Effective Date: March 30, 2026 · Last Updated: March 30, 2026
SparkForge is operated by SparkForge LLC ("we," "us," or "our"). SparkForge is a gamified AI learning platform designed for children ages 7–16.
SparkForge LLC (an Illinois limited liability company)
Mailing address: [MAILING ADDRESS — to be finalized before production launch]
Telephone: (773) 629-2320
Privacy email: privacy@sparkforge-labs.com
For privacy inquiries, parental rights requests, or COPPA-related questions, contact us using any method above.
Disclosure pursuant to 16 CFR § 312.4(d)(1) (COPPA operator identification).
This Privacy Policy describes our practices regarding the collection, use, and disclosure of personal information from children and parents/guardians who use SparkForge. We comply with the Children's Online Privacy Protection Act (COPPA) and the 2025 COPPA Rule Amendments (16 CFR Part 312).
We collect only the minimum information necessary to provide the SparkForge learning experience. Children are never required to disclose more information than is reasonably necessary to participate in any activity.
Consistent with 16 CFR § 312.7, SparkForge does not condition a child's participation in any game, lab, activity, or feature on the child disclosing more personal information than is reasonably necessary for that activity. For example, gameplay in any of the 35 labs is available without the child providing free-text input; the Prompt Lab game (which does accept free-text input) is limited to age band C (ages 14–16) and is never a prerequisite for earning XP, leveling up, or completing any lab.
| Data Type | Purpose |
|---|---|
| Parent email & password | Account authentication, password recovery, account-related communications |
| Child display name & age band | In-app personalization, age-appropriate content delivery |
| Game progress & XP | Track learning progress, award achievements, provide parent reports |
| Session duration | Enforce parent-set time limits, display in parent dashboard |
| Prompt Lab text | Generate educational AI responses (sent to Anthropic API, moderated, auto-purged daily) |
| Stripe customer ID | Process subscription payments (parent accounts only) |
We share limited data with the following third-party services solely to operate SparkForge. No child data is shared with advertisers, data brokers, or any party for the purpose of targeted advertising or profiling.
Parents may consent to our collection and use of a child's information without consenting to disclosure to third parties, except where disclosure is integral to the service (e.g., Supabase for data storage).
SparkForge requires verifiable parental consent before collecting any personal information from children under 13. Our consent process:
If we do not receive verifiable parental consent, we will not collect personal information from the child and will delete any parent contact information collected during the consent process within a reasonable time.
SparkForge uses the "email-plus" method of Verifiable Parental Consent permitted under 16 CFR § 312.5(b)(2)(iii). The process is:
Under COPPA 16 CFR § 312.5(b)(2), the email-plus method is valid only when a child's personal information is used solely for internal operations and is not disclosed to third parties other than service providers acting on SparkForge's behalf under written agreements with equivalent safeguards (see Section 4).
As amended by the FTC in 2025, COPPA requires separate verifiable parental consent before any third-party disclosure of a child's personal information that is not covered by a service-provider relationship (e.g., targeted advertising, cross-service profiling, disclosure to data brokers). SparkForge does not currently engage in any such disclosures and therefore does not seek separate VPC beyond the email-plus method above. If this ever changes, we will obtain separate affirmative parental consent using a higher-bar VPC method (such as a verified payment-card transaction, government-ID match, or live video-call verification) before the new disclosure begins, and we will update this Privacy Policy and notify existing parents in advance.
Parents and legal guardians have the following rights under COPPA. You may exercise these rights at any time.
Review your child’s information
Log in to your Parent Dashboard to view all child profile data, progress, badges, and session history.
Request deletion of your child’s data
Delete a child profile from the Parent Dashboard. All associated data (progress, sessions, prompt history, badges) is permanently removed via cascading deletion.
Refuse further collection
Delete the child profile or contact us to deactivate data collection while preserving the account.
Revoke consent
Contact privacy@sparkforge-labs.com or delete the child profile. We will cease all collection and delete existing data.
Manage content filters and time limits
Use the Parent Dashboard to set daily time limits, content filters, and review game activity.
To verify your identity when exercising parental rights, we may ask you to confirm account credentials or respond to a verification email sent to your registered email address.
