Privacy Policy for AI Safety Adventures
Effective Date: January 31, 2026
Last Updated: January 31, 2026
COPPA Compliance: Updated for COPPA 2025 requirements
Introduction
AI Safety Adventures ("we," "our," or "us") operates adventures.ethis.ai (the "Service"). This Privacy Policy explains how we collect, use, and protect information when you use our educational platform. We are committed to complying with the Children's Online Privacy Protection Act (COPPA) and protecting the privacy of children under 13.
COPPA NOTICE: Our Service is designed for use in educational settings under teacher supervision. We collect minimal information from children and use privacy-protective practices including anonymous student identifiers.
Information We Collect
Teacher Accounts
When teachers create accounts, we collect:
- Email address
- Name
- Google account information (if using Google Sign-In)
- Classroom and student management data
- Payment information (processed securely by Stripe; we do not store credit card numbers)
Student Information
We prioritize student privacy and collect minimal information:
- Anonymous tokens only - Students are identified by randomly generated tokens, not personal information
- Progress data and quiz responses linked to anonymous tokens
- No names, emails, or personally identifiable information is collected from students
Automatic Information
We may collect:
- Usage data and analytics through Google Analytics and Vercel Analytics
- Device information, browser type, and IP addresses
- Cookies for authentication and analytics purposes
How We Use Your Information
We use collected information to:
- Provide and maintain the Service
- Enable teacher accounts and classroom management
- Track student progress through anonymous tokens
- Improve our educational content and user experience
- Analyze usage patterns through analytics tools
- Communicate with teachers about their accounts
Data Retention
We follow strict data retention policies in compliance with COPPA 2025 requirements:
Student Data (Anonymous)
- Active classroom lifetime + 30-90 days after classroom deletion
- Automatic deletion when classroom is removed by teacher
- Parent/guardian request: Deleted within 5 business days
Teacher Data
- Account lifetime + 30 days after account deletion
- Billing data: 7 years (legal requirement for tax purposes)
- Teachers may request account deletion at any time: privacy@ethis.ai
System Logs
- Server logs: 30 days, then automatically deleted
- Error tracking: 90 days, then automatically deleted
- Audit logs: 2 years for compliance verification
Full details: See our complete Data Retention Policy
Children's Privacy (COPPA Compliance)
Our Service is designed for students ages 8-13 and complies with the Children's Online Privacy Protection Act (COPPA) as updated in 2025. We take children's privacy seriously and follow strict data protection practices.
What Information We Collect from Children
We use a minimal data collection approach:
- Anonymous tokens ONLY - Students are identified by cryptographically random tokens that cannot be linked to their real identity
- Learning progress data - Lessons completed, quiz scores, achievement badges (linked to anonymous tokens only)
- Display names (optional) - If enabled by teacher, reviewed for safety, pseudonymous only
- NO personal information - We do not collect names, email addresses, photos, precise locations, or any PII from students
Parental Rights
Parents and legal guardians have the following rights under COPPA:
- Review: Request to review the child's information via the teacher
- Delete: Request deletion of the child's data at any time
- Refuse collection: Refuse further collection or use of the child's information
- Consent: Schools act as intermediaries providing consent for educational use
To exercise these rights, contact: privacy@ethis.ai or contact your child's teacher
School Consent Model
We operate under the "school consent" exception under COPPA. Schools and teachers may provide consent on behalf of parents for the use of our Service in an educational context. We:
- Collect only information necessary for educational purposes
- Do not use student information for commercial purposes
- Do not share student information with third parties (except as required for Service operation)
- Notify schools of our data practices
Data Retention for Student Information
Student data is retained as follows (see our full Data Retention Policy):
- Active classroom: Data retained while student is enrolled
- After classroom deletion: 30-90 days (varies by data type)
- Parent request: Deleted within 5 business days
- Inactivity: Data reviewed after 365 days of no use
We Do NOT
- Sell or rent student information to anyone
- Use student information for targeted advertising
- Create profiles of students for non-educational purposes
- Share student information with data brokers
- Require children to provide more information than necessary to use the Service
Third-Party Services
We use the following third-party services to operate our Service. Student information (anonymous tokens only) is NOT shared with advertising or marketing services.
| Service | Purpose | Data Shared |
|---|---|---|
| Vercel | Hosting & CDN | Server logs (no PII) |
| Vercel Postgres | Database storage | All application data (encrypted) |
| Stripe | Payment processing | Teacher billing only (no student data) |
| Sentry | Error tracking | Error traces (no PII) |
| Google OAuth | Teacher authentication | Teacher email only (optional) |
We do NOT use:
- Google Analytics or other tracking for students
- Advertising networks
- Social media tracking pixels
- Data brokers or third-party marketing services
These services have their own privacy policies. We require all service providers to comply with COPPA and maintain appropriate security measures.
