COPPA Compliance

The Children's Online Privacy Protection Act (COPPA) is a United States federal law that restricts the online collection of personal information from children under the age of 13. It requires operators of websites and online services that collect such information to provide clear notice to parents, obtain verifiable parental consent before collection, and give parents meaningful control over their child's data.

COPPA applies to Focii because the platform's core function involves recording browsing activity, visited URLs, page titles, search queries, and application usage on devices operated by students who may be under 13. Although Focii is controlled entirely by the parent account holder — not the child — the data collected is about the child's activity, which brings it within COPPA's scope.

This page explains how Focii is designed to operate within COPPA's requirements and what controls parents have over their child's data.

Focii is designed from the ground up as a parent-controlled product. The structural protections built into the platform are:

• Only adults (18+) can create a Focii account. Children cannot independently register, purchase a plan, or administer the service.
• Student profiles are sub-accounts created inside the parent's account. The parent defines the student's name, avatar, and access credentials.
• The parent installs a Focii browser extension on the student's device and, if using the Windows app locker, installs the Windows Companion. There is no self-install path for a child.
• All session data, browsing history, classification decisions, app inventory, and override requests collected from the student's device flow directly and exclusively into the parent's account.
• Students have no access to the Focii dashboard. They cannot view their own session history, classification scores, or any stored data.
• The parent is the sole decision-maker for what is blocked, what is allowed, and whether override requests are approved.

This structure means the parent is both the consenting party and the only person with access to the data collected about their child.

The following information is collected from or about a student when Focii is active on their device. All of it is accessible only to the linked parent account.

Profile data (created by the parent)

• Student display name and avatar image
• An optional email address, if the parent chooses to create login credentials for the student so they can authenticate into the Chrome extension
• A unique identifier (UUID) linking the student profile to the parent account

Browsing activity (collected by the Chrome extension during focus sessions)

• Every URL navigated to during an active focus session, along with the page title
• The classification decision for each URL: ALLOWED, BLOCKED, or AMBIGUOUS
• AI-generated scores per page: an academic relevance score (0–100), a distraction score (0–100), a content category, a confidence level, and a short reasoning string
• Search queries entered into Google, Bing, Yahoo, and DuckDuckGo during a session
• Override requests submitted by the student: the URL they requested access to, any justification text they typed, and the outcome (approved or denied by the parent)
• Session metadata: session ID, start time, end time, duration, and session status

Application data (collected by the Windows Companion, if installed)

• A full inventory of applications installed on the student's Windows device, sourced from the Windows registry and Start Menu. This is synced to the parent dashboard so the parent can create app-blocking rules.
• App lock enforcement events: which applications were blocked during a session and at what time
• Device registration data: a unique device ID, platform identifier, and last-seen timestamp

Content metadata (fetched to support AI classification)

• For YouTube URLs: video title, channel name, description, tags, and category — fetched via the YouTube Data API
• For Reddit URLs: subreddit name, post title, and post content (up to 800 characters) — fetched via Reddit's public API
• For unrecognised sites: page title and meta description

We do not collect the student's precise geolocation, biometric data, voice recordings, or any financial information. We do not track student activity outside of active Focii focus sessions.

COPPA requires that operators obtain verifiable parental consent before collecting personal information from children under 13. Focii's consent mechanism is structural: because only an adult parent can create an account and the parent must physically install the Chrome extension and Windows Companion on the student's device, the act of installation constitutes the parent's affirmative decision to enable data collection for that student.

By creating a student profile and installing Focii components on a student's device, the parent:

• Acknowledges they have read and accepted our Terms of Service and Privacy Policy
• Confirms they are the parent or legal guardian of the student being monitored
• Consents to the collection, processing, and storage of the student's browsing and application activity as described on this page and in our Privacy Policy
• Understands that session data will be processed by AI systems (OpenAI) and stored on Supabase-hosted infrastructure

If you are a parent who did not personally install Focii on a device your child uses, or if someone else set up a student profile for a child in your care without your knowledge, please contact us immediately at legal@focii.app so we can assist you.

As the parent account holder, you have full control over all data associated with your child's student profile. You can exercise the following rights at any time:

Review

All session history, browsing activity, classification decisions, app lock events, override requests, and AI-generated reports for your child are visible in your Focii dashboard. There is no student data stored that is not accessible to you through the dashboard.

