AuthentiKid
Privacy Policy

Privacy Isn't a Policy.
It's the Architecture.

We built AuthentiKid on a single principle: you cannot protect children's privacy by collecting children's data. Everything below describes what we do — and what we are architecturally incapable of doing.

No PII Collected

No names, birthdates, addresses, or government IDs — ever.

No Biometrics

Age-group verification requires zero facial scans or physical identifiers.

No Persistent Profiles

Stateless AI means no behavioral history, no cross-session tracking.

1. Overview

Our Core Commitment

AuthentiKid was built on a single architectural principle: you cannot protect children's privacy by collecting children's data. Every system, every API, every verification flow we build is designed to confirm age-group membership without ever creating, storing, or transmitting Personally Identifiable Information (PII) about a minor. This Privacy Policy describes how AuthentiKid, Inc. ("AuthentiKid," "we," "us," or "our") handles information in connection with our website (authentikid.com), our compliance infrastructure products (AuthentiKey™, EduLock™, AuthentiLock™), and our Stateless AI systems. It applies to all visitors, users, school district partners, enterprise platform integrations, and any individual whose age-group verification flows through our network.

What Makes AuthentiKid Different

Most privacy policies describe what data a company collects and how it protects it. Ours begins with what we do not collect — because that is the architectural foundation of everything we build. We do not collect biometric data. We do not collect government-issued identification. We do not create persistent user profiles tied to real-world identities. We do not sell, license, or share personal data with third-party advertisers. Our verification outputs are binary, ephemeral, and stateless: a platform receives a signal that a user is or is not within a protected age group. That signal contains no name, no device fingerprint, no behavioral history, and no linkable identifier.

2. Information We Collect

Website Visitors

When you visit authentikid.com, we may collect standard server log data including IP address (truncated), browser type, referring URL, and pages visited. This data is used solely for security monitoring and aggregate analytics. It is not linked to any individual identity and is not retained beyond 90 days. If you submit a contact form, join our waitlist, or request a presentation, we collect the name and email address you provide. This information is used only to respond to your inquiry or fulfill the specific request you made. We do not add you to marketing lists without explicit opt-in.

School District Partners (EduLock™)

When a school district deploys EduLock™, the district provides AuthentiKid with a roster of enrolled students in a format compliant with FERPA and applicable state student privacy laws. This roster data is used exclusively to generate cryptographic verification tokens — it is never stored in a form that links a student's identity to their verification status. Student roster data is processed in an isolated, air-gapped environment. The output of that processing is a set of anonymous verification tokens. The source roster data is deleted within 24 hours of token generation. AuthentiKid does not retain any student PII beyond the token generation window.

AuthentiKey™ (Parent/Guardian Enrollment)

AuthentiKey™ is free for every family. When a parent or guardian enrolls a child, they provide a verified email address and confirm the child's age group (not exact birthdate). AuthentiKid does not collect the child's name, school, location, or any other identifying information. The parent/guardian email is used only for account management and security notifications. It is never shared with platforms that use AuthentiKey™ for verification. The child's age-group classification is stored as a non-reversible hash — it cannot be used to reconstruct the child's identity or exact age.

Enterprise & Platform Integrations (SDK)

When a platform integrates the AuthentiKid SDK, verification requests are processed in real time and discarded immediately after the response is returned. AuthentiKid does not log individual verification events in a way that could be used to reconstruct a user's activity history across platforms. Aggregate, anonymized metrics (total verifications, age-group distribution by platform, error rates) are retained for product improvement and regulatory reporting purposes. These metrics contain no individual-level data.

3. How We Use Information

Permitted Uses

We use the information we collect for the following purposes only:
• To respond to contact form submissions, waitlist registrations, and presentation requests
• To generate and deliver cryptographic verification tokens for enrolled students (EduLock™)
• To manage parent/guardian accounts and send security notifications (AuthentiKey™)
• To process real-time age-group verification requests from integrated platforms (SDK)
• To monitor system security, detect abuse, and maintain service integrity
• To comply with applicable law, including COPPA, FERPA, KOSA, and applicable state student privacy statutes
• To produce aggregate, anonymized analytics for product improvement and regulatory reporting

What We Will Never Do

AuthentiKid will never:
• Sell, rent, or license personal data to any third party for any purpose
• Use student data for advertising, profiling, or any commercial purpose unrelated to the verification service
• Share individual verification records with platforms beyond the binary age-group signal required for compliance
• Retain biometric data, government ID data, or any data capable of uniquely identifying a minor
• Use data collected under FERPA or COPPA for purposes beyond those explicitly authorized by the applicable law
• Transfer data to jurisdictions without adequate privacy protections without appropriate safeguards

4. Data Security & Architecture

Zero-Knowledge Architecture

AuthentiKid's verification infrastructure is built on zero-knowledge cryptographic principles. This means that the verification output — the signal a platform receives — is mathematically derived from the underlying data without exposing that data. A platform learns only what it needs to know: whether a user is within a protected age group. It learns nothing else. This is not a policy commitment. It is an architectural constraint. The system is designed so that even AuthentiKid employees cannot reconstruct an individual's identity from a verification token. The privacy guarantee is structural, not procedural.

