Compliance: Children’s Online Privacy Protection Act of 1998 (15 U.S.C. §§ 6501–6505) and the FTC’s COPPA Rule (16 CFR Part 312)

Operator: AI Metrologist, LLC

Service: MetTutor (https://mettutor.ai)

Effective Date: May 1, 2026

Last Updated: May 1, 2026

1. Introduction and Scope

This Children’s Privacy Policy describes how AI Metrologist, LLC (“MetTutor,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information from children under the age of 13 (“children”) who may have access to or use the MetTutor service at https://mettutor.ai (the “Service”). MetTutor may only be used by children under the age of 13 with the consent and supervision of a parent, legal Guardian, or educational institution.

MetTutor is an educational tutoring service for metrology, calibration, and measurement science, and employs safeguards to prevent accessing general information on the internet. MetTutor utilizes a dedicated knowledge base, MetLibrary, specifically designed for educational purposes in measurement science. Certain features of the Service are designed to be appropriate for K-12 students, including children under 13. We are committed to complying with the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. §§ 6501–6505) and the FTC’s COPPA Rule at 16 CFR Part 312.

This policy supplements, and does not replace, MetTutor’s general Privacy Policy and Terms of Service (“EULA”). Where this policy and the general Privacy Policy conflict regarding children under 13, this policy controls.

Who this policy applies to:

• Children under the age of 13 who may use the Service with the consent and supervision of their parents or legal guardians
• Parents and legal guardians providing consent for children’s use of the Service
• Schools and educational institutions providing institutional consent under the framework described in Section 6 below

• Operator Identity and Contact Information

For all matters related to children’s privacy at MetTutor, please contact:

AI Metrologist, LLC

Attn: Privacy Officer / COPPA Inquiries

Email: info@aimetrologist.com

Web: https://mettutor.ai

• Information We Collect From Children With Permission Form: Parental or Legal Guardian

• Information collected directly from the child

When a child uses MetTutor under parental or legal guardian consent, we may collect:

• Account information:
  • First name or display name (no last name required); username; year of birth or grade level (used to gate age-appropriate content)
  • Educational profile: User role (designated as `k12_student`), experience level, learning goals
• Service interaction data: Tutoring conversations (text questions and answers exchanged with the AI tutor); quiz responses and scores; learning event records (sessions started, questions asked, modes used); skill usage records
• Voice data (if voice features are enabled): Audio recordings of the child’s voice questions submitted to the speech-to-text feature; the child’s selection of a synthesized voice character (“MET”). Note: Voice audio is not retained beyond transient processing (not retained for training).
• Document uploads (this feature is blocked for K-12 students and educators).
• Technical information: IP address, browser type and version, device type, operating system, session cookies and authentication tokens, language preference

3.2 Information collected from parents/guardians

When a parent or legal guardian provides consent on behalf of a child, we collect from the parent:

• Parent/guardian full name
• Parent/guardian email address
• Verification information used to confirm identity (see Section 5: Verifiable Parental Consent)
• Relationship to the child (parent, legal guardian, school-authorized representative)

• Information we do NOT collect

We do not knowingly collect from children:

• Last name (beyond what a parent voluntarily provides at registration)
• Home address, phone number, or other geolocation precise enough to identify a street address
• Photographs, videos, or images of the child
• Persistent identifiers used for behavioral advertising
• Social Security numbers or government-issued ID numbers
• Financial account information (payment is processed only through the parent/guardian account)
• Information about the child’s family members beyond the consenting parent/guardian

3.4 Passive collection through technology

Cookies and similar technologies: We use authentication cookies and session cookies necessary to operate the Service. We do not use third-party advertising cookies, tracking pixels, or behavioral targeting tools on pages used by children.

Server logs: Our servers automatically log IP addresses, request timestamps, and pages accessed for security, debugging, and abuse-prevention purposes. These logs are retained per Section 9 below.

• How We Use Information Collected From Children

We use information collected from children **only** to:

• Provide, maintain, and personalize the educational tutoring service
• Generate AI tutor responses tailored to the child’s role, experience level, and goals
• Track learning progress and surface relevant content
• Synthesize voice responses (text-to-speech) and process voice questions (speech-to-text)
• Communicate with parents/guardians about service updates, account status, or COPPA-related matters
• Respond to parent/guardian requests under Section 7 (Parental Rights)
• Maintain security, prevent fraud and abuse, and comply with legal obligations

We do NOT

• Use children’s personal information for behavioral advertising or marketing of products/services
• Sell, rent, lease, or trade children’s personal information to any third party
• Use children’s personal information to build advertising profiles
• Disclose children’s personal information except as described in Section 6

• Verifiable Parental Consent (VPC)

Before we collect, use, or disclose personal information from a child under 13, we obtain verifiable parental consent from the child’s parent or legal guardian, as required by 16 CFR § 312.5.

