COPPA Compliance Statement
Version: 2.0-draft
Effective Date: 2026-06-01
LULL COPPA Compliance Statement FOR ATTORNEY REVIEW AND APPROVAL
This COPPA Compliance Statement summarizes Rhetoric Innovations LLC's compliance with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq., and its implementing regulations at 16 C.F.R. Part 312, as applied to the Lull journaling application.
1. APPLICABILITY
This COPPA Compliance Statement applies to the Lull application operated by Rhetoric Innovations LLC when accessed by or potentially accessible to children under 13 years of age. The Company has determined that Lull is directed to a general audience that includes users under 13, triggering full COPPA compliance obligations for both the consumer channel and the school channel.
2. OPERATOR INFORMATION
3. PERSONAL INFORMATION COLLECTED FROM CHILDREN UNDER 13
3.1 Categories of Information Collected
Pursuant to 16 C.F.R. § 312.2, the Company collects the following personal information from children under 13:
- First name — collected for personalized greeting purposes only
- Parent or guardian email address — collected solely for verifiable parental consent process
- Birthdate — collected solely to determine age and route to appropriate consent flow
- Journal entry content — collected to provide the core journaling service
- Account activity data — collected for guardian dashboard and school counselor alert functionality
- School association — collected for school-enrolled students to associate the student with their school's counselor and DPA
3.2 Information NOT Collected from Children Under 13
4. VERIFIABLE PARENTAL CONSENT PROCEDURES
4.1 Consumer Channel Consent Procedure
Pursuant to 16 C.F.R. § 312.5, the Company obtains verifiable parental consent before collecting personal information from children under 13 in the consumer channel:
- Age Verification: Users are required to provide their birthdate at account creation. Users with a calculated age under 13 are routed to the parental consent flow.
- Account Suspension: Account creation is paused immediately upon identification of a user under 13. No personal information is collected beyond what is necessary to initiate the consent process.
- Parent Email Collection: The child is prompted to provide a parent or legal guardian email address. This is the only information collected before parental consent is obtained.
- Consent Notice: A detailed notice is sent to the provided parent email address describing: (a) the types of information collected; (b) how information is used; (c) the counselor alert framework if applicable; (d) how parents can review and delete information; (e) the Company's COPPA contact information; and (f) a mechanism for providing consent.
- Consent Verification: Parental consent is verified through a tokenized email link requiring the parent to (a) review the disclosure and five legal documents, (b) affirmatively check acknowledgment of each document, and (c) provide a typed digital signature. The consent token is single-use and expires 72 hours after issuance.
- Consent Recording: All consent records are stored permanently with: timestamp, IP address, user agent, guardian signature, documents acknowledged, and disclosure version presented.
- Account Activation: The child's account is activated only upon receipt of verified parental consent.
4.2 School Channel Consent Procedure
Pursuant to 16 C.F.R. § 312.5(b)(1), schools may provide consent in place of parents when Lull is deployed for educational purposes. The school channel consent procedure is:
- The school must execute a School Data Processing Agreement with Rhetoric Innovations LLC prior to any student enrollment. The DPA constitutes school consent pursuant to 16 C.F.R. § 312.5(b)(1).
- For school deployments, Lull also independently collects guardian consent from the parent or guardian on file with the school, using the school-provided guardian contact information.
- The school-level DPA consent and the individual guardian consent both operate as independent consent mechanisms. The individual guardian consent is collected for transparency and legal belt-and-suspenders purposes even where school consent under the DPA is sufficient under COPPA.
- The DPA specifies the educational purpose for which data is collected. School consent does not extend to any use of student information beyond the educational purpose in the DPA.
5. PARENTAL RIGHTS
Pursuant to 16 C.F.R. § 312.6, parents and legal guardians of children under 13 have the following rights at any time:
5.1 Right to Review Parents may request a copy of all personal information collected from their child by contacting [email protected] with the subject line 'COPPA Inquiry — Data Review Request.' The Company will provide this information within 10 business days of a verified request.
5.2 Right to Delete Parents may request deletion of their child's personal information by contacting [email protected] with the subject line 'COPPA Inquiry — Deletion Request.' Upon verified request, all personal information will be deleted within 30 days. The Company will confirm completion by email. Safety logs and guardian consent records will be retained as required by applicable law.
5.3 Right to Refuse Further Collection Parents may revoke consent and refuse further collection of their child's information at any time by contacting [email protected]. Revocation of consent will result in account deactivation within 5 business days.
5.4 Verification of Parent Identity To protect children's privacy, the Company verifies parent identity before honoring requests under this section. Verification is accomplished by confirming the request comes from the email address registered as the guardian email for the child's account. If a parent no longer has access to that email address, they should contact [email protected] with alternative verification information.
6. DATA RETENTION AND DELETION
- Active account data: retained while account is active with valid parental or school consent
- Account data upon deletion request: deleted within 30 days of verified parental request
- Guardian consent records: retained permanently as legal proof of consent
- Safety event logs: retained for 7 years as required by applicable law (does not include journal content)
- Counselor access logs: retained for 7 years (school-enrolled students only)
- Payment records: retained 7 years for tax compliance (subscription accounts only)
7. SCHOOL CONSENT EXCEPTION — FERPA COORDINATION
Pursuant to 16 C.F.R. § 312.5(b)(1), schools may provide consent in place of parents when Lull is deployed for educational purposes. The Company's school deployment procedure ensures:
- A written School Data Processing Agreement is executed before school deployment
- The DPA specifies the educational purpose for which data is collected
- The school represents that it has notified parents of Lull's use in accordance with FERPA and applicable state law
- Data collected under school consent is used only for the educational purpose specified in the DPA
- The Company independently collects guardian consent in addition to school consent for maximum legal protection
8. THIRD-PARTY SERVICE PROVIDERS
The Company discloses children's personal information to the following service providers solely to operate the Service. Each provider is contractually obligated to maintain the confidentiality and security of children's information:
- Anthropic, PBC — AI response generation (journal content processed in real-time; not retained by Anthropic)
- Supabase, Inc. — Database and authentication infrastructure
- Resend, Inc. — Parental and guardian consent email delivery
- Twilio, Inc. — Guardian consent SMS delivery (school channel, where SMS method selected)
The Company does not disclose children's personal information to any other third party and does not permit service providers to use children's information for any purpose other than providing services to the Company.
9. SECURITY MEASURES
The Company implements the following security measures to protect children's personal information:
- Encryption of all data in transit using TLS 1.2 or higher
- Encryption of all data at rest
- Row-level security policies in the database layer
- Access controls limiting employee access to children's data
- Separate role-based access controls for school counselor portal access
- Tamper-evident audit logging for all counselor access to student conversation content
- Regular security monitoring and incident response procedures
10. DATA MINIMIZATION
Pursuant to 16 C.F.R. § 312.3(c), the Company collects only the personal information reasonably necessary for the child to participate in the Service. The Company does not condition a child's participation in the Service on providing more personal information than is reasonably necessary.
11. CONTACT FOR COPPA INQUIRIES
Email: [email protected] | Subject: COPPA Inquiry Company: Rhetoric Innovations LLC | Website: lulljournal.app The Company will respond to COPPA-related inquiries within 2 business days.
FOR ATTORNEY REVIEW AND APPROVAL — NOT EFFECTIVE UNTIL COUNSEL APPROVES Rhetoric Innovations LLC | lulljournal.app | [email protected]