Skip to main content

Privacy Notice

Craft Your Knowledge — operated by BS in a Box LLC

Last updated: May 14, 2026

What this notice covers

Craft Your Knowledge is an educational learning app for children in grades K–6 (ages 5–12). This privacy notice explains what information we collect from children and parents, how we use it, and how you can control or delete it. We comply with the Children's Online Privacy Protection Act (COPPA) and treat all app users as children.

Who operates this service

BS in a Box LLC
San Diego, California
Contact: privacy@bsinabox.com

What information we collect

From parents

We collect your email address, display name, and payment information (processed by Stripe — we never store card numbers). This is collected during account creation and is used to manage your account and verify parental consent.

From children

We collect only what is necessary for the app to function:

  • Display name (chosen by the parent)
  • Grade level (set by the parent)
  • Avatar selection
  • Optional 4-digit PIN (stored as a one-way hash)

Learning data stays on-device. All raw learning events (answers, timing, mastery estimates) are processed and stored locally on the device using on-device databases. Only aggregated mastery snapshots (no raw answers) are synced to our servers so parents can view progress.

How we use this information

  • To provide age-appropriate learning content across subjects
  • To show parents their child's learning progress
  • To manage child profiles within the parent account
  • To process subscription payments (Stripe)
  • To respond to parent support requests

We do notuse children's information for advertising, profiling, or any purpose unrelated to the educational service.

Third-party services we use

Every third-party service in our app has been reviewed for COPPA compliance. Each has a contractual purpose limitation — they may only use data for the specific purpose we engage them for, and may not use it for secondary purposes.

ServicePurposeData accessed
SupabaseAuthentication & databaseParent email, auth tokens
StripePayment processingParent email, payment method
VercelParent dashboard hostingNone (static hosting)
ResendTransactional email deliveryParent email (never child data)
SentryError monitoring & crash reportsCrash diagnostics only (no child PII attached)

No third-party service collects persistent identifiers from children. The child-facing app (Expo/React Native) uses only local, on-device libraries for rendering, animation, audio, and data storage.

We do not sell, rent, or share children's personal information with any third party for marketing, advertising, or any purpose unrelated to providing the educational service.

Parental consent (COPPA Verifiable Parental Consent)

Before any child data is collected, we verify parental consent using a credit-card transaction. The small charge during signup serves as verifiable parental consent (VPC) under COPPA. If credit-card verification is unavailable, we offer a "Text-Plus" alternative method. Consent records are retained for 3 years for FTC audit purposes.

You may revoke consent at any time by contacting us at privacy@bsinabox.com or by using the "Delete my data" option in your parent dashboard.

How long we keep data

We retain data only as long as reasonably necessary to fulfill the purpose for which it was collected. Here are our specific retention periods:

Data typeRetention periodWhat happens after
Parent account infoWhile active + 30 days after deletionPermanently deleted
Child profile dataWhile active + 30 days after deletionPermanently deleted
Learning progress (server)While active + 30 daysPermanently deleted
Learning events (device)On-device only, never uploadedCleared on profile delete
Payment recordsWhile subscription active + 90 daysStripe customer deleted
Parental consent records3 years from grant datePermanently deleted
Support communications1 year after resolutionPermanently deleted
Aggregated analyticsIndefiniteN/A — contains no personal info

Your rights as a parent

Under COPPA, you have the right to:

  • Review what personal information we have collected from your child
  • Request that we delete your child's personal information
  • Refuse to allow further collection of your child's information
  • Revoke your consent at any time

To exercise any of these rights, email privacy@bsinabox.com or use the data management tools in your parent dashboard. We will respond to verified requests within 30 days.

How to delete data

You can delete a child profile or your entire account from the parent dashboard. When you request deletion:

  1. We immediately stop collecting new data
  2. Server-side data is permanently deleted within 30 days
  3. Stripe customer records are deleted via API
  4. You receive an email confirming deletion is complete

On-device learning data is deleted automatically when you remove the child profile from the app.

How we protect data

We use industry-standard security measures including encryption in transit (TLS 1.3), encrypted storage, row-level security policies on all database tables, and security headers on all web traffic (CSP, HSTS, X-Frame-Options). Child PINs are hashed using PBKDF2 with 100,000 iterations — we never store PINs in plain text. We have designated a security coordinator and maintain a written Children's Information Security Program (CISP).

Changes to this notice

If we make material changes to this privacy notice, we will notify you by email at the address associated with your account before the changes take effect. We will obtain new parental consent if any changes affect how we collect or use children's information.

Contact us

If you have questions about this privacy notice or our data practices, please contact us:

BS in a Box LLC
Email: privacy@bsinabox.com