Child Safety

COPPA-first: how we protect your children's data

Last updated: April 18, 2026

Plain-English answers to the questions parents and directors ask us most. For the formal legal text, see our COPPA Notice and Privacy Policy.

The short version

Children never sign up. Only adult staff and verified guardians log in to DayLynx.
Parental consent comes before the child record. The center collects written enrollment consent, then invites you to verify your guardian account.
No ads. No selling data. No behavioral tracking inside the app. The pages that show children's records carry no analytics, session replay, or marketing pixels.
Encrypted and access-controlled. AES-256 at rest, TLS 1.3 in transit, role-based access, two-factor authentication for staff and admins.
Parents keep control. Review, correct, withdraw feature consent, or request deletion through your director or privacy@daylynx.com.
Approved pickup stays tied to the child record. Centers can list authorized pickup people for a child, and the kiosk validates their PIN at pickup.

1. What data we collect about children

Authorized staff at your childcare center enter these records on behalf of the child. Children themselves never log in, type messages, or upload anything to DayLynx. Which fields are used depends on what your center tracks and what you have consented to.

Name, date of birth, and classroom assignment
Photo (optional — requires a separate, per-child written media consent on file)
Guardian relationships and authorized pickup contacts
Emergency contact information
Medical information: allergies, medications, dietary requirements, and relevant health notes
Attendance events (check-in and check-out times)
Developmental notes, milestones, and incident reports the center records
Photos shared by staff with guardians (only when media consent is on file)

That list is the full picture. It mirrors Section 2 of our COPPA Notice — we do not collect categories of children's data that are not on it.

When a center uses authorized pickup, approved pickup people can be listed for a child and the kiosk validates their PIN at pickup before checkout starts.

2. What we explicitly do not do

We do not show ads — to children, to parents, or to staff. DayLynx has no advertising surface.
We do not sell, rent, or share children's data with third parties for their own marketing or advertising. Ever.
We do not run behavioral analytics, session replay, heatmapping, or marketing pixels inside the app. The only cookies set at app.daylynx.com are essential session and CSRF cookies required for authentication.
We do not use children's data to train machine-learning models or for any purpose unrelated to delivering the service to the center.
We do not give children a login, a message inbox, or an upload button. There is no child-facing surface to exploit.

Google Analytics and Microsoft Clarity run on our public marketing site at daylynx.com only, with IP anonymization and strict input masking. They are not loaded on any page at app.daylynx.com. Details in Privacy Policy §7.

3. How parental consent flows through the center

Under COPPA, a child's record cannot exist in DayLynx until the childcare center has verifiable parental consent on file. The center collects consent as part of enrollment, and DayLynx gives you a verified guardian account so you can control optional features from there.

Written enrollment consent. You sign the center's enrollment packet, which includes a COPPA-compliant consent form describing what will be recorded about your child and which optional features you are opting into.
Guardian email invite. The director invites you to DayLynx. You verify your identity by clicking the invitation link and setting a password — this establishes you as the verified guardian of record.
Per-feature toggles in the app. The first time you log in, you see consent toggles for optional features (for example, whether classroom photos of your child may be shared). You can change these in account settings at any time.
Per-child media consent. Photo and media sharing requires a separate, per-child written consent. Without that consent on file, DayLynx will not allow staff to publish images that include your child.

This is the same flow described in Section 3 of our COPPA Notice. We do not ask you to consent separately on this marketing site — the consent is collected by the center and in the application itself.

4. Where your child's data lives, and how it's protected

Child records are stored in an encrypted database hosted on US-based infrastructure at Supabase, delivered to authenticated staff and guardians over the public web through Vercel. The posture — verbatim from Section 4 of our Privacy Policy:

AES-256 encryption at rest on child records and photos
TLS 1.3 encryption in transit for every request to the app
Role-based access control — a teacher sees only their assigned classrooms; a parent sees only their own child
Two-factor authentication required for staff and administrator accounts
Rate-limited authentication to slow credential-stuffing attempts
SOC 2 compliant infrastructure in the United States

A small number of service providers help us run the platform — Supabase (encrypted database and file storage), Vercel (application hosting), Stripe (billing for the center, which never sees children's data), Google OAuth and Microsoft Entra ID (optional sign-on for adult accounts only), and a transactional email provider (account email to adult guardians). Each is bound by a data processing agreement and is prohibited from using children's data for their own marketing, advertising, or model training. The full list is in Privacy Policy §7.

5. If something goes wrong: our breach-notification commitment

If we confirm a security incident that affects your account data or a child's records in your center, we will notify the affected childcare center and verified guardians by email, without undue delay, as required by applicable law after confirming the incident. The notice will describe what was affected, what we have done in response, and what the center or guardian can do to protect themselves. We also cooperate with the center on any additional notifications required by applicable state breach-notification laws. This commitment is codified in Section 4 of our Privacy Policy.

6. How long we keep children's records

While your child is enrolled at the center, their record is kept in DayLynx. After withdrawal, the center retains records for up to 7 years to satisfy state childcare licensing recordkeeping requirements. Parents may request earlier deletion, and we honor those requests for any record the center is not legally required to retain.

Encrypted backups containing child data are cycled out within 35 days of the original record being deleted. Verified parental requests are completed within 30 days. The full retention schedule lives in Privacy Policy §6 and COPPA Notice §6.

7. For the full legal picture

This page is the short, plain-English version. Every commitment on it is backed by one of two longer documents:

COPPA Notice — what we collect about children, how parents consent, parental rights, and the request process.
Privacy Policy — the full data map, retention schedule, third-party recipients, and security-incident notification commitment.

Questions, concerns, or requests go to privacy@daylynx.com. Your childcare director can also complete most requests inside DayLynx while you wait.