Official Document — Tooth Fairy Department
COPPA Parental Consent Disclosure
The Tooth Fairy Department (operated by toothfairydept.com)
Effective Date: March 12, 2026 · Last Updated: March 12, 2026
1. Purpose of This Disclosure
This document is provided pursuant to the Children's Online Privacy Protection Act (“COPPA”), 15 U.S.C. §§ 6501–6506, and the FTC's implementing rule, 16 C.F.R. Part 312. Its purpose is to inform parents and legal guardians about our data collection and use practices before any information relating to a child under the age of 13 is collected. We provide this disclosure so that you can make an informed decision about whether to permit your child's participation in our Service.
The Tooth Fairy Department (“we,” “our,” or “us”) operates toothfairydept.com. This Service creates personalized, in-character fairy files for children based on tooth-loss events, as reported and managed entirely by parents and legal guardians (“Parents”).
2. Information We Collect from Children
We do not collect any information directly from children. Children never create accounts, complete forms, or submit personal information of any kind on our Service. All child data in our system is provided exclusively by an authenticated Parent through a verified parent account.
The following child information may be provided by a Parent on their child's behalf:
- Child's first name — used to personalize fairy reports and in-character content. We do not collect last names.
- Child's age — used to calibrate the tone and content of AI-generated fairy reports.
- General geographic region — derived from a zip code entered by the Parent during setup. The zip code itself is converted to a broad region name (for example, “San Francisco Bay Area”) immediately upon submission and is never stored, logged, or transmitted in any form. Only the region label is retained in our database.
Children access the Service only by entering a non-personal case code (a random word-based identifier automatically generated by the system) and a visual icon sequence chosen by the Parent. Neither the case code nor the icon sequence constitutes personal information and neither is associated with the child's identity.
3. How We Use Child Information
Information provided by Parents about their child is used solely for the following purposes, all of which are in service of providing the entertainment and educational experience the Parent has requested:
- Personalized fairy reports: The child's first name, age, tooth history, and any optional notes provided by the Parent are used to generate in-character fairy inspection reports and flight log entries via the Anthropic Claude AI API.
- Tooth collection tracking: Tooth event data entered by the Parent is displayed in the child's secure fairy file, including collection history, condition ratings, and payment records.
- Printable tracking slips: A PDF tracking slip may be generated from the child's tooth data for the Parent's personal use and keepsake purposes.
- Fairy character assignment: A fairy character is assigned to the child's file based on general region, adding to the personalization of the experience.
We do not use child information for advertising, behavioral profiling, interest-based targeting, or any purpose beyond delivering the Service to the Parent.
4. Third-Party Operators
We disclose information to the following third-party service providers solely as necessary to operate the Service. We do not sell, rent, or share child information with any third party for their own purposes.
Anthropic (Claude API): We transmit the child's first name, age, tooth event data, and any optional Parent-provided notes to Anthropic's Claude API for the purpose of generating personalized fairy content. This transmission is governed by Anthropic's data processing agreement. Anthropic does not use data submitted via the API to train its models, and does not retain or share this data for any independent purpose.
Stripe: Stripe processes Parent payment information for subscription or per-event fees. Stripe never receives child data of any kind. Payment data is governed entirely by Stripe's privacy policy and is not stored on our servers.
Vercel: Vercel provides website hosting and infrastructure. Standard server-level access logs may be maintained by Vercel in accordance with their privacy policy. No child-specific data is surfaced at the hosting layer beyond what is incidental to serving web requests.
We do not use advertising networks, social media plug-ins, behavioral analytics platforms, or any other third-party service on child-facing pages of the Service.
5. Parental Rights Under COPPA
As the parent or legal guardian who has provided child information to our Service, you have the following rights under COPPA at any time:
- Review: You may review all personal information we have collected about your child by logging into your account dashboard, where all child data is visible and downloadable.
- Refuse further collection: You may refuse to allow further collection or use of your child's information by ceasing to add new tooth events and, if desired, deleting the child's profile.
- Request deletion: You may request the complete deletion of all information associated with your child at any time. Upon receiving a verified deletion request, we will permanently delete all child data from our systems within 30 days. This includes the child's name, age, region, tooth history, AI-generated fairy content, case codes, and icon sequences.
- Contact us with questions: You may contact us at any time with questions about your child's data or this disclosure. See Section 6 for contact details.
Deletion of a child's profile does not affect your Parent account or any other children's profiles associated with your account.
6. How to Exercise Your Rights
Parents may exercise any of the rights described in Section 5 through either of the following methods:
Dashboard controls: Your account dashboard provides direct controls to view, edit, or delete individual child profiles, as well as a full account deletion option. These controls take immediate effect and initiate the deletion process without requiring you to contact us separately.
Email request: You may contact us directly at [email protected]. Please include “COPPA Request” in your subject line and the name associated with your Parent account so we can locate and verify your records. We will respond to all COPPA-related requests within 10 business days.
We will verify your identity as the account holder before processing any request to review or delete child data.
7. Verifiable Parental Consent Mechanism
No child information is collected until verifiable parental consent has been obtained. Our consent process works as follows:
Authenticated parent account: A Parent must first create an account using a valid email address, which is verified via a confirmation email before the account becomes active. Account creation is not available to minors; the registration flow asks the user to confirm that they are at least 18 years of age.
Explicit guardianship confirmation: When a Parent registers a child's profile for the first time, the registration flow presents an explicit consent screen. The Parent must affirmatively check a box confirming: “I am the parent or legal guardian of this child and I consent to their first name and age being used to create this personalized experience.” This consent is logged and associated with the child's profile.
No data collected before consent: No child data is written to our database prior to the Parent completing this consent step. If the Parent closes the registration flow before confirming consent, no record is created.
8. Data Security Measures
We implement the following technical and organizational security measures to protect child information:
- HTTPS/TLS: All data transmitted between your browser and our Service is encrypted in transit using HTTPS and TLS. There are no unencrypted HTTP endpoints on any page of the Service.
- Hashed credentials: Parent account passwords and icon sequences are stored using one-way cryptographic hashing. We cannot retrieve a plain-text password or icon sequence from our database.
- Rate-limited access: Child-facing pages enforce strict rate limiting and account lockout on repeated failed access attempts to protect against unauthorized access to a child's fairy file.
- No analytics on child pages: Child-facing pages load no third-party analytics scripts, tracking pixels, advertising tags, or any other external resources that could expose child activity to outside parties.
No method of electronic transmission or storage is 100% secure. While we implement commercially reasonable safeguards, we cannot guarantee absolute security of information transmitted over the internet.
9. Changes to Data Practices
If we make a material change to our data collection or use practices with respect to children's information, we will notify all Parents by email at least 30 days before the change takes effect. The notification will describe the nature of the change and, where required by COPPA, will provide Parents the opportunity to withdraw consent and request deletion of their child's information before the new practices apply.
“Material change” means any change that affects what information is collected, how it is used, or with whom it is shared. Routine service improvements that do not affect data practices do not trigger this notification requirement.
10. Contact Information
If you have questions about this COPPA disclosure, wish to review your child's data, or wish to exercise any parental right described in this document, please contact us:
Email: [email protected]
Address: Tooth Fairy Department, PO Box 1847, Fairyland, CA 94000
Please include “COPPA Request” in the subject line of any email inquiry related to this disclosure. We will acknowledge receipt within 2 business days and respond fully within 10 business days.