Privacy Policy

This is the formal privacy policy. For a plain-English walkthrough of how we handle children's data end-to-end, see our children's-data methodology.

Version 1.0.0 · Effective April 15, 2026

Royal Academy ("we", "us", "Royal Academy") is a subscription learning platform operated by Benmore Studio, LLC. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have. Royal Academy is designed to be used by children under 13 with parental consent, so much of this policy is written with the U.S. Children's Online Privacy Protection Act (COPPA) — as amended by the Federal Trade Commission in its 2025 final rule — in mind.

This document has been drafted in plain English and reviewed against the 2025 amended COPPA Rule. It is not legal advice and should be reviewed by qualified counsel before reliance.

1. Who we are

Royal Academy is operated by Benmore Studio, LLC. We're the "operator" of this service under COPPA terminology. If you have questions about how we handle your child's information, the fastest way to reach a human is [email protected].

2. What we collect

We collect three categories of information.

2.1 Information parents provide

  • Your name and email address when you create a parent account.
  • Billing information (processed by Stripe — see section 6). We do not store your card number on our servers.
  • Any children you add to your account — their first name, date of birth (used to pick age-appropriate content), optional last name, and optional profile picture.

2.2 Information we collect automatically from children

  • Learning activity: which lessons they start and finish, quiz scores, time spent, achievements earned.
  • Lesson responses: the buttons they press during interactive activities.
  • Voice recordings: only if a parent has specifically opted in (see section 5). These are treated as biometric information.
  • Basic technical data: IP address and browser user-agent — captured only in our consent audit log to prove consent was legitimate, and used nowhere else.

2.3 What we don't collect

We do not collect: geolocation (precise or approximate beyond general country), contacts, microphone/camera input outside of consented audio moments, advertising identifiers, government IDs, phone numbers, or children's email addresses (student accounts have no email field).

3. How we use the information

We use the information we collect to:

  • Deliver lessons, record progress, and give parents a view of how their child is doing.
  • Select age-appropriate content based on the child's date of birth.
  • Process subscription payments (parent data only; no child data passes to Stripe).
  • Send you service-related email — password resets, subscription notifications. We do not send marketing emails to parents, and we never send email directly to children.
  • Prove consent was obtained, and demonstrate compliance if we're audited.
  • Keep the service running and secure (fixing bugs, blocking abuse).

We do not use any of this information to profile children, target ads, or build marketing audiences — ours or anyone else's.

4. Children's data & COPPA

Royal Academy is directed to children under 13. Children cannot create accounts themselves; their accounts are created by a parent or legal guardian who provides verifiable parental consent first.

Under the FTC's 2025 amendments to the COPPA Rule:

  • We use granular, separate consents for distinct categories of data collection (profile, learning progress, lesson responses, biometric data, and any future third-party disclosure). No single "I agree" button bundles them.
  • We display all required direct-notice information — what we collect, how we use it, who else sees it, and your right to review, correct, or delete — before consent is captured.
  • We maintain an append-only audit log of every consent action, including the IP and browser used and the exact version of this policy in effect.
  • We do not condition your child's use of the service on your consent to more data collection than is reasonably necessary to provide that service.
  • We do not retain personal information indefinitely — see retention (section 7).

5. Biometric data & BIPA

Some lessons include a moment where a child can record a voice answer. Voice recordings are biometric information under both the FTC's 2025 amended definition of personal information (16 CFR § 312.2) and the Illinois Biometric Information Privacy Act (740 ILCS 14).

We treat biometric collection as a separate, explicit, written consent, distinct from general consent to use the service:

  • The consent checkbox for audio is off by default.
  • When off, audio-interaction moments are filtered out of the lesson stream server-side — the child's browser never receives them, so there's no pause or broken UI.
  • When on, recordings are stored in a private object-storage bucket and served only via signed URLs that expire within 10 minutes.
  • We delete recordings from our storage when a parent revokes biometric consent, and we never sell or share them.
  • Our retention window for biometric data is 30 days after consent is withdrawn; see section 7.

6. When we share information

We share information only with the following categories of recipients, and only as described. We do not sell personal information.

6.1 Service providers (processors)

  • Stripe, Inc. — subscription billing. Receives parent name, parent email, and payment card details. No child data.
  • Resend (Privyr Pte. Ltd.) — transactional email to parents. Receives parent name, parent email, and the email body. No child data.
  • DigitalOcean, LLC — hosting, managed database, and private object storage. All application data lives on DigitalOcean infrastructure. Profile pictures, audio recordings, and data exports are stored privately with signed-URL access that expires in 10 minutes.
  • Sentry (Functional Software, Inc.) — production error reporting. Receives exception stack traces and request metadata only; PII scrubbing is enabled, so usernames, emails, and request bodies are excluded.
  • Cloudflare, Inc. — DNS and edge network. Sees standard network metadata only; no application data is cached at the edge.

