For Parents

Legal

Privacy Policy

Effective: March 28, 2026  ·  Operator: Persistence of Vision Previs, LLC ·  Contact: info@persistenceofvision.com

ZAFARI and ZAFARI Trek are operated by Persistence of Vision Previs, LLC ("we," "us," or "our"). We take the privacy of children and families seriously. This policy explains what data we collect, why, how long we keep it, and your rights — written in plain language, not legalese.

1. Who This Policy Covers

This policy applies to all visitors to zafari.com and all users of ZAFARI Trek, including parents, guardians, and the children whose progress is tracked on the platform. We operate under US federal law (COPPA), European Union law (GDPR), and California law (CCPA/CPRA), among others.

2. Children Under 13 — COPPA Compliance

ZAFARI Trek is designed for children aged 3–8. All children using the platform are under 13. We therefore comply fully with the Children's Online Privacy Protection Act (COPPA) and the FTC's 2026 updated rules.

Verifiable Parental Consent (VPC)

We do not collect any personal data about a child until a parent or guardian has given verifiable parental consent. On ZAFARI Trek, VPC is established through a credit card transaction at subscription signup — an FTC-approved high-assurance verification method. No child data is collected before this transaction is completed.

What we collect about your child

  • A first name or nickname (optional — your child can be completely anonymous)
  • Age group: Seedlings (3–4), Explorers (5–6), or Adventurers (7–8)
  • A chosen character avatar
  • Which lessons have been completed and the score (0–3 questions)
  • XP points earned and any badges collected

What we never collect about your child

  • Real full name
  • Location data or GPS coordinates
  • Device identifiers, IP addresses tied to the child, or browser fingerprints
  • Photographs, voice recordings, or video
  • Behavioral tracking data or click-path analytics
  • Any information used for advertising or profiling

Parent rights under COPPA (and COPPA 2.0)

  • Access / Review: You may review all personal information we have collected about your child at any time by logging into your dashboard and using the "Download my data" button.
  • Correct: You may update your child's display name at any time using the "Edit child name" button in your dashboard. This satisfies the right-to-correct introduced in COPPA 2.0.
  • Delete: You may permanently delete all of your child's data at any time using the "Delete all progress data" button in your dashboard. Deletion is immediate and irreversible.
  • Withdraw consent: You may withdraw parental consent at any time by deleting your child's data and canceling your subscription. Email us at info@persistenceofvision.com if you need assistance.
  • Refuse further collection: You may refuse to allow us to collect further information by deleting your account.

3. Teens Aged 13–16 — COPPA 2.0 & GDPR

COPPA 2.0 (proposed) and the EU's GDPR both provide enhanced protections for teens aged 13–16. We apply these protections proactively, regardless of whether COPPA 2.0 has been enacted:

  • Teen opt-in consent: During account setup, parents confirm that the teen has reviewed and affirmatively agreed to the collection and use of their data. This satisfies COPPA 2.0's opt-in consent requirement for teens 13–16.
  • No targeted advertising: We will never use a teen's data for individual-specific advertising, profiling, or behavioral analysis. This is an absolute prohibition with no exceptions.
  • Data minimization: We collect only the minimum data consistent with providing the educational service — a display name (optional) and lesson completion records.
  • Teen's own delete right: The teen (or their parent) may request deletion of their own data by contacting us at info@persistenceofvision.com or using the parent dashboard.
  • EU / GDPR: The age of digital consent is 16 in most EU member states. We apply parental consent requirements to all users under 16 regardless of location.

3A. COPPA 2.0 — Additional Protections We Apply

The Children and Teens' Online Privacy Protection Act 2.0 (COPPA 2.0) passed the US Senate but had not yet been enacted as of the effective date of this policy. We apply its core protections proactively:

No individual-specific advertising

We do not serve any advertising on ZAFARI Trek, and we do not share child or teen data with advertising networks, data brokers, or any third party for commercial targeting purposes. This is an absolute prohibition — there are no opt-out or consent exceptions.

Data minimization

We collect only information that is consistent with the context of providing an educational platform: a parent email address (required for auth), a child display name (optional), age group, and lesson completion records. We do not collect location data, biometric information of any kind, behavioral profiles, or persistent device identifiers tied to a child.

Expanded biometric and identifier exclusions

Under COPPA 2.0's expanded definition, "personal information" includes geolocation data, biometric identifiers (any biological or behavioral trait, whether or not individually identifiable), and persistent identifiers such as IP addresses and cookies when used to recognize a user over time. We collect none of these from children or teens.

International data transfer restrictions

COPPA 2.0 prohibits storing or transferring children's personal data in or to North Korea, China, Russia, Iran, or other designated countries. All of our sub-processors are headquartered in the United States and store data on US or EU-based infrastructure:

  • Supabase — database, US-based (AWS us-east-1)
  • Stripe — payments, US-based
  • Vercel — hosting, US-based
  • Resend — transactional email, US-based

No child or teen data is stored in, transferred to, or accessible from any country on the COPPA 2.0 restricted list.

