What Are COPPA and HIPAA?
COPPA (Children's Online Privacy Protection Act)
Who it applies to: Websites and apps directed to children under 13.
What it requires:
- Clear privacy notice explaining what data is collected
- Parental consent before collecting any personal information
- No sale or sharing of children's data with third parties (with limited exceptions)
- Ability for parents to access, review, and delete data
- Security safeguards to protect collected data
HIPAA (Health Insurance Portability and Accountability Act)
Who it applies to: Covered entities and business associates in healthcare. This includes therapists and clinicians using patient data.
What it requires:
- Encryption of patient health information (PHI)
- Access controls (only authorized users see data)
- Audit trails (log who accesses what, when)
- Business associate agreements (BAAs) with vendors
- Incident response procedures if data is breached
How KidsChatGPT Meets COPPA Requirements
1. Clear Privacy Notices
Our Privacy Policy is plain-language and transparent:
- What data we collect: user messages, session metadata, analytics
- Why we collect it: to provide and improve the service
- Who can access it: only the child and parent (if on Parent Plan), never third parties
- How long we keep it: until explicitly deleted
- Your rights: access, deletion, data portability
2. Parental Consent
Free tier: Users indicate they are 13+ (or parent approves for younger children).
Parent Plan: Parent explicitly creates account and provides consent.
Therapist Plan: Therapist (as healthcare provider) is responsible for patient consent and guardian notification.
3. No Data Sales or Third-Party Sharing
We do NOT:
- Sell conversation data to advertisers
- Share data with data brokers
- Use your child's conversations to train our AI models
- Share data with third-party analytics companies
- Combine data across accounts for profiling
Exception: We share minimal data with payment processors (Stripe) and hosting providers, all under strict data processing agreements.
4. Parental Access & Deletion
Parent Plan includes:
- Full access to all conversation transcripts
- Ability to delete individual messages or entire sessions
- Monthly data export (all your data in portable format)
- Account deletion (permanently removes all data)
How KidsChatGPT Meets HIPAA Requirements
1. AES-256-GCM Encryption
What it is: Military-grade encryption. AES = Advanced Encryption Standard. 256-bit = extremely hard to crack. GCM = authenticated encryption (prevents tampering).
What we encrypt:
- Patient conversation logs (therapist-patient chats)
- Patient memories (extracted therapeutic insights)
- Session summaries (AI-generated clinical notes)
Encryption happens before data is stored in the database. Even if someone broke into our servers, they'd see unreadable ciphertext, not patient conversations.
2. Access Controls
Only authorized users can decrypt and view data:
- Therapist: Can see their own patients' data
- Patient: Can see their own sessions
- Admin staff: Cannot see encrypted data (by design)
- KidsChatGPT engineers: Cannot access patient data in plaintext
3. Audit Trails
We maintain logs of:
- Who accessed which patient records
- When they accessed them
- What actions they performed (view, edit, delete)
This helps detect unauthorized access and supports HIPAA compliance audits.
4. Business Associate Agreements (BAAs)
If you're a therapist using our Therapist Plan, we execute a BAA that obligates us to:
- Protect all patient health information
- Report any breaches within 60 days
- Comply with HIPAA rules around data use and disclosure
- Delete or return patient data on termination
5. Incident Response
If we detect a breach or security incident:
- We isolate the affected systems immediately
- We investigate the scope and impact
- We notify affected users/therapists within 60 days
- We cooperate with regulators
- We document lessons learned and improve security
Encryption in Plain English
Imagine a locked diary with a unique key:
- Your conversation: "I'm worried about my stutter in class"
- We encrypt it: "xK$7#mN2@kL9vQ&pJ8hRz+tUy3cB5dW"
- Only your therapist's key can unlock it: "I'm worried about my stutter in class"
- No one else (hackers, government, KidsChatGPT staff) can read it: Still sees "xK$7#mN2@kL9vQ&pJ8hRz+tUy3cB5dW"
That's AES-256 encryption.
What About the Free Tier?
Free users (no parent/therapist monitoring):
- Conversations are still encrypted in transit (SSL/TLS)
- We don't sell your data
- Chats are not retained after you log off (option to delete)
- COPPA-compliant consent process
But: Free tier conversations are not stored encrypted long-term like therapist data. If you want permanent encrypted storage with therapist monitoring, upgrade to Parent or Therapist Plan.
Regular Security Audits
We conduct third-party security audits annually to verify:
- Encryption is working correctly
- Access controls are enforced
- No data leaks exist
- We're compliant with COPPA, HIPAA, and other standards
Audit reports are available to therapists and enterprise customers.
Questions About Your Data?
You have rights under COPPA and state privacy laws:
- Right to know: What data we have about you
- Right to access: Get a copy of your data
- Right to delete: Request permanent deletion
- Right to opt-out: Opt out of non-essential uses
Submit requests to [email protected]. We'll respond within 30 days.
Transparency is Our Foundation
We believe kids and families deserve to understand how their data is protected. COPPA and HIPAA aren't just legal requirements—they're commitments to ethical, responsible AI.