CleanMy COPPA Disclosure
Effective date: to be set at publication.
Published at: https://cleanmy.life/coppa (or as a section of the main
privacy policy).
This document is the source for our COPPA disclosure under 16 CFR §312. It can live at its own URL or as a section of the main privacy policy depending on what we decide is more discoverable. Apple's reviewer cares mostly that it exists, that it explains parental consent, and that the parent can easily revoke.
The shorter consumer-facing version is in
privacy-policy.md "Children's privacy" section.
COPPA Disclosure for CleanMy
CleanMy is used by both adults and children. This disclosure describes the practices required by the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§6501-6506, 16 CFR Part 312) and similar laws (GDPR-K in the EU, state laws in California, Connecticut, Maryland, New York, Texas, etc.).
Who this applies to
This disclosure applies if your child under 13 is using CleanMy in the family configuration. In the family configuration:
- The parent (you) sets CleanMy up in person on the child's iOS device: you authenticate with Sign in with Apple, choose which apps are gated, configure Screen Time on that device, and set a PIN, then hand the device to your child.
- Optionally, the child's device is paired to the parent's own device using a 6-digit code shown on the parent's device, so the family can share a pool of cleans and the child can ask the parent for more. This pairing is handled in our own backend and does NOT use Apple Family Sharing.
If an under-13 child set CleanMy up themselves without a parent doing the in-person setup, that is not the family configuration, and we do not authorize that use.
What information we collect from children
In the family configuration, we collect from the child's device:
| Type | Why | Where stored | Retention |
|---|---|---|---|
| Cleaning photos (before/after) | AI task generation + verification | Supabase Storage, linked to the kid's anonymous user UUID | Until parent or kid deletes |
| Anonymous user UUID | App functionality | Supabase user table | Until parent or kid deletes |
| Cleaning session metadata (task list, completion timestamp, AI judgment) | Bank of earned screen-time minutes | Supabase tables | Until parent or kid deletes |
We do NOT collect from the child:
- Phone
- Address
- Date of birth
- Location
- IDFA, IDFV, or other persistent identifiers (we use a Supabase-generated UUID that is meaningless outside CleanMy)
- Audio recordings
- Video recordings
- Biometric data
- A last name. We never store a last name for any child.
The child-facing UI contains no fields where the child could enter such information. We never ask a child to type their own name into the app.
Child's first name — provided by the parent
The setup flow asks the parent to type the child's first name. This name is:
- stored in iOS UserDefaults on the device that did the setup (it does not leave the device for personalization use),
- used locally to personalize the experience (cleaning checklist greeting, parent dashboard labels, send-to-family message copy),
- transmitted to our servers as part of the internal "pending review" record that goes from the child's device to the paired parent's review inbox. Database-level access controls keep that record visible only to the paired parent's account, and it is permanently held in a "pending" state — it is never published, listed in any public surface, or shared with any third party.
When the parent reviews and publishes one of the child's cleans to the public
feed, our server creates a separate public post owned by the parent. The
public post's displayed label is the parent's chosen public name; if the
parent has not set one, the post appears under a system-assigned user
handle (for example, user_a4b3c2d1) derived from a one-way hash of the
parent's account ID. The child's first name is never used as the public
post label. If the parent chooses to mention the child by name in the
free-text caption they write themselves at publish time, that is the
parent's own speech and is outside what we collect.
We treat a first name standing alone as something other than the per-child personal information COPPA's Rule (16 CFR §312.2) is built around. The Rule's enumerated list of "personal information" requires "first and last name" for the name field, and standalone first names are not in the list. We do not store any child's last name. Because the first name is never published alongside a public persistent identifier (the public post uses the parent's chosen name or a system-assigned user handle), the §312.2(11) combination test does not attach. The internal pending-review record IS server-side, but it is parent-scoped, never public, and exists for the sole purpose of letting the paired parent identify which child's clean is in front of them when they review.
A note on the Quick Clean timer: when a child uses the Quick Clean fallback (a timer-based cleaning session with no AI verification), the only data we record about that session is an anonymous bank-event timestamp and the minutes earned. No photo is captured. No AI call is made. No content leaves the device. A child who only ever uses Quick Clean has shared essentially nothing about themselves with our server.
How we obtain verifiable parental consent (16 CFR §312.5(b))
The COPPA Rule's §312.5(b)(2) "reasonable efforts" standard requires the operator to use a consent mechanism "reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent." CleanMy's mechanism, end to end:
- Adult Sign in with Apple. To set up the family configuration, the parent installs CleanMy on the parent's own device and authenticates via Apple's Sign in with Apple. We hold a server-side record of this verified adult identity, along with the parent's email (real or Apple relay address).