4. Data We Collect from Parents & Guardians

DataWhy we collect itLegal basis
Email addressAccount login, transactional emails (receipts, alerts)Contract (GDPR Art. 6(1)(b)); COPPA VPC
Password (hashed)Account authenticationContract
Payment infoSubscription billing; serves as Verifiable Parental ConsentContract; COPPA VPC
Consent timestampCompliance record of when parental consent was givenLegal obligation (COPPA, GDPR Art. 6(1)(c))

Payment information is processed and stored by Stripe. We never store raw card numbers in our database. We store only the Stripe Customer ID (a non-sensitive reference).

5. Cookies & Local Storage

We use a single session cookie managed by Supabase to keep you logged in. We do not use advertising cookies, tracking pixels, or third-party analytics cookies on any page where children's learning content is served.

On the public marketing site (zafari.com), we use a minimal first-party cookie consent preference stored in localStorage. No data from this preference is shared with third parties.

6. Data Retention & Automatic Deletion

We retain parent account data for as long as the account is active. We retain child progress data (lesson completions, XP, badges) according to the following rules:

  • Active accounts: Data is retained for the duration of the subscription.
  • Inactivity purge: If a child's account shows no lesson activity for 12 consecutive months, all of that child's progress data is automatically and permanently deleted from our production database. Parents are not required to take any action — this happens automatically.
  • Manual deletion: You can delete all data at any time from your dashboard, regardless of the inactivity window.
  • Account deletion: Deleting your parent account permanently deletes all associated child profiles, progress data, and rewards. This is immediate and irreversible.

7. No Targeted Advertising to Children

We do not serve targeted advertising of any kind on ZAFARI Trek. We do not build advertising profiles of children or teens. We do not share child data with advertisers, data brokers, or marketing platforms. This is a hard line — not a policy we will change.

The XP and badge system is designed to reward learning progress. It is not used to "nudge" data sharing, extend screen time beyond educational goals, or generate engagement metrics for advertising purposes.

8. Sub-Processors & Third Parties

We use the following third-party services that may process personal data on our behalf. Each has signed a Data Processing Agreement (DPA) with us:

VendorPurposeData transferredLocation
Supabase (Supabase Inc.)Database & authentication hostingParent email, child progress dataUS (AWS us-east-1)
Stripe (Stripe, Inc.)Payment processing & subscription billingParent email, payment methodUS / EU
Vercel (Vercel Inc.)Website hosting & serverless functionsRequest logs (ephemeral, no child PII)US / Global CDN
Resend (Resend Inc.)Transactional email (receipts, alerts)Parent email addressUS

We do not use Google Analytics, Meta Pixel, or any behavioral analytics platform on ZAFARI Trek pages.

9. International Data Transfers

Our infrastructure is based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data is transferred to the US under the EU–US Data Privacy Framework and Standard Contractual Clauses (SCCs), which our sub-processors have adopted.

10. Your Rights Under GDPR (EU/EEA Users)

If you are in the EU/EEA, you have the following rights:

  • Access (Art. 15): Request a copy of all data we hold about you and your child. Use the "Download data" button in your dashboard.
  • Rectification (Art. 16): Correct inaccurate data by updating your profile or contacting us.
  • Erasure (Art. 17): Delete all data using the "Delete all progress data" button or by deleting your account. Requests are fulfilled immediately.
  • Portability (Art. 20): Download your data in machine-readable JSON format from your dashboard.
  • Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Object (Art. 21): Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw parental consent at any time — see Section 2.

To exercise any right, email info@persistenceofvision.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

11. California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know: Request disclosure of categories and specific pieces of personal information we collect.
  • Right to delete: Request deletion of your personal information (and your child's), subject to certain exceptions.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt out of sale: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising any of these rights.

To submit a CCPA request, email info@persistenceofvision.com with the subject line "California Privacy Request."

12. Security

All data is encrypted in transit using TLS 1.2+. Data at rest is encrypted using AES-256 by our hosting provider (Supabase/AWS). We use Row Level Security (RLS) in our database, ensuring that parents can only access their own family's data — no account can see another's records. We conduct security reviews annually.

13. Contact & DPO

For any privacy question, data request, or COPPA/GDPR concern, contact us at:

Persistence of Vision Previs, LLC
Privacy Inquiries
info@persistenceofvision.com

We aim to respond to all privacy requests within 30 days.

14. Changes to This Policy

If we make material changes to this policy, we will notify parents by email at least 30 days before the changes take effect. We will also update the effective date at the top of this page. Continued use of ZAFARI Trek after changes take effect constitutes acceptance of the revised policy.

← Back to ZAFARITerms of Service · Do Not Sell or Share · Last updated: March 28, 2026