Per the 2025 COPPA amendments, we maintain a written data retention policy. We do not retain children's personal information indefinitely.
| Data Category | Retention Period | Reason |
|---|---|---|
| Parent account data | Duration of account + 30 days after deletion | Account recovery grace period |
| Child profile & progress | Duration of profile + immediate deletion on removal | Learning continuity; deleted on parent request |
| Prompt Lab history | Automatically purged daily (pg_cron job) | COPPA minimization; AI responses are ephemeral |
| Session logs | 90 days | Parent dashboard reporting, time limit enforcement |
| Demo session data | Deleted at session expiry (1 hour maximum) | Demo data is ephemeral by design |
| Error monitoring (Sentry) | 30 days (Sentry default retention) | Bug detection; child PII is stripped before transmission |
Absolute maximum retention. Consistent with 16 CFR § 312.10 (as amended in 2025), no category of children's personal information is retained indefinitely. Except where a longer period is required by a specific legal obligation (for example, Stripe invoice records that must be retained for tax-audit purposes), the maximum retention for any child's personal information is three (3) years from the last active use of the associated account, after which the data is deleted or irreversibly de-identified.
Per the 2025 COPPA amendments, we maintain a written children's personal information security program with safeguards appropriate to the sensitivity of the data we collect. Our security measures include:
We require all third-party service providers that receive children's data to maintain adequate security measures consistent with this policy.
The 2025 COPPA amendments (16 CFR § 312.8) require operators to establish, implement, and maintain a written children's personal information security program with safeguards appropriate to the sensitivity of the data, the operator's size, and its business activities. Our program includes:
SparkForge does not display advertising of any kind. We do not serve behavioral ads, contextual ads, or sponsored content. Children's data is never sold, licensed, or shared for advertising or marketing purposes. Our sole revenue model is parent-paid subscriptions processed through Stripe.
SparkForge offers a demo mode that allows exploration without account creation. During a demo session:
sparkforge-demo-active) tracks session timing only
We may update this Privacy Policy to reflect changes in our practices or applicable law. If we make material changes that affect how we collect, use, or disclose children's personal information, we will:
For privacy-related inquiries, parental rights requests, or COPPA-related questions:
SparkForge LLC — Privacy Team
Mailing address: [MAILING ADDRESS — to be finalized before production launch]
Telephone: (773) 629-2320
Email: privacy@sparkforge-labs.com
Subject line: "COPPA Privacy Request" or "Parental Rights Request"
We will respond to all parental rights requests within 10 business days. You may also file a complaint with the Federal Trade Commission at ftc.gov/complaint.
In addition to the federal protections above, residents of certain U.S. states have additional rights under comprehensive state privacy laws and state-specific children's/teens' codes. The table below summarizes applicability; the California and Maryland subsections below describe rights in greater detail.
| State | Key Law(s) | Resident Rights (adults and minors) |
|---|---|---|
| California | CCPA/CPRA; SOPIPA; AB 1584; AB 2273 (AADC) | Know, access, delete, correct, opt-out of sale/share, limit use of sensitive PI, non-discrimination; under-18 design-code protections. |
| Maryland | MODPA; MD AADC (HB 603) | Know, delete, correct, portability; privacy-by-default for users under 18; DPIA required. |
| Virginia | VCDPA | Access, delete, correct, portability; COPPA-style VPC for known under-13 data. |
| Colorado | CPA; SB 24-041 | Access, delete, correct, portability, opt-out; no targeted ads, profiling, or sale involving users under 18 without proper consent. |
| Connecticut | CTDPA (with minors amendment) | Access, delete, correct, portability; duty of care for users 13–17; ban on targeted ads and sale of teen data regardless of consent. |
| Oregon | OCPA; HB 2008 | Access, delete, correct, portability; targeted-advertising prohibition for ages 13–15 under actual-knowledge / willful-disregard. |
| Texas | TDPSA | Access, delete, correct, portability; heightened disclosures and opt-ins for known minors. |
| Utah | UCPA | Access, delete, portability, opt-out of sale and targeted advertising. |
| Delaware | DPDPA | Access, delete, correct, portability, opt-out; honors Global Privacy Control. |
| New York | SHIELD Act; NY Child Data Protection Act (CDPA) | Reasonable-security obligations; restrictions on processing data of users under 18. |
| Other states | IA, NE, NH, NJ, MN, RI, IN, KY, TN, MT, FL | General access/delete/correct/portability/opt-out equivalents; honored for any resident who requests them. |
California residents (parent account holders and, where applicable, teens aged 13–17 via a parent) have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
Global Privacy Control (GPC): SparkForge honors the GPC browser signal. Because we do not sell or share personal information, GPC has no additional effect on our primary data flows; however, we treat GPC as an opt-out signal for any future analytics or advertising integrations.
