Legal · v1 draft

Privacy Policy

How we collect, use, and protect personal information — built with COPPA, UK GDPR, PIPEDA, and the Australian Privacy Principles in mind.

PRIVACY POLICY — MY DAD FROM™ PLATFORM

Effective Date: Upon first publication of v1.0 of this Privacy Policy (currently in pre-launch). The effective date is set on the date the Platform first becomes available to the general public. Last Updated: 2026-04-30 Entity: My Dad From Inc.¹ Registered Address: [Registered office address — to be inserted upon incorporation] Privacy Contact: privacy@mydadfrom.com Privacy Officer (Canada / global): [To be appointed before launch — Privacy Officer, c/o privacy@mydadfrom.com] Data Protection Officer (UK): [To be appointed before UK launch.] UK Representative (Art. 27 UK GDPR): [To be appointed before UK launch — required for non-UK controllers offering services to UK users.] Australian inquiries: privacy@mydadfrom.com

¹ Working entity name. Counsel to confirm exact corporate name and jurisdiction of incorporation.

Section 1 — Who We Are and Who This Policy Is For

This Privacy Policy explains how My Dad From Inc. ("we," "us," "our," "the Platform") collects, uses, stores, and protects personal information when you or your child uses our platform, including our interactive ebooks, subscription services, website at mydadfrom.com, parent dashboard, and related features.

This Platform is designed for children ages 4–9, used with parental involvement. We take children's privacy seriously. This policy is written for parents and legal guardians ("you," "your"). If you are a child reading this: your parent or guardian should read this page with you. A short, child-friendly summary lives in Section 13.

Mode separation. The Platform is structured into three distinct modes — Public, Kid Mode, and Parent Mode — separated server-side by route group and middleware. Children only interact with Kid Mode. Commerce, account settings, and data-rights tooling live in Parent Mode and are gated by parental authentication. No third-party trackers, advertising SDKs, or behavioral analytics are loaded in Kid Mode.

Jurisdictions covered: This policy applies to users in the United States, Canada, the United Kingdom, and Australia. Where our obligations differ by jurisdiction, we say so explicitly.

Section 2 — What We Collect

We collect the following categories of personal information.

2.1 — Information You Provide Directly

Data Type	What It Is	Why We Collect It
Parent / Guardian Account Information	Email address, password (stored only as a salted hash via Supabase Auth), display name (optional), country/region of residence	To create and manage your account; to determine which jurisdiction's privacy rules apply
Parental Gate PIN	A short numeric PIN you set, stored only as a salted hash on our servers and verified server-side via a `SECURITY DEFINER` Postgres routine	To gate Parent Mode, purchases, and account-changing actions; we never see or store your PIN in plaintext
Payment Information	Credit/debit card details and billing address (collected and stored by Stripe, Inc. — we never see, store, or process your full card number)	To process purchases ($14.99 one-time ebook; $5.99/mo Dad Club subscription)
Child Profile (kid-facing)	A first name or nickname, an avatar selected from our pre-illustrated avatar library, an approximate birth year, and a reading level	To personalize the reading experience (e.g., "Welcome back, [Name]") and to ensure age-appropriate content. We do not collect a child's full name, full date of birth, mailing address, photograph, voice, phone number, or any government identifier.
Reading Progress	Which spreads have been viewed, which interactions have been completed, which Passport stamps have been earned, per Child Profile	To resume reading where the child left off and to surface earned stamps/badges to the parent. Stored against the Child Profile, accessible only to the parent's account, not used to build behavioral profiles
Parent-Recorded Audio Narration	Voice recordings you (the parent) make when narrating a book for your child; stored encrypted on object storage and delivered via short-lived signed URLs	To deliver the personalized narration feature. We never use these recordings to train AI, voice-cloning, or speech-synthesis models. They are not shared with anyone outside your household
Cultural Board Reviewer Information	Name, email, mailing address, payment details (for honorarium), photo and bio (only if reviewer opts in to public credit)	To manage the cultural review process, pay honoraria, and (with consent) credit reviewers publicly on the `/credits` page
Support Correspondence	Email content and metadata when you contact support@ or privacy@	To respond to your request and maintain a service record

