Privacy Policy

Kidbox Corporation (“Kidbox,” “we,” “us,” or “our”) operates the Kidbox mobile application and website at kidbox.com (collectively, the “Service”). Kidbox is a children’s reading platform designed for children ages 2–8. Because our Service is directed to children under 13, we comply with the Children’s Online Privacy Protection Act (“COPPA”) and the FTC’s COPPA Rule, including the 2025 amendments.

This Privacy Policy explains what information we collect, how we use it, and what rights you have as a parent or guardian. Please read this policy carefully before allowing your child to use the Service.

1. Operator Contact Information

If you have questions about this Privacy Policy or our data practices, or wish to exercise your parental rights, contact us at:

Kidbox Corporation is the sole operator that collects and maintains personal information through the Service. No other companies or partners operate parts of the Service or collect personal information from children through it.

2. Information We Collect About Children

When a parent creates a child profile, we collect the following:

Provided by the parent:

• Child’s first name (required)
• Birthdate (optional)
• Gender (optional)
• Color preference (optional)
• Avatar selected from presets (optional — not a photo upload)
• Favorite topics (optional)
• Learning objectives (optional)

Collected automatically during the child’s use of the Service:

• Reading activity: books opened, pages viewed, time spent reading, favorites saved, skip and play counts
• Crash reports via Firebase Crashlytics (no personal identifiers are included)

We do not collect the following from children:

• Photos, videos, or audio recordings
• Location data
• Contact information
• Device identifiers for advertising purposes

Children cannot make their personal information publicly available through the Service.

3. Information We Collect from Parents and Guardians

When you create an account, we collect:

• Email address (required for account creation and parental consent verification)
• Name (required only if you publish a story to the Kidbox library)

When you use creation features (passcode-protected, parent-only):

• Story content you create (text, images, audio, animations)
• Chat messages with the AI creation assistant
• Photos uploaded for character creation (optional — the original photo is not retained; only the AI-generated cartoonified version is stored)

When you make a purchase:

• Payment information for physical book orders (processed by our payment provider)
• Shipping address

Collected automatically when you (not your child) use the Service:

• Usage analytics via Firebase Analytics, Mixpanel, and Customer.io
• Crash reports via Firebase Crashlytics
• Cookies for session management and functionality
• IP address, browser type, and device information
• Parent-only advertising attribution and conversion measurement data, such as Meta click/browser identifiers captured in parent/adult contexts and parent-only events such as account registration, trial or subscription start, or purchase

Important: All third-party analytics and tracking tools listed above are completely disabled when a child profile is active. They only operate when a parent is using the Service under their own parent profile.

4. How We Use Children’s Information

We use children’s information solely to provide the Service:

• Library personalization: We use the child’s age, favorite topics, learning objectives, favorites, and reading history to curate and replenish their reading queue with age-appropriate, human-approved content.
• Reading experience: To display the child’s name, preferences, and reading progress within the app.
• Parent analytics: To show parents their child’s reading habits and progress.
• Crash reporting: Crashlytics collects technical crash data without personal identifiers to help us maintain Service stability.

We do not use children’s information for:

• Advertising or marketing of any kind
• Behavioral profiling
• Training AI models
• Any purpose beyond the immediate app experience

5. How We Use Parent Information

We use parent information to:

• Create and manage your account
• Verify parental consent
• Enable story creation and publishing features
• Process physical book orders
• Send you emails about your child’s reading progress, weekly digests, and milestone alerts
• Respond to your inquiries
• Improve the Service through analytics (parent sessions only)
• Measure parent-only advertising attribution and conversion performance

6. Information Sharing and Third-Party Disclosure

Children’s data: We do not share, sell, or disclose children’s personal information to any third party for any purpose. Children’s data is not shared with advertisers, data brokers, or any other external parties.

Parent data: We may share parent information with:

• Service providers: Companies that help us operate the Service (e.g., Google Cloud/Firebase for data storage and SendGrid for email delivery). These providers process data only on our behalf and under our instructions.
• Advertising and attribution providers: Meta, for install attribution and parent-only conversion measurement and ad optimization. We may share parent-only conversion events such as account registration, trial or subscription start, or purchase, along with limited matching data such as hashed parent email, Meta click/browser identifiers captured in parent/adult contexts, event time, and purchase value and currency when applicable. We do not share child profile data, reading activity, story data, personalization inputs, child-session events, read-derived audience data, IDFA, GAID, or other advertising device identifiers with Meta.
• Payment processors: To process physical book orders.
• Legal compliance: If required by law, legal process, or to protect the safety and rights of Kidbox, our users, or others.
• Business transfers: In connection with a merger, acquisition, or sale of assets, we will notify you before your information is transferred and becomes subject to a different privacy policy.

We do not sell personal information of any user — parent or child.

7. Cookies, Analytics, and Tracking Technologies

When a child profile is active: All third-party analytics, cookies, and tracking technologies are disabled. The only exceptions are:

• Firebase Crashlytics: Collects technical crash data only, without any personal identifiers, to maintain Service stability.
• Meta SDK: Sends a single app-activation signal at launch for install attribution only. Advertising identifier collection (IDFA/GAID) is disabled, no personal data is sent, and no behavioral events are tracked. On iOS, Apple’s privacy-preserving SKAdNetwork framework is used for ad attribution without revealing individual user data.
• Internal read session tracking: We track reading activity (books opened, pages viewed, time spent) on our own servers. This data is not sent to any third-party analytics service.

