COPPA Compliance
Children's Online Privacy Protection Act
Last updated: March 27, 2026
Our Commitment to Children's Privacy
Sprout Saver is fully committed to complying with the Children's Online Privacy Protection Act (COPPA). We recognize the importance of protecting children's privacy online and take special precautions to ensure the safety and security of all children who use our service.
What is COPPA?
The Children's Online Privacy Protection Act (COPPA) is a United States federal law enacted in 1998 that imposes certain requirements on operators of websites and online services directed to children under 13 years of age. COPPA requires:
- Obtaining verifiable parental consent before collecting personal information from children
- Providing parents with control over their children's information
- Limiting the collection of personal information from children
- Maintaining reasonable security practices to protect children's data
How Sprout Saver Complies with COPPA
Parental Consent Required
Only parents (18+) can create accounts. Children's accounts are created and managed exclusively by verified parent accounts. Parents must explicitly add each child to the family.
Minimal Data Collection
We collect only the minimum information necessary to provide our service. For children, this is limited to first name, age, and optionally a username chosen by the parent.
No Email Required for Children
Children sign in using a simple PIN or family code system. We do not collect email addresses from children under 13.
No Third-Party Advertising
We do not display advertisements to children. Sprout Saver is supported by optional subscription fees, not advertising revenue.
No Data Sharing
We never sell, rent, or share children's personal information with third parties for marketing or any other purpose not essential to providing our service.
Information We Collect from Children
When a parent creates a child account, we collect only:
| Information | Purpose | Required? |
|---|---|---|
| First name | Display in the app | Yes |
| Age | Age-appropriate content | Yes |
| Username | Login identification | Optional |
| PIN | Secure login | Yes |
| Avatar preferences | Personalization | Optional |
What We Never Collect from Children
- • Email addresses
- • Phone numbers
- • Physical addresses
- • Photos or videos
- • Precise geolocation
- • Social media accounts
- • Any financial information
Operational Service Providers
We use a small number of operational service providers to deliver Sprout Saver. None of these providers receive children's personal information. The data exchanged with each is strictly operational (app version, anonymous identifiers, error reports) and is necessary to deliver the app to you.
| Provider | Purpose | Children's PII? |
|---|---|---|
| Firebase (Google) | Authentication, database, hosting, push notifications | No |
| Sentry | Crash reporting (device/browser context stripped on child sessions) | No |
| Capawesome | Mobile app over-the-air updates. Receives only app version, platform, anonymous device ID, channel name, and bundle ID — no name, age, or any data tied to a specific child. | No |
As a parent, you opt in to data sharing with these providers separately at signup. See our Privacy Policy for the full list of subprocessors and data residency details.
Parental Rights and Controls
As a parent using Sprout Saver, you have complete control over your children's accounts and data. You can:
Your Rights as a Parent
Verifiable Parental Consent (VPC)
Before collecting, using, or disclosing personal information from any child under 13, we obtain verifiable parental consent as required by 16 CFR § 312.5. We use a consent-plus-email method, with an optional credit-card verification step for higher-risk actions. Specifically:
- Parent account creation. Only a verified adult (18+) can create a parent account. We require a valid email address and age attestation.
- Child profile creation. When a parent adds a child under 13, we present a clear disclosure of what data will be collected, how it will be used, and that the parent is granting VPC on the child's behalf.
- Email confirmation. We send a consent-confirmation email to the parent's registered address. Child data collection does not begin until the parent confirms.
- Ongoing parental controls. Parents can review, export, correct, or delete their child's data at any time from Settings.
- Optional additional verification. For sensitive actions (e.g., full family deletion, account-level identity changes), we may request a one-time credit-card verification charge of $0.01 (refunded immediately) or government-ID review.
We do not require more personal information than is reasonably necessary for participation in the activity and we never condition a child's participation on collecting more information than is reasonably necessary (16 CFR § 312.7).
How to Exercise Your Rights
To review, modify, or delete your child's information:
- Log into your parent account at Sprout Saver
- Navigate to Settings → Kids
- Select your child's profile
- Choose the action you wish to take (edit, export, or delete)
You may also email support@sproutsaver.com with subject line "COPPA Request". We will verify the requesting parent's identity before acting on any request.
Deletion Timeline (FTC Requirement)
When a parent requests deletion of a child's personal information, we delete that information from our active production systems within 5 business days of receiving a verified request, consistent with FTC guidance. Full family-account deletion is subject to an optional 30-day parent-facing grace period during which a parent can cancel the deletion; after that window, personal data is permanently purged from active systems within 5 business days, and from backups within 90 days.
COPPA Safe Harbor Program
Sprout Saver is not currently a member of an FTC-approved COPPA Safe Harbor program. We comply directly with the COPPA Rule at 16 CFR Part 312. We review our participation in Safe Harbor programs annually and will update this statement if that changes.
Security Measures
We implement robust security measures to protect children's information:
- Encryption: All data is encrypted in transit and at rest using industry-standard encryption
- Access Controls: Only authorized personnel have access to user data, under strict protocols
- Regular Audits: We conduct regular security assessments and updates
- Secure Infrastructure: We use Google Cloud Platform (Firebase) which maintains SOC 2 compliance
- PIN Protection: Child accounts are protected by parent-set PINs
Contact Information
If you have any questions about our COPPA compliance or wish to exercise any parental rights regarding your child's data, please contact us:
Changes to This Policy
We may update this COPPA Compliance statement from time to time. When we make changes, we will update the "Last updated" date at the top of this page and notify registered parents via email if the changes are significant.