LaneParty

LaneParty — Children's Privacy & COPPA Compliance

Last updated: 2026-04-19

LaneParty — Children's Privacy & COPPA Compliance (DRAFT)

DRAFT — Requires attorney review before publication

Last updated: 2026-04-19

Executive Summary

LaneParty is a bowling score tracker progressive web app (PWA) designed for bowlers of all ages. This document outlines LaneParty's approach to compliance with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.) and establishes clear operational procedures for handling user data from individuals under 13.

Core Principle: LaneParty has no direct relationship with anyone under 13. All profiles for users under 13 ("managed profiles") are created, managed, and consented to by a parent or legal guardian operating their own authenticated LaneParty account. The parent is the data controller; LaneParty is the data processor.

This policy is designed to:

  • Minimize data collection from children
  • Obtain verifiable parental consent before any data collection
  • Provide parents with full visibility and control
  • Enable safe progression to independent account ownership
  • Ensure transparent deletion and data retention procedures

1. Overview of LaneParty's Approach to Children's Privacy

1.1 Age Groups and Governance

LaneParty serves three distinct age groups with different feature sets and consent requirements:

| Age Group | Account Type | Consent | Direct Access | Features |

|-----------|--------------|---------|---------------|----------|

| Under 13 | Managed Profile | Parent/Guardian | None | Basic scoring, avatar (limited), card collection, achievements |

| 13–17 | Standard w/ Co-sign | Parent/Guardian | Yes (claim token) | Basic + restricted AI features (parent co-sign required for AI Portrait, Photo avatar, Pro tier) |

| 18+ | Standard | Self | Yes | Full feature set |

1.2 No Direct Collection from Children Under 13

LaneParty does not directly collect, solicit, or use any information from anyone under 13. All data collection occurs through the parent/guardian's authenticated account. The child never creates an account, logs in, or receives direct communications from LaneParty.

The managed profile is a child profile container created, managed, and deleted entirely by the parent.

2. Parent Notice Template

The following notice is displayed at the moment a parent initiates creation of a managed profile. This constitutes the COPPA-required parental notice.

[ATTORNEY REVIEW NEEDED — Ensure alignment with FTC Parent Notice guidance]

Parent Notice: Creating a Managed Profile for a Child

What is a Managed Profile?

A Managed Profile lets you track and manage bowling scores for your child (or other family member) under 13 directly in your LaneParty account. Your child does not create a separate account or login. You remain the owner and manager of all data.

What Information Do We Collect?

When you create a Managed Profile, you provide:

  • Child's name
  • Child's birth year (not full date of birth)
  • An avatar (chosen by you from LaneParty's free options)

We do not collect:

  • Your child's email address
  • Phone number or device identifiers
  • Location data tied to the child's profile
  • Payment information tied to the child's profile

How Do We Use This Information?

  • Score tracking: To store and display bowling scores
  • Age-gating: To restrict certain features (e.g., AI-generated portraits are not available to users under 18)
  • Achievements: To unlock bowling milestones and badges
  • Card collection: To track collectible card progress in-app

We do not:

  • Use this information for marketing or advertising
  • Send promotional emails or push notifications to your child
  • Share this information with third parties
  • Use this information to build behavioral profiles

Your Rights

You can:

  • View all of your child's data anytime
  • Update your child's avatar or name
  • Delete the Managed Profile at any time (data deleted within 30 days)
  • Release the profile to your child when they're ready (generates a claim token)
  • Access this policy anytime at [LaneParty Privacy Center]

Consent

By checking the box below, you confirm:

  • ☐ I am the parent or legal guardian of this child
  • ☐ I consent to LaneParty collecting and using the information described above
  • ☐ I understand I can delete this profile or change this consent at any time

Questions?

Email us at [legal@laneparty.app] with any questions about this notice or our privacy practices.

[ATTORNEY REVIEW NEEDED — Verify alignment with FTC standards for verifiable parental consent]

Method: Verifiable parental consent via authenticated parent account action.