2.2 — Information Collected Automatically

Data Type	What It Is	Why We Collect It
Device and Browser Information	Device type, operating system, browser type, viewport size, language preference	To ensure ebooks render correctly across devices
IP Address	Your internet protocol address	For coarse jurisdiction detection (to apply the correct privacy rules), fraud prevention, and aggregate request logging. We do not use IP addresses to build profiles of children, and Kid Mode pages are excluded from IP-based analytics aggregation
Usage Data (Parent Mode and Public Mode only)	Pages viewed, features used, session duration, feature errors	To improve the Platform and understand which content resonates. Kid Mode is excluded. No third-party analytics SDK is loaded in Kid Mode — Kid Mode emits only the minimum server-side telemetry necessary for stability (e.g., error reporting, never linked to a child's identity)
Cookies and Similar Technologies	Session cookies, authentication tokens, Parental Gate freshness cookie	To keep you logged in and remember your preferences. See Section 9 below

2.3 — Information We Do NOT Collect

We do not collect a child's full name, date of birth, mailing address, phone number, Social Security / Social Insurance number, or any government identifier.
We do not collect a child's voice. The narration recording feature is for parents only. Kid Mode contains no microphone, camera, or voice-capture feature, and the Platform does not include any flow that records, captures, or processes a child's voice or face.
We do not collect or accept user-uploaded photographs of children. Avatars are selected from our pre-illustrated avatar library.
We do not allow children to make purchases. All purchases are made by the parent/guardian behind the Parental Gate.
We do not serve advertising of any kind on the Platform, to children or to parents.
We do not load behavioral-analytics, tracking-pixel, or marketing SDKs (e.g., PostHog, Mixpanel, Segment, Google Analytics, Meta Pixel) in Kid Mode.
We do not sell, rent, or license personal information to third parties. Ever. To anyone.
We do not use personal information (yours or your child's) to train, fine-tune, or evaluate machine-learning models, including generative-AI or speech-synthesis models.
We do not send any information about your child to a third-party AI provider. The optional AI co-author feature (Parent Mode only) sends your heritage prompt, theme, age band, and the draft text you generate to Anthropic, PBC for processing in the United States, and only those fields. We do not send your child's name, profile, reading history, voice recordings, or any other identifier. See Section 6.2 below.

Section 3 — Verifiable Parental Consent (COPPA — United States)

This section applies to users in the United States and is required by the Children's Online Privacy Protection Act (COPPA), 16 CFR §312.

We do not collect personal information from a child under 13 without first obtaining verifiable parental consent from the child's parent or legal guardian.

How We Obtain Consent

For paid users (one-time purchase or Dad Club subscription): When you complete a purchase through our Stripe-powered checkout, the payment transaction (combined with the just-in-time COPPA disclosure displayed at checkout and your affirmative consent before payment is processed) serves as verifiable parental consent under 16 CFR §312.5(b)(2)(ii) (use of credit card or other online payment system that provides notification of each discrete transaction to the primary account holder).

For free-preview users (no purchase): If you access the free preview (spreads 1–5 of any ebook) without making a purchase, we use the Email-Plus method under 16 CFR §312.5(b)(2)(vi): we send a consent notice to the parent's email address, and the parent must reply or click a confirmation link. We then send a follow-up confirmation email with instructions on how to revoke consent. No personal information from or about a child is collected until this consent is confirmed.

Self-attestation v1 note: Until full third-party-verified parental consent (e.g., government-ID match) is in place, we rely on the methods above and on the Parental Gate to ensure that only adults can transact on the Platform. We document this approach internally (the "v1" COPPA self-attestation posture) and will upgrade verification as the Platform scales.