• Direct notice to parents

When a child attempts to register, or a parent registers a child under 13, we provide direct notice to the parent that includes:

• That we have collected the parents’ online contact information for the purpose of obtaining consent
• That parental consent is required for the child to use the Service
• The categories of personal information we will collect (Section 3 of this policy)
• How we will use the information (Section 4)
• That the parent may consent or refuse consent
• How the parent may later revoke consent and have the child’s information deleted (Section 7)
• A link to this Children’s Privacy Policy

This direct notice is provided via email to the parent’s verified email address before the child’s account is activated.

5.2 Methods of verifiable parental consent we accept

The following methods are listed by 16 CFR § 312.5(b)(2) as acceptable VPC methods. AI Metrologist, LLC must select and implement one or more of these methods. The recommended method for a small SaaS operator is “email plus“.

The methods AI Metrologist, LLC currently uses are:

1. Email Plus (for internal-use-only collection). Where personal information collected from the child is used only by AI Metrologist, LLC and not disclosed to third parties, we obtain consent through:

• The parent submitting a signed consent form via email (typed name plus checkbox affirmation, or scanned signed PDF), AND
• A confirmatory follow-up communication (a confirmation email sent to the parent’s verified email address, with a unique consent-confirmation link the parent must click within a defined window)

2. Government-issued identification verification. For institutional and high-tier accounts, we may accept a parent’s submission of a government-issued photo ID, which we verify against authoritative databases and promptly delete after verification.

3. Knowledge-based authentication. We may verify parental identity through dynamic knowledge-based questions drawn from public and proprietary records, where supported by our verification provider.

4. Credit/debit card transaction. A parent may consent by completing a small charge on a credit or debit card (which requires the parent to provide card details that are processed by our PCI-DSS-compliant payment processor, Stripe). The charge confirmation serves as VPC. Charges are refunded or applied to the account at the parent’s option.

5. Video conference with trained personnel. Available upon request for parents who prefer this method.

Email Plus is appropriate only where personal information is used internally by the operator and not disclosed to third parties.

5.3 School-authorized use (institutional consent)

For children using MetTutor as part of a school-administered or institution-administered program (e.g., MetTutor Institution-tier subscriptions), the school or institution may provide consent on behalf of parents under the framework permitted by FTC COPPA guidance, provided that:

• The school has authorized the use of MetTutor solely for educational purposes within the school context
• The school has provided notice to parents and offered an opportunity to opt out
• MetTutor is not used for any commercial purpose with the child’s information
• The school remains responsible for verifying parental authorization where required

Schools acting under this framework should review the MetTutor Institutional Data Processing Agreement (DPA) before deploying MetTutor with students under 13.

5.4 Refusing or withdrawing consent

A parent may refuse consent at the time of registration by closing the consent flow without completing it. The child’s account will not be activated, and any information temporarily collected during the registration attempt will be deleted within 30 days.

A parent who has previously consented may withdraw consent at any time by following the procedures in Section 7 (Parental Rights).

6. Disclosure of Information

We disclose children’s personal information only to:

6.1 Service providers (sub processors)

We use the following third-party service providers to operate the Service. Each is contractually bound to use children’s personal information only to provide services to MetTutor and not for their own purposes:

Sub processor	Purpose	Data accessed
Anthropic, PBC	AI tutor inference (Claude)	Tutoring conversation text
Google LLC (via AI Studio)	Text-to-speech and speech-to-text	Voice audio (transient, not retained for training per current API terms)
Vercel, Inc	Web hosting and edge computing	All Service traffic, server logs
Supabase, Inc.	Database, authentication, storage	Account data, learning events, conversation history
Stripe, Inc.	Payment processing (parent/guardian only)	Parents’ payment information, not children’s information
Resend	Transactional email delivery (parent communications)	Parent email addresses, message content

6.2 Legal compliance and protection

We may disclose children’s personal information when required by law, subpoena, or court order; to protect the safety of the child or others; to investigate fraud or abuse; or to comply with regulatory inquiries (including FTC inquiries).

6.3 Business transfers

In the event of a merger, acquisition, or sale of assets, children’s personal information may be transferred to the successor entity, subject to this policy’s requirements. Parents will be notified of any change in operator and offered the opportunity to delete the child’s information before transfer.

6.4 Aggregated and de-identified information

We may use and disclose aggregated or de-identified information (information that cannot reasonably be linked to a specific child) for any purpose, including service improvement, research, and reporting. Aggregated data does not include any personal identifiers.

7. Parental Rights

Per 16 CFR § 312.6, parents have the following rights with respect to information we have collected from their child:

7.1 Right to review

A parent may request a description of the specific types of personal information we have collected from the child, as well as a means to review that information. We will provide this information within 30 days of receiving a verified request.

