Privacy Policy

TeenAegis, Inc. is a Delaware corporation that operates an intelligence platform providing parents, schools, and institutions with data-driven insights about digital threats to minors, including sextortion, grooming, cyberbullying, and platform-specific risks. Our Service includes the Guardian AI assistant, the Platform Danger Index, threat briefings, legal databases, and crisis response coordination.

TeenAegis is a service for adults — parents, guardians, school administrators, legal professionals, and institutional users. We do not provide services directly to minors.

2.1 Account Information. When you create an account, we collect your name, email address, and authentication credentials. If you subscribe to a paid plan, we collect billing information through our payment processor, Stripe, Inc. We do not store full payment card numbers.

2.2 Profile Information. You may optionally provide information about your child's age range and the platforms they use. This is used solely to personalize your Guardian AI experience. We do not collect your child's name, date of birth, school name, or any directly identifying information about minors.

2.3 Usage Data. We collect standard server log data including IP addresses, browser type, operating system, referring URLs, pages visited, and timestamps for security monitoring and service improvement.

2.4 Guardian AI Conversations. Conversation inputs and AI responses are processed on our servers. History is retained for 12 months by default and can be deleted at any time from your account settings. We do not use your conversations to train AI models without your explicit consent.

2.5 Crisis Response Data. If you activate a Crisis Response, we collect your name, email address, and situation description. This data is handled under strict confidentiality protocols and retained for 7 years for legal compliance and follow-up purposes.

2.6 School and Institutional Data. For school district subscribers, we process aggregate, de-identified data about student risk exposure in accordance with FERPA. We do not collect personally identifiable student information.

• We do not collect Social Security numbers, government ID numbers, or financial account numbers.
• We do not collect precise geolocation data.
• We do not collect biometric data.
• We do not monitor your child's devices, messages, or online activity.

• To provide, operate, maintain, and improve the TeenAegis Service.
• To deliver Guardian AI responses, personalized threat intelligence, and safety briefings.
• To process payments and manage your subscription through Stripe.
• To send transactional communications (receipts, account notices, security alerts).
• To send marketing communications, if you have opted in (opt out at any time).
• To detect, investigate, and prevent fraudulent transactions, abuse, and security incidents.
• To comply with applicable law, legal process, and law enforcement requests.
• To enforce our Terms of Service and protect the rights and safety of TeenAegis, our users, and the public.

Legal Basis (GDPR). For EEA users, we process personal data on the following bases: (a) performance of a contract; (b) legitimate interests (security, fraud prevention, service improvement); (c) legal obligations; and (d) consent (marketing, optional features).

In compliance with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, and the FTC's COPPA Rule, 16 C.F.R. Part 312:

• We do not direct our Service to children under 13.
• We do not knowingly collect verifiable personal information from children under 13.
• We do not require children to provide personal information as a condition of using our Service.
• Parents may contact [email protected] to review, delete, or refuse further collection of their child's information.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share information only in the following limited circumstances:

5.1 Service Providers. Trusted third-party vendors under strict data processing agreements, including Stripe (payment processing) and cloud infrastructure providers.

5.2 Law Enforcement and Legal Process. We may disclose information when required by valid court order, subpoena, or other legal process; necessary to protect the safety of a child from imminent harm; or necessary to enforce our Terms of Service. We will notify you to the extent permitted by law.

5.3 Child Safety Reporting. In cases involving credible evidence of child sexual exploitation or imminent danger to a minor, we may proactively report to the NCMEC CyberTipline, FBI IC3, or relevant law enforcement as required by 18 U.S.C. § 2258A and applicable state law.

5.4 Business Transfers. In the event of a merger or acquisition, we will notify you at least 30 days before any data transfer.

Upon receipt of a valid legal hold notice, preservation request, or law enforcement order, we will:

• Preserve the specified data in its original form for the duration of the legal hold.
• Maintain a chain-of-custody log documenting all access to preserved data.
• Provide data in formats suitable for forensic analysis upon receipt of appropriate legal process.
• Process emergency requests (imminent child danger) within 2 hours; non-emergency requests within 5 business days.

• Account data: Retained for the duration of your account plus 3 years after closure.
• Guardian AI conversation history: 12 months by default; deletable at any time from account settings.
• Payment records: 7 years (required by tax and financial regulations).
• Crisis Response case data: 7 years (for legal compliance and follow-up).
• Server logs: 90 days for standard logs; 1 year for security incident logs.
• De-identified analytics data: Retained indefinitely.

• TLS 1.3 encryption for all data in transit.
• AES-256 encryption for data at rest.
• Strict role-based access controls limiting data access to authorized personnel.
• Regular third-party security audits and penetration testing.
• Multi-factor authentication required for all administrative access.
• Incident response plan with 72-hour breach notification capability.

If you suspect unauthorized access to your account, contact us immediately at [email protected].

In the event of a data breach reasonably likely to result in harm, TeenAegis will:

• Notify affected users by email within 72 hours of discovering the breach (GDPR Art. 33/34).
• Notify relevant supervisory authorities within 72 hours as required by applicable law.
• Notify affected California residents without unreasonable delay (Cal. Civ. Code § 1798.82).
• Provide a clear description of the nature of the breach, data affected, likely consequences, and measures taken.
• Maintain a breach register documenting all incidents, regardless of notification obligation.

Under the CCPA, as amended by the CPRA, California residents have the following rights:

• Right to Know: Request disclosure of categories and specific pieces of personal information collected in the past 12 months.
• Right to Delete: Request deletion of personal information, subject to legal exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond CPRA-permitted purposes.
• Right to Non-Discrimination: We will not discriminate for exercising CCPA rights.

Shine the Light (Cal. Civ. Code § 1798.83). We do not disclose personal information to third parties for their direct marketing purposes.

If you are located in the EEA or UK, the GDPR and UK GDPR grant you the following rights:

• Right of Access (Art. 15): Obtain a copy of your personal data and information about how it is processed.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to Erasure (Art. 17): Request deletion ('right to be forgotten'), subject to legal retention requirements.
• Right to Restriction of Processing (Art. 18): Request that we limit processing in certain circumstances.
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.

Contact [email protected] to exercise any GDPR right. We respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

International Transfers. Transfers outside the EEA are protected by Standard Contractual Clauses approved by the European Commission.

• Essential Cookies: Required for authentication, session management, and security. Cannot be disabled without affecting Service functionality.
• Analytics Cookies: Aggregate, de-identified usage statistics. You may opt out via our cookie preference center.
• No Advertising Cookies: We do not use third-party advertising cookies, behavioral tracking pixels, or cross-site tracking technologies.

We will notify you of material changes by email at least 14 days before the change takes effect and by posting a prominent notice on our website. Continued use after the effective date constitutes acceptance of the updated Policy.