FFEAI Young Developer

Draft — pending legal review. This document is not yet effective and may change before launch.

EAI Young Developer · Cookies and Tracking Technologies Notice

Status: Draft v1.0 (initial publication-ready draft) · pending external counsel review Effective Date: [TBD upon launch] Last Updated: 2026-05-29 Version: v1.0 (Initial publication-ready draft, pending external counsel review) Operator: [FF US Subsidiary Legal Entity Name] ("EAI Young Developer," "we," "us," or "our") Service: EAI Young Developer at eai-kids.com (the "Platform") Contact: privacy@eai-kids.com · [Mailing Address]

§1. Introduction and Stance Summary

This Cookies and Tracking Technologies Notice (the "Notice") explains what cookies, local storage, session storage, and similar technologies the Platform uses, why we use them, and how you (or, for users under 18, the user's parent or legal guardian) can control them.

Our stance, in plain terms:

EAI Young Developer is a zero-commerce learning environment for K-12 children, youth, parents, teachers, and community contributors. We have built our cookie and tracking practices to match that mission. Specifically:

  • We use cookies that are strictly necessary for the Service to function (such as keeping you logged in, protecting against cross-site request forgery, and remembering your age band for our system-wide age gate).
  • We use a small set of functional cookies to remember your display preferences (such as theme, font size, and reduced motion).
  • We use a small set of first-party analytics cookies, processed by analytics software we operate ourselves on our own infrastructure, to measure aggregate page views and Core Web Vitals. No third-party analytics SaaS vendor receives data about our users.

What we do NOT do:

  • We do not run behavioral advertising, retargeting, or interest-based advertising.
  • We do not embed third-party advertising SDKs (no Google AdSense, no Meta Pixel, no TikTok Pixel, no DoubleClick).
  • We do not embed third-party analytics SaaS (no Google Analytics, no Mixpanel, no Amplitude, no Hotjar, no FullStory).
  • We do not use persistent identifiers to track users across unaffiliated websites or services.
  • We do not use browser or device fingerprinting.
  • We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA").

This Notice supplements, and should be read together with, our Privacy Policy (which describes the full scope of personal information we collect, use, and disclose) and our COPPA Direct Notice (which describes our practices for users under 13).

§2. What Are Cookies and Similar Technologies

Cookies are small text files that a website places on your browser or device when you visit it. Cookies allow the site to recognize your browser on subsequent visits, remember preferences, and keep you logged in.

  • First-party cookies are set by the website you are visiting (here, eai-kids.com and its subdomains).
  • Third-party cookies are set by domains other than the one you are visiting. The Platform does not use third-party cookies for advertising, profiling, or cross-site tracking.
  • Session cookies are deleted when you close your browser.
  • Persistent cookies remain on your device for a defined period or until you delete them.

Local storage and session storage are browser features (part of the Web Storage API) that allow a website to store data on your device. They function similarly to cookies for many purposes, and we treat them under the same rules as cookies for the purposes of this Notice.

Fingerprinting refers to techniques that combine details about your browser, device, fonts, screen resolution, time zone, and other signals to create a quasi-unique identifier — even when you have blocked cookies. The Platform does not use fingerprinting techniques for tracking, profiling, or identification purposes.

Persistent identifiers (as defined under the U.S. Children's Online Privacy Protection Act Rule at 16 C.F.R. § 312.2 — "a customer number held in a cookie, an Internet Protocol address, a processor or device serial number, or unique device identifier") are treated as personal information of children under the COPPA Rule when they can be used to recognize a user over time and across different services. The Platform's use of persistent identifiers is limited to first-party operational purposes described in this Notice; we do not use persistent identifiers to track child users across unaffiliated services.

§3. Strictly Necessary Cookies

These cookies are required for the Platform to function. They cannot be disabled through our consent banner, because turning them off would prevent the Service from working (for example, you would not be able to log in or stay logged in). They are all first-party cookies, set by eai-kids.com or its subdomains.

Cookie Name Purpose Retention Scope
eaikids_session Session token that keeps you logged in. Marked HttpOnly, Secure, SameSite=Strict. Session (deleted when browser closes or on logout) First-party
eaikids_csrftoken Protects against cross-site request forgery attacks by binding form submissions to your session. Session First-party
eaikids_lang Stores your display language preference so the interface loads in the correct language. 12 months First-party
eaikids_age_band Stores the age band determined by our age gate (5–7, 8–12, 13–17, or 18+). Used to enforce age-appropriate features, default privacy settings, and parental-consent flows on a system-wide basis. Immutable for 24 months to prevent users from cycling through the age gate to lower their declared age — a practice we adopted in light of the U.S. Federal Trade Commission's 2023 enforcement action against Microsoft Xbox (US$20M civil penalty), which highlighted weaknesses in age-gate stickiness across the industry. Note: verifiable parental consent is required for all three minor bands (5–7, 8–12, and 13–17). 24 months (immutable; see §10 for parental override) First-party
eaikids_consent Records your choices on the cookie consent banner (accept / reject / per-category preferences). Allows us to honor your choice on subsequent visits. 12 months First-party

