M
MindBrightBack
Privacy & Security

Our Commitment to Your Privacy

MindBright is built for children. Privacy and security are not features we added — they are foundational to every architectural and design decision we make.

Last updated: February 24, 2026

No Ads Ever
No Data Selling
COPPA Compliant
Zero Dark Patterns

Information We Collect

Parent Account

  • Email address (stored in AWS Cognito, not in our application database)
  • Display name
  • Account creation and last-updated timestamps

Storage: AWS Cognito (email) / DynamoDB (display name, timestamps)

Child Profile

  • First name only (no last name, no full name required)
  • Grade tier selection (Pre-K/K, 1st–2nd, or 3rd–5th)
  • Gamification state (XP, level, streak — generated by the platform, not collected from the child)

Storage: DynamoDB (tied to anonymous profile ID, not to any external identifier)

Learning Activity

  • Activity completion records (module, score, attempts, time spent)
  • Achievement badges earned

Storage: DynamoDB (tied to anonymous profile ID)

What We Do Not Collect

×Child email addresses
×Child dates of birth
×Physical addresses or location data
×Device fingerprints or advertising identifiers
×Photos, videos, or voice recordings
×Social media accounts or contacts
×Browsing history outside of MindBright
×Any data from third-party sources

Children's Privacy (COPPA)

MindBright is designed for use by children under 13 under the supervision of a parent or legal guardian. We comply with the Children's Online Privacy Protection Act (COPPA) and apply its principles as the baseline for all data handling decisions, regardless of jurisdiction.

1

Children never create accounts directly. All accounts are created and managed by a parent or legal guardian.

2

We collect only the minimum data necessary to provide the educational service: a first name and grade tier.

3

We do not serve behavioral advertising or targeted advertising of any kind.

4

We do not use third-party analytics, tracking pixels, or ad network scripts in the child-facing portions of the platform (/play routes).

5

We do not sell, rent, license, or otherwise disclose children’s personal information to third parties.

6

Parents may review their child’s data, request corrections, or delete profiles entirely at any time through the parent dashboard.

7

Upon profile deletion, all associated activity data (progress, achievements, portfolio) is permanently removed.

How We Use Data

Providing the service

Displaying progress, and achievements to the child during learning activities and to the parent on the dashboard.

Progress reporting

Generating per-subject breakdowns, accuracy metrics, and activity history for the parent dashboard.

Platform improvement

Aggregated, de-identified usage patterns to improve content quality and difficulty calibration. No individual child data is used for this purpose.

We Never Use Data For

  • ×Advertising or marketing to children
  • ×Selling or sharing with third parties
  • ×Building behavioral profiles of children
  • ×Training machine learning models on individual child data
  • ×Any purpose unrelated to providing the educational service

Data Security

We implement security controls at every layer of the platform. Security is not a feature — it is an architectural requirement applied to every component, endpoint, and deployment.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS). Enforced by AWS CloudFront and ACM certificate management.

Encryption at Rest

All data stored in DynamoDB and S3 is encrypted at rest using AWS-managed encryption keys (AES-256).

Authentication

Parent accounts are authenticated through AWS Cognito using Secure Remote Password (SRP) protocol. Passwords are never transmitted in plaintext and are not stored by MindBright.

Access Control

Every API request verifies that the authenticated parent owns the requested resource. A parent can only access their own children’s data. Backend services use least-privilege IAM roles with per-table, per-action permissions.

Infrastructure

MindBright runs entirely on AWS infrastructure, which maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS Level 1 certifications. We do not operate our own servers.

No Third-Party Scripts in Kid Zone

The child-facing portion of the platform (/play) loads zero third-party JavaScript. No analytics, no chat widgets, no tracking pixels, no ad scripts. Every script that runs in the kid zone is our own.

Dependency Management

We regularly audit our dependencies (npm audit, pip audit) and minimize third-party packages to reduce attack surface.

Data Retention & Deletion

Active Accounts

Data is retained for as long as your account is active. We do not archive or retain data beyond what is necessary to provide the service.

Profile Deletion

When a child profile is deleted through the parent dashboard, all associated data is permanently removed from our database: progress records, achievements, and the profile itself. This action is immediate and irreversible.

Account Deletion

When a parent account is deleted, all child profiles and their associated data are permanently removed. The Cognito authentication record is also deleted. No data is retained after account deletion.

Third-Party Services

MindBright uses a minimal set of third-party services. We do not use ad networks, data brokers, analytics platforms, or social media integrations.

Amazon Web Services (AWS)

Purpose: Cloud infrastructure (compute, database, storage, CDN, authentication, DNS)

Data exposure: All application data is processed and stored within AWS. AWS does not access or use this data for its own purposes.

GitHub

Purpose: Source code hosting and CI/CD deployment

Data exposure: Source code only. No user data is stored in or transmitted to GitHub.

Your Rights

As a parent or legal guardian, you have full control over your children's data on MindBright.

Right to Access

You may view all data associated with your child’s profile at any time through the parent dashboard, including activity history, scores, and achievements.

Right to Correction

You may update your child’s name and grade tier at any time through the profile settings.

Right to Deletion

You may delete any child profile at any time. Deletion is immediate and permanent — all associated progress, and achievements data is removed from our database.

You may delete your entire parent account, which will remove all child profiles and all associated data.

Right to Refuse

You may refuse further data collection by deleting your child’s profile or your account. Because we collect only what is necessary to provide the service, refusing data collection means discontinuing use of the platform.

Contact

If you have questions about this privacy policy, want to exercise your rights regarding your child's data, or have concerns about our data practices, contact us at:

privacy@mindbright.io

We will respond to all privacy-related inquiries within 30 days.

Built for kids. Protected like it matters.

Get Started
MindBright.io
Privacy & Security