Privacy Policy
Who We Are
Finley Reading Quest ("Finley," "we," "us," or "our") is operated by Lorenzo Harris. This privacy policy explains what information we collect from parents and children who use Finley, how we use and protect that information, and the rights you have as a parent or legal guardian under the Children's Online Privacy Protection Act (COPPA) and applicable state laws.
Finley is designed for children ages 4 through 12. Because our users include children under 13, we treat every piece of data with the highest standard of care required by federal law. We do not monetize children's data. We do not serve ads. We do not sell, rent, or share personal information with third parties for marketing or advertising purposes.
Operator Contact:
Lorenzo Harris
Email: hello@finleyreads.com
Information We Collect
We collect only what is necessary to deliver personalized reading instruction and maintain account security.
From Parents (Account Holders):
- Email address (used for account login, receipts, and service communications)
- Password (stored as a salted hash, never in plaintext)
- Billing information (processed and stored by Stripe; Finley never sees or stores full payment card numbers)
- Support correspondence (emails, in-app feedback)
From Children (Learner Profiles):
- First name or nickname (used to personalize the reading experience; last names are never collected)
- Age or grade range (used to calibrate initial reading level placement)
- Reading performance data (answers, accuracy, response time, skill mastery scores generated by our Bayesian Knowledge Tracing engine)
- Session metadata (session start/end times, features used, levels completed)
Collected Automatically:
- Device type and operating system (for compatibility and bug fixes)
- Anonymous usage analytics (page views, feature engagement, crash reports)
- Persistent identifiers such as device IDs or cookies (used only for authentication and internal operations, never for advertising)
What We Do NOT Collect:
- Last names of children
- Physical addresses of children
- Photos, videos, or audio recordings of children
- Geolocation data
- Social media identifiers
- Any information beyond what is reasonably necessary to provide the reading service
How We Use Information
All data we collect is used for the following purposes and no others:
- Personalized Reading Instruction: Learner performance data powers our adaptive AI engine, which adjusts content difficulty, selects appropriate phonics patterns, and sequences skills based on each child's demonstrated mastery.
- Parent Insights and Reporting: After each session, we generate an AI-powered summary showing what skills the child practiced, what they mastered, and what comes next. Weekly progress reports are delivered to the parent's email.
- Product Improvement: Aggregated, de-identified usage data helps us improve the reading curriculum, fix bugs, and optimize the learning experience. Individual children are never identified in aggregate analytics.
- Account Security and Fraud Prevention: Login credentials, session tokens, and device identifiers are used to keep accounts secure and prevent unauthorized access.
- Service Communications: We use parent email addresses to send account confirmations, billing receipts, product updates, and responses to support requests. We do not send marketing emails to children.
Parental Consent
Finley requires a parent or legal guardian to create an account before any child profile can be added. By creating an account and adding a child learner profile, you are providing verifiable parental consent for Finley to collect and use your child's information as described in this policy.
Our consent mechanism:
- Only a parent or legal guardian can create an account (protected by email verification)
- Child profiles are created by the parent within the parent dashboard
- The parent dashboard is protected by a PIN lock separate from the child's reading experience
- Parents may withdraw consent at any time by deleting the child profile or contacting us
If we learn that we have collected personal information from a child without verifiable parental consent, we will delete that information promptly.
Parental Rights Under COPPA
As a parent or legal guardian, you have the right to:
- Review your child's personal information at any time through the parent dashboard
- Correct any inaccurate information in your child's profile
- Export your child's reading data (performance history, mastery scores, session logs)
- Delete your child's profile and all associated data
- Refuse further collection by deleting the child profile or closing your account
- Consent to internal use but limit disclosure: you may allow Finley to use your child's data internally while prohibiting disclosure to third parties (note: Finley does not disclose children's data to third parties regardless)
To exercise any of these rights, use the parent dashboard or email hello@finleyreads.com. We will respond to all requests within 72 hours and complete deletion requests within 30 days.
Third-Party Services
Finley uses a limited number of third-party services to operate. Each service is bound by contract to handle data in accordance with COPPA requirements.
| Service | Purpose | Data Accessed |
|---|---|---|
| Stripe | Payment processing | Parent billing information only; no child data |
| Firebase / Google Cloud | Authentication, database hosting | Encrypted account and learner data |
| Cloudflare | Website hosting, CDN, DDoS protection | Standard web traffic logs (IP addresses, anonymized) |
| Anthropic API | AI-generated reading content | Anonymized reading level and skill parameters are sent to Anthropic API; no child names or identifiers are sent |
We do not use any advertising networks, behavioral tracking tools, social media SDKs, or analytics platforms that profile individual children. We do not allow third-party cookies on any part of the child-facing experience.
Data Security
We implement reasonable and appropriate security measures to protect children's personal information:
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Passwords are stored using salted cryptographic hashing (bcrypt)
- The parent dashboard is protected by a separate PIN lock
- Database access is restricted to essential services with role-based access controls
- We conduct regular security reviews of our infrastructure and dependencies
- Stripe handles all payment data under PCI DSS Level 1 compliance
No system is 100% secure. If we discover a data breach affecting children's personal information, we will notify affected parents within 72 hours and report to the FTC as required.
Data Retention
We retain children's personal information only as long as necessary to provide the reading service and fulfill the purposes described in this policy. For detailed retention windows and deletion procedures, see our Data Retention Policy.
In summary:
- Active learner profiles are retained while the account is active
- Deleted profiles are permanently purged within 30 days
- Aggregated, de-identified analytics data (which cannot identify any individual child) may be retained indefinitely for product improvement
- Billing records are retained for the minimum period required by tax and financial regulations
California Residents
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Age-Appropriate Design Code Act. Finley does not sell personal information. To exercise any rights under California law, contact hello@finleyreads.com.
Changes to This Policy
We will post any changes to this privacy policy on this page and update the "Effective" date at the top. If we make material changes to how we handle children's personal information, we will notify parents by email before the changes take effect.
Contact
For any questions about this privacy policy, your child's data, or to exercise your parental rights:
Email: hello@finleyreads.com
We respond to all privacy-related inquiries within 72 hours.