COPPA Compliance Statement

Version: 1.0
Effective Date: [TO BE SET BEFORE PUBLISHING]

LULL COPPA Compliance Statement

1. APPLICABILITY

This COPPA Compliance Statement applies to the Lull application and related services operated by Rhetoric Innovations LLC ("Company") when accessed by or potentially accessible to children under 13 years of age. The Company has determined that Lull is directed to a general audience that includes users under 13, triggering full COPPA compliance obligations.

2. OPERATOR INFORMATION

Operator Name: Rhetoric Innovations LLC Product: Lull — A Growth Journaling Application Website: lulljournal.app Contact for COPPA Inquiries: [email protected] Designated COPPA Contact: [NAME AND TITLE — TO BE COMPLETED BEFORE PUBLISHING]

3. PERSONAL INFORMATION COLLECTED FROM CHILDREN UNDER 13

3.1 Categories of Information Collected

Pursuant to 16 C.F.R. § 312.2, the Company collects the following personal information from children under 13:

• First name — collected for personalized greeting purposes only
• Parent or guardian email address — collected solely for verifiable parental consent process
• Birthdate — collected solely to determine age and route to appropriate consent flow
• Journal entry content — collected to provide the core journaling service
• Account activity data — collected for guardian dashboard functionality

3.2 Information NOT Collected from Children Under 13

4. VERIFIABLE PARENTAL CONSENT PROCEDURES

Pursuant to 16 C.F.R. § 312.5, the Company obtains verifiable parental consent before collecting personal information from children under 13. The Company's consent procedure is as follows:

• Age Verification: Users are required to provide their birthdate at account creation. Users with a calculated age under 13 are identified and routed to the parental consent flow.
• Account Suspension: Account creation is paused immediately upon identification of a user under 13. No personal information is collected beyond what is necessary to initiate the consent process.
• Parent Email Collection: The child is prompted to provide a parent or legal guardian email address. This is the only information collected before parental consent is obtained.
• Consent Notice: A detailed notice is sent to the provided parent email address describing: (a) the types of information collected; (b) how information is used; (c) how parents can review and delete information; (d) the Company's contact information; and (e) a mechanism for providing consent.
• Account Activation: The child's account is activated only upon receipt of verified parental consent.

5. PARENTAL RIGHTS

Pursuant to 16 C.F.R. § 312.6, parents and legal guardians of children under 13 have the following rights at any time:

5.1 Right to Review Parents may request a copy of all personal information collected from their child by contacting [email protected]. The Company will provide this information within 10 business days of a verified request.

5.2 Right to Delete Parents may request deletion of their child's personal information at any time. Upon verified request, all personal information will be deleted within 30 days. The Company will confirm completion of deletion by email.

5.3 Right to Refuse Further Collection Parents may revoke consent and refuse further collection of their child's information at any time by contacting [email protected]. Revocation of consent will result in account deactivation.

5.4 Verification of Parent Identity

6. DATA RETENTION AND DELETION

Personal information collected from children under 13 is retained only as long as reasonably necessary to provide the requested service. The Company retains children's personal information in accordance with the following schedule:

• Active account data: retained while account is active with valid parental consent
• Account data upon deletion request: deleted within 30 days of verified parental request
• Safety logs: retained for 7 years as required by applicable law (does not include journal content)
• Payment records: retained 7 years for tax compliance (subscription accounts only)

7. SCHOOL CONSENT EXCEPTION

Pursuant to 16 C.F.R. § 312.5(b)(1), schools may provide consent in place of parents when Lull is deployed for educational purposes under a School Data Processing Agreement. The Company's school deployment procedure ensures:

• A written School Data Processing Agreement is executed before school deployment
• The DPA specifies the educational purpose for which data is collected
• The school represents that it has the authority to provide consent on behalf of parents
• Data collected under school consent is used only for the educational purpose specified in the DPA

8. THIRD-PARTY SERVICE PROVIDERS

The Company discloses children's personal information to the following service providers solely to operate the Service. Each provider is contractually obligated to maintain the confidentiality and security of children's information:

• Anthropic, PBC — AI response generation (journal content processed in real-time; not retained)
• Supabase, Inc. — Database and authentication infrastructure
• Resend, Inc. — Parental consent email delivery

The Company does not disclose children's personal information to any other third party and does not permit service providers to use children's information for any purpose other than providing services to the Company.

9. SECURITY MEASURES

The Company implements the following security measures to protect children's personal information:

• Encryption of all data in transit and at rest
• Row-level security policies in the database layer
• Access controls limiting employee access to children's data
• Regular security monitoring and incident response procedures

10. CONTACT FOR COPPA INQUIRIES

Parents, guardians, and users with questions or concerns about COPPA compliance may contact:

Email: [email protected] Subject Line: COPPA Inquiry Company: Rhetoric Innovations LLC Website: lulljournal.app

The Company will respond to COPPA-related inquiries within 2 business days.