Privacy Policy

Effective 2026-05-05. Compliant with COPPA 2025 amendments (April 22, 2026).

The short version

• We never sell your data. Not now, not ever.
• We never serve ads inside Glowloop.
• We don't track children for advertising. Period.
• You can export and delete all your data at any time, self-serve.
• Children give us zero direct personal information. Parents control everything.

Who this applies to

Glowloop is a service for parents and caregivers. Children under 13 use Glowloop only through a parent-controlled household account. We comply with the Children's Online Privacy Protection Act (COPPA) and the FTC's 2025 amendments effective April 22, 2026.

What we collect

Parent account: email address, hashed password (or magic-link token), Stripe customer ID after purchase. Optional: display name.

Profiles: a name (encrypted at rest), age, optional special interests, optional IEP goals, optional sensory preset. Users under 13 (child profiles) never sign up directly; a parent creates the profile inside their authenticated session. Adult users manage their own profile.

Session data: when each profile played each game, and for how long. We do not record what happened inside the game (no answers, no creations, no audio, no faces).

Technical data: hashed IP, user agent, timestamp, for security audit only. Hashed before write. Rotated salt.

What we never collect

• Biometric data (no face, no voice samples, no eye tracking)
• Geolocation
• Behavioral advertising profiles
• Persistent advertising identifiers
• Game content from children (no quiz answers, no drawings, no audio)

Verifiable parental consent (VPC)

Per COPPA, we use a verified credit card transaction (your $12.99 Lifetime Pass purchase via Stripe) as our VPC method, layered with a post-purchase consent screen, a confirmation email, and an immutable consent record stored in our database. Free-tier accounts collect only a parent's email and a verified magic-link click; child profiles (for users under 13) cannot be created on the free tier without VPC.

Vendors we use

Stripe (payment processor, US), Cloudflare (hosting, DB, storage), Resend (transactional email, US), Sentry (error tracking, US, sampled). All vendors have signed data-processing agreements. Each is listed here per 16 CFR 312.4(d)(3).

Your rights

You can: export all data tied to your account, delete all data tied to your account, request a refund within 90 days of purchase (full self-serve in your account portal), revoke consent at any time. To exercise these rights, sign in and visit the Account section, or email [email protected].

California, Connecticut, EU, UK

California (CCPA + AADC), Connecticut (CTDPA, effective July 1, 2026), Colorado, Texas, Utah, Virginia, Maryland: we do not sell or share data; we honor opt-out and deletion requests. EU + UK: we comply with GDPR-K and the UK Age Appropriate Design Code if you reach us from those regions.

Contact

Email [email protected] or write to AstraBrava, our parent entity. We respond to verified privacy requests within 30 days.

Terms · Accessibility