Data Security
We implement industry-standard technical and organizational measures to protect your information:
- Encryption in transit: HTTPS/TLS 1.3
- Encryption at rest: AES-256 for all databases
- Secure authentication: NextAuth.js with bcrypt password hashing
- Rate limiting: Protection against brute force attacks
- Security headers: CSP, HSTS, X-Frame-Options
- Dependency scanning: Automated vulnerability detection (Dependabot)
- Regular security assessments: Quarterly security reviews
However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
Data Breach Notification
In the unlikely event of a data breach affecting student information, we will:
- Notify the FTC: Within 10 business days (as required by COPPA 2025)
- Notify schools: Within 48 hours of discovery
- Notify parents: Via schools within 72 hours (if PII was exposed)
- Notify affected individuals: Via email for teacher accounts
- Provide details: Nature of breach, data affected, remediation steps
We maintain an Incident Response Runbook for rapid response to security incidents.
Your Rights
Depending on your location, you may have rights including:
- Access to your personal information
- Correction of inaccurate information
- Deletion of your account and associated data
- Objection to certain data processing
- Data portability
To exercise these rights, contact us at mike@ethis.ai.
International Users
If you are accessing our Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify users of significant changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last Updated" date
- Sending email notifications to registered teachers for material changes
COPPA Compliance & Enforcement
We are committed to full compliance with COPPA as enforced by the Federal Trade Commission (FTC). Key commitments:
- FTC Registration: We have provided required operator information to the FTC
- Verifiable Parental Consent: Obtained through schools under the "school official" exception
- Data Minimization: We collect only information necessary for educational purposes
- Transparency: This policy clearly explains our data practices in plain language
- Reasonable Security: We maintain appropriate safeguards for children's information
Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
Privacy & COPPA Inquiries: privacy@ethis.ai
General Questions: mike@ethis.ai
Data Deletion Requests: privacy@ethis.ai
Security Concerns: security@ethis.ai
Website: https://adventures.ethis.ai
Response Time: We respond to privacy inquiries within 5 business days.
Cookie Policy
We use cookies and similar tracking technologies to:
- Maintain user sessions
- Remember user preferences
- Collect analytics data
- Improve Service functionality
You can control cookies through your browser settings, though some features may not function properly if cookies are disabled.
Data Processing Legal Basis (GDPR)
For users in the European Economic Area (EEA), our legal basis for processing personal information includes:
- Consent: When you provide explicit consent (e.g., creating an account)
- Legitimate Interests: To operate and improve our Service
- Legal Obligations: To comply with applicable laws
California Privacy Rights
CCPA (California Consumer Privacy Act)
California residents have additional rights under the CCPA:
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising privacy rights
SOPIPA (Student Online Personal Information Protection Act)
For California students, we comply with SOPIPA by:
- Not using student information for targeted advertising
- Not creating profiles for non-educational purposes
- Not selling student information
- Maintaining reasonable security procedures
- Deleting student information upon request
To exercise these rights, contact privacy@ethis.ai.
FERPA Compliance (Educational Records)
For schools subject to the Family Educational Rights and Privacy Act (FERPA), we act as a "school official" with legitimate educational interests. We:
- Use student information only for authorized educational purposes
- Do not share student information with unauthorized third parties
- Maintain security standards consistent with FERPA requirements
- Cooperate with schools' FERPA compliance obligations
State Student Privacy Laws
We comply with state student privacy laws including:
- California: SOPIPA, AB 1584 (privacy policy requirements)
- New York: Education Law 2-d (data security and privacy)
- Texas: Student Data Privacy Act
- Connecticut: Student Data Privacy Act (PA 16-189)
Schools may request a Data Processing Agreement (DPA) for additional contractual protections.
AI Safety Adventures is operated by Ethis.AI
© 2025 Ethis.AI. All rights reserved.