LaneParty employs parent-initiated account action as the basis for parental consent. This method is recognized by the FTC as appropriate for COPPA compliance when:

  1. The parent is authenticated (logged into their own LaneParty account)
  2. The parent explicitly initiates the managed profile creation
  3. The parent confirms receipt and understanding of the parent notice (checkbox)
  4. A record of consent is retained in the account

Consent Flow:

  1. Parent logs into their LaneParty account
  2. Parent navigates to "Add Child Profile" or similar option
  3. Parent enters child's name and birth year
  4. Parent selects avatar from free tiers only
  5. Parent is presented with the Parent Notice (Section 2, above)
  6. Parent checks: "I am the parent/guardian and consent to data collection as described"
  7. LaneParty logs the consent action with timestamp
  8. Managed profile is created; parent gains full access to manage it

LaneParty maintains:

  • Timestamp of consent
  • Parent account that provided consent
  • Explicit acknowledgment (checkbox confirmation)
  • Copy of the notice presented at time of consent
  • Any subsequent consent updates (e.g., privacy policy changes)

At any time, a parent may:

  • Revoke consent by deleting the managed profile
  • LaneParty will delete all associated data within 30 days
  • Parent receives confirmation of deletion
  • No questions asked; no retention for any purpose after deletion

4. Data Collected for Managed Profiles (Exhaustive List)

4.1 Required Data

| Data Point | Purpose | Retention |

|------------|---------|-----------|

| Child's name | Display in-app, account management | Until parent deletes profile |

| Birth year (only) | Age-gating certain features | Until parent deletes profile |

| Avatar selection | Visual identification in app | Until parent deletes profile |

| Bowling scores | Core feature (score tracking) | Until parent deletes profile |

| Achievements / milestones | Gamification, engagement | Until parent deletes profile |

| Card collection progress | Collectible system | Until parent deletes profile |

| Account creation date | Account management | Until parent deletes profile |

4.2 Implicit Data (System-Generated)

| Data Point | Purpose | Retention |

|------------|---------|-----------|

| Access logs (to parent account) | Security, fraud prevention | 90 days |

| Device type (only) | Compatibility, not tracking | 30 days |

| App version | Performance analytics | 30 days |

| Crash reports (anonymized) | Bug detection | 30 days |

4.3 Data NOT Collected

Explicitly NOT collected from managed profiles:

  • Full date of birth (birth year only)
  • Email address
  • Phone number
  • Home address or geolocation
  • Device identifiers (IDFA, Android Advertising ID, etc.)
  • Browsing history
  • Cookie or tracking data tied to the child's profile
  • Behavioral data for profiling or targeting
  • Payment information
  • Social media accounts or linking

5. Data NOT Collected for Managed Profiles

[This section emphasizes negative space — what we explicitly do NOT do.]

5.1 No Direct Communication with Child

  • LaneParty will never send emails, push notifications, SMS, or in-app messages directly to a child under 13
  • All parental notifications go to the parent's account email
  • Parents control whether the child sees notifications on a shared device

5.2 No Marketing or Advertising

  • No behavioral targeting
  • No ad networks (Google AdSense, Facebook Pixel, etc.) linked to child data
  • No profiling for marketing purposes
  • No data sold, rented, or shared with advertisers

5.3 No Third-Party Sharing

  • Child data is never shared with:

- Advertising networks

- Data brokers

- Analytics platforms (Google Analytics tracks only aggregated, anonymized data)

- Third-party APIs or integrations

- Sponsors, venues, or league operators (without explicit parent consent in each case)

5.4 No Location Tracking

  • Managed profiles have no location data associated with them
  • If a parent's account has location (for venue sync), that location is tied to the parent, not the child's managed profile
  • QR code leaderboards and venue-level score uploads do not expose child profile data

5.5 No AI-Generated Imagery

  • AI Portrait avatar generation is blocked for all users under 18
  • Photo avatar uploads are blocked for all users under 18
  • Managed profiles (under 13) are limited to:

- Generated abstract avatars

- Illustrated character builder (static, no AI)

- Emoji combinations

6. How Data is Used

6.1 Permitted Uses

Data from managed profiles is used solely for:

