Legal
Children's Privacy Policy
Last updated: April 2026
1. About DaySteps and This Policy
DaySteps is a routine management application that helps children with ADHD, autism, and other executive function challenges build calm, consistent daily routines. DaySteps is not a medical device, not a clinical intervention, and does not diagnose or treat any medical or developmental condition. DaySteps is not a therapeutic tool in the clinical sense — it is a structured daily support application designed to complement professional care.
DaySteps LLC ("DaySteps," "we," "us," or "our") is committed to protecting the privacy of children and their families. This Children's Privacy Policy explains how we collect, use, share, and protect personal information in connection with the DaySteps application.
This policy complies with the Children's Online Privacy Protection Act (COPPA, as amended by the FTC's 2025 Rule); Canada's Personal Information Protection and Electronic Documents Act (PIPEDA); and Quebec's Law 25.
Privacy Officer: Michael Kessler | privacy@daysteps.app | daysteps.app
2. Pre-Consent Data Rule
Before parental consent, only minimal information is collected — the parent's email address and the child's nickname. No behavioral or activity data is collected prior to consent.
This rule applies universally. No exception exists for teachers, clinicians, or any other party. DaySteps does not create child accounts on behalf of third parties. Child profiles are created by parents only, at which point explicit consent is obtained before any data is recorded.
3. What Information We Collect and From Whom
3.1 Information Collected About Children — After Consent Only
DaySteps collects information about children exclusively from their parents or guardians, not from children themselves. Collection begins only after a parent creates a child profile and provides verifiable parental consent.
- First name or alias (parent-entered at profile creation)
- Age range or developmental stage (parent-configured)
- Routine structure: daily task sequences configured by the parent or suggested by an authorized clinician or teacher — subject to parent approval before taking effect
- Routine completion data: which steps were completed, skipped, or not attempted, and at what time
- Initiation latency: time elapsed between a scheduled routine start and when the child tapped Start
- Mood and reflection entries: optional self-reported affect rating via illustrated face cards (1=Great through 5=Hard) — child-initiated only
- Device identifier: cryptographic fingerprint stored in the iOS Keychain, used solely to link the child's device to their profile — not used for advertising
- Progression axis settings: parent-configured scaffolding levels
DaySteps does NOT collect: last names, photographs of children, location data, biometric data, government-issued identifiers, health records, medical history, diagnostic codes (ICD/CPT/DSM), treatment plans, clinical assessment scores, or any health-related clinical data. Entry of clinical or diagnostic data is explicitly prohibited by our Terms of Service.
3.2 Information Collected About Parents and Guardians
- Email address (via Google Sign-In or masked via Sign in with Apple — authentication managed by Apple/Google, not DaySteps)
- Account name (entered during onboarding)
- Consent records: timestamp, consent type, consent text version, and parent account identity for each consent event
- Connection approvals: which Care Team members and teachers have been authorized, and with what permissions
- Optional: Google Calendar event metadata (read-only, if the parent activates the calendar integration — not stored by DaySteps)
3.3 Information Collected About Teachers and Care Team Members
- Name, email address, professional credential type, and practice or school name (optional)
- Authentication credentials: managed entirely by Apple or Google
- Usage data related to their account (not linked to child data)
3.4 Information We Do Not Collect — Ever
- No advertising identifiers (IDFA or equivalent)
- No third-party tracking pixels, advertising SDKs, or behavioral analytics
- No precise geolocation
- No biometric data
- No health records, diagnosis codes, treatment plans, or clinical documentation
- No information from students in guest classroom mode (see Section 4)
- No child behavioral data before parental consent
4. Guest Classroom Mode — No Data Collected
Students may participate in live classroom routine sessions through a read-only guest mode in the DaySteps web application. In guest mode:
- No account is created
- No name or identifier is entered or collected
- The student sees a live read-only broadcast of the current routine step
- Nothing is retained when the session ends
Guest mode is COPPA-invisible by design. Because no personal information of any kind is collected, COPPA's consent requirements are not triggered.
5. How We Use Information
We use personal information only for the following purposes. We do not sell personal information. We do not use personal information for advertising, marketing, or profile-building beyond the purposes stated here.