Your COPPA Rights

As a parent or guardian of a child under 13, you have the right to:

Review the personal information we have collected from or about your child.
Refuse further collection or use of your child's information.
Request deletion of your child's personal information.

To exercise any of these rights, contact us at privacy@mydadfrom.com. We will verify your identity (typically by sending a confirmation link to the email address on file for the account) before processing your request. We will respond within 30 days.

Data Retention Under COPPA

We retain children's personal information only as long as reasonably necessary to fulfill the purpose for which it was collected. When you request deletion, or when an account is inactive for 18 months (a tighter window than the 24-month general-account window, by design), we delete all personal information associated with the child's profile. A 30-day warning email is sent before automated deletion, with one-click reactivation.

Section 4 — UK GDPR and Age Appropriate Design Code (United Kingdom)

This section applies to users in the United Kingdom and supplements the general provisions of this policy. It reflects our obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the ICO's Age Appropriate Design Code (AADC).

4.1 — Lawful Basis for Processing

Processing Activity	Lawful Basis (Art. 6 UK GDPR)	Additional Basis for Children's Data
Account creation and management	Performance of a contract (Art. 6(1)(b))	Parental consent (Art. 8)
Payment processing	Performance of a contract	N/A (parent's data only)
Personalised narration storage	Consent (Art. 6(1)(a)), revocable at any time	Parental consent
Reading-progress tracking (per Child Profile)	Performance of a contract; necessary to deliver the reading experience	Parental consent; no behavioural profiling
Aggregated usage analytics (Parent Mode / Public Mode only)	Legitimate interests (Art. 6(1)(f))	LIA completed; Kid Mode excluded; no individual child profiling
Jurisdiction detection via IP	Legitimate interests	LIA completed
Fraud prevention (incl. Parental Gate brute-force protection)	Legitimate interests	LIA completed

4.2 — Age Appropriate Design Code Compliance

We have designed the Platform with the best interests of the child as a primary consideration (AADC Standard 1). Specifically:

Data Protection Impact Assessment (DPIA): We have completed a DPIA for all processing activities involving children's data. A summary is available on request to privacy@mydadfrom.com.
Default settings: All privacy settings default to the most protective option. No data sharing, profiling, or optional data collection is enabled by default (AADC Standard 7).
No profiling: We do not profile children. Our gamification and interactive features do not adapt based on individual behavioural data. Reading progress is stored locally against the parent's account and is not used to build behavioural profiles or to drive recommendation algorithms (AADC Standard 12).
No nudge techniques: We do not use design techniques that encourage children to provide more personal data or to weaken their privacy settings (AADC Standard 13).
No detrimental use: We do not use children's data in ways that are detrimental to their wellbeing. Our gamification features are designed to encourage learning and cultural connection, not compulsive use (AADC Standard 5).
Transparency: This policy is our detailed, parent-facing notice. We also provide a child-friendly privacy summary (Section 13) accessible within the Platform, written at a reading level appropriate for ages 7–9 (AADC Standard 4).
Parental controls: Parents can access, review, modify, and delete all data associated with their child's profile through the Parent Mode dashboard (AADC Standard 11).
Connected toys / online tools: Not applicable — the Platform does not connect to physical devices or expose APIs to third-party integrations (AADC Standard 14).

4.3 — Your UK Data Rights

Under the UK GDPR, you have the right to:

Access your personal data (Art. 15)
Rectification of inaccurate data (Art. 16)
Erasure ("right to be forgotten") (Art. 17)
Restrict processing (Art. 18)
Data portability (Art. 20)
Object to processing based on legitimate interests (Art. 21)
Withdraw consent at any time (Art. 7(3))

To exercise these rights, contact privacy@mydadfrom.com. We will respond within one month (extendable by two months for complex requests, with notice to you).

