Last updated 2026-05-14 · Policy version 2026-05-14
Privacy Policy
1. Who we are
Lumi is operated by Digital Boutique AI ("we", "us"). Contact privacy@lumikids.dev. Lumi is an educational service directed to children under 13 in the United States and elsewhere; this policy is governed primarily by the Children's Online Privacy Protection Act (COPPA), the FTC's 2025 amended COPPA Rule, and applicable state child-privacy laws.
2. Plain-language summary
We collect a small amount of information about parents (email, name) and an even smaller amount about children (first name, age, interests, and what they did in the app). We never use child data for advertising or AI model training. You can export or delete everything in one click.
3. Information we collect about parents
Name, email, Google account ID, consent records, hashed IP, device user-agent. Lawful basis: contract + consent.
4. Information we collect about children
First name, age (year only), interests (tags chosen by parent or child at onboarding), learning attempt data (which task, correct/incorrect, response time), voice preference, mastery state, tutor episodic memory (short text-only summaries of activity).
We do NOT collect: last name, address, phone number, voice recordings, photos, geolocation beyond country, persistent advertising identifiers, biometric identifiers, browsing history outside Lumi, or contact lists.
5. Verifiable parental consent (VPC)
The parent signs in with their own Google account, then accepts this policy and the Terms of Service with an explicit checkbox stamped with the current policy version. A receipt is emailed to the same Google address via Resend. Parents may refuse, review, and revoke consent at any time. Method identifier: google_oauth_plus_explicit.
6. How we use information
To deliver the learning experience, personalize tutor responses, track progress, send weekly parent summaries, fix bugs, improve the product, and comply with law. We do not use child data for advertising, behavioral profiling, model training, or any non-integral purpose.
7. Third-party recipients
This list is generated from src/lib/coppa/data-inventory.ts, the single source of truth shared with the Compliance hub.
Anthropic, PBC
Tutor model inference (Claude)
Receives: redacted student_state (first name, age, interests, recent task outcomes, confusion partners); recent tutor memory summaries (text only)
Last reviewed 2026-05-14 · SOC 2 Type II
ElevenLabs Inc.
Text-to-speech synthesis
Receives: tutor utterance text; voice ID
No child identifiers reach this recipient.
Last reviewed 2026-05-14 · SOC 2
Neon, Inc.
Managed Postgres hosting
Receives: all application data, encrypted at rest
Last reviewed 2026-05-14 · SOC 2 Type II, ISO 27001
Vercel, Inc.
Application hosting + Blob storage of pre-generated audio
Receives: HTTP requests + logs (PII-scrubbed); audio files keyed by sha256 hash (no child identifiers in filenames)
No child identifiers reach this recipient.
Last reviewed 2026-05-14 · SOC 2 Type II, ISO 27001
Google LLC
OAuth identity provider for parent sign-in only
Receives: parent email; Google subject identifier (sub)
No child identifiers reach this recipient.
Last reviewed 2026-05-14 · SOC 2, ISO 27001
Resend, Inc.
Transactional email (consent receipts, weekly summaries, deletion confirmations)
Receives: parent email address; summary content
No child identifiers reach this recipient.
Last reviewed 2026-05-14
PostHog, Inc.
Product analytics on PARENT routes only (never on /play)
Receives: parent page views; parent action events from an allow-list
No child identifiers reach this recipient.
Last reviewed 2026-05-14 · SOC 2 Type II
Sentry (Functional Software, Inc.)
Error monitoring with PII allow-list scrubber
Receives: application errors with PII stripped by allow-list
No child identifiers reach this recipient.
Last reviewed 2026-05-14 · SOC 2 Type II, ISO 27001
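The "allow-list scrubber" named for Sentry and PostHog above, and the "hashed IP" from section 3, are shown here as an added example. This is not Lumi's code and not the data-inventory module; the event shape, field names, allow-list contents, and secret-key handling are assumptions for illustration. The point of an allow-list (as opposed to a deny-list) is that a field leaves the process only if its dotted path is explicitly listed, so a newly added field is private by default.

```typescript
// Added example, not Lumi's code. Allow-list scrubber for telemetry events plus a
// keyed IP hash. Event shape, field names and the allow-list are assumptions.
import { createHmac } from "node:crypto";

type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
type JsonObject = { [k: string]: Json };

// Dotted paths that may be reported. Everything else is dropped.
const ERROR_EVENT_ALLOW_LIST: Set<string> = new Set([
  "event_id", "level", "message", "release",
  "request.method", "request.route",
  "tags.route_kind",
  "contexts.runtime.name",
]);

// Defence in depth: even an allow-listed string must not carry an email address.
const EMAIL_RE = /[\w.+-]+@[\w-]+(\.[\w-]+)+/g;

function redactStrings(v: Json): Json {
  if (typeof v === "string") return v.replace(EMAIL_RE, "[email]");
  if (Array.isArray(v)) return v.map(redactStrings);
  if (v !== null && typeof v === "object") {
    const out: JsonObject = {};
    for (const [k, x] of Object.entries(v)) out[k] = redactStrings(x);
    return out;
  }
  return v;
}

// Walks the event: keeps a subtree when its path is allow-listed, descends into
// objects that are not (a deeper path might be listed), and drops everything else.
function allowListScrub(event: JsonObject, allow: Set<string>, prefix = ""): JsonObject {
  const out: JsonObject = {};
  for (const [k, v] of Object.entries(event)) {
    const path = prefix ? `${prefix}.${k}` : k;
    if (allow.has(path)) {
      out[k] = redactStrings(v);
    } else if (v !== null && typeof v === "object" && !Array.isArray(v)) {
      const child = allowListScrub(v, allow, path);
      if (Object.keys(child).length > 0) out[k] = child;
    }
    // Not allow-listed and not an object: dropped, whatever it contained.
  }
  return out;
}

// Keyed hash for the "hashed IP" field. The IPv4 space is small enough to
// brute-force an unkeyed SHA-256 table, so a server-side secret is mixed in via
// HMAC; the secret must never reach the telemetry recipient.
function hashIp(ip: string, secretKey: string): string {
  return createHmac("sha256", secretKey).update(ip).digest("hex");
}

// Constructed sample event (not real data) containing fields that must never be reported.
const SAMPLE_EVENT: JsonObject = {
  event_id: "9f1c2d",
  level: "error",
  message: "Receipt send failed for parent@example.com",
  release: "1.4.2",
  request: { method: "POST", route: "/api/consent", headers: { cookie: "session=secret" } },
  user: { id: "u_42", email: "parent@example.com" },
  tags: { route_kind: "parent" },
  extra: { child_first_name: "Ada", interests: ["dinosaurs"] },
  contexts: { runtime: { name: "node", version: "22.1.0" } },
};

console.log(JSON.stringify(allowListScrub(SAMPLE_EVENT, ERROR_EVENT_ALLOW_LIST), null, 2));
console.log(hashIp("203.0.113.5", "rotate-me-server-side"));
```

On the sample event the scrubber drops user, extra, the request cookie header and the runtime version, and rewrites the email inside the allow-listed message to "[email]". A review of the allow-list itself (not of the scrubber) is what keeps a child identifier from being added to the list later.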
8. No advertising, no model training, no sale of data
We do not permit any recipient to use child data to train AI models, build behavioral profiles, target advertising, or sell or share for cross-context behavioral advertising (CCPA/CPRA term).
9. Retention schedule
- attempts.prompt_payload / response_payload: 90 days → redact to aggregate counters; keep is_correct + reaction_ms
- audio_assets not used for 180 days → delete from Blob; remove row
- events: 30 days → delete row
- mastery_state + tutor_memories: account life → retain until deletion request
- On account deletion: ≤30 days → hard-delete everything; retain audit record 7y
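The schedule above, expressed as data with the cutoff arithmetic and the attempt-redaction step a nightly job would apply, as an added example. This is not Lumi's code; the column names (created_at, last_used_at, payload_redacted_at, blob_key) and the job structure are assumptions for illustration.

```typescript
// Added example, not Lumi's code: the retention schedule as data, with cutoff
// calculation and the redact-not-delete step for attempts. Column names are assumed.

type Action = "redact_payloads" | "delete_row" | "delete_blob_then_row";

interface RetentionRule {
  table: string;      // constant from this list, never from input, so safe to interpolate
  ageColumn: string;
  maxAgeDays: number;
  action: Action;
}

const RETENTION_SCHEDULE: RetentionRule[] = [
  { table: "attempts",     ageColumn: "created_at",   maxAgeDays: 90,  action: "redact_payloads" },
  { table: "audio_assets", ageColumn: "last_used_at", maxAgeDays: 180, action: "delete_blob_then_row" },
  { table: "events",       ageColumn: "created_at",   maxAgeDays: 30,  action: "delete_row" },
];

const DAY_MS = 86_400_000;

// Rows whose age column is before this instant are due. Pure UTC millisecond
// arithmetic, so the result does not shift across DST changes.
function cutoff(rule: RetentionRule, now: Date): Date {
  return new Date(now.getTime() - rule.maxAgeDays * DAY_MS);
}

interface Attempt {
  id: string;
  created_at: string;            // ISO-8601
  is_correct: boolean;
  reaction_ms: number;
  prompt_payload: string | null;
  response_payload: string | null;
  payload_redacted_at: string | null;
}

// Redaction rather than deletion: the free-text prompt/response goes, the two
// aggregate-safe columns stay so mastery statistics are unaffected. Idempotent:
// an already-redacted or not-yet-due row is returned unchanged.
function redactAttempt(a: Attempt, now: Date): Attempt {
  const rule = RETENTION_SCHEDULE.find(r => r.table === "attempts")!;
  const due = new Date(a.created_at).getTime() < cutoff(rule, now).getTime();
  if (!due || a.payload_redacted_at !== null) return a;
  return { ...a, prompt_payload: null, response_payload: null, payload_redacted_at: now.toISOString() };
}

// One parameterised Postgres statement per rule; the cutoff is always bound as $1.
function statementFor(rule: RetentionRule): string {
  switch (rule.action) {
    case "redact_payloads":
      return `UPDATE ${rule.table} SET prompt_payload = NULL, response_payload = NULL, ` +
        `payload_redacted_at = now() WHERE ${rule.ageColumn} < $1 AND payload_redacted_at IS NULL`;
    case "delete_row":
      return `DELETE FROM ${rule.table} WHERE ${rule.ageColumn} < $1`;
    case "delete_blob_then_row":
      // Two phases: select the due rows, delete each blob object, then delete only
      // the rows whose blob delete succeeded, so a failure never orphans an object.
      return `SELECT id, blob_key FROM ${rule.table} WHERE ${rule.ageColumn} < $1`;
  }
}

interface PlannedStatement { table: string; action: Action; sql: string; params: [string] }

function retentionPlan(now: Date): PlannedStatement[] {
  return RETENTION_SCHEDULE.map(rule => ({
    table: rule.table,
    action: rule.action,
    sql: statementFor(rule),
    params: [cutoff(rule, now).toISOString()],
  }));
}

// Constructed sample rows (not real data).
const NOW = new Date("2026-05-14T00:00:00Z");
const OLD_ATTEMPT: Attempt = {
  id: "a1", created_at: "2026-01-01T12:00:00Z", is_correct: true, reaction_ms: 1840,
  prompt_payload: "Which is bigger, 7 or 4?", response_payload: "7", payload_redacted_at: null,
};
const FRESH_ATTEMPT: Attempt = { ...OLD_ATTEMPT, id: "a2", created_at: "2026-04-01T12:00:00Z" };

for (const s of retentionPlan(NOW)) console.log(s.table, s.sql, s.params);
console.log(redactAttempt(OLD_ATTEMPT, NOW), redactAttempt(FRESH_ATTEMPT, NOW));
```

Keeping the schedule as data means the same list can be rendered into the policy text and fed to the job, which is the same single-source-of-truth approach the page describes for the recipient list; the job's cutoffs are bound parameters rather than interpolated strings.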
10. Security
TLS in transit, AES-256 at rest (Neon/Vercel defaults), least-privilege access, designated security coordinator (founder), annual risk review, breach notification within 72 hours where required.
11. Parent rights
Review (dashboard), export (one-click JSON), delete (one-click cascade), revoke consent (deletes account), contact privacy@lumikids.dev for anything not self-serve.
12. Children's rights
Same as parent rights; exercised through the parent.
13. International
Lumi is hosted in the US. If you use Lumi from outside the US, you consent to US data processing. We honor EU GDPR Article 8 child consent thresholds where they apply.
14. State-specific disclosures
California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), California AB 1394, New York SAFE for Kids Act, and any other state with applicable kids' privacy laws.
Do Not Sell or Share My Personal Information: We do not sell or share personal information.
15. Changes to this policy
We notify parents by email and require re-consent for material changes affecting child data.
16. Contact + Safe Harbor
Email privacy@lumikids.dev. FTC: 2030 K Street NW, Washington, DC 20580. kidSAFE Safe Harbor application status: pending (Phase 2).