Privacy Policy
Last updated February 20261. Introduction
Phosra, Inc. ("Phosra," "we," "us," or "our") is a universal parental controls platform that enables parent-facing applications to define child safety policies once and enforce them across 200+ digital platforms. This Privacy Policy describes how we collect, use, disclose, and protect information when you access or use phosra.com, the Phosra API, the Phosra dashboard, and any related services (collectively, the "Service").
In this Privacy Policy, "you" or "your" refers to any individual or entity that accesses or uses the Service, including parents, guardians, developers, and enterprise customers. "Child data" refers to information about children that is submitted to the Service by authorized parents, guardians, or applications acting on their behalf.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Service immediately. We encourage you to review this policy periodically, as it may be updated to reflect changes in our practices or applicable law.
2. Information We Collect
We collect several categories of information in order to provide and improve the Service. The types and extent of data we collect depend on your use of the platform and the features you enable.
Account Information: When you register for a Phosra account, we collect your name, email address, and authentication credentials. Passwords are managed and hashed through our authentication provider, Clerk, using industry-standard bcrypt hashing. We do not store plaintext passwords at any point in our infrastructure.
Child Profile Data: Parents and guardians may create child profiles within the Service. Child profile data includes the child's first name, date of birth, and computed age group. This information is provided exclusively by the parent or guardian and is never collected directly from children. We apply strict data minimization principles and collect only the information necessary to match policies to age-appropriate rules.
Policy and Rule Data: The Service stores policy configurations, rule category selections (such as content rating filters, screen time limits, web filtering preferences, and notification curfews), enforcement preferences, and platform connection settings. This data defines how child safety rules are pushed to connected platforms.
Usage Data: We automatically collect certain technical information when you interact with the Service, including API call logs, request timestamps, IP addresses, browser type and version, device information, and referring URLs. This data is used for analytics, rate limiting, security monitoring, and service optimization.
Platform Credentials: When you connect third-party platforms (such as Netflix, YouTube, or device management services), the Service stores the necessary API keys or OAuth tokens required to enforce policies on those platforms. All platform credentials are encrypted at rest using AES-256-GCM encryption and are never exposed in logs, API responses, or error messages.
3. How We Use Your Information
We use the information we collect for the following purposes, all of which are directed toward providing you with a reliable, secure, and effective parental controls platform.
Service Provision and Policy Enforcement: Your account information, child profiles, and policy configurations are used to operate the core Service, including pushing policy rules to connected platforms, verifying enforcement status, and synchronizing rule changes across your connected ecosystem. When you trigger an enforcement action, we transmit only the minimum rule data necessary to the relevant platform adapters.
Compliance Verification and Audit: We use enforcement logs, job records, and policy snapshots to verify that rules have been successfully applied to each connected platform. These records also support audit trails required by child safety regulations such as COPPA, KOSA, and the EU Digital Services Act.
API Analytics and Performance: Usage data, including API call volumes, response times, and error rates, is analyzed to monitor Service health, optimize infrastructure, enforce rate limits, and plan capacity. Aggregated and anonymized analytics may be used to improve the Service and inform product decisions.
Security and Fraud Prevention: We use IP addresses, authentication logs, device fingerprints, and behavioral signals to detect unauthorized access attempts, prevent credential abuse, identify suspicious API usage patterns, and protect the integrity of child data. Automated systems may temporarily restrict access when anomalous activity is detected.
Communication: We may use your email address to send transactional messages related to your account (such as verification emails, enforcement status alerts, and security notifications) and, with your consent, to send product updates, feature announcements, and educational content about child safety regulations. You may opt out of non-transactional communications at any time.
4. Children's Data
The protection of children's data is central to Phosra's mission and architecture. This section describes how we handle information about children and the safeguards we have implemented to ensure that child data is treated with the highest level of care.
Phosra acts as a data processor on behalf of parents and guardians, who serve as the data controllers for their children's information. We do not collect data directly from children at any point. All child profile data, including names, dates of birth, and age groups, is submitted exclusively by authorized parents, guardians, or applications that have obtained appropriate parental consent.
We apply strict data minimization principles to child data. The only personal information we store for a child profile is the child's first name, date of birth, and computed age group. We do not collect, store, or process children's email addresses, phone numbers, physical addresses, photographs, biometric data, or social media identifiers. Age group data is used solely to match children with age-appropriate policy rules across content rating systems (MPAA, TV Parental Guidelines, ESRB, PEGI, and Common Sense Media).
All child data is encrypted at rest using AES-256-GCM encryption. When policy rules are transmitted to third-party platforms for enforcement, we send only the abstract rule categories (such as content rating thresholds or screen time limits) and never transmit children's names, dates of birth, or any other personal information to platform providers.