  1. Score tracking and storage — to record and display bowling scores entered by the parent
  2. Age-gating — to restrict age-inappropriate features (AI Portraits, Photo avatars, Pro tier)
  3. Achievements and milestones — to unlock badges and gamification elements
  4. Card collection mechanics — to track progress in the in-app collectible card system
  5. Account management — to maintain the profile, enable profile transfer (claim-to-own), and handle parental requests
  6. Service improvement (aggregate only) — anonymized, non-identifiable usage patterns (e.g., "X% of managed profiles use achievements")
  7. Legal compliance — to meet COPPA, GDPR, CCPA, and other legal obligations
  8. Fraud prevention and security — to detect and prevent account abuse

6.2 Prohibited Uses

Data from managed profiles is explicitly not used for:

  • Marketing or promotional purposes
  • Behavioral profiling or targeting
  • Selling, renting, or sharing with third parties
  • Creating derivative profiles or insights
  • A/B testing or experimentation involving the child's data
  • Training machine learning models (unless anonymized beyond re-identification risk)
  • Cross-device tracking
  • Linking to parent account behavior or parent's preferences

6.3 Parental Visibility

Parents have full and real-time visibility into:

  • All data stored about their child's managed profile
  • All uses of that data
  • All access logs (who accessed the profile, when)
  • Any settings that affect data handling

7. Third-Party Access (None for Under-13 Data)

7.1 Service Providers

LaneParty may use third-party service providers to operate the app:

| Service | Purpose | Access to Child Data? | Safeguards |

|---------|---------|----------------------|-----------|

| Cloud storage (Vercel, AWS) | Data hosting | Yes (encrypted) | COPPA-compliant BAA; no data use beyond hosting |

| Error tracking (Sentry) | Bug detection | Anonymized only | No identifiable child data |

| Database provider | Core infrastructure | Encrypted | Contracts prohibit use outside of LaneParty |

| Payment processor | Parental Pro tier purchases | No child data | Only processes parent's payment info |

[ATTORNEY REVIEW NEEDED] — Ensure all service provider contracts include:

  • Specific COPPA-compliant Business Associate Agreements
  • Prohibition on using child data for any purpose other than providing the service
  • Commitment to not combine child data with other datasets
  • Deletion obligations aligned with LaneParty's 30-day deletion window

7.2 Third Parties Explicitly Excluded

The following services have NO ACCESS to any data from managed profiles:

  • Google Analytics (aggregate, anonymized metrics only)
  • Advertising networks (Google Ads, Facebook, etc.)
  • Social media platforms
  • Data brokers or aggregators
  • League operators or venue partners (unless parent explicitly grants permission in writing for each case)

7.3 League/Venue Score Sync

If a parent's account is linked to a bowling league or venue (e.g., for automatic score pulls), managed profile data does not flow to the league. Only the parent's own scores sync. The parent controls what data leaves LaneParty.

8. Parental Rights (View, Edit, Delete)

8.1 Right to Access

Parents may view all data stored about their child's managed profile by:

  1. Logging into their LaneParty account
  2. Navigating to the child's Managed Profile
  3. Clicking "View Profile Data"

All data is displayed in human-readable format, including:

  • Profile metadata (name, birth year, avatar)
  • Complete score history
  • Achievements and milestones
  • Card collection progress
  • Account creation date
  • Last modified timestamps

8.2 Right to Edit

Parents may edit:

  • Child's name
  • Avatar (limited to free tiers only)
  • Privacy settings (notification preferences, etc.)
  • Any custom tags or notes the parent has added

Parents cannot edit:

  • Birth year (this prevents circumvention of age-gating)
  • Score history (immutable for integrity)
  • Achieved milestones (immutable)

8.3 Right to Delete

Parents may delete the managed profile entirely by:

  1. Logging into their LaneParty account
  2. Navigating to the child's Managed Profile
  3. Clicking "Delete Profile"
  4. Confirming deletion (one-click confirm; no additional verification required beyond parent login)

Upon deletion:

  • All data about the child is permanently deleted within 30 days
  • Data is purged from all backups within 60 days
  • Parent receives confirmation email
  • No data is retained for any other purpose
  • The managed profile cannot be recovered

8.4 Right to Obtain a Copy

Parents may request a machine-readable copy of all data by:

  1. Emailing legal@laneparty.app with subject "Data Export Request"
  2. Confirming their parent account
  3. Receiving a CSV or JSON export within 5 business days

9. Parental Release / Claim-to-Own Procedure

[ATTORNEY REVIEW NEEDED — This mechanism is novel and may require specific legal guidance on data ownership transfer]

9.1 Overview

The Claim-to-Own feature allows a parent to release a managed profile to the child when the parent determines the child is ready for independent account access. The child then "claims ownership" of the profile, transfers all historical data, and becomes the full account owner while the parent retains visibility rights until the child turns 18.