When a parent profile is active: We use Firebase Analytics, Mixpanel, Customer.io, cookies, and Crashlytics for analytics, communications, and Service improvement. We use the Meta SDK and Meta Conversions API for install attribution and parent-only conversion measurement and ad optimization, with advertising identifier collection disabled. Parent-only conversion events may include account registration, trial or subscription start, or purchase. Matching data may include hashed parent email and Meta click/browser identifiers captured in parent/adult contexts. We do not send IDFA, GAID, child profile data, reading activity, story data, personalization inputs, child-session events, or read-derived audience data to Meta.

Logged-out website browsing: Visitors who are not logged in may browse the website. Analytics for logged-out visitors are limited to what COPPA permits under the “support for internal operations” exception: maintaining and analyzing the functioning of the website, performing network communications, and protecting the security and integrity of the Service. We do not use persistent identifiers from logged-out browsing to contact or build a profile of any specific individual. Parent-only Meta conversion measurement does not apply to logged-out browsing unless you move into a parent-only account, signup, subscription, or purchase flow.

8. Artificial Intelligence in Content Creation

Kidbox uses AI technologies to help adults create children’s books. Children do not interact with AI features directly. All AI-generated content is reviewed by a human before being shown to a child. Children are only shown content approved by the Kidbox team or by their parents. No child data is sent to AI providers.

If a parent optionally creates a character based on their child (name, age, or appearance), this information is provided by the parent during the creation process, which is passcode-protected and accessible only to parents.

The following third-party AI providers receive personal data when a parent uses creation features:

• Google (Gemini, Imagen) — Story text generation and illustration creation. Data shared: text prompts, chat messages, and input images.
• ElevenLabs — Story voiceover and narration. Data shared: story text and dialogue.
• Black Forest Labs (Flux) — Illustration creation. Data shared: image generation prompts and input images.
• ByteDance (Seedance, Seedream) — Page animations and illustration creation. Data shared: input images, motion prompts, and image generation prompts.
• Replicate — Hosts and runs image, video, and background removal models on our behalf. Data shared: image generation prompts and input images.

Providers may change over time. We will update this policy when providers are added or removed.

9. Parental Consent

We obtain verifiable parental consent before collecting personal information from children. Our consent process works as follows:

1. A parent creates an account using their email address.
2. We send a verification email to the parent.
3. The parent must click “I Consent” in the email to verify their identity and authorize the collection of their child’s information.

If we do not receive consent, no child profile can be created and no child data is collected.

Because we do not share children’s information with third parties, separate consent for third-party disclosure is not required.

10. Parental Rights

As a parent or guardian, you have the right to:

• Review your child’s personal information. You can view your child’s profile details and reading activity directly in the app.
• Delete your child’s profile and all associated data. You can do this directly in the app under account settings. Data is deleted immediately.
• Refuse further collection. You may delete your child’s profile at any time to stop all further collection of their information. You may also contact us to request that we stop collecting information about your child.

To exercise any of these rights, you may use the controls in the app or contact us at privacy@kidbox.com or by phone at (917) 382-4888.

We will not require your child to disclose more information than is reasonably necessary to participate in the Service.

11. Data Retention and Deletion

We retain personal information only as long as reasonably necessary for the purpose it was collected:

• Child profile data (name, birthdate, gender, preferences, learning objectives): Retained while the child’s profile is active. Deleted immediately when the parent deletes the child’s profile or their account.
• Child reading activity (books opened, pages viewed, time spent, favorites, skip/play counts): Retained while the child’s profile is active to provide personalization and parent-facing analytics. Deleted immediately with the child’s profile.
• Parent account data (email, name): Retained while the parent’s account is active. Deleted upon account closure.
• Purchase records (physical book orders): Retained for up to 7 years after the transaction for tax and legal compliance, then deleted.
• Created stories: Retained until the parent deletes them or closes their account.
• Photos uploaded for character creation: The original photo is not retained. Only the AI-generated cartoonified version is stored, and it is deleted with the parent’s account.
• Crash reports: Retained for up to 90 days for debugging purposes, then automatically deleted.

12. Data Security

We store data on Google Cloud Platform and Firebase, which provide industry-standard security measures including encryption in transit and at rest. We implement access controls, monitoring, and other reasonable security measures to protect personal information.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect personal information, we cannot guarantee absolute security.

13. Device Permissions

The Kidbox app may request the following device permissions, which are used only for parent features:

• Camera: Used only when a parent chooses to upload a photo for character creation during the story creation process. Not used by or accessible to children.
• Microphone: Used only when a parent chooses voice input instead of typing in the AI creation chat. Not used by or accessible to children.

The app does not request access to location, contacts, or other device sensors.

14. Communications

We send parents emails about their child’s reading progress, weekly digests, and milestone alerts. These emails are sent from our servers. We do not currently send push notifications. We do not send any communications directly to children.

15. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing any personal information.

16. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to request deletion, the right to correct inaccurate information, and the right to opt out of the sale of personal information. We do not sell personal information.

To exercise your California privacy rights, contact us at privacy@kidbox.com.

17. Availability

The Service is available in the United States only. Our Terms of Service require that users be located in the United States. The Service is available on iOS (Apple App Store), Android (Google Play Store), Amazon Appstore, and the web at kidbox.com.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes to how we collect, use, or share children’s personal information, we will notify parents by email and post a prominent notice on the Service. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us: