👋 Welcome
VibeCodeKidz ("we", "us", "our") is a kid-friendly game creation platform. We take your privacy seriously -- especially for our youngest creators.
This policy explains what information we collect, how we use it, and your rights. It's written to be clear and understandable for both kids and parents.
👶 COPPA Compliance
We comply with the Children's Online Privacy Protection Act (COPPA), which protects children under 13 in the United States.
Two-Tier Age System
We operate two age tiers with distinct protections:
- Junior (under 13): Full COPPA protections apply. Verifiable parental consent is required before the account can be used. All social and public features are locked down by default.
- Teen (13+): Standard teen safety protections. COPPA parental consent is not required, but strong content moderation, PII filtering, and safety features still apply.
For Junior users (under 13): We require verifiable parental consent before allowing account use. A parent or guardian must verify their identity via a credit card micro-charge (a small refundable charge through Stripe) or by email confirmation before the child can access the platform.
Parents receive a link to our Parent Command Center when they approve their child's account. From there, parents can at any time:
- Review all data we've collected about their child
- Approve or deny their child's games before public publishing
- Toggle whether their child can publish games publicly
- Toggle whether their child can use multiplayer features
- Opt their child out of anonymized AI improvement data
- Download a copy of all their child's data
- Request deletion of their child's data and account
- Revoke their consent, which will immediately deactivate the account
Junior Feature Restrictions
The following features are restricted or unavailable for Junior (under 13) accounts:
- Public game publishing — requires parent approval in the Parent Command Center; each game must be individually approved
- Multiplayer rooms — disabled by default; parent must explicitly enable
- Discord community links — hidden entirely for Junior accounts
- External links in games — blocked by pre-publish scan
- Profile sharing and social features — not available
📋 What We Collect
Information you provide:
- Username and display name -- no real names required
- Password -- stored securely using bcrypt hashing (we never see your actual password)
- Age bracket -- we ask your age to determine if parental consent is needed
- Parent email -- only for users under 13, used solely for consent verification
- Recovery email (optional, 13+ only) -- used solely for password recovery if you forget your password; never used for marketing
- Games you create -- the code and titles of your game projects
If you send us a bug report:
When a logged-in user taps Report Bug in the studio, we collect only the information needed to diagnose the issue:
- Your bug note -- the short description you choose to send
- Recent AI conversation context -- up to the last 3 chat messages tied to the issue
- A capped code snapshot -- a limited excerpt of the current game code
- Basic technical diagnostics -- such as page route, viewport size, browser language, request ID, browser user-agent, and the last AI model used
We scan the bug description and recent chat snapshot for obvious personal information and redact detected items before storing the report. Reports from under-13 accounts are flagged for extra compliance review, and automated triage uses a reduced summary rather than the full snapshot.
Session identifiers:
When you log in, we create a temporary session token (stored for up to 24 hours) so you can stay logged in without re-entering your password. This identifier is used only to recognize your account during your visit. We do not use it to contact you or track you across other websites. We do not use cookies for session management; the login token is stored in your browser's local storage while the session remains active.
Other secure links and tokens:
We also generate secure tokens for parent consent links, password reset links, and Parent Command Center access. These tokens are used only for those actions and are deleted when they expire, are used, or are revoked, depending on the feature.
Information collected automatically:
- Basic usage data (number of prompts, games created) for rate limiting
- Login timestamps
- Security and abuse-prevention data -- we may temporarily use your IP address during a request for security and rate limiting. In logs, we store only an irreversible hash instead of the raw IP address.
- Anonymized AI interaction data — to improve our AI assistants, we may collect anonymized data about how the AI is used (e.g., which model answered, whether code was generated). This data is stripped of user IDs and any personally identifiable information before analysis.
📊 Improving Our AI
We use anonymized chat and generation data to make our AI assistants better — better at understanding prompts, communicating clearly, and producing great game code. This helps all users over time.
- What we collect: Anonymized signals such as which AI model was used, whether code was generated, and similar metrics. We do not store your prompts, usernames, or any identifying information.
- How we use it: For internal analytics (e.g., comparing model performance) and to improve our prompts and AI behavior.
- We do not use this data to train third-party AI models or for advertising.
- Opt-out: Parents can opt their child out of this improvement use at any time by emailing us at admin@vibecodekidz.org with the child's username. We will stop using their data for improvement and will not require more information than necessary.
🚫 What We Do NOT Collect
- Real name, home address, or phone number
- Precise location or GPS data
- Photos, videos, or audio recordings
- Data from cookies, trackers, or advertising networks
- Social media profiles or contacts
- School or grade information
🔒 How We Protect Your Data
- Passwords are hashed with bcrypt (industry standard)
- All connections use HTTPS with HSTS enforcement
- Content-Security-Policy headers restrict script and resource loading
- Admin access requires separate two-factor authentication
- AI prompts are automatically scanned to strip personal information before transmission
- AI-generated code is scanned for PII leakage and inappropriate content before delivery
- Games are scanned before public publishing for content and safety issues
- Multiplayer chat is filtered for safety. Kids can choose from preset phrases (e.g., "Good game!") or type messages that are automatically checked for appropriateness before being sent. Inappropriate messages are blocked.
- Game iframes are sandboxed and cannot access the parent page
- All fonts and assets are self-hosted (no third-party tracking)
- Parent emails are only used for consent and account management — never for marketing
- Recovery emails are used only for password reset links — never for marketing
Content moderation: Users can report published games. Our team reviews reports and removes content that violates our guidelines. Repeated content filter violations result in progressive discipline (warnings, cooldowns, and temporary suspensions).