Submit California rights requests by email to privacy@sparkforge-labs.com or through the Parental Rights page at /privacy/rights. We will verify identity (as described on that page) and respond within 45 days, extendable once by 45 days when reasonably necessary with notice.
Under the Maryland Age-Appropriate Design Code Act (HB 603), SparkForge configures default privacy settings to the highest level of privacy for users under 18, collects only the minimum personal data needed, does not use dark patterns that encourage minors to weaken privacy settings, and maintains a Data Protection Impact Assessment (DPIA) for features reasonably likely to be accessed by minors.
SparkForge is operated from the United States by an Illinois limited liability company and is primarily intended for users physically located in the United States. Personal information processed by SparkForge is stored in the United States using Supabase-managed infrastructure (AWS US regions). Certain operational telemetry is also processed in the United States by our service providers (see Section 4).
If you access SparkForge from outside the United States, you understand that your personal information will be transferred to and processed in the United States. U.S. data-protection law may differ from the law of your country of residence. By using SparkForge from outside the United States, you consent to this transfer and processing. Where we are required to implement a specific transfer safeguard for your jurisdiction, we rely on the mechanism described below.
Under Article 8 of the EU General Data Protection Regulation, the age at which a child can provide their own consent to information-society services defaults to 16 and may be lowered by each Member State (typically to 13, 14, or 15 depending on jurisdiction). SparkForge is designed so that a parent or legal guardian is the contracting party regardless of the child's age, which satisfies the parental-authorization prong of GDPR Article 8 where that prong applies. Teens aged 13–17 in the United Kingdom and EU/EEA retain the data-subject rights described in Section 15f below.
Canadian residents are protected by the Personal Information Protection and Electronic Documents Act (PIPEDA), and, in Quebec, Law 25. Australian residents are protected by the Privacy Act 1988. Where these laws apply, we implement equivalent rights of access, correction, and deletion, and we process complaints through the same Parental Rights workflow described in Section 6 and at /privacy/rights.
Regardless of where you are located, you have the right to access, correct, delete, or port the personal information we hold about you or your child, and to object to or restrict certain processing. You may withdraw consent at any time. These rights are subject to narrow exceptions permitted by applicable law. Submit requests through /privacy/rights or by email to privacy@sparkforge-labs.com.
EU/EEA and UK residents have the additional right to lodge a complaint with a supervisory authority. A list of EU/EEA data-protection authorities is available at edpb.europa.eu; the UK Information Commissioner's Office is at ico.org.uk.
In the event of a data breach that involves children's personal information or parent account credentials, SparkForge will investigate the scope of the incident, contain and remediate the vulnerability, and notify affected parents and applicable regulators within the timeframe required by the strictest applicable federal or state law. We will not delay notification beyond what is reasonably necessary for a law-enforcement request or legitimate investigative need.
All 50 U.S. states (and the District of Columbia and U.S. territories) have breach notification laws. We commit to the following notification windows, measured from the time we determine a breach has occurred:
A breach notification from SparkForge will include, at minimum:
We will send the initial notification by email to the address registered on each affected parent account. Where state or national law additionally requires postal notification, substitute notification, or public disclosure (for example, to a state Attorney General, consumer-reporting agencies, or a prominent website notice), we will provide that additional notification in the form prescribed by that law.
After every confirmed incident, we complete a root-cause analysis, document corrective actions taken, and update our written children's personal information security program (see Section 8a) as needed. Nothing in this section creates liability in excess of what is imposed by applicable law.
LEGAL REVIEW REQUIRED: This privacy policy has been drafted to cover all FTC COPPA requirements including the 2025 amendments (compliance deadline April 22, 2026). It should be reviewed by qualified legal counsel before production deployment.