9.2 When Can a Parent Release a Profile?

  • At any age the parent deems appropriate (not strictly at age 13)
  • Parents in shared custody may release after mutual agreement
  • Parents may revoke a release if the child is not ready (child must delete their independent account first)

9.3 Release Initiation

The parent initiates release by:

  1. Logging into their LaneParty account
  2. Opening the child's Managed Profile
  3. Clicking "Release to [Child Name]"
  4. Confirming: "I am releasing this profile to my child. They will need a claim token to activate it."
  5. LaneParty generates a Claim Token (unique, alphanumeric, one-time use)

9.4 Claim Token Details

Token Properties:

  • Format: Alphanumeric string (e.g., CLAIM-ABC123-XYZ789)
  • Validity: 72 hours from generation
  • Extendability: Parent can extend validity by logging back in and clicking "Extend Token" (unlimited extensions)
  • One-time use: After successful claim, token is consumed and cannot be reused

Token Display:

  • Shown on parent's Managed Profile screen
  • Can be printed or shared verbally with child
  • NOT sent to child via email or push (parent maintains control of transmission)

9.5 Child Claims Ownership

The child:

  1. Opens LaneParty app (on any device)
  2. Selects "I Have a Claim Token" on the login/signup screen
  3. Enters the token
  4. Creates a new, independent account (username, password, email address)
  5. Upon successful entry, the managed profile data transfers to the child's account:

- All historical scores

- All achievements and milestones

- Card collection progress

- Avatar (transferred as-is)

9.6 Post-Claim Account Status

For 13–17 year-olds:

  • Child owns and manages their own account
  • Child can log in independently
  • Child can add a personal email address
  • Child has restricted access to certain features:

- AI Portrait generation — requires parent co-sign

- Photo avatar upload — requires parent co-sign

- Pro tier purchase — requires parent co-sign

  • Parent co-sign is optional: parent and child can agree to parent oversight, or parent can opt out entirely
  • Parent can view child's data (optional visibility) if opted in

For 18+ year-olds:

  • Child owns and manages their own account
  • No parental co-sign required for any feature
  • Full feature set available

9.7 Parent Visibility After Release

After the child claims the profile, the parent:

  • Loses automatic ownership of the managed profile
  • May retain visibility if the child (or co-signing parent) explicitly grants permission
  • Can request data deletion from the child's account (if child is under 18)
  • Can revoke co-sign authority if applicable

9.8 Reversal / Revocation

If a child is not ready for independent account ownership:

  1. Child deletes their independent account (or parent initiates deletion if child is under 13)
  2. Parent logs back into their account and reclaims the managed profile
  3. All data returns to managed profile status
  4. Child must re-claim if/when they are ready again

10. Ages 13–17 Account Rules (Reduced Features & Parent Co-Sign)

10.1 Account Ownership Transition

At age 13 or upon claimed profile release (whichever the parent chooses):

  • Child gains independent account ownership
  • Child can log in directly
  • Child can add personal email address
  • Child retains full access to basic features

10.2 Restricted Features (Require Parent Co-Sign)

The following features are restricted for ages 13–17 and require parent co-sign:

| Feature | Restriction | Why |

|---------|------------|-----|

| AI Portrait avatar | Requires parent email confirmation | AI-generated imagery concerns |

| Photo avatar upload | Requires parent approval | User-generated content + facial imagery |

| Pro tier purchase | Requires parent payment method | Financial transaction; purchase consent |

| Custom nickname in league | May require parent approval (configurable by parent) | Identity management |

| Public profile visibility | Disabled by default; parent can enable | Prevents inadvertent public exposure |

