Alatus Academy

COPPA Parental Consent Notice

Version 1.0 — Effective May 19, 2026

Plain-English Summary

1. About This Notice

This notice describes how Alatus LLC ("Alatus," "we," "us") collects and uses information about a child whose parent or legal guardian has signed up for Alatus Academy (the "Service"). Because the Service is designed to plan curriculum for children under 13, the U.S. Children's Online Privacy Protection Act ("COPPA") and the FTC's implementing regulation at 16 CFR Part 312 apply to information that may be associated with a child. This notice is the formal disclosure and consent record required at signup.

If you do not agree to the practices described below, do not click the consent checkbox at signup, and do not use the Service.

2. Definitions

3. What We Collect About Your Child(ren) and Why

Alatus Academy does NOT collect any information directly from the child. The Service is parent-only. Children do not have accounts, do not log in, do not type into the Service, and do not interact with the AI assistant. Every field below is entered by you, the Parent.

CategoryWhen collectedWhy
Child's first name At signup, on the consent form So the consent record names a real child and so generated documents can be addressed to that child by name
Child's date of birth, grade level, school year start date When you create or edit a student profile after signup To pick the right grade-level TEKS standards and to compute the correct school week for each weekly curriculum package
Profile notes (free text you write about your child) When you create or edit a student profile To tailor lesson tone, examples, and pacing to your child
Accommodations, interests, reading level vs. grade, per-subject confidence, preferred lesson length When you create or edit a student profile To personalize each subject's lessons and the worksheet difficulty to your child
Parent-recorded weekly notes When you converse with the planning assistant ("Lyra") each week To inform what is generated for the next week (e.g., "she struggled with fractions")
Parent-entered assessment scores and notes When you record a quiz result you graded by hand from a printed PDF To trigger remediation or advancement on the right TEKS topic
Generated curriculum documents and printable quiz PDFs Each time you generate a week So you can re-download what you've already generated
TEKS position records Updated automatically as you generate weeks So the Service knows what your child has covered and what comes next
Longitudinal context (a derived summary of the above) Computed at generation time So next week's lessons take into account everything previous

We also collect ordinary account-level information about you (the Parent) — your email address, your first and last name, the typed signature you provide on the consent form, your billing identifiers held by Stripe, and operational telemetry such as login events. The Privacy Policy describes this in full.

4. How the Data Is Used

We use the information described in Section 3 only to:

We do NOT use any of the information described in Section 3 for:

5. Who Has Access

We rely on a small set of vendors to operate the Service. Each receives only the data it needs to perform its role and is contractually required to handle that data on our behalf.

PartyWhat they seeNotes
You, the Parent Everything in your account (full read/edit/export/delete) Through the in-app dashboard and the Privacy & Data settings page
Alatus Academy operations Limited, audit-logged access for support, security, and incident response Only authorized personnel; access is logged
Anthropic (Claude API provider) On each curriculum generation and each Lyra chat message, we send Anthropic: your child's first name only (no last name); age in years (raw date of birth is not sent); grade level and active subjects; the profile notes you have written; the five personalization fields (accommodations, interests, reading level, per-subject confidence, lesson length); up to two weeks of your prior weekly parent notes; and recent assessment scores and your notes on those assessments. Anthropic processes this data under its Commercial Terms of Service and does not use customer API inputs or outputs to train its models. Short-term retention (typically up to 30 days) applies for trust-and-safety review, after which the data is deleted. See Anthropic Commercial Terms.
Stripe (payment processor) Your billing identifiers, payment method, and subscription status Never receives information about your child
SendGrid (transactional email) The email body of transactional notifications we send to you Child first names appear in email bodies for personalization (e.g., "Emma's curriculum is ready"); no other child data is shared with SendGrid
Supabase (database + file storage) The encrypted contents of our database and the curriculum/quiz files SOC 2 Type II audited
Render (application hosting) The running application instance SOC 2 Type II audited
Sentry (error monitoring) Error events and stack traces The application strips child PII fields (profile_notes, date_of_birth, Lyra chat content, assessment content, AI prompts/responses) before any event is transmitted to Sentry, via the beforeSend hook in server/index.js

We do not use any third-party advertising network, behavioral analytics, or data broker.