Parents and guardians retain full control over their children's data at all times. Child profiles can be deleted at any time through the Phosra dashboard or via the API. Upon deletion, all associated data, including the profile record, linked policy rules, and enforcement history, is permanently removed from our systems within seven days. We comply with the Children's Online Privacy Protection Act (COPPA), the Kids Online Safety Act (KOSA), and equivalent international regulations governing children's data, including the EU General Data Protection Regulation (GDPR) as it applies to minors and the UK Age Appropriate Design Code.
5. Legal Basis for Processing
For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions that require a legal basis for processing personal data, we rely on the following grounds under the General Data Protection Regulation (GDPR) and equivalent frameworks.
Contractual Necessity (Article 6(1)(b) GDPR): Processing of your account information, child profile data, and policy configurations is necessary to perform the contract between you and Phosra, specifically to provide the Service, enforce policies across connected platforms, and maintain your account. Without this processing, we cannot deliver the core functionality of the platform.
Legitimate Interest (Article 6(1)(f) GDPR): We process certain data, such as IP addresses, API usage logs, and device information, based on our legitimate interest in maintaining the security and integrity of the Service, preventing fraud and abuse, and improving platform performance. We have conducted balancing tests to ensure these interests do not override your fundamental rights, particularly with respect to children's data.
Consent (Article 6(1)(a) GDPR): Where we send marketing communications, product newsletters, or non-essential communications, we do so based on your explicit opt-in consent. You may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by updating your preferences in the dashboard Settings page. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.
Legal Obligation (Article 6(1)(c) GDPR): Certain processing activities are required to comply with applicable laws and regulations, including child safety laws (COPPA, KOSA), data protection regulations, tax and accounting requirements, and lawful requests from regulatory authorities or law enforcement. We retain enforcement audit logs and certain account records as required by these obligations.
6. Information Sharing
Phosra does not sell, rent, or trade your personal data or children's data to any third party for any purpose. We share information only in the limited circumstances described below, and we impose contractual and technical safeguards on all data recipients.
Platform Providers: When you connect a third-party platform (such as Netflix, YouTube, TikTok, or a device management service) and trigger policy enforcement, we transmit the minimum set of abstract policy rules required for that platform to apply the requested restrictions. We never share children's names, dates of birth, personal identifiers, or any information beyond the specific rule parameters needed for enforcement. Each platform adapter is designed to operate on a least-privilege basis.
Infrastructure Providers: We use third-party service providers for hosting, database management, email delivery, and monitoring. These providers process data on our behalf under strict data processing agreements and are prohibited from using your data for their own purposes. We select providers that maintain SOC 2 compliance or equivalent security certifications.
Law Enforcement and Legal Requirements: We may disclose information if we believe in good faith that disclosure is required by applicable law, regulation, legal process, or governmental request. We will attempt to notify affected users of such requests unless we are legally prohibited from doing so or the request relates to an emergency involving potential harm to a child.
Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will provide at least 30 days' notice before any such transfer and will ensure that the acquiring entity is bound by privacy protections at least as protective as those described in this Privacy Policy.
We want to be unequivocal on two points: We never sell personal data to any party, and we never share children's data with advertisers, data brokers, or any entity for marketing or commercial profiling purposes.
7. Data Retention
We retain your information only for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with our legal obligations, and resolve disputes. The specific retention periods vary by data category.
Account Data: Your account information (name, email, authentication records) is retained for the duration of your active account plus 30 days following account deletion. This 30-day post-deletion period allows for account recovery in case of accidental deletion and ensures we can fulfill any outstanding legal or contractual obligations.
Child Profile Data: When a child profile is deleted by a parent or guardian, all associated data, including the profile record, linked policy rules, enforcement preferences, and enforcement history for that profile, is permanently deleted from our systems within 7 days. This accelerated deletion timeline reflects our commitment to minimizing the retention of children's data.
API and Usage Logs: API call logs, request metadata, and usage analytics are retained for 90 days from the date of the request. After this period, logs are permanently deleted. Aggregated, anonymized statistics derived from usage data may be retained indefinitely for capacity planning and service improvement.
Enforcement Job Records: Records of enforcement actions (including job status, timestamps, platform responses, and error logs) are retained for 1 year to support compliance audits, dispute resolution, and regulatory reporting requirements under child safety laws.
Platform Credentials: Encrypted platform API keys and OAuth tokens are deleted immediately upon disconnection of the associated platform from your account. No cached or backup copies are retained after disconnection.
8. Your Rights
Depending on your jurisdiction, you may have certain rights regarding your personal data. We are committed to honoring these rights and have implemented mechanisms to facilitate their exercise.
Under the EU General Data Protection Regulation (GDPR), residents of the EEA and UK have the following rights: the right of access to obtain a copy of the personal data we hold about you; the right to rectification to correct inaccurate or incomplete data; the right to erasure ("right to be forgotten") to request deletion of your data; the right to restriction of processing in certain circumstances; the right to data portability to receive your data in a structured, machine-readable format; and the right to object to processing based on legitimate interests, including profiling.