10.3 Parent Co-Sign Flow

When a 13–17 year-old attempts a restricted feature:

  1. App displays: "This feature requires parent approval"
  2. Child enters parent's email address
  3. LaneParty sends parent a one-time link to approve or deny
  4. Parent logs in and reviews the request (with context: "Your child wants to use AI Portrait generation")
  5. Parent approves or denies
  6. Child is notified of the decision
  7. If approved, the feature is unlocked; if denied, feature remains restricted

10.4 Parent Co-Sign is Optional

Parents can:

  • Opt into co-sign oversight — review and approve restricted actions
  • Opt out entirely — child has full access to all features at age 13+
  • Toggle oversight on/off — change preferences as child matures

11. Data Retention and Deletion Procedures

11.1 Retention Timeline

| Data Type | Retention Period | Reason |

|-----------|-----------------|--------|

| Managed profile data | Until parent deletion | Core service necessity |

| Scores, achievements, cards | Until parent deletion | User-facing history |

| Access logs (account-level) | 90 days | Security monitoring |

| Crash/error logs (anonymized) | 30 days | Bug detection |

| Backups (with child data) | 60 days after deletion | Disaster recovery |

| Analytics (aggregated, anonymized) | Indefinite | Service improvement (non-identifiable) |

11.2 Parental Deletion

When a parent deletes a managed profile:

  1. All data is marked for deletion immediately in the production database
  2. Data is inaccessible to the parent and child within 24 hours
  3. Data is purged from backups within 60 days
  4. Data is permanently deleted and not retained for any secondary purpose

11.3 Claimed Profile Deletion (Child-Initiated)

When a child (13+) deletes their own account:

  1. Same deletion timeline applies (24 hours to marking, 60 days to permanent purge)
  2. Parent (if co-sign was enabled) is notified of deletion
  3. Historical data is not recoverable by parent or child

11.4 Parental Request for Child Deletion (Minor Under 18)

If a parent requests deletion of a child's account (post-claim, before age 18):

  1. LaneParty requires verification that the parent is the account creator (managed profile creator)
  2. If verified, parental deletion is granted
  3. Child account is deleted with same timeline (24 hours / 60 days)
  4. Parent is notified upon completion

11.5 Age of Majority (18+)

At age 18:

  • All co-sign requirements are removed
  • Parent co-sign access is automatically revoked
  • Account is treated as a standard adult account
  • No parental deletion rights remain
  • Child-initiated deletion is final

11.6 Voluntary Policy Changes

If LaneParty updates this privacy policy:

  • Existing managed profiles are subject to the more protective of the old or new policy
  • If new policy is less protective, LaneParty grandfathers existing profiles under old rules
  • Parents are notified of changes and can delete the profile if they disagree

12. Contact Information for Parental Inquiries

12.1 Privacy & COPPA Requests

Email: legal@laneparty.app

Response time: 5 business days for routine inquiries; 24 hours for urgent privacy concerns

What to include:

  • Parent name and account email
  • Child's name (as it appears on managed profile)
  • Nature of inquiry (data access, deletion, co-sign issue, etc.)

12.2 Data Deletion Requests

Email: legal@laneparty.app

Subject: "Data Deletion Request — [Child Name]"

What to include:

  • Parent account email
  • Child's name
  • Confirmation: "I request permanent deletion of this child's data"

Confirmation: LaneParty will confirm deletion within 24 hours and provide a completion timeline.

12.3 Disputes or COPPA Concerns

If a parent believes LaneParty has violated COPPA:

  1. First: Email legal@laneparty.app with details
  2. Next: LaneParty will respond within 48 hours with remediation
  3. Escalation: Parent can file a complaint with the FTC at https://reportfraud.ftc.gov

12.4 Compliance Contact

Chief Privacy Officer: [Name, title]

Email: privacy@laneparty.app

Mailing Address: [LaneParty legal address]

13. Changes to This Policy

13.1 When LaneParty Updates This Policy

LaneParty will:

  1. Post the updated policy with a clear "Last Updated" date
  2. Notify all parents via email of material changes
  3. If a change is less protective (expands data collection, sharing, or reduces parental rights):