Password recovery: If a password is forgotten, users under 13 receive reset links at the parent email on file. Users 13+ who added an optional recovery email receive reset links there; otherwise they can contact support for help.
📤 Data Sharing & Service Providers
We do not sell personal information. We share limited data with trusted service providers solely to operate our platform:
- AI game generation and bug triage (Anthropic, xAI & OpenAI) — Game creation prompts are transmitted to Anthropic (Claude), xAI (Grok), and/or OpenAI (GPT) to generate game code. Before transmission, prompts are automatically scanned and stripped of any personally identifiable information (PII), including names, emails, phone numbers, and addresses. For some game iteration features, we may send a screenshot of the game to our AI provider to improve the result. Screenshots are stripped of any personal information before transmission. If you choose to submit a bug report, we may also send a limited, sanitized summary of the report to Anthropic or OpenAI to help classify it for our internal admin team before human review. For bug reports from under-13 accounts, we reduce that automated triage input further and do not send the full code excerpt. Neither Anthropic, xAI, nor OpenAI train their models on our users' data.
- Payment processing & parental verification (Stripe) — If you purchase a paid membership, Stripe processes the payment. For Junior accounts, we also offer a Stripe-powered credit card micro-charge ($0.50, immediately refunded) as a method of verifiable parental consent. We send only a username, display name, membership tier, and age bracket to Stripe's checkout — no passwords, parent email, recovery email, or other personally identifiable information. All sensitive signup data is stored and processed on our servers only. We do not store credit card numbers on our servers.
- Transactional email (Resend) — We use Resend to send essential emails such as parental consent requests and password reset links. Only the recipient email address and message content are shared with Resend.
- Error monitoring (Sentry) — We use Sentry to capture server-side errors and improve stability. Error reports include stack traces and request metadata; we automatically remove authorization headers, cookies, and other sensitive data before transmission.
- Legal requirements — We may disclose information if required by law or to protect the safety of our users.
No advertising, no analytics trackers, no social media SDKs. We do not use Google Analytics, Facebook Pixel, or any third-party tracking technology. All fonts and assets are self-hosted.
🗑 Data Retention & Deletion
We retain account data as long as the account is active. We run automated data cleanup:
- Expired login sessions are purged automatically
- Inactive Junior accounts (under 13) are automatically purged after 12 months of inactivity
- Anonymous demo event logs are purged after 90 days
- Resolved moderation reports are purged after 90 days
- Resolved or dismissed bug reports are purged after 90 days
- Accounts requested for deletion are anonymized promptly upon request (typically within 48 hours)
Open bug reports stay in our internal support queue while we investigate them.
For Junior accounts (under 13), parents can request data deletion via the Parent Command Center (linked in the consent approval email) or by contacting us. After deletion, we retain a minimal anonymized record (username placeholder) to prevent abuse and re-registration; no personal data remains.
For Teen accounts (13+), users can download their data and delete their account directly from their account settings. Account deletion requires password confirmation.
To request data access or deletion: Use the Parent Command Center dashboard, or email us at admin@vibecodekidz.org with the child's username. We will respond within 48 hours.
👩👩👧 Parents' Rights
As a parent or guardian, you have the right to:
- Be informed about what data we collect from your child
- Review your child's personal information
- Request that we delete your child's information
- Refuse to allow further collection of your child's information
- Revoke consent at any time
We will not require your child to disclose more information than is reasonably necessary to participate in the platform.
🔄 Changes to This Policy
If we make material changes to this privacy policy, we will notify users through the platform and, for child accounts, send an updated consent request to the parent email on file.
❓ Frequently Asked Questions
Does my child need parental consent to use VibeCodeKidz?
If your child is under 13, yes. We require verifiable parental consent before they can use the platform. You can verify via a small refundable credit card charge or by email confirmation.
Are my child's AI prompts shared with third parties?
AI prompts are transmitted to our AI providers (Anthropic, xAI, and OpenAI) to generate game code. Before transmission, all prompts are automatically scanned and stripped of personal information (names, emails, addresses, phone numbers). Neither Anthropic, xAI, nor OpenAI train their models on our data.
Can my child publish games publicly?
For Junior accounts, publishing requires your explicit approval. Each game your child wants to publish appears in your Parent Command Center for review first. For Teen accounts, games are published directly but still undergo an automated safety scan.
Can my child chat with other users?
Multiplayer chat is filtered for safety. Kids can choose from preset phrases (e.g., "Good game!") or type messages that are automatically checked for appropriateness before being sent. Inappropriate messages are blocked. Multiplayer is disabled by default for Junior accounts and must be enabled by a parent.
Does VibeCodeKidz use advertising or tracking?
No. We do not display ads, use advertising networks, employ social media trackers, or use analytics services like Google Analytics. All fonts and assets are self-hosted.
How do I delete my child's account?
Use the Parent Command Center (linked in your consent approval email) to download data or delete the account. You can also email admin@vibecodekidz.org and we will respond within 48 hours.
What happens if my child types personal information into a prompt?
Our system automatically detects and removes personal information (names, addresses, emails, phone numbers) from prompts before they are sent to AI providers. AI-generated output is also scanned before delivery to your child.
What happens if my child reports a bug?
A bug report is sent to our internal admin team with the note your child wrote, a limited recent chat snapshot, a capped code excerpt, and basic technical diagnostics so we can reproduce the issue. We may use AI to add an internal label before a human reviews it. For under-13 accounts, the report is flagged for extra compliance review and the automated triage uses a reduced summary.