We rely on the lawful basis of "strictly necessary" for these cookies under the ePrivacy Directive (Directive 2002/58/EC, as transposed into national law in the EEA and UK), and they are within the COPPA "support for the internal operations of the Web site or online service" exception at 16 C.F.R. § 312.5(c)(7) where they involve a persistent identifier of a child user.

§4. Functional Cookies (User-Controllable)

These cookies remember your preferences so that the Platform behaves the way you like. They are not required for the Service to function, but turning them off will reset your preferences each time you visit. All are first-party.

Cookie Name Purpose Retention Scope How to Disable
eaikids_theme Remembers your selected display theme (light / dark / system / high-contrast). 12 months First-party Account Settings → Preferences; or clear in browser
eaikids_fontsize Remembers your accessibility font-size preference. 12 months First-party Account Settings → Accessibility; or clear in browser
eaikids_reducemotion Remembers your "reduce motion" accessibility preference. 12 months First-party Account Settings → Accessibility; or clear in browser
eaikids_avatar_pref Stores your selected preset avatar (we offer preset avatars only — no user-uploaded photos for minor accounts). 12 months First-party Account Settings → Profile; or clear in browser
eaikids_editor_prefs Remembers your editor layout, block-palette state, and recently used blocks in the Skills editor. 12 months First-party Account Settings → Editor; or clear in browser

In the EEA, UK, and other jurisdictions that require informed consent for non-strictly-necessary cookies, these functional cookies are set only after you have given consent through the cookie banner described in §7.

§5. Analytics Cookies (Self-Hosted, Non-Profiling)

We measure how the Platform is used so we can keep it fast, fix problems, and decide what to improve. To do this in a way that respects child users, we operate our own analytics software on our own infrastructure (using a self-hosted deployment of a privacy-respecting analytics tool such as Plausible, Umami, or PostHog in self-hosted mode). No third-party analytics SaaS vendor receives data about any user of the Platform, child or otherwise.

Our analytics are designed around four principles:

  1. Aggregate, not individual. We measure aggregate page views, aggregate Core Web Vitals, and aggregate feature usage. We do not build per-user behavior profiles.
  2. No cross-session linking for child users. The analytics identifier for any visitor rotates daily and cannot be used to stitch sessions together across days.
  3. Default-off for minor accounts when a parent opts out. A parent can disable analytics for a minor account at any time through the parental dashboard described in our COPPA Direct Notice. When disabled, no analytics cookies are set on that account's sessions.
  4. No sharing with third parties. Analytics data is processed only on our infrastructure. We do not export it, sell it, or share it with advertising or data-brokerage partners.
Cookie Name Purpose Retention Scope
eaikids_analytics_id A rotating identifier used to deduplicate page views and approximate unique visitor counts. Rotated daily; cannot be used to link sessions across days. 24 hours First-party
eaikids_page_perf Collects sampled Core Web Vitals measurements (Largest Contentful Paint, Interaction to Next Paint, Cumulative Layout Shift) to detect performance regressions. 7 days First-party

To the extent our analytics processing of child users involves a persistent identifier, that processing is conducted within the COPPA "support for the internal operations of the Web site or online service" exception at 16 C.F.R. § 312.5(c)(7), and the resulting data is not used to contact a specific individual, to amass a profile on a specific individual, or for any other purpose outside of that exception. Performance and reliability telemetry that does not involve personal information of children is processed as ordinary operational data.

In jurisdictions that require consent for analytics cookies (including the EEA and UK), the analytics cookies above are set only after you have given consent through the cookie banner described in §7.

§6. Tracking Technologies We Do NOT Use

For transparency and as a deliberate product commitment, we list here what the Platform does not use. If you discover anything on the Platform that contradicts this list, please contact us immediately at privacy@eai-kids.com — we will treat it as a serious incident.

