← Back to Home

Skoul COPPA Compliance Statement

Last Updated: November 7, 2025

---

Introduction

HIGHTHEM is committed to protecting the privacy and safety of children who use Skoul. This document outlines our compliance with the Children's Online Privacy Protection Act (COPPA), a United States federal law designed to protect the privacy of children under 13 years of age.

Company Information:
HIGHTHEM
SIREN: 848274338
France

Contact: privacy@skoul.fr

---

What is COPPA?

The Children's Online Privacy Protection Act (COPPA) is a U.S. federal law enacted in 1998 and enforced by the Federal Trade Commission (FTC). COPPA applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 years of age, and to operators with actual knowledge that they are collecting personal information from children under 13.

COPPA Requirements

COPPA requires operators to:

1. Post a clear and comprehensive privacy policy
2. Provide direct notice to parents and obtain verifiable parental consent before collecting personal information from children
3. Give parents the choice to consent to the collection and internal use of their child's information, but prohibit the operator from disclosing that information to third parties
4. Provide parents access to their child's personal information and allow them to request deletion
5. Give parents the opportunity to prevent further use or collection of personal information
6. Maintain the confidentiality, security, and integrity of information collected from children
7. Retain personal information only as long as necessary to fulfill the purpose for which it was collected, and delete it using reasonable measures

---

How Skoul Complies with COPPA

1. Age Screening and Parental Consent

Age Collection:

• During onboarding, we collect the child's age (6-12 years)
• If the child is under 13, we trigger the parental consent flow
• The app is designed exclusively for children aged 6-12

Parental Consent Mechanism:

• Before collecting any personal information from children under 13, we display a comprehensive consent screen
• Parents/guardians must review the consent information
• Parents/guardians must actively check a consent checkbox confirming:
  • They are the parent or legal guardian
  • They have read and understood our data practices
  • They consent to the collection and use of their child's information
• The consent screen includes a link to our full Privacy Policy
• Setup cannot be completed without parental consent

Consent Information Provided:

• What information we collect (name, age, grade, country, optional avatar)
• What information we do NOT collect (email, phone, precise location)
• How information is used (personalization, exercise generation)
• That all personal data is stored locally on the device
• That only non-nominative data (age, grade, country, difficulty) is sent for exercise generation
• No nominative data (name, avatar, practice history) is ever transmitted
• Parents can delete all data at any time
• Contact information for privacy inquiries

2. Data Minimization

Information We Collect (Stored Locally Only):

• First name: For personalization only (e.g., "Hello, Emma!")
• Age (6-12): To provide age-appropriate content and determine consent requirements
• Grade level: To align exercises with educational standards
• Country: For compliance with local privacy laws and educational standards
• Optional avatar photo: Stored locally only, never transmitted
• Practice data: Session history, scores, time spent (stored locally only)

Information We Do NOT Collect:

• Email addresses
• Phone numbers
• Precise geolocation data
• Social Security Numbers or other government IDs
• Physical addresses (we only collect country)
• Biometric data
• Contacts or address book information
• Photos (except optional avatar with permission)
• Video or audio recordings of the child
• Social media profiles
• Persistent identifiers for tracking across apps or websites (no IDFA)

Why We Collect This Information:

• First name: Personalization enhances engagement and learning
• Age: Ensures age-appropriate content and COPPA compliance
• Grade: Aligns exercises with curriculum standards
• Country: Determines applicable privacy laws and content localization
• Avatar: Optional personalization feature
• Practice data: Tracks progress and adapts difficulty (local only)

3. Local-First Data Storage

No Server-Side Personal Data Storage:

• All personal information is stored exclusively on the user's iOS device using SwiftData
• We do NOT maintain user accounts, cloud storage, or databases containing children's personal information
• No login credentials are required
• Each device operates independently

Data Sent to External Services:

For exercise generation only, we send minimal, non-nominative data:

• Age (number only, e.g., "8")
• Grade level (e.g., "Grade 3")
• Country code (ISO code, e.g., "US")
• Exercise difficulty preference (e.g., "medium")
• Subject (mathematics, spelling, reading)
• Question count (e.g., "10")

Data NEVER Transmitted:

• Child's first name
• Avatar photo
• Practice session history
• Scores or performance data
• Device information (beyond standard HTTP headers)
• Any personally identifiable information (PII)

4. Third-Party Services and Data Sharing

Services We Use:

HIGHTHEM Backend API (Primary - France):

