Children's Privacy

COPPA Notice

Last updated: April 18, 2026

1. Who This Notice Is For

This notice explains how DayLynx handles personal information about children under 13 under the U.S. Children's Online Privacy Protection Act (COPPA). It is written for parents and guardians of children enrolled at a childcare center that uses DayLynx, and for childcare directors evaluating the platform.

DayLynx is operated by SHIFT MSP. The licensed childcare center that uses DayLynx is the operator of record for your child's enrollment; SHIFT MSP acts as their service provider and processes children's data on their behalf.

2. What We Collect About Children

The information below is entered by authorized staff at the childcare center — never by the child. The exact fields depend on what the center chooses to track.

  • Name, date of birth, and classroom assignment
  • Photo (optional, only with written media consent)
  • Guardian relationships and authorized pickup contacts
  • Emergency contact information
  • Medical information: allergies, medications, dietary requirements, and relevant health notes
  • Attendance events (check-in and check-out times)
  • Developmental notes, milestones, and incident reports the center records
  • Photos shared by staff with guardians, when media consent is on file

Children do not create accounts, do not log in, and do not submit content themselves. DayLynx has no child-facing login, message input, or upload surface.

3. How Parental Consent Is Obtained

Before a child's record is entered into DayLynx, the childcare center must obtain verifiable parental consent from the child's parent or guardian. In practice, consent is collected as part of the center's standard enrollment paperwork. The typical flow looks like this:

  1. Enrollment signature. You sign the center's enrollment packet, which includes a COPPA-compliant consent form describing what information the center will record about your child in DayLynx and which features (photo sharing, messaging, etc.) you are opting into or out of.
  2. Guardian invitation. The director invites you to DayLynx by email. You verify your identity by clicking the invitation link and setting a password. This establishes your status as the verified guardian of record.
  3. Opt-in confirmations in the app. The first time you log in to the parent view, you'll see per-feature consent toggles (for example, whether classroom photos of your child may be shared with other families in the same classroom). These can be changed at any time in your account settings.
  4. Per-child media consent. Photo and media sharing requires a separate, per-child written consent. Without that consent on file, DayLynx will not allow staff to publish images that include your child.

Marketing-site note: the present page is an explanation of how consent is collected in the DayLynx application at app.daylynx.com. The actual consent collection flow lives in the application, not here.

4. How We Use Children's Data

Children's data is used exclusively to:

  • Deliver the childcare services the center has contracted you for
  • Track attendance and ratios required for state licensing compliance
  • Communicate with you as the verified guardian (pickup confirmations, emergency alerts, daily summaries)
  • Validate that an approved pickup person is listed for the child when a PIN is entered at the kiosk for pickup
  • Enable the specific features you have consented to (e.g., photo sharing)
  • Keep records the childcare center is legally required to maintain

We do not use children's data for advertising, behavioral profiling, machine-learning model training, or any purpose unrelated to delivering the service to the center.

5. Third-Party Recipients

A small number of service providers help us operate DayLynx. Each is contractually bound to use the data only for the purpose below and is prohibited from using children's data for their own marketing, advertising, or model training.

  • Supabase — encrypted database and file storage for child records, photos, and attendance events. US-based infrastructure.
  • Vercel — application hosting. Handles request routing only; does not read application data payloads.
  • Stripe — billing for the childcare center's subscription. Stripe never receives children's data — only the adult administrator's billing details.
  • Google OAuth / Microsoft Entra ID — optional single sign-on for adult staff and guardian accounts. Never used to authenticate children.
  • Transactional email provider — delivers account-related email (invitation links, password resets, pickup confirmations) to adult guardians. Never used to email children directly.

No analytics, session replay, or advertising on pages with child data. Google Analytics and Microsoft Clarity are used only on the public marketing site at daylynx.com (with IP anonymization and strict input masking), and are not loaded on any page of the application that contains children's records.

6. Retention and Deletion

While a child is actively enrolled, their record is kept in DayLynx. After withdrawal, the center retains records for up to 7 years to satisfy state childcare licensing recordkeeping requirements. Parents may request earlier deletion — see below — and we will honor those requests for any record the center is not legally required to retain.

Encrypted backups containing child data are cycled out within 35 days of the original record being deleted.

7. Parental Rights

As a parent or guardian, you have the right to:

  • Review the personal information DayLynx holds about your child
  • Request corrections to inaccurate information
  • Withdraw consent to specific features (photo sharing, messaging, etc.)
  • Request deletion of your child's records, subject only to records the center is legally required to retain for licensing
  • Refuse to allow further collection or use of your child's information without impact to the child's enrollment at the center

How to exercise these rights. The fastest path is to ask your childcare director — they can complete the request inside DayLynx while you wait. You can also email privacy@daylynx.com with your child's name, the center's name, and the nature of your request. We verify your identity as the guardian of record (typically by replying from the email address the center has on file) and complete verified requests within 30 days.

8. Security of Children's Data

Child records are stored with AES-256 encryption at rest and delivered to authenticated staff and guardians over TLS 1.3. Access is enforced by role-based permissions — a teacher sees only the classrooms they are assigned to, a parent sees only their own child, and every access is logged. Staff and administrator accounts must pass two-factor authentication to access sensitive information.

9. Changes to This Notice

If we make material changes to how we handle children's data, we will update this notice, update the "Last updated" date, and notify the verified guardians of record by email before the change takes effect.

10. Contact

Questions, concerns, or consent withdrawal requests can be sent to privacy@daylynx.com. For the full picture of how we handle personal data at DayLynx, see the Privacy Policy.