6. Verifiable Parental Consent (VPC)

We obtain Verifiable Parental Consent under 16 CFR §312.5(b)(2), using a credit, debit, or other valid payment-card transaction with notification of each discrete charge to the primary account holder. Specifically: at signup, you authorize a recurring monthly charge through our payment processor (Stripe), and Stripe sends an email receipt confirming each successful payment. The receipt confirms that the account holder consented to the charge, satisfying the "monetary transaction … with notice" prong of the FTC-enumerated VPC methods. The email verification, typed signature, and version-stamped consent record described below are additional belt-and-suspenders evidence of consent; the §312.5(b)(2) payment transaction is the operative VPC method.

In addition to the primary VPC method described above, we capture the following evidentiary support at signup:

  1. Verified email address. During signup we send a six-digit verification code to the email address you provided. You must enter that code into the verification page before the account becomes usable. This proves you control the email address.
  2. Charged payment method. During signup you provide a credit, debit, or other valid payment method through Stripe and your subscription is charged at that time. The successful charge — together with Stripe's transactional email receipt described above — is the §312.5(b)(2) VPC method.
  3. Typed signature on the consent form. You type your full legal name into a signature field on the consent form. Together with the email-verified, payment-verified account, this attests under your own signature that you are the parent or legal guardian of the child(ren) named.

The combination of (1) + (2) + (3) is what we rely on as Verifiable Parental Consent. We retain a record of the version of this notice you consented to (coppa_consent_doc_version), the typed signature, and the timestamp.

7. Data Retention

DataRetained for
Your child's profile record (first name, date of birth, grade, active subjects, profile notes, the five personalization fields) and your account-level data (user record, subscription record) The lifetime of your account. You may archive a student at any time, and may request full account deletion at any time.
Generated curriculum documents, generated quiz PDFs, curriculum sessions, parent-recorded weekly notes, Lyra chat history, assessments (parent-recorded scores and parent notes), and recommendation logs Automatically purged 365 days after creation, even if your account remains active. This rolling purge runs nightly.
Sentry error events (with child PII already stripped before transmission) Per Sentry's default retention (~30 days)
Stripe billing records Per Stripe's own compliance retention requirements, independent of any Alatus deletion request

On account deletion: when you request account deletion, your account immediately enters a 30-day soft-delete grace window during which deletion can be reversed if you change your mind or the request was an accident. After 30 days, a hard purge cascades through all of the following tables and storage locations: users, students, assessments, lyra_chat_history, generated_documents, curriculum_sessions, api_cost_telemetry, ai_recommendation_log, the corresponding objects in our Supabase Storage bucket (including any pending data-export ZIPs), and the entry in our public beta-signup intake table if your email appears there. After hard purge, the data cannot be recovered.

8. Parent Rights

As the Parent, you may at any time:

You also have the right under COPPA to refuse to permit our further collection or use of your child's information. Exercising this right is functionally the same as deleting your account, because the Service cannot operate without the data described in Section 3.

9. Revocation of Consent

To revoke your consent under this notice, sign in, open Settings → Privacy & Data, and click Delete my account. Revocation has the following effects:

If you cannot access the in-app deletion flow (for example, because you have lost access to the email address), email us from any address you control at the address in Section 11 and we will verify your identity and process the request manually.

10. Updates to This Notice

We may update this notice from time to time. Material changes will be:

Where a change materially expands the categories of information we collect about your child, the purposes for which we use it, or the parties with whom we share it, we will obtain renewed Verifiable Parental Consent before the change applies to your account.

11. Contact

Questions about this notice, requests to exercise the rights in Section 8, or revocations under Section 9 may be sent to:

Email: consent@alatusacademy.com

Postal mail:
Alatus LLC
5900 Balcones Drive STE 100
Austin, TX 78731