_hash + voice_id + model | Cache pre-rendered audio. Filenames are content-addressed by hash — no child identifiers. | 180d unused | Vercel Blob |
| events | kind + payload | Internal debugging logs | 30d | — |
| data_requests | kind + status + timestamps | Audit trail for export/delete requests | 7y audit | — |
Sub-processors
Anthropic, PBC
Tutor model inference (Claude)
Receives: redacted student_state (first name, age, interests, recent task outcomes, confusion partners); recent tutor memory summaries (text only)
Certifications: SOC 2 Type II
Last reviewed 2026-05-14
ElevenLabs Inc.
Text-to-speech synthesis
Receives: tutor utterance text; voice ID
Certifications: SOC 2
Last reviewed 2026-05-14
Neon, Inc.
Managed Postgres hosting
Receives: all application data, encrypted at rest
Certifications: SOC 2 Type II, ISO 27001
Last reviewed 2026-05-14
Vercel, Inc.
Application hosting + Blob storage of pre-generated audio
Receives: HTTP requests + logs (PII-scrubbed); audio files keyed by sha256 hash (no child identifiers in filenames)
Certifications: SOC 2 Type II, ISO 27001
Last reviewed 2026-05-14
Google LLC
OAuth identity provider for parent sign-in only
Receives: parent email; Google subject identifier (sub)
Certifications: SOC 2, ISO 27001
Last reviewed 2026-05-14
Resend, Inc.
Transactional email (consent receipts, weekly summaries, deletion confirmations)
Receives: parent email address; summary content
Last reviewed 2026-05-14
PostHog, Inc.
Product analytics on PARENT routes only (never on /play)
Receives: parent page views; parent action events from an allow-list
Certifications: SOC 2 Type II
Last reviewed 2026-05-14
Sentry (Functional Software, Inc.)
Error monitoring with PII allow-list scrubber
Receives: application errors with PII stripped by allow-list
Certifications: SOC 2 Type II, ISO 27001
Last reviewed 2026-05-14
Security practices
- TLS 1.2+ in transit, AES-256 at rest (Neon, Vercel defaults)
- Least-privilege database roles; no admin keys in client code
- Vercel envs for secret management; CI never echoes secrets
- Dependabot + npm audit on every push
- Sentry PII allow-list scrubber on errors
- PostHog disabled on /play; never loaded for child sessions
- Designated security coordinator: founder
- Annual third-party risk review
- Breach notification within 72 hours where required
AI safety
- Locked tutor persona constraints: ≤12 words per utterance, no jargon, no shame, no claimed emotions.
- Automated filters on tutor output (length, jargon, shame language).
- No model training on child data — contractual with Anthropic, technical via zero-retention API headers where supported.
- Microphone disabled in Phase 1. No voice recordings are captured or transmitted.
Vulnerability reporting
Email security@lumikids.dev. Safe harbor for good-faith security research; 90-day disclosure window.
Retention enforcement
- attempts.prompt_payload / response_payload: 90 days → redact to aggregate counters; keep is_correct + reaction_ms
- audio_assets (unused): 180 days → delete from Blob; remove row
- events: 30 days → delete row
- mastery_state + tutor_memories: account life → retain until deletion request
- On account deletion: ≤30 days → hard-delete everything; retain audit record 7y
Enforced by daily cron /api/cron/retention-purge.
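The retention schedule above, written out as an added example (not Lumi's own cron code) so that each cutoff is a pure, testable rule before anything touches the database. Table and column names follow the data inventory; the row shapes, the `last_used_at` column on audio_assets and the sample rows are assumptions.

```typescript
// Added example, not Lumi's own code: the retention rules as a pure policy that can be
// unit-tested before a cron applies it. Table/column names follow the data inventory;
// row shapes, the audio last_used_at column and the sample rows are assumed.
type Attempt = { id: number; created_at: string; is_correct: boolean; reaction_ms: number;
  prompt_payload: string | null; response_payload: string | null };
type LogEvent = { id: number; created_at: string };
type AudioAsset = { id: number; last_used_at: string };   // assumed "unused since" column
type PurgePlan = { redactAttempts: number[]; deleteEvents: number[]; deleteAudio: number[] };

const DAY_MS = 86_400_000;
const ageDays = (iso: string, now: Date): number => (now.getTime() - Date.parse(iso)) / DAY_MS;

// Shared cutoff check: events expire after 30 days, unused audio after 180.
function isExpired(iso: string, maxDays: number, now: Date): boolean {
  return ageDays(iso, now) >= maxDays;
}

// 90 days -> redact raw payloads to aggregate. Only the payload columns are cleared;
// is_correct and reaction_ms survive so dashboard stats and pacing are unaffected.
function redactAttempt(row: Attempt, now: Date): Attempt {
  if (!isExpired(row.created_at, 90, now)) return row;
  return { ...row, prompt_payload: null, response_payload: null };
}

// Build the plan for one run; the cron turns each id list into an UPDATE or DELETE.
// Attempts already redacted (payload null) are skipped so the job is idempotent.
function planPurge(attempts: Attempt[], events: LogEvent[], audio: AudioAsset[], now: Date): PurgePlan {
  return {
    redactAttempts: attempts
      .filter(a => a.prompt_payload !== null && isExpired(a.created_at, 90, now))
      .map(a => a.id),
    deleteEvents: events.filter(e => isExpired(e.created_at, 30, now)).map(e => e.id),
    deleteAudio: audio.filter(x => isExpired(x.last_used_at, 180, now)).map(x => x.id),
  };
}

// Constructed sample rows, evaluated on the page's review date.
const NOW = new Date("2026-05-14T00:00:00Z");
const SAMPLE_ATTEMPTS: Attempt[] = [
  { id: 1, created_at: "2026-01-01T00:00:00Z", is_correct: true, reaction_ms: 1200,
    prompt_payload: '{"task":"count to 5"}', response_payload: '{"said":"5"}' },     // 133 days old
  { id: 2, created_at: "2026-05-01T00:00:00Z", is_correct: false, reaction_ms: 3100,
    prompt_payload: '{"task":"which is bigger"}', response_payload: '{"said":"3"}' }, // 13 days old
];
const SAMPLE_EVENTS: LogEvent[] = [
  { id: 10, created_at: "2026-04-01T00:00:00Z" }, { id: 11, created_at: "2026-05-10T00:00:00Z" }];
const SAMPLE_AUDIO: AudioAsset[] = [
  { id: 20, last_used_at: "2025-10-01T00:00:00Z" }, { id: 21, last_used_at: "2026-03-01T00:00:00Z" }];

console.log(planPurge(SAMPLE_ATTEMPTS, SAMPLE_EVENTS, SAMPLE_AUDIO, NOW));
```

Running the plan a second time against already-redacted rows yields an empty `redactAttempts` list, which is the property a daily cron needs.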