• Purpose: Generate educational exercises
• Data sent: Age, grade, country code, difficulty, subject, question count
• Data NOT sent: Name, avatar, practice history
• No personal data stored on backend servers
• Exercises returned and stored locally only
• Fully COPPA compliant

Google Firebase AI - Gemini (Secondary - USA):

• Purpose: Fallback exercise generation when backend unavailable
• Data sent: Age, grade, country code, language, difficulty, subject, question count
• Data NOT sent: Name, avatar, practice history
• Subject to Google's Gemini API Terms
• Used sparingly, only as backup
• Exercises returned and stored locally only

Apple Intelligence (Tertiary - On-Device):

• Purpose: On-device text recognition and exercise generation
• Data sent: None (complete on-device processing)
• Available on supported devices only
• Fully privacy-preserving

Google AdMob (Advertising):

• Purpose: Display age-appropriate advertisements to support free app
• Data collected by AdMob: Device identifiers (IDFV, not IDFA), ad interaction data
• Data NOT shared with AdMob: Child's name, age, practice data, or any PII from Skoul
• Contextual ads only (no behavioral targeting of children)
• Parents can limit ad tracking: iOS Settings > Privacy > Tracking
• Subject to Google's privacy policy

No Other Third Parties:

• We do NOT use third-party analytics services (beyond AdMob advertising analytics)
• We do NOT use social media integrations
• We do NOT sell or share children's data with data brokers, marketers, or advertisers
• We do NOT allow third-party advertising networks to track children

5. Parental Rights and Controls

Right to Review:

• Parents can view all collected information directly in the app
• Navigate to: Settings > Profile
• All data is visible and accessible on the device

Right to Request Deletion:

• Delete practice data only: Settings > Learning Data > Clear All Practice Data
  • Removes session history, scores, and progress
  • Preserves profile information
  • Requires parental gate verification
• Delete all data: Uninstall the app
  • Permanently removes all local data immediately
  • No data remains on HIGHTHEM servers (we don't store personal data)
  • Cannot be recovered

Right to Refuse Further Collection:

• Parents can stop using the app at any time
• Uninstalling the app prevents any further data collection
• No penalties or consequences for refusal

Right to Consent Withdrawal:

• Parents can withdraw consent by uninstalling the app
• All data is immediately and permanently deleted
• No data retention period (local-only storage)

How to Exercise These Rights:

1. In-App: Use Settings menu for data management
2. Email: Contact privacy@skoul.fr
3. Response Time: We respond within 30 days to all legitimate requests

6. Data Security

Technical Measures:

• Encryption at rest: iOS AES-256 encryption protects all local data
• Encryption in transit: TLS 1.3+ for all network communications
• Certificate pinning: Backend API uses certificate pinning for added security
• iOS sandboxing: App data isolated from other apps
• No remote access: HIGHTHEM employees cannot access user data remotely

Organizational Measures:

• Privacy-by-design approach in all development
• Regular security reviews and updates
• Incident response procedures for security concerns
• Limited access to systems (principle of least privilege)

Device Security Recommendations:

• Use a strong device passcode or biometric lock
• Keep iOS updated to the latest version
• Download Skoul only from the official App Store
• Supervise children's device usage

7. Data Retention and Deletion

Retention Policy:

• Local data: Retained on device until user deletes the app or clears data
• Server data: We do NOT store personal data on servers
• Exercise generation data: Not stored; requests are processed and discarded
• No retention period: Data exists only on the user's device

Automatic Deletion:

• Uninstalling the app immediately and permanently deletes all local data
• iOS automatically removes all app data upon uninstallation
• No recovery mechanism exists

No Data Resurrection:

• We cannot restore deleted data
• No cloud backups of personal information
• Each device is independent

8. No Conditioning on Data Collection

COPPA Prohibition:

COPPA prohibits conditioning a child's participation in an activity on the child disclosing more personal information than is reasonably necessary.