7.2 Right to delete

A parent may request the deletion of all personal information we have collected from the child. Upon receiving a verified request, we will:

– Permanently delete the child’s account and all associated personal information from production systems within 30 days

– Delete or de-identify the child’s information in backup systems within 90 days, or within the next regular backup retention cycle, whichever is sooner

– Confirm completion of deletion to the parent in writing

7.3 Right to refuse further collection

A parent may direct us to stop collecting personal information from the child while leaving previously collected information in place. The child’s account will be limited or suspended to comply with this direction.

7.4 Right to revoke consent

A parent may revoke previously granted consent at any time. Revocation has the same effect as a deletion request unless the parent specifies otherwise.

7.5 How to exercise these rights

To exercise any of these rights, a parent must contact us at:

Email: info@aimetrologist.com (subject line: “COPPA Parental Rights Request”)

We will verify the requester’s identity using the same method used for the original consent (e.g., reply confirmation from the email address used for VPC). Verified requests are processed within 30 days. We do not charge a fee to process parental rights requests.

8. Conditioning Participation

Per 16 CFR § 312.7, we do not condition a child’s participation in any activity on the disclosure of more personal information than is reasonably necessary to participate in that activity. The Service’s tutoring features require only the categories of information described in Section 3.1.

9. Data Retention and Deletion

Per 16 CFR § 312.10, we retain personal information collected from children only as long as reasonably necessary to fulfill the purpose for which it was collected, after which we delete or de-identify the information using reasonable measures to protect against unauthorized access or use.

Data category	Retention period
Active account data (account active and being used)	For the duration of the account’s activity
Conversation history and learning events	24 months from last activity, then deleted
Voice audio (STT submissions)	Not retained beyond transient processing (sub-processor terms apply)
Server logs containing IP addresses	90 days
Inactive accounts (no activity for 12+ months)	Account closed or deletion requested
Account and associated data deleted after 12 months of inactivity, with parental notice 30 days before deletion	Production data deleted within 30 days; backup data within 90 days
Aggregated/de-identified data	Retained indefinitely

10. Data Security

We maintain reasonable security measures to protect children’s personal information from unauthorized access, use, alteration, and disclosure, per 16 CFR § 312.8. These measures include:

• Encryption in transit (HTTPS/TLS 1.2 or higher) for all data transmitted between user devices and our servers
• Encryption at rest for stored data
• Row-level security policies on our database to restrict access to authorized accounts only
• Multi-factor authentication for administrative accounts
• Logging and monitoring of access to children’s data
• Regular review of subprocessor security practices
• Employee and contractor confidentiality agreements
• Incident response procedures including parental notification in the event of a breach affecting children’s data

No system is perfectly secure. In the event of a security incident affecting children’s personal information, we will notify affected parents and applicable regulators as required by law.

11. Changes to This Policy

We may update this Children’s Privacy Policy from time to time. Material changes will be notified to parents via email at the address provided during VPC, at least 30 days before the changes take effect. Continued use of the Service by the child after the effective date of changes constitutes the parent’s renewed consent to the updated policy. Parents who do not consent to updated terms may withdraw consent under Section 7.

The “Last Updated” date at the top of this policy reflects the date of the most recent revision.

12. State-Specific Provisions

• California Consumer Privacy Act (CCPA) and the California Age-Appropriate Design Code
• Connecticut Data Privacy Act
• New York SHIELD Act
• Florida Digital Bill of Rights
• Texas Data Privacy and Security Act

13. International Considerations

MetTutor is operated from the United States and is intended for use within the United States.

• General Data Protection Regulation (GDPR) and GDPR-K provisions for children in the EU (consent age varies by Member State, typically 13–16)
• UK Age Appropriate Design Code (Children’s Code)
• Canadian PIPEDA and provincial privacy laws

14. Effective Date and Acknowledgment

This policy is effective on the date stated at the top of this document. By providing verifiable parental consent and continuing to allow your child to use the Service, you acknowledge that you have read, understood, and agreed to this Children’s Privacy Policy.

Parents may print or download a copy of this policy at any time from https://mettutor.ai/privacy/coppa.

Appendix A — FTC COPPA Rule Cross-Reference

Policy Section:

16 CFR Reference

Section 2 (Operator contact) | § 312.4(d)(1)

Section 3 (Information collected) | § 312.4(d)(2), § 312.2 (definitions)

Section 4 (Use) | § 312.4(d)(3)

Section 5 (Verifiable Parental Consent) | § 312.4(c), § 312.5

Section 6 (Disclosure) | § 312.4(d)(2)(iii), § 312.6

Section 7 (Parental Rights) | § 312.6

Section 8 (Conditioning) | § 312.7

Section 9 (Retention/Deletion) | § 312.10

Section 10 (Security) | § 312.8

Section 11 (Material Changes) | § 312.4(c)(1)(iv)