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the following rights: the right to know what personal information we collect, use, disclose, and sell; the right to delete personal information we hold about you; the right to opt out of the sale of personal information (Phosra does not sell personal data, so this right is already satisfied); and the right to non-discrimination for exercising your privacy rights.
You may exercise any of these rights through the Settings page in your Phosra dashboard, which provides self-service tools for data access, export, and deletion. Alternatively, you may submit a request by contacting us at privacy@phosra.com. We will verify your identity before processing any request and will respond within 30 days of receipt. If we require additional time, we will notify you of the extension and the reasons for it. There is no fee for exercising your rights, except in cases of manifestly unfounded or excessive requests, where we may charge a reasonable administrative fee or decline the request.
10. Security
Phosra implements comprehensive technical and organizational security measures to protect your data and your children's data against unauthorized access, alteration, disclosure, or destruction.
Encryption at Rest: All sensitive data, including child profile information, platform credentials, and provider API keys, is encrypted at rest using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode). Encryption keys are managed through a dedicated key management system with regular key rotation.
Encryption in Transit: All data transmitted between your browser or application and our servers is protected by TLS 1.3 (Transport Layer Security). We enforce HTTPS across all endpoints and apply HTTP Strict Transport Security (HSTS) headers to prevent protocol downgrade attacks.
Authentication Security: User passwords are managed by Clerk, our authentication provider, which employs bcrypt hashing with appropriate cost factors. API authentication uses JSON Web Tokens (JWT) with 15-minute expiry windows and cryptographic refresh token rotation. Refresh tokens are hashed using SHA-256 before storage, ensuring that even a database compromise would not expose valid session credentials.
Credential Vault: Third-party platform credentials (API keys, OAuth tokens) are stored in an encrypted vault with application-level access controls. Credentials are decrypted only at the moment of use during enforcement operations and are never logged, cached in memory beyond the operation lifecycle, or included in error reports.
Operational Security: We conduct regular security audits and penetration testing of our infrastructure and application layer. Our development process includes automated dependency vulnerability scanning, static code analysis, and mandatory code review for all changes to authentication, encryption, and data access components. We maintain an incident response plan and will notify affected users promptly in the event of a data breach.
11. International Transfers
Phosra's primary data processing infrastructure is located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States, which may have data protection laws that differ from those in your jurisdiction.
For users located in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure that international data transfers are conducted in compliance with Chapter V of the GDPR. Transfers to our infrastructure providers and sub-processors in the United States are protected by the European Commission's Standard Contractual Clauses (SCCs), supplemented by additional technical measures including encryption in transit and at rest.
We continuously monitor developments in international data transfer frameworks, including the EU-U.S. Data Privacy Framework and successor arrangements, and will adopt appropriate transfer mechanisms as they become available. Where a sub-processor is located in a jurisdiction that has received an adequacy decision from the European Commission, we rely on that adequacy decision as the basis for transfer.
If you have questions about international data transfers or wish to obtain a copy of the applicable Standard Contractual Clauses, please contact our Data Protection Officer at dpo@phosra.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, the introduction of new features, or developments in applicable privacy laws and regulations.
For material changes that affect how we collect, use, or share your personal data or children's data, we will provide at least 30 days' advance notice before the changes take effect. Notice will be delivered via email to the address associated with your account and through a prominent notification in the Phosra dashboard. Material changes include, but are not limited to, new categories of data collection, new third-party data sharing arrangements, changes to data retention periods for children's data, and changes to your rights or how to exercise them.
Your continued use of the Service after the effective date of an updated Privacy Policy constitutes your acceptance of the revised terms. If you do not agree with the changes, you should discontinue use of the Service and delete your account before the effective date. Previous versions of this Privacy Policy are available upon request by contacting privacy@phosra.com.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, we encourage you to reach out through the following channels.
Privacy Inquiries: For general privacy questions, data access requests, or concerns about how your information is handled, please contact us at privacy@phosra.com. Our privacy team aims to acknowledge all inquiries within two business days and to provide a substantive response within 30 days.
Data Protection Officer: For matters relating to GDPR compliance, international data transfers, data protection impact assessments, or to exercise your rights under European data protection law, please contact our Data Protection Officer at dpo@phosra.com.
Mailing Address: Phosra, Inc., Wilmington, Delaware, United States.
EU Representative: For users in the European Economic Area who wish to contact a representative within the EU regarding data protection matters, our EU representative details will be published on this page upon appointment.
Supervisory Authority: If you are located in the EEA or UK and believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with your local data protection supervisory authority. We would, however, appreciate the opportunity to address your concerns before you approach the supervisory authority, and we invite you to contact us first.