- Parent generates a pairing code on their device. CleanMy on the parent's device produces a single-use 6-digit pairing code that the parent then types into CleanMy on the child's device. Only an adult with control of the parent's SiwA-verified device can produce this code; the kid device redeeming it is then permanently associated with the parent's account in our database.
- Per-publish review and approval. A child's clean can never publish on its own. A database rule forces every child-captured post into a pending-review state, regardless of what the rest of the system requests. For every individual instance in which the parent chooses to publish one of the child's cleans to the public feed, the parent must review and approve it on the parent's own Sign in with Apple verified session. Our server records the approving parent's verified identity and makes that parent the publisher of record for the post, providing an auditable per-act consent record.
CleanMy does not at this time make programmatic use of Apple's Family Sharing APIs to independently verify family relationships, and we do not hold or process the parent's payment card. The consent mechanism above is what we rely on; it is what the FTC's "reasonable efforts in light of available technology" standard contemplates, and the per-act parent review and approval on the parent's verified session goes meaningfully beyond a one-time-consent posture.
How parents can review, delete, or refuse to consent to further collection
A parent can, at any time:
- Delete all data we hold about their child: Settings → Account → Delete account on the kid device deletes the kid account and cascades to remove all photos, cleaning sessions, and bank entries belonging to that kid. The parent can do the same from their own device by deleting the parent account, which also cascades to any paired kid accounts. Deletion is processed within seconds; we commit to it being complete within 24 hours at the outside.
- Refuse to consent to further collection: revoke Apple's Sign in with Apple from iOS Settings → [Your Name] → Sign in with Apple → CleanMy → Stop using Apple ID. This locks the family configuration and prevents new data collection.
- Review the data we hold about their child: email
coppa@cleanmy.lifeand we will export a copy of all data CleanMy holds about the child within 7 days. (An in-app self-service export is on our roadmap; until it ships, the email path is the path.)
We do not use children's information for advertising
We do not serve ads to a child using CleanMy. Even if we later add an ad-supported free tier on the adult product, children's data is never used to serve ads, and ads are never shown to a child using the kid surface of CleanMy. We know which users are children because the kid surface is a distinct mode of the app, set during pairing by a Sign-in-with-Apple-verified parent and stored tamper-resistantly on the device. We do not share children's information with any advertising network. We do not use any cross-app tracking or device-identifier collection on the kid surface.
We do not enable communication between children and other users
The child-facing surface in CleanMy contains:
- No public feed
- No comments
- No direct messaging
- No chat
- No share-to-arbitrary-contact (the "share to family" path is a parent-maintained allowlist)
Children using CleanMy cannot communicate with strangers through the app.
Third-party service providers that touch children's data
| Provider | What they receive | Why | Where |
|---|---|---|---|
| Supabase Inc. | Encrypted photos + UUID + session metadata | Backend hosting | US |
| Google LLC (Vertex AI service) | Photo content for AI task generation + verification. We use Gemini 3.5 Flash today; Vertex AI's catalog includes other multimodal models (Google Gemini 3.1 Pro / Flash-Lite / Pro Image, Anthropic Claude 4.x, Mistral Small 3.1 + OCR 2505) we may evaluate. Vertex AI's terms commit Google to not using customer content to train Google's models or any partner-model provider's models. AI consent for kid-captured photos is inherited from the SiwA-verified parent; a kid never grants their own AI processing consent. | AI vendor | US |
| Industry image-hash database providers (e.g. Microsoft PhotoDNA, planned for V1.5) | Perceptual photo hashes only, never photo content | Moderation hash match | US (planned) |
| Sentry | Crash diagnostics (no PII, no photo content) | Diagnostics | US |
| PostHog | Anonymous product-interaction events (no PII, no photo content) | Analytics | US |
We require each provider, where contracts apply, to use the data only for the purpose above and to delete it when we terminate the relationship. Where the provider's published terms govern (Google's Vertex AI service in particular), we describe those terms accurately above rather than overstating the protections in place.
State-law overlays
- California (CCPA, CPRA, AB 22): California children have the right to know
what we collect and to request deletion. Both rights are exercisable via the
Settings paths above or via
support@cleanmy.life. - Connecticut, Maryland, New York, Virginia, Colorado: comparable rights. Same exercise paths.
- Texas (App Store Accountability Act, 2025): when the Apple Declared Age Range API becomes generally available, we will integrate it for an additional age signal. As of this disclosure's effective date, Apple's enforcement approach is to require the Declared Age Range API integration in apps that collect age signals; ours is forward-looking compliance.
Contact
For COPPA-related inquiries:
- Email:
coppa@cleanmy.life - Mailing address: Devon Saliga, 555 West 53rd St., New York, NY 10019.
We respond to COPPA inquiries within 7 days.