  • Third-party advertising SDKs and pixels — including but not limited to Google AdSense, Google Ads conversion tags, DoubleClick, Meta (Facebook / Instagram) Pixel, TikTok Pixel, Snap Pixel, X/Twitter Pixel, Pinterest Tag, LinkedIn Insight Tag, Microsoft Advertising UET, Criteo, The Trade Desk.
  • Behavioral advertising cookies — no cookies are set for the purpose of building an advertising profile, targeting ads, retargeting users across the web, or measuring ad performance.
  • Cross-context behavioral tracking — we do not track users across unaffiliated websites, services, or contexts as "cross-context behavioral advertising" is defined under CCPA/CPRA.
  • Third-party SaaS analytics — no Google Analytics (any version, including GA4 and Universal Analytics), no Mixpanel, no Amplitude, no Heap, no Adobe Analytics.
  • Session-replay and heatmap tools — no FullStory, no Hotjar, no LogRocket, no Microsoft Clarity, no Smartlook.
  • Browser or device fingerprinting — we do not combine browser, device, font, canvas, audio, or other signals to construct a fingerprint identifier.
  • Persistent identifiers used for cross-site profiling of children — see the U.S. Federal Trade Commission's 2019 enforcement action against YouTube and Google (US$170M civil penalty), which centered on the use of persistent identifiers to serve targeted advertising to viewers of child-directed content. We have designed the Platform to make that category of practice structurally impossible: we do not run advertising, we do not embed third-party ad SDKs, and our first-party persistent identifiers are limited to the purposes disclosed in §3–§5.
  • Social-media tracking widgets — no embedded Facebook "Like" buttons, Twitter / X share widgets, or similar third-party social plugins that would set third-party cookies. Where we offer share functionality, it is implemented as a plain link that does not load third-party scripts.

§7. Cookie Consent Banner

When you visit the Platform for the first time (or after clearing your eaikids_consent cookie), we display a cookie consent banner that:

  • Does not pre-select "Accept All" and does not use dark patterns. "Accept" and "Reject" are presented with equal visual weight.
  • Offers, at minimum, the choices Accept, Reject (non-essential), and Manage Preferences (per-category granular control over Functional and Analytics categories).
  • Clearly states that Strictly Necessary cookies (§3) cannot be disabled and explains why.
  • Confirms that choosing Reject (non-essential) does not degrade the core learning experience: you can still author, run, save, and share Skills; you can still receive feedback from teachers and the community.

For minor accounts (ages 5–17), analytics cookies (§5) are additionally subject to the parental opt-out mechanism described in the COPPA Direct Notice and our Privacy Policy. When a parent has opted the minor account out of analytics, no analytics cookies are set regardless of the banner choice.

Your banner preferences are recorded in eaikids_consent (§3). You can change them at any time by:

  • Clicking the persistent "Cookie Preferences" link in the Platform footer; or
  • Visiting Account Settings → Privacy → Cookie Preferences.

For minor accounts, the Parent Email on file may exercise these controls through the parental dashboard.

§8. Global Privacy Control (GPC) and Do Not Track (DNT)

We honor the Global Privacy Control signal. When your browser or browser extension sends the Sec-GPC: 1 HTTP header to our servers, we treat that as a valid request to opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising under CCPA/CPRA, consistent with the California Attorney General's interpretation of California Civil Code § 1798.135 and the California Privacy Protection Agency's implementing regulations.

Because the Platform does not sell or share personal information in the first place, the practical effect of a GPC signal on the Platform is limited. Nonetheless, we record receipt of the signal, treat it as a privacy opt-out for any future use that might otherwise be in scope, and apply it uniformly across all age bands (including 18+ accounts).

We also honor the legacy DNT: 1 (Do Not Track) header as a fallback signal, treating it identically to GPC for our purposes. We acknowledge that DNT has been formally deprecated by major standards bodies and is no longer maintained, but we continue to recognize it for users who still send it.

Neither GPC nor DNT affects the Strictly Necessary cookies described in §3, which are required for the Service to operate.

§9. Jurisdictional Notes

This Notice is designed to meet a high baseline across multiple jurisdictions. Where local law provides users with stronger rights than this Notice describes, the local law applies.

United States — California (CCPA / CPRA). The Platform does not sell or share personal information for cross-context behavioral advertising. See the Privacy Policy for full CCPA/CPRA disclosures, including categories of personal information collected, purposes of use, and how to exercise rights to know, delete, correct, and limit. To submit an opt-out preference signal, send Sec-GPC: 1 from your browser; you may also submit a request through Account Settings → Privacy or by emailing privacy@eai-kids.com.

United States — COPPA. Our use of persistent identifiers in cookies that may constitute personal information of a child under 13 is limited to the "support for the internal operations" exception at 16 C.F.R. § 312.5(c)(7), or is conducted under verifiable parental consent as described in the COPPA Direct Notice. Verifiable Parental Consent is required for all minor users ages 5–17 on the Platform, not only those under 13.

