Skip to content
PhoxFin

Legal

Privacy Policy

Last updated: May 19, 2026 · Effective immediately.

This policy is under active review by COPPA-experienced counsel. The stance below is binding pending that review; material changes are communicated to account holders per §10.

Plain-language summary

We collect the minimum information needed to run a kid-safe learning product. Parents are in control of their child's data. We never sell kid data. We never target kids with ads. Data lives on Supabase (US-hosted) and is encrypted in transit and at rest.

1. Who we are

PhoxFin is a financial literacy learning product operated by Knightbyrd Tech LLC, a South Carolina limited liability company. References to "we," "us," or "PhoxFin" in this policy mean Knightbyrd Tech LLC. You can reach us at privacy@phoxfin.com.

2. Children under 13 — COPPA notice

PhoxFin is designed for children ages 4 through 18 and complies with the Children's Online Privacy Protection Act ("COPPA"). We do not knowingly collect personal information directly from children under 13. Instead, a parent or guardian creates the family account and adds the child profile. The information we collect about a child is limited to:

  • First name (used for personalization in lessons + games)
  • Grade level + grade band (used to serve age-appropriate lesson content)
  • Lesson progress, scores, and adaptive-learning signals (used to personalize the learning experience and produce parent-readable progress reports)
  • Smart Break game sessions + reward records (used to power the rotation engine and the family streak)
  • Reflection text the child enters into the AI-graded reflection feature (used to provide feedback; processed by Anthropic Claude API per their data processing terms)

We do not collecta child's email address, phone number, photograph, geolocation, or any persistent identifier used for tracking across third-party services. Our telemetry is anonymous and scoped to product improvement (lesson completion rates, drop-off patterns) — never to ad targeting.

3. Parental consent

When a parent creates an account and adds a child profile, the parent provides consent to the data collection described above on the child's behalf, as authorized by COPPA. The parent can review, modify, or delete the child's data at any time from the family dashboard, or by emailing privacy@phoxfin.com.

4. Information we collect from parents

From the parent (or other adult account owner), we collect:

  • Name and email address (account creation, transactional emails)
  • Billing information (payment is processed by Stripe; we do not store full card numbers on our servers — Stripe holds the PCI scope)
  • Optional: account preferences, parent-track lesson progress, Friday Family Talk email opt-in

5. How we use information

  • To operate the learning product (serve lessons, run games, track progress, surface adaptive feedback)
  • To process payments and manage subscriptions (Stripe)
  • To send transactional emails (welcome, payment receipts, lesson-complete notifications, certificate awards)
  • To improve the product through anonymous, aggregated telemetry
  • To respond to your support requests

We do notuse children's personal information for marketing, advertising, behavioral targeting, or any purpose beyond what's necessary to operate the learning product.

6. Third-party service providers

PhoxFin uses the following service providers as data processors under contract, each of whom is contractually obligated to use your data only for the purposes we direct:

  • Supabase (US-hosted database + authentication) — stores account data, lesson progress, family records
  • Stripe (payment processing) — handles subscriptions and PCI-compliant card data
  • Resend (transactional email delivery) — handles outbound email (welcome, receipts, lesson-complete)
  • Anthropic(Claude API for the AI tutor + AI-graded reflections) — processes Phoxyn ask interactions and Grade 6-12 reflection text; per Anthropic's terms, this content is not used to train their models
  • Vercel (hosting) — serves the web application

7. Data retention + deletion

We retain account data for as long as the account is active. If you delete your account or your child's profile, we delete the associated personal data within 30 days, except where required by law (e.g., tax records for paid transactions). A parent can request immediate deletion by emailing privacy@phoxfin.com.

8. Your rights

Depending on where you live, you may have rights under privacy laws including the California Consumer Privacy Act ("CCPA") and the EU/UK General Data Protection Regulation ("GDPR"). These rights generally include the right to:

  • Know what personal information we have about you or your child
  • Request correction or deletion of that information
  • Opt out of any data sale (PhoxFin does not sell personal information)
  • Withdraw consent and close your account

To exercise any of these rights, email privacy@phoxfin.com.

9. Security

We encrypt data in transit (HTTPS) and at rest (Supabase encryption). Authentication is handled via Supabase Auth. Payment data is tokenized by Stripe and never stored on our servers. We do not promise absolute security, but we follow industry-standard practices.

10. Changes to this policy

We'll post any changes to this policy on this page with an updated "Last updated" date. If the changes are material, we'll email account holders before the changes take effect.

11. Contact us

Knightbyrd Tech LLC
Attn: PhoxFin Privacy
Email: privacy@phoxfin.com

← Terms of Service