- To deliver the DaySteps service: displaying routines, recording completions, generating progress insights for parents
- To maintain the child's device link
- To enable authorized Care Team and teacher collaboration — subject to parent-approved permissions only
- To send routine notifications to the child's device (calm, non-punitive copy only — see Section 9)
- To maintain security and prevent abuse
- To comply with legal obligations, including retaining consent records
6. Role-Based Data Access — Exactly Who Sees What
All access to child data is governed by parent-controlled permissions enforced at the database layer via Row-Level Security. The following table defines exactly what each role can access by default. Permissions marked 'parent-configurable' can be expanded or restricted by the parent at any time.
| Role | Default Access | Explicitly Cannot Access |
|---|---|---|
| Parent / Guardian | Full access to all child data: routine structure, step-level completions, initiation latency, mood entries, reflection face card selections, progression axis settings, device link status, all connection approvals. Full administrative control: create/edit/delete routines, approve or revoke all connections, configure all progression settings. | N/A — parent has full access by design as account owner. |
| Care Team Member (clinician, OT, BCBA, school psychologist) | Default (parent consent required for each item): • Routine completion summaries (% complete per routine, weekly patterns) • Initiation latency aggregates (not raw timestamps) • Progress trend data (7-day and 30-day views). Can submit routine modification suggestions — parent reviews and approves before any change takes effect. | Step-level completion detail; mood entries and face card selections; reflection content; sensory profile; raw initiation timestamps; progression axis settings; any data the parent has not explicitly authorized. |
| Teacher | For enrolled students (parent consent required): • Whether a class routine was completed or not (binary status only) • Aggregate class completion rates (not individual student detail) | Step-level completion detail; mood entries; reflection data; initiation latency; sensory profile; personal routines (non-class); any clinical or health-related data. |
| Guest (classroom session) | Live routine step broadcast (read-only, anonymous). | Everything. No data is collected. No account exists. |
7. How We Share Information
DaySteps does not sell personal information. DaySteps does not share children's personal information with any third party except: (1) within the platform to roles the parent has explicitly authorized, as defined in Section 6; and (2) to service providers who process data on DaySteps' behalf under written agreement.
7.1 Within the DaySteps Platform
All intra-platform sharing is governed by parent-controlled permissions as defined in the role-based access table in Section 6. No child data is shared with any party without the parent's explicit, separate consent for that specific sharing relationship.
Connection Management — Who Can Invite and Who Can Remove
| Action | Who Can Do It | Who Cannot Do It |
|---|---|---|
| Invite a Care Team member to access a child's account | Parent or guardian only — via QR code, deep link, or in-app invite sent by the clinician | Care Team members and teachers cannot self-invite. No connection is established without parent action. |
| Invite a teacher / connect to a class | Parent or guardian only — by scanning the class QR code or entering the class code | Teachers cannot add students directly. No student data is associated with a class without parent action. |
| Remove a Care Team member's access | Parent or guardian only — via Settings > Connections > Remove. Revocation is immediate. | Care Team members cannot remove themselves in a way that affects the parent's data or the child's profile. |
| Remove a teacher / disconnect from a class | Parent or guardian only — via Settings > Connections > Remove. Revocation is immediate. | Teachers cannot disconnect students. The parent always controls the relationship. |
7.2 Service Providers
DaySteps uses the following service providers who may process personal information on our behalf. Each provider is categorized by function. Each processes only the data necessary to perform their specific function and is prohibited from using DaySteps data for any other purpose.
| Category | Provider | Location | DPA | Data Received |
|---|---|---|---|---|
| Hosting | Supabase Inc. | Canada (ca-central-1, AWS Montreal) | Executed | All application data. Primary data processor. Data stored in Canada. |
| Crash Reporting | Sentry / Functional Software | United States | Executed | Anonymized crash reports only. PII scrubbing enforced. No personal information transmitted. |
| Authentication | Apple Inc. | United States | Developer Agreement | Authentication tokens; device push tokens (APNs). No routine or behavioral data. |
| Authentication | Google LLC | United States | Google API Terms | Authentication tokens. Optional calendar integration: read-only metadata only — not stored by DaySteps. |
| Web Hosting | Cloudflare Inc. | Global CDN | Standard Terms | Static web content delivery only. No personal information processed. |
All service providers with access to personal information have signed a Data Processing Agreement (DPA) with DaySteps LLC. No service provider may use DaySteps data for advertising, profile-building, or any purpose beyond the function listed above.
7.3 Legal Requirements
We may disclose personal information if required by law, regulation, court order, or lawful government request. We will notify affected users to the extent permitted by law before making any such disclosure.
8. Verifiable Parental Consent
DaySteps does not collect, use, or share personal information about a child until verifiable parental consent (VPC) is obtained from a parent or legal guardian. Consent is obtained in-app at the moment of child profile creation.
The consent process:
- Parent reviews the Direct Notice (plain-language disclosure of what will be collected, by whom, for how long)
- Parent enters the child's first name or alias and age range
- Parent provides explicit checkbox consent to data collection and use (required to proceed)
- Parent provides separate checkbox consent to any specific sharing relationship (optional — parent may consent to collection without consenting to sharing)
- Consent event is written to the consent ledger before the child profile is created — if the ledger write fails, the profile is not created
The parent's authentication via Apple or Google Sign-In, combined with the explicit checkbox consent, satisfies the FTC's email-plus-confirmation VPC method (16 CFR §312.5(b)(2)(iii)).