Correct

You can update the student's display name, avatar, and login credentials at any time from the student profile settings in your dashboard.

Delete

You can delete a student profile — and all session data, browsing records, app inventory, and events associated with it — directly from your dashboard. You can also request deletion by contacting us at legal@focii.app. Upon account deletion, all student data is permanently purged within 30 days in accordance with our Privacy Policy.

Stop collection immediately

Uninstalling the Chrome extension from the student's browser immediately stops all browsing activity collection. Uninstalling the Windows Companion stops all app inventory sync and app blocking. Both can be uninstalled without affecting your dashboard account or historical data.

To operate Focii we use the following third-party services that may process student-related data. We do not allow any of these providers to use student data for their own advertising, profiling, or purposes beyond delivering the service to us.

Supabase

All student profile data, session records, browsing events, app inventory, and override requests are stored in our Supabase-hosted PostgreSQL database. Supabase processes this data as a data processor under our instructions. Row-Level Security policies ensure that a parent account can only access data belonging to their own students.

OpenAI

When a student navigates to an unrecognised website during a session, the extension sends the URL and available page metadata (title, description, and for YouTube/Reddit: content metadata) to the authenticated Focii classification endpoint, which requests a result from OpenAI's GPT-4o-mini model. OpenAI returns a classification result; it does not store or use this data to train its models under the API data usage terms we operate under. Session summary reports sent to OpenAI contain only aggregated statistics (counts, scores, domain names) — not raw URLs or page content.

In Firefox private windows, page analysis remains local to the extension. Private URLs and page metadata are not submitted to Focii or OpenAI for classification and are not written to decision log tables.

Resend

Weekly digest emails sent to parents may contain AI-generated summaries of their child's session activity. These emails are delivered via Resend. Resend processes the parent's email address and email content as a data processor.

Vercel

The Focii dashboard is hosted on Vercel. Vercel may retain edge function invocation logs for a short period as part of normal infrastructure operation.

YouTube Data API (Google) and Reddit

When classifying content in normal browsing windows, the extension may collect rendered YouTube metadata, use YouTube's public oEmbed response for a missing title, or obtain public Reddit metadata. These lookups use a URL or content identifier only. We do not send student identifiers to YouTube or Reddit.

The following practices are explicitly not part of how Focii operates:

• We do not sell student data to any third party
• We do not use student activity data for advertising or behavioural profiling
• We do not collect student data outside of active focus sessions — the extension does not run in the background when no session is in progress
• We do not allow students to interact with third-party advertising, social login, or tracking systems through the Focii platform
• We do not use analytics services, third-party tracking pixels, or fingerprinting on the dashboard
• We do not share student data with schools, employers, or any party other than the linked parent account and the sub-processors listed above
• We do not condition participation in the service on a student disclosing more personal information than is necessary to operate the platform

Student data is retained for as long as the parent account remains active and the student profile exists within it. Parents can delete individual student profiles at any time, which removes all associated session and activity data.

When a parent account is closed or a student profile is deleted, all associated personal data — including session records, browsing events, app inventory, and override requests — is permanently deleted within 30 days.

Domain-level classification cache entries (which record only that a domain was classified, not which student visited it) may be retained longer as they contain no personally identifiable information.

We apply the following technical measures to protect student data:

• All data in transit is encrypted using TLS
• Supabase Row-Level Security ensures each parent can only query data belonging to their own student profiles
• Authentication tokens used by Focii browser extensions are stored in extension-local storage, which is isolated from websites the student visits
• The Windows Companion communicates with the Chrome extension over a local Native Messaging pipe — this is not a network-accessible connection
• The parent dashboard uses HttpOnly, Secure cookies for authentication — session tokens are not accessible to client-side JavaScript
• Student login credentials for the extension are created and managed exclusively by the parent

If you are a parent or guardian with questions about how we handle your child's data, wish to review or delete data associated with a student profile, or believe we have inadvertently collected information from a child without proper parental consent, please contact us:

• Email: legal@focii.app
• Legal entity: Samantha Manono, trading as Focii.

We will respond to verifiable parental requests within 30 days. Requests for data deletion will be acted upon as described in Section 5 of this page and Section 10 of our Privacy Policy.