COPPA Policy

Last Updated: June 2, 2026

naru-ai.com ("we," "our," or "us") values the privacy of children and their families. This COPPA Policy explains how we collect, use, disclose, and delete personal information from or about children under 13 in connection with STEMBuddy (the "Service"). It is intended to supplement our Privacy Policy.

STEMBuddy is a parent-and-child consumer science project app for elementary-age learners. For the current launch, a parent or guardian must start or approve setup before a child can create projects or use AI coaching features.

Parent Approval for This Launch

For the current launch, we use a parent sign-in and parent email approval flow before enabling a child account for ongoing use. A parent may start directly with Google or an email link. If a learner starts first, the learner may enter a parent or guardian email address so we can send a link asking the parent to continue setup and complete approval.

We record the approval status, method, and timestamp in our systems. If we need additional information to verify the adult or to comply with law, we may pause access until that review is complete.

If a learner enters a parent or guardian email before approval, we use that email only to contact the adult about account setup, approval, and related service notices.

Data We Collect from or about Children

We limit collection to what is reasonably necessary to provide the Service. Depending on how the account is used, we may collect:

Parent account information, such as the adult email address and authentication identifier used to create or approve the account.
Child profile information, such as a nickname, grade level, interest topics, buddy choices, and avatar selection.
Project and learning data, such as hypotheses, procedures, variables, trial data, conclusions, notes, and completed steps.
AI coaching inputs and outputs, including child questions and draft responses used to provide tutoring inside the app.
Photos or files the family chooses to upload, such as measurement photos.
Usage, security, and device events needed to operate the Service. Our analytics are configured to avoid advertising identifiers and similar cross-service tracking data.

Automatic Information Collection

We automatically collect limited technical and usage information, such as session events, feature usage, and security signals. We do not use children's information for targeted advertising. If a family chooses to share a question to the community Explore area, we may display that question with the child's pseudonymous buddy avatar/name and limited aggregate author stats, such as published question count, total stars, XP, level, and leaderboard rank when available. We do not permit direct child-to-child messaging inside the Service.

How We Use Your Child’s Information

We use child information to:

Provide the Service and let the child create, save, and revisit science projects.
Maintain continuity across sessions using profile information and recent progress, such as completed projects, completed steps, and badges.
Operate AI coaching features inside the app.
Keep the Service safe, secure, reliable, and easier to troubleshoot.
Improve core educational features in aggregate, without using children's information for advertising or unrelated profiling.

AI Processing and Redaction

STEMBuddy uses third-party AI service providers to power tutoring and generation features. Before child free-text inputs are sent for AI processing, we apply automated screening and redaction for likely email addresses, phone numbers, street addresses, social handles, school names, and self-identified names.

We use child AI data to provide the requested feature, maintain continuity, and improve the safety and reliability of the Service. We do not use child project content, chat inputs, or progress data for targeted advertising. We do not use child content to trainSTEMBuddy's own models or to improve unrelated consumer AI products, and we route AI processing through business-use provider integrations rather than consumer sharing features.

Some AI providers retain prompts and responses for a short period (typically up to thirty days) for safety review under their business-use terms. That retention is operational only, is not directed by us, and the providers do not use this data to train models. When a parent deletes the account, we delete every record on our side; we cannot retroactively purge an AI provider's short-term safety logs, but those logs roll over on the provider's own schedule.

Our personalization is grounded in learner profile data and recent progress. We do not use AI coaching to create or surface durable personality profiles from a child's chat sessions for this launch.

Automatic Data Deletion

We delete child data when it is no longer reasonably necessary for the purpose for which it was collected. For the current launch:

Child account, project, chat, buddy/avatar, and progress data are deleted when the account is deleted or after 12 months of inactivity, whichever happens first.
AI-generated audio and most generated illustrations are automatically removed after about 7 days.
AI-generated question illustrations may be kept for up to 30 days if still referenced.
User-uploaded measurement photos on the free plan are removed after 30 days.

When a parent taps "Delete account" in the app, we hold the account in a deactivated state for seven days and email the parent a single-use restore link in case the deletion was a mistake. After seven days the cascade runs: every learner profile, project, journal entry, published codex contribution, uploaded photo, and AI-generated artifact tied to the account is permanently deleted, and the published Explore content is anonymized so the child's pseudonymous buddy name and avatar are removed from public view.

Inactivity-based deletion (12 months) does not include the seven-day grace window — accounts that go silent for that long are reaped on the next daily cycle.

Deleted child records are removed from active production systems at finalize and purged from routine encrypted backups within thirty days as backups roll over. We retain a small, non-personal audit record (deletion timestamp, requester method, row counts, and a cryptographic hash of the parent email) for a limited period to demonstrate our compliance with applicable laws; this record contains no child content.

Parents can review, export, or delete their child's data in the app — Parent Hub → Account → Security includes "Export account data" (JSON download) and "Delete account" — or by contacting us at legal@stembuddy.app.

Service Providers

We share information only with the service providers below, and only as needed to operate the Service. Each is a business-use integration; none uses child content for advertising or to train consumer AI models.

Supabase, Inc. — hosting, authentication, database, file storage, and edge functions. supabase.com/privacy
OpenAI, L.L.C. — AI coach (tutoring and generation) and embeddings. openai.com/policies/privacy-policy
Stripe, Inc. — parent billing and subscription processing (parent data only; no child data). stripe.com/privacy
Resend (Drep, Inc.) — parent transactional email (approval, welcome, project completion). Parent data only. resend.com/legal/privacy-policy
Amplitude, Inc. — de-identified product analytics (usage and feature signals). amplitude.com/privacy
Sentry (Functional Software, Inc.) — de-identified crash and error telemetry. sentry.io/privacy
Google LLC — OAuth sign-in (account creation); text-to-speech narration; and AI processing of redacted child inputs and project content for tutoring, generation, and content normalization. Business-use integration; no advertising and no model training. policies.google.com/privacy
Apple Inc. — OAuth sign-in provider (account creation only). apple.com/legal/privacy

We update this list when we add or remove a provider that touches account data. To request the current list at any time, email legal@stembuddy.app.

Our Practices for Disclosing Children’s Information

We do not sell children's personal information. We may disclose child information only as needed to operate the Service, including to service providers that host the app, process authentication, provide analytics, or process AI features on our behalf, and when required by law, safety needs, or a business transfer.

If a family chooses to publish a shared question to Explore, we may also publicly display the question with the child's pseudonymous buddy avatar/name and the limited aggregate stats described above. We do not publicly show real names, direct contact information, location, or real child photos in that experience.

Social and Communication Features

The Service includes in-app chat with an AI coach only. Shared questions in Explore may show limited public attribution for the author's buddy avatar/name and aggregate stats, but we do not provide searchable child profiles, direct messaging, public personal contact information, or real child photos.

Parental Choices and Controls

Parents may review, correct, export, or delete their child's information. Parents may also ask us to stop collecting additional child information by deleting the account or by contacting us at legal@stembuddy.app. To protect privacy and security, we may verify the requester's identity before we act on a request.

Changes to This COPPA Policy

We may update this COPPA Policy from time to time. If we make a material change to our child-data practices, we will update this page and provide additional notice or seek new parental approval when required by law.

Contact Information

To ask questions about this COPPA Policy or our privacy practices, contact us at legal@stembuddy.app.