LEGAL · CHILDREN'S PRIVACY

COPPA Notice

Effective:May 25, 2026 · Last updated:May 25, 2026 · Operator: MINDS N HEARTS INC.

This Notice provides parents, guardians, and partner organizations with information about our practices regarding the personal information of children under 13, as required by the Children's Online Privacy Protection Act (“COPPA”) and the 2025 amendments thereto.

Quick summary:We collect from children only what we need to operate our services. We require verifiable parental or school consent. We do not sell children's personal information, do not serve targeted ads to children, and delete account data within 60 days of deactivation.

1. Who We Are

MINDS N HEARTS INC. is a 501(c)(3) nonprofit based at 525 Broadhollow Rd, STE 104, Melville, NY 11747. We operate the IMPACT platform (joinimpact.app, iOS, Android) and other educational and civic-engagement programs. For COPPA purposes, we are the “operator” of these services.

2. Information We Collect From Children

We collect only the following categories of information from children:

Account information: first name, school/organization affiliation, grade level (optional), and an avatar (optional).
Authentication: hashed password or single sign-on token through their school identity provider.
Mission submissions: photos, video, text, and (where required and consented) approximate location data submitted as proof of completing a mission.
Usage data: de-identified analytics on which screens are viewed and which features are used.

We do not collect: full names beyond first name, home addresses, phone numbers, Social Security numbers, or persistent device identifiers used for behavioral advertising.

3. How We Use the Information

We use the limited information we collect to:

Authenticate the child's account;
Display the child's missions, points, and badges;
Submit mission proofs to authorized teachers, youth directors, or program administrators within the child's organization;
Operate, secure, and improve our platforms;
Comply with legal obligations.

We do not use children's personal information to serve targeted advertising or build profiles for commercial purposes.

4. Consent

4.1 Parental consent

Where required, we obtain verifiable parental consent before collecting personal information from a child. Acceptable consent methods include signed parental consent forms, payment-card verification, government-issued ID matching, or other methods approved by the FTC.

4.2 School-authorized use

Where a school, synagogue, or youth organization authorizes use of our services for educational or program-related purposes, that organization may provide consent on behalf of parents for limited educational use, consistent with FTC guidance and the COPPA School Authorization exception. In those cases, the organization is responsible for notifying parents.

5. Disclosure of Children's Information

We do not share children's personal information with third parties except:

With the child's authorized organization (e.g., teachers, youth directors), for the educational purpose for which the account was created;
With service providers we use to operate our platform (hosting, email, push notifications), under contracts that require them to protect the information and use it only for our purposes;
To comply with law or respond to valid legal process;
To protect the safety of the child or others.

We do not sell children's information. We do not share it with advertisers.

6. Parental Rights

Parents and guardians have the right to:

Review the personal information we have collected from their child;
Request that we delete the child's personal information;
Refuse to permit further collection or use of the child's information;
Agree to the collection and use of the child's information but not its disclosure to third parties.

To exercise any of these rights, contact privacy@mindsandhearts.org. We will verify your identity (as the child's parent or guardian) before honoring the request.

7. Data Retention & Deletion

We retain children's personal information only as long as necessary to provide our services or to comply with our legal obligations. When a child's account is deactivated — by the parent, by the school, or by our team — we delete the child's personal information within 60 days, except where retention is required by law.

8. Security

We use commercially reasonable physical, electronic, and procedural safeguards to protect children's information, including TLS encryption in transit, AES-256 encryption at rest, principle-of-least-privilege access controls, and routine security audits.

9. Changes to This Notice

If we make material changes to our practices regarding children's personal information, we will notify parents through the contact information we have on file before applying those changes.

10. Contact

For questions or concerns about our collection, use, or disclosure of children's personal information:

MINDS N HEARTS INC.
Attn: COPPA Compliance Officer
525 Broadhollow Rd, STE 104
Melville, NY 11747
privacy@mindsandhearts.org