Skip to content

COPPA Compliance

Children's privacy, by design.

Playprint is built to comply with the Children's Online Privacy Protection Act (COPPA). This page explains exactly how we handle accounts for players under 13 — from registration to deletion.

The law

What is COPPA?

COPPA is a US federal law that protects the personal information of children under 13. It requires operators of online services to obtain verifiable parental consent before collecting, using, or disclosing a child's personal information.

Verifiable parental consent

Before collecting any personal information from a child, operators must notify parents and obtain their verifiable consent.

Direct notice to parents

Parents must be told what data is collected, how it will be used, and who it will be shared with — before consent is requested.

Parental rights

Parents have the right to review their child's data, refuse further collection, revoke consent, and request deletion at any time.

Data minimisation

Operators may only collect the minimum personal information necessary to provide the service.

Our process

How Playprint accounts work

We use a neutral age gate at registration. Your date of birth determines which account flow applies — no tricks, no workarounds.

Neutral age gate

Every new player provides their date of birth during registration. We don't ask "are you over 13?" — we collect a neutral date of birth and calculate age ourselves. Per FTC guidance, once a minor date of birth is entered, the same browser session cannot retry with a different date.

Adult (13+)

Standard registration

  1. 1 Player enters display name, date of birth, and email
  2. 2 System confirms age is 13 or older
  3. 3 Account created and immediately active
  4. 4 Player can start using Playprint right away
Child (under 13)

COPPA-compliant registration

  1. 1 Player enters display name, date of birth, and parent email
  2. 2 System detects age is under 13
  3. 3 Account created in pending status — not yet usable
  4. 4 Parent receives direct notice with full disclosures
  5. 5 Parent verifies consent via secure link
  6. 6 Only then is the child account activated

Consent flow

How parental consent works

We use the FTC-approved “email plus” method for verifiable parental consent.

1. Direct notice sent to parent

When a child registers, we immediately send the parent a direct notice email. This email contains: what data we collect, how it's used, our third-party sharing practices, and the parent's rights under COPPA.

2. Parent reviews disclosures

The parent receives a secure link to review all COPPA-required disclosures, including the specific data collected about their child, our data retention policy, and their rights.

3. Parent grants or denies consent

The parent clicks the link and then confirms their decision on our website — this is the "plus" in "email plus". They can grant consent to activate the account or deny consent to delete it.

4. Account activates or is deleted

If consent is granted, the child account becomes active. If consent is denied — or if the parent doesn't respond within 72 hours — the account and all associated data are permanently deleted.

Security measures

  • Consent tokens are cryptographically generated and hashed (SHA-256) before storage — the raw token is never persisted
  • Tokens expire after 72 hours if unused
  • Expired tokens trigger automatic deletion of the pending account and all PII
  • Minor age-gate re-attempts are blocked for 30 minutes to prevent circumvention

Data practices

What we collect — and what we don't

We follow strict data minimisation. Here's exactly what data exists for each account type.

Child account data

  • Display name (chosen by parent)
  • Gameplay decisions and session metadata

Child email is never collected. Parent email is stored solely for consent verification and parental rights.

Adult account data

  • Display name
  • Email address
  • Date of birth
  • Gameplay decisions and session metadata

Data we never collect — from any account

Real name or identity

Location or IP address

Device identifiers

Voice, audio, or video

Photos or likeness

Chat messages

Third-party sharing

We do not share your child's data with any third parties.

Your rights

Parental rights

Parents and guardians have full control over their child's account and data. These rights are available at any time.

Review data

View all data held about your child — including display name, gameplay data, account creation date, and consent details.

Refuse further collection

Stop any additional data collection. Your child can continue using the service with their existing data — nothing new is gathered.

Revoke consent

Withdraw your consent entirely. Your child's account will be suspended immediately and no data will be accessible.

Delete account

Request complete, permanent deletion of your child's account and all associated data. Deletion is immediate and irreversible.

To exercise any of these rights, contact us at playprint.ai/contact with your child's account ID and the parent email address on file.

Retention

Data retention and deletion

We don't keep data longer than necessary. Here's how our retention and cleanup policies work.

Retention period

Account data is retained for a maximum of 365 days from the date of account creation (adults) or consent grant (children). After this period, the account and all associated data are automatically purged.

Expired consent cleanup

If a parent does not respond to a consent request within 72 hours, the pending child account is automatically deleted and all PII is scrubbed. No data is retained from unapproved accounts.

Consent denial

If a parent explicitly denies consent, the child account and all associated personal information are immediately and permanently deleted.

Manual deletion

Parents can request deletion of their child's account at any time. Adults can delete their own account at any time. Deletion is immediate and permanent — all PII is scrubbed from the record.

Accountability

Audit trail

Every action on an account is logged for compliance and accountability.

Playprint maintains a timestamped audit log for every account. This log records:

  • Account creation and registration type
  • Consent requests sent to parents
  • Consent granted, denied, or revoked
  • Changes to data collection scope (refuse further collection)
  • Account suspension and deletion events
  • Automated cleanup actions (expired tokens, retention expiry)

Each entry records who performed the action (system, parent, or admin) and when it occurred. This trail is available for regulatory review upon request.

This page describes our technical implementation and design approach to COPPA compliance. It is not legal advice. For specific legal questions about children's privacy regulations, consult qualified legal counsel.

Questions about our privacy practices?

We're happy to walk through our compliance approach, answer questions from parents, or discuss our architecture with your legal team.

Talk to us Safety & Privacy