Stateless AI

Our AI-assisted verification systems are stateless by design. Each verification request is processed independently, without reference to prior requests from the same device, IP address, or behavioral profile. There is no persistent user model, no behavioral fingerprint, and no cross-session tracking. This design eliminates an entire category of privacy risk: the risk that a system designed to protect children could itself become a surveillance infrastructure. Stateless AI means that even if our systems were compromised, there would be no longitudinal data to exfiltrate.

Technical Safeguards

AuthentiKid employs industry-standard and beyond-standard technical safeguards including:
• End-to-end encryption for all data in transit (TLS 1.3 minimum)
• Encryption at rest for all stored data using AES-256
• Air-gapped processing environments for student roster data
• Automated deletion protocols for source data after token generation
• Role-based access controls with least-privilege principles
• Regular third-party security audits and penetration testing
• Incident response procedures with mandatory notification timelines

5. Your Rights

Rights for Parents and Guardians (COPPA)

Under the Children's Online Privacy Protection Act (COPPA), parents and guardians have the right to:
• Review the personal information AuthentiKid has collected about their child
• Request deletion of their child's personal information
• Refuse to permit further collection or use of their child's information
• Withdraw consent for AuthentiKid's processing of their child's data at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 10 business days. Withdrawal of consent will result in deactivation of the child's AuthentiKey™ account.

Rights for School Districts (FERPA)

School districts that have entered into a Data Processing Agreement with AuthentiKid retain all rights and obligations under FERPA with respect to student education records. AuthentiKid acts as a "school official" under FERPA for the limited purpose of providing the verification service described in the applicable agreement. Districts may request a full accounting of all student data processed under their agreement, request deletion of all associated data, and terminate the agreement at any time. Upon termination, all student data associated with the district's account will be deleted within 30 days.

Rights for All Users (General)

Depending on your jurisdiction, you may have additional rights including the right to access, correct, port, or delete your personal data. Residents of California (CCPA/CPRA), the European Union (GDPR), and states with comprehensive privacy laws may have specific rights beyond those described here. To submit a privacy request, contact [email protected] with the subject line "Privacy Request — [Your Jurisdiction]." We will respond within the timeframe required by applicable law, and no later than 30 days.

6. Regulatory Compliance

Laws We Are Designed to Comply With

AuthentiKid's architecture was designed from the ground up to comply with — and in many cases exceed the requirements of — the following regulatory frameworks:
• COPPA (Children's Online Privacy Protection Act) — Federal U.S. law governing online collection of data from children under 13
• FERPA (Family Educational Rights and Privacy Act) — Federal U.S. law governing student education records
• KOSA (Kids Online Safety Act) — Federal U.S. legislation establishing duty-of-care requirements for platforms serving minors
• EU Digital Services Act (DSA) — European regulation governing platform obligations for minor users
• California Age-Appropriate Design Code (CAADC) — California law requiring privacy-by-design for products likely to be accessed by minors
• Applicable state student privacy laws in all 50 U.S. states

Our Compliance Posture

Compliance is not a checkbox at AuthentiKid — it is the product. Every architectural decision, every data flow, and every third-party integration is evaluated against the most stringent applicable standard. When laws conflict, we apply the more protective standard. When laws are silent, we apply our own internal privacy-by-design principles. We maintain a Legal and Compliance Framework document that describes our compliance posture in detail, including our data processing agreements, sub-processor list, and regulatory correspondence. This document is available to school district partners, enterprise clients, and regulators upon request.

7. Contact & Updates

Privacy Contact

For all privacy-related inquiries, requests, or concerns, contact:

AuthentiKid Privacy Office
Email: [email protected]
Response time: 10 business days for general inquiries; as required by applicable law for formal rights requests.

For urgent matters involving potential unauthorized access to children's data, please use the subject line "URGENT — Child Data Incident" and we will respond within 24 hours.

Policy Updates

This Privacy Policy was last updated on May 11, 2026. We will notify registered users and school district partners of material changes to this policy by email at least 30 days before the changes take effect. Non-material changes (such as clarifications or formatting updates) may be made without notice. The current version of this policy is always available at authentikid.com/privacy. Prior versions are available upon request.

Questions About Our Privacy Practices?

Our privacy office responds to all inquiries within 10 business days. For school districts and enterprise partners, we offer a dedicated compliance briefing on request.