Child-Data Notice

This is a direct notice to parents of a child whose information would be recorded in Cohara during the invitation-only trusted-family pilot. Cohara handles parent-provided child information with the protections required of “personal information” under 16 CFR Part 312, the COPPA Rule.

Regulatory anchor: 16 CFR §312.4(b) — Direct notice to parents.

A. What this notice is

This is a direct notice to the parent or legal guardian (the “parent”) about Cohara's handling of information about the child the parent is adding to a Cohara family-context workspace.

This notice does NOT itself collect information about the child. The parent will be asked to confirm consent on a separate onboarding step before any child-attributed information is recorded.

B. Whether Cohara has collected parent or child online contact information

• Parent online contact information: Yes. Cohara collects the parent's email address (and, if the parent opts into SMS, the parent's phone number) at signup / onboarding. The parent supplies this information directly.
• Child online contact information: No. Cohara does not collect any child contact information. Children do not have accounts. Children do not have email addresses or phone numbers on file with Cohara.

C. Parental consent is required; what happens if you withhold it

Cohara will not record any information the parent attributes to a child in the family-context workspace unless the parent provides parental consent on the onboarding step. If the parent withholds consent:

• The parent may still use Cohara without recording child-attributed information (parent-only mode), provided the parent does not later add child-attributed entries.
• If the parent does not consent and no child-attributed entries are added, Cohara will delete the parent's account information per the §312.5(c)(1) exception (collected solely to obtain consent), if consent is not provided within a reasonable timeframe.

D. Specific information about the child Cohara may collect

If the parent provides consent, Cohara may record the following parent-provided information about a child, only to the extent the parent enters it. Categories are stored in the children table:

1. The child's first name (children.first_name; required).
2. The child's last name (children.last_name; optional — collected only if the parent enters it).
3. The child's grade and grade band (children.grade, children.grade_band).
4. The child's birthdate (children.birthdate; optional).
5. The child's pronouns (children.pronouns; optional).
6. The child's school name, school type, classes, activities (children.school_name, children.school_type).
7. Parent-narrated attributes: strengths, interests, support needs, school-support status (children.strengths, children.interests, children.support_needs, children.school_support_status).
8. Parent observations and notes about the child (children.notes).
9. Avatar choice — color, optional image URL (children.color, children.avatar_url).
10. Schedules, calendar events, and tasks the parent associates with the child (schedule_events.child_ids, tasks.related_child_id, including event titles + descriptions + notes + locations).
11. Parent-uploaded child documents (artifacts.file_url, with child_id foreign key) — for example, IEPs, 504 plans, school reports, or related parent-uploaded materials. These uploaded documents are extracted via Anthropic's Claude model; see §F (Disclosure to third parties) and the AI / Vendor Disclosure.
12. Parent observations and AI-co-created plans, hypotheses, and scripts attributed to the child (plans.bottleneck_hypothesis, plans.assumptions, plans.safety_flags, plans.escalation_guidance, plans.script_*). These are AI inferences based on parent-recorded context; the parent reviews and accepts or rejects each plan.

Cohara does not record any child contact information (no child email, no child phone, no child home address) and does not record any child-supplied content (children do not interact with Cohara directly).

Cohara does not intentionally record biometric identifiers, voice recordings, or facial-recognition data from a child.

E. How Cohara uses the information

The parent-provided information about a child is used only to:

1. Power the parent's family-context workspace and Action Plan features.
2. Generate the morning brief and in-app brief content for the parent.
3. Surface relevant calendar events and tasks to the parent.
4. Enable a co-parent the parent has invited to participate in the same family-context workspace.
5. Provide reasonable security and audit logging.

Cohara does not use the information for behavioral advertising, profiling, or any purpose unrelated to the parent's stated use. Cohara does not sell the information.

F. Disclosure to third parties

Cohara discloses information to operational service providers as described in §6 of the Privacy Policy:

• Anthropic receives family-context summaries to power AI-co-created suggestions.
• Vercel provides hosting and serverless runtime; receives request logs (no body content unless explicitly logged).
• Supabase stores the parent's workspace data; per-family row-level security isolates each family.
• Twilio receives SMS dispatch payloads for parents who have opted in to the Cohara morning brief.
• Resend sends operational emails (invite emails, deletion alerts).
• Google (if the parent enables calendar integration) is the source of calendar event data the parent has granted Cohara permission to read.

Each processor's role is limited to what is reasonably necessary to operate the trusted-family pilot. Cohara does not disclose to advertisers, data brokers, or any party for behavioral profiling.

G. Parental consent path

For the trusted-family pilot, Cohara's parental consent path is:

• The parent must have received a signup invite issued directly by the Cohara operator (jr@cohara.ai). The operator-issued invite establishes the parent's identity before any signup token is accepted.
• On the onboarding consent step, the parent must explicitly check each consent acknowledgment (Terms / Privacy / Pilot Agreement / SMS-if-applicable / child-data) before the workspace is created.
• Cohara records per-version consent (with IP + user-agent + timestamp + document_version) in consent_records and sms_consent_records.

H. Parent's right to review, refuse, and delete

At any time, the parent may:

1. Review the categories of information Cohara has collected about the child (§312.6).
2. Refuse Cohara's further use or collection of the child's information.
3. Direct Cohara to delete the child's information.

How to exercise: email jr@cohara.ai from the email address on the family account. Cohara will verify the requestor is a parent on the family account in a manner reasonably designed not to be unduly burdensome.

If the parent refuses further collection or requests deletion, Cohara may discontinue service for the affected family-context workspace, subject to §312.7 (Cohara cannot condition a child's participation in any “activity” on disclosing more information than reasonably necessary).

I. Data minimization

Cohara collects only the parent-provided child information that is reasonably necessary for the family-organizing feature the parent is using. The parent decides what to record. The parent may delete child-attributed entries at any time without deleting the rest of the workspace.

J. Retention

Child-attributed information is retained only while reasonably necessary for the parent's stated use. When the parent withdraws or deletes the family-context workspace, child-attributed information is deleted on the operator-executed deletion path. See §8 of the Privacy Policy for the retention schedule and deletion path.

Per 16 CFR §312.10, Cohara maintains a written data-retention policy. The retention schedule is published in §8 of the Privacy Policy.

K. Security

Cohara maintains a written information security program (WISP) per 16 CFR §312.8. Components: designated security coordinator (Justin Roberts), annual risk assessment, per-family row-level security, service-role compartmentalization, audit logging, env-var fail-closed dispatch gates, signature-verified Twilio inbound webhooks. Full security disclosure is in §9 of the Privacy Policy.

L. Contact

Email: jr@cohara.ai. Operator: Cohara AI Inc., 1300 Grant Ave #204, Novato, CA 94945, United States.