6.2 Advertising, analytics, marketing

We do not share any child personal information with any third party for advertising, marketing, or analytics. There are no advertising SDKs, analytics pixels, or trackers on the children's experience. If this ever changes, we will obtain a separate, specific parental consent in advance — we will not rely on your prior general consent.

6.3 Legal

We may disclose information if required by valid legal process (subpoena, court order, regulatory request) or to protect the safety of a user or the public. We will challenge overbroad requests and will not disclose child data in response to requests that lack lawful basis.

6.4 Business transfers

If Royal Academy is acquired, merged, or transferred, your data may pass to the successor entity. In that event we will notify you by email and provide at least 30 days to export or delete data before the transfer takes effect.

7. How long we keep information

The 2025 COPPA amendments prohibit indefinite retention. We publish a specific retention period for each data category on our methodology page and enforce it with a nightly automated job. A summary:

  • Profile — kept while the account is active; deleted on request.
  • Learning progress & responses — deleted within 30–90 days of consent withdrawal or account closure.
  • Audio recordings — deleted within 30 days of consent withdrawal, or immediately when biometric consent specifically is revoked.
  • Consent audit log — retained 7 years, required to demonstrate compliance.
  • Data export files — auto-expire 48 hours after creation.

8. How we secure information

Our technical controls include:

  • HTTPS site-wide with HSTS (1-year max-age, preload-listed).
  • Argon2 password hashing with a 10-character minimum length.
  • Secure, HttpOnly cookies; CSRF protection on every mutating request.
  • Private object storage for sensitive files (audio, profile pictures, exports), served only via 10-minute signed URLs.
  • An append-only consent audit log enforced at the database model level (records cannot be updated or deleted).
  • Fail-closed consent middleware — every authenticated request re-checks consent; a withdrawal locks the child out on the very next click.

No system is perfectly secure. If we ever discover a breach affecting your child's personal information, we will notify you by email within the timelines required by applicable law.

9. Your rights

As a parent or guardian, you have the right to:

  • Review the information we hold about your child — available in the Parent Hub at any time.
  • Correct any inaccurate information — edit the child's profile directly from the Parent Hub.
  • Export the data in a portable format — one-click ZIP containing profile, progress, responses, consent history, and audio recordings.
  • Delete a specific child's data, or your entire account and all children associated with it. Deletion is permanent and processed immediately.
  • Withdraw consent at any time — either all consent (locks the child out, triggers retention-window deletion) or biometric consent only (deletes existing recordings, skips future audio moments).
  • Refuse any further collection without affecting information already collected.

All of these are built into the product — you don't need to email us to exercise them, although we're happy to help if something isn't working.

10. Cookies & tracking

We use a minimal set of cookies, all strictly necessary for the service to function:

  • A session cookie so you stay logged in across pages.
  • A CSRF token cookie to prevent cross-site request forgery.
  • Optionally, a "remember me" cookie on the login page if you opt in.

We do not set any advertising, analytics, or cross-site-tracking cookies. We do not use browser fingerprinting. Children's accounts do not have "remember me" functionality available.

11. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act gives you additional rights to know, delete, correct, and opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information. Because we do not sell or share personal information for cross-context behavioral advertising and do not use sensitive personal information for any purpose beyond providing the service, most of these rights produce a null result — but you can exercise any of them using the tools in your Parent Hub or by emailing [email protected].

12. International users

Royal Academy is operated from the United States and data is stored and processed on infrastructure located in the United States. If you use the service from outside the U.S., your information will be transferred to and processed in the U.S. We comply with COPPA regardless of the user's geographic location, because children everywhere deserve the same protections.

13. Changes to this policy

If we materially change this Privacy Policy, the policy version number (shown at the top of this page) will be incremented. The next time your child logs in after a version change, they will be redirected to a "waiting for a grown-up" page and you will be asked to review and re-consent to the updated policy. We do not silently migrate prior consent across material changes.

Minor, non-material updates (fixing typos, clarifying language without changing our actual practices) may be made without bumping the version number but will still be recorded in our internal change log.

14. Contact

Privacy questions, requests, or complaints: [email protected].

General support: [email protected].

You may also file a complaint about COPPA compliance with the U.S. Federal Trade Commission at reportfraud.ftc.gov. For BIPA-specific concerns, the Illinois Attorney General accepts biometric-privacy complaints.