- Existing profiles are grandfathered under the old policy

- Parent can opt into the new policy or delete the profile

  1. If a change is more protective (restricts data use, improves privacy):

- Changes apply to all profiles immediately

- Parent is notified for transparency

13.2 Material vs. Non-Material Changes

Material changes (parents are notified):

  • Expansion of data collection
  • New third-party access or sharing
  • Reduction in parental rights
  • Changes to age-gating or feature restrictions
  • Changes to deletion timelines

Non-material changes (posted but no email required):

  • Clarifications or formatting improvements
  • Contact information updates
  • Minor operational updates that do not expand data usage

13.3 Effective Date

Changes to this policy are effective 30 days after posting, unless otherwise required by law.

14. Summary of COPPA Defensibility

This policy complies with COPPA because:

  1. No direct collection from children under 13

- All data is collected by and through a parent's authenticated account

- Child never creates an account, logs in, or interacts with LaneParty directly (until claimed)

  1. Verifiable parental consent

- Parent initiates managed profile creation

- Parent reviews parent notice

- Parent explicitly confirms consent via checkbox

- Consent is logged with timestamp and account reference

  1. Data minimization

- Only birth year collected (not full DOB)

- No email, phone, location, or device identifiers

- Data limited to what's necessary for the service

  1. No marketing or targeting

- No ads, behavioral profiling, or third-party sharing

- No direct communications with child

  1. Parental control and visibility

- Parent can view, edit, and delete at any time

- Parent initiates release to child

- Parent retains oversight until age 18

  1. Data security

- Encryption in transit and at rest

- Limited third-party access (service providers only)

- Secure deletion procedures

  1. Transparent practices

- Clear disclosure of data collection and use

- Accessible parent notice at time of collection

- Regular policy updates with parental notification

15. Disclaimer

[ATTORNEY REVIEW NEEDED] This document is a DRAFT. It has been prepared based on good-faith interpretation of COPPA requirements and current FTC guidance, but is not a substitute for legal review by a qualified attorney specializing in children's privacy law.

Before publishing this policy:

  1. Obtain review by a licensed attorney in the jurisdiction(s) where LaneParty operates
  2. Audit all technical implementations to verify they match these descriptions
  3. Verify all third-party service agreements include COPPA-compliant BAAs
  4. Test the parental consent flow with real users to ensure clarity
  5. Document your compliance program for potential FTC audits

Potential sections requiring specific legal review:

  • Section 3 (Consent mechanism) — verify alignment with FTC examples
  • Section 7 (Third-party access) — ensure all BAAs are compliant
  • Section 9 (Claim-to-own procedure) — novel mechanism; needs legal validation
  • Section 10 (Ages 13–17 rules) — verify co-sign flow meets legal requirements
  • Section 12 (Contact information) — ensure CPI contact details are accurate

Non-compliance with COPPA can result in FTC enforcement, civil penalties (up to $43,280 per violation as of 2026), and reputational damage.

Appendix A: Technical Implementation Checklist

[ATTORNEY REVIEW NEEDED — Verify each item is implemented in the actual app]

  • [ ] Managed profile creation requires parent to be logged in
  • [ ] Parent notice is displayed before profile creation
  • [ ] Explicit consent checkbox is required
  • [ ] Consent is logged with timestamp and parent account ID
  • [ ] Child data is segregated in database from parent data (for access control)
  • [ ] Birth year field only; full DOB not collected
  • [ ] No email address collected for managed profiles
  • [ ] Avatar selection limited to free tiers (no AI, no photo for under-18)
  • [ ] No third-party cookies or tracking pixels on child data
  • [ ] All third-party service providers have COPPA-compliant agreements in place
  • [ ] Data deletion is tested and verified (manual audit of backups)
  • [ ] Access logs are purged after 90 days
  • [ ] Claim token generation, validation, and expiry are working correctly
  • [ ] Parent co-sign flow for 13–17 is tested
  • [ ] Profile visibility settings are properly enforced
  • [ ] No marketing emails or push notifications are sent to child data

End of COPPA Compliance Document

This draft is ready for attorney review. Sections marked [ATTORNEY REVIEW NEEDED] require specialized legal input before publication.