Our Practice:

• We collect only the minimum information necessary for app functionality
• Optional features (avatar) are truly optional and do not affect core functionality
• Children can use all educational features with minimal data
• No "upsells" or premium features requiring additional data
• The app is completely free with no in-app purchases

9. Safe Harbor and Compliance Certifications

FTC Compliance:

• Skoul adheres to all FTC guidelines for COPPA compliance
• We monitor FTC updates and adjust practices accordingly
• Regular compliance reviews ensure ongoing adherence

No COPPA Safe Harbor:

• We are not currently members of an FTC-approved COPPA Safe Harbor program
• We voluntarily comply with COPPA requirements regardless

10. Transparency and Notice

Privacy Policy Availability:

• Accessible during onboarding (required reading before consent)
• Available in-app: Settings > Privacy Policy
• Available via email: privacy@skoul.fr
• Clear, readable language appropriate for parents

Changes to Privacy Practices:

• Material changes to data collection or use will trigger new parental consent
• Parents will be notified through the app
• Continued use after notification constitutes acceptance
• Parents can refuse by uninstalling the app

11. International Users

COPPA Application:

• COPPA applies to operators subject to U.S. jurisdiction
• HIGHTHEM, based in France, voluntarily complies with COPPA for U.S. users
• We apply COPPA standards globally as a best practice

Additional Protections:

• EU users receive GDPR protections (often stricter than COPPA)
• Age thresholds vary by jurisdiction (13-16 years)
• We comply with the strictest applicable standard

---

Parental Verification Methods

Current Method: Parental Gate

Implementation:

• Parents must solve a simple math problem to access sensitive actions
• Prevents accidental deletion by children
• Does not verify parental identity but ensures adult involvement

Acknowledged Limitation:

• This method does not provide verifiable parental consent as defined by COPPA
• However, given our local-first architecture and minimal data collection, we rely on:
  • In-app consent during onboarding
  • Parental supervision (recommended for 6-12 year-old users)
  • Easy access to Settings for data management

Why This Works for Skoul:

• All data is local-only (no server-side storage of PII)
• No data sharing with third parties for marketing
• Minimal data transmission (only non-nominative exercise parameters)
• Parents have immediate access to all data and deletion controls
• No email or payment information collected

---

Accountability and Audits

Internal Reviews:

• Quarterly privacy and security audits
• COPPA compliance checks before each major release
• Developer training on child privacy requirements

External Resources:

• FTC COPPA guidelines: https://www.ftc.gov/business-guidance/resources/childrens-online-privacy-protection-rule-six-step-compliance-plan-your-business
• COPPA FAQs: https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions

Reporting Violations:

If you believe Skoul is not complying with COPPA, you may:

1. Contact us immediately: privacy@skoul.fr
2. File a complaint with the FTC: https://www.ftc.gov

We take all compliance concerns seriously and will investigate promptly.

---

COPPA Compliance Checklist

✅ Privacy Policy: Comprehensive privacy policy posted and accessible
✅ Parental Notice: Direct notice provided during onboarding consent flow
✅ Parental Consent: Active consent required before collecting child data
✅ Parental Access: Parents can view all data in Settings
✅ Parental Deletion: Easy data deletion via Settings or uninstallation
✅ Parental Control: Parents can refuse or withdraw consent
✅ Data Minimization: Collect only necessary information
✅ No Third-Party Sharing: No sharing of children's data for marketing
✅ Data Security: AES-256 encryption and TLS 1.3+ in transit
✅ Data Retention: Local-only storage, deleted upon uninstallation
✅ No Conditioning: Core features available with minimal data
✅ Transparency: Clear communication of data practices

---

Summary for Parents

What You Need to Know:

1. Your Consent Required: If your child is under 13, you must provide consent during onboarding
2. Minimal Data Collection: We collect only first name, age, grade, country, and optional avatar
3. Local-Only Storage: All personal data stays on your device; we don't store it on servers
4. No Name Sharing: Your child's name is never sent to our servers or third parties
5. Safe Exercise Generation: Only non-personal data (age, grade, country, difficulty) sent to generate exercises
6. No Behavioral Ads: Age-appropriate ads only; no tracking of your child
7. Easy Deletion: Uninstall the app to permanently delete all data
8. Your Control: Review, edit, or delete data anytime in Settings
9. Free & Safe: No in-app purchases, no hidden data collection
10. Responsive Support: Contact us anytime at privacy@skoul.fr and we'll respond within 30 days

Questions?

We're here to help. Email us at privacy@skoul.fr and we'll respond within 30 days.

---

Contact Information

Data Controller:
HIGHTHEM
SIREN: 848274338
France

Privacy Inquiries: privacy@skoul.fr

FTC (COPPA Enforcement):
Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue NW
Washington, DC 20580
https://www.ftc.gov

---

Version History

• Version 1.0 - November 7, 2025 - Initial publication

---

HIGHTHEM is committed to protecting children's privacy and maintaining COPPA compliance. We regularly review and update our practices to ensure the safety and security of all Skoul users.