Parents may withdraw consent at any time. Upon withdrawal, all child data (excluding consent and audit records) is deleted within 48 hours.
9. Notifications
DaySteps sends local notifications to the child's device to prompt routine starts. All notification copy must be calm, non-punitive, and non-urgent. DaySteps does not send marketing notifications to children.
Approved copy examples: 'Time to start your morning routine!' | '[Name], your routine is ready.' Quiet hours enforced: 9 PM – 7 AM, no notifications.
Forbidden copy: 'You're late,' 'Hurry up,' 'Don't forget,' 'You missed,' or any language implying failure or urgency.
10. Data Retention
We do not retain personal information indefinitely. Our full Written Data Retention Policy is at daysteps.app/retention. Summary:
| Data Type | Retention Period | Deletion Trigger | Enforcement |
|---|---|---|---|
| Active child data (all categories) | Duration of account | Parent deletion request | Fulfilled within 30 days |
| Completion and step data | 24 months | Rolling automatic | Daily automated job |
| Mood and reflection entries | 24 months | Rolling automatic | Daily automated job |
| Inactive account (all data) | 12 months of inactivity | Warning at 11 months; deletion at 12 | Automated — daily check |
| Consent and audit records | 7 years | No automatic deletion | Manual review required |
| Guest classroom session data | Not retained | Nothing collected | N/A |
11. Data Security
- Encryption in transit: TLS 1.3 for all client-to-server communication
- Encryption at rest: AES-256 for all data stored in Supabase (AWS default encryption, ca-central-1)
- Row-Level Security enforced on all 29 database tables — every request evaluated against role-based access policies before data is returned
- No passwords stored by DaySteps — authentication managed by Apple and Google
- Child device link uses cryptographic fingerprint in iOS Keychain — cannot be forged via UserDefaults
- Invite codes rate-limited (5 attempts per hour) to prevent brute-force attacks
- All data stored in Canada (Supabase ca-central-1, AWS Montreal)
- No advertising SDKs, no analytics SDKs, no third-party tracking pixels
12. Parental Rights
| Right | What It Means | How to Exercise |
|---|---|---|
| Review | Request a copy of all data DaySteps holds about your child | Email privacy@daysteps.app — response within 30 days |
| Correct | Correct inaccurate information | In-app Settings or email privacy@daysteps.app |
| Delete | Delete your child's account and all associated data permanently | Settings > Delete Account, or email privacy@daysteps.app — fulfilled within 30 days |
| Revoke consent | Withdraw consent to data collection — all child data deleted within 48 hours (consent records retained) | Email privacy@daysteps.app |
| Restrict sharing | Remove a Care Team member's or teacher's access — takes effect immediately | In-app Settings > Connections — instant |
| Refuse further collection | Stop further data collection entirely | Delete Account or email privacy@daysteps.app |
Note: Quebec users: Under Law 25, you also have the right to data portability and the right to be informed of and object to any automated decision-making. Contact privacy@daysteps.app.
Note: Canadian users: Under PIPEDA, you may challenge compliance by contacting the Privacy Officer or filing a complaint with the Office of the Privacy Commissioner of Canada.
13. COPPA, PIPEDA, and Quebec Law 25
13.1 United States — COPPA
DaySteps is directed to children under 13. The full requirements of COPPA (as amended by the FTC's 2025 Rule) apply. Verifiable parental consent is obtained before any child data is collected. Parents may review, correct, and delete their child's information at any time.
13.2 Canada — PIPEDA
PIPEDA applies to DaySteps' handling of personal information about Canadian users. Parental consent is applied at age 13 per OPC guidance. DaySteps applies COPPA-equivalent consent requirements universally regardless of jurisdiction.
13.3 Quebec — Law 25 (Compliance Ceiling)
Quebec's Law 25 is the most demanding regime DaySteps operates under. Our architecture is designed to meet Law 25 requirements:
- Age of consent: 14 — DaySteps applies a 14-year parental consent threshold to satisfy all jurisdictions simultaneously
- Privacy by default: no child data collected until parent explicitly creates a profile and consents
- Data residency: all personal data stored in Canada (Supabase ca-central-1, AWS Montreal) — no cross-border transfer for primary storage
- Privacy Impact Assessment: completed prior to launch
- Privacy Officer: Michael Kessler, privacy@daysteps.app
- Bilingual access: French-language version of this policy available at daysteps.app/confidentialite — contact privacy@daysteps.app
14. Changes to This Policy
We may update this policy from time to time. For material changes, we will notify parents through the app and update the effective date above. For changes materially affecting children's privacy or parental rights, we will provide 30 days' advance notice and, where required, obtain fresh parental consent.
15. Contact
Privacy Officer: Michael Kessler | privacy@daysteps.app | daysteps.app