European Economic Area and United Kingdom (ePrivacy Directive 2002/58/EC; UK PECR; GDPR / UK GDPR). Where the Platform is offered to users in the EEA or UK, Strictly Necessary cookies (§3) are set without consent on the legal basis of strict necessity for the service requested by the user. Functional cookies (§4) and Analytics cookies (§5) are set only after the user has given informed, freely given, specific, and unambiguous consent through the cookie banner described in §7. Consent can be withdrawn at any time through Account Settings → Privacy → Cookie Preferences with the same ease with which it was given.

Other jurisdictions. Where you reside in a jurisdiction with cookie or tracking-related law (for example, Brazil's LGPD, Canada's PIPEDA and provincial equivalents, Australia's Privacy Act, Singapore's PDPA, or China's PIPL where applicable), and that law sets a higher standard than this Notice, we will apply the higher standard.

v1 jurisdictional scope. Version 1.0 of the Platform is primarily directed to users in the United States. We make reasonable efforts to comply with the laws of other jurisdictions where users may access the Platform; consult the Privacy Policy for the full international-applicability statement.

§10. How to Control Cookies

You have multiple ways to control cookies on the Platform.

In-Platform controls (recommended).

  • Cookie banner. On first visit (or after clearing eaikids_consent), make your choice on the banner described in §7.
  • Footer link. Click "Cookie Preferences" in the Platform footer at any time to revisit and change your choices.
  • Account Settings. Visit Account Settings → Privacy → Cookie Preferences for granular per-category control.
  • Parental dashboard (for minor accounts). The registered Parent Email may exercise these controls on behalf of the minor account, including disabling Analytics cookies entirely for that account. See the COPPA Direct Notice.

Browser-level controls. All major browsers allow you to view, manage, block, and delete cookies. Refer to your browser's official help pages for current instructions:

  • Google Chrome — Settings → Privacy and security → Cookies and other site data
  • Mozilla Firefox — Settings → Privacy & Security → Cookies and Site Data
  • Apple Safari — Settings → Privacy → Manage Website Data (macOS); Settings → Safari → Privacy & Security (iOS)
  • Microsoft Edge — Settings → Cookies and site permissions → Manage and delete cookies and site data
  • Brave, Opera, Vivaldi, and other Chromium-based browsers — see each browser's documentation

Effect of blocking cookies.

  • If you block Strictly Necessary cookies (§3), the Platform may not function correctly. You may be unable to log in, may be logged out unexpectedly, may encounter security errors (such as repeated CSRF failures), and may bypass age-band protections in ways that prevent us from delivering age-appropriate experiences.
  • If you block Functional cookies (§4), your preferences will not be remembered between sessions.
  • If you block Analytics cookies (§5), aggregate measurement of Platform usage may be slightly less complete; no aspect of your individual experience changes.

Overriding the immutable age-band cookie. The 24-month eaikids_age_band cookie (§3) is designed to be immutable from the user side to prevent age-gate cycling. A parent of a minor account may request a correction (for example, if the wrong age was entered during registration) by contacting privacy@eai-kids.com from the verified Parent Email. We will verify the request consistent with the procedures in the COPPA Direct Notice before applying the correction.

§11. Changes to This Notice

We may update this Notice from time to time to reflect changes in technology, law, our practices, or the design of the Platform.

  • Routine updates. We will post the updated Notice at the URL where this Notice resides, update the "Last Updated" date in the header, and increment the version number.
  • Material changes. If we make a material change — for example, introducing a new category of cookies, changing the purposes for which we use an existing category, or expanding the data shared with any third party — we will provide prominent notice on the Platform.
  • Material changes affecting minor accounts. For minor accounts (ages 5–17), we will additionally provide notice via the Parent Email on file at least 30 days before the material change takes effect, consistent with our COPPA Direct Notice. Where the change would require new or updated verifiable parental consent under COPPA, we will obtain that consent before the change applies to the affected account.

Your continued use of the Platform after the effective date of an updated Notice constitutes your acknowledgement of the update (and, for minor accounts, the parent's acknowledgement on behalf of the minor), subject in all cases to any consent requirements imposed by applicable law.

§12. Contact

Questions, requests, or concerns about this Notice or our cookie practices:

  • Privacy: privacy@eai-kids.com
  • Legal: legal@eai-kids.com
  • Mailing address: [FF US Subsidiary Legal Entity Name], [Mailing Address]

Companion documents:

Version and Effective Date

  • Version: v1.0 (Initial publication-ready draft, pending external counsel review)
  • Last Updated: 2026-05-29
  • Effective Date: [TBD upon launch]
  • Operator: [FF US Subsidiary Legal Entity Name]
  • Service: EAI Young Developer (eai-kids.com)

End of Cookies and Tracking Technologies Notice.