Complaints: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

Section 5 — PIPEDA (Canada)

This section applies to users in Canada and reflects our obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

5.1 — The Ten PIPEDA Principles

We comply with all ten fair information principles set out in Schedule 1 of PIPEDA:

Accountability: My Dad From Inc. is responsible for personal information under our control. Our Privacy Officer is [to be appointed before launch — Privacy Officer, c/o privacy@mydadfrom.com].
Identifying Purposes: We identify the purposes for collection at or before the time of collection (see Section 2 above).
Consent: We obtain meaningful consent for the collection, use, and disclosure of personal information. For children who lack the capacity to consent meaningfully, we obtain consent from a parent or guardian.
Limiting Collection: We collect only the personal information necessary for the identified purposes (Principle 4.4). For children, that cap is: first name or nickname, avatar (selected from our library), approximate birth year, and reading level.
Limiting Use, Disclosure, and Retention: We use and disclose personal information only for the purposes for which it was collected, and retain it only as long as necessary (see Section 11).
Accuracy: We keep personal information as accurate, complete, and up-to-date as necessary.
Safeguards: We protect personal information with security safeguards appropriate to the sensitivity of the information (see Section 8).
Openness: This policy is our openness document. It is publicly available at mydadfrom.com/privacy.
Individual Access: You may request access to your personal information by contacting privacy@mydadfrom.com. We will respond within 30 days.
Challenging Compliance: You may challenge our compliance with these principles by contacting our Privacy Officer. If we cannot resolve your concern, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.

5.2 — Quebec Residents (Law 25)

If you are a resident of Quebec, the following additional protections apply under the Act Respecting the Protection of Personal Information in the Private Sector (as amended by Law 25):

We have conducted a Privacy Impact Assessment for our processing activities involving personal information.
We have designated a person responsible for the protection of personal information (our Privacy Officer above).
We will notify you and the Commission d'accès à l'information du Québec (CAI) of any confidentiality incident (breach) that presents a risk of serious injury, in line with Law 25 timelines.
You have the right to data portability — to receive your personal information in a structured, commonly used technological format.
You have the right to be informed of, and to refuse, automated decision-making based exclusively on automated processing. We do not currently make any such decisions.

Section 6 — Australian Privacy Principles (Australia)

This section applies to users in Australia and reflects our obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

6.1 — APP Compliance Summary

APP	Our Compliance
APP 1 (Open and transparent management)	This policy; available at mydadfrom.com/privacy
APP 2 (Anonymity and pseudonymity)	Children may use a nickname instead of their real name
APP 3 (Collection of solicited personal information)	We collect only what is reasonably necessary (see Section 2)
APP 4 (Unsolicited personal information)	We destroy or de-identify unsolicited personal information we receive
APP 5 (Notification of collection)	This policy serves as our collection notice
APP 6 (Use or disclosure)	We use personal information only for the purpose of collection or a directly related secondary purpose
APP 7 (Direct marketing)	We do not use children's personal information for direct marketing. Adult-account marketing (if any) is opt-in and includes a one-click unsubscribe
APP 8 (Cross-border disclosure)	See Section 6.2 below
APP 9 (Government-related identifiers)	We do not collect government identifiers
APP 10 (Quality of personal information)	We take reasonable steps to ensure accuracy
APP 11 (Security)	See Section 8
APP 12 (Access)	You may request access to your personal information
APP 13 (Correction)	You may request correction of inaccurate information

6.2 — Cross-Border Data Transfers

Our Platform is operated from Canada, with infrastructure provided by Vercel Inc. (United States, regional edge runtime), Supabase Inc. (managed Postgres, authentication, and managed object storage), Cloudflare, Inc. (R2 object storage in the region we have configured), Stripe, Inc. (payment processing), and Resend, Inc. (transactional email). If you are an Australian user, your personal information will be transferred to and stored in these jurisdictions. Under APP 8.1, we take reasonable steps to ensure that any overseas recipient does not breach the APPs in relation to your information, including via contractual data-processing agreements where required.

If you choose to use the optional AI co-author feature (Parent Mode only), your heritage prompt, theme, age band, optional one-line hook, and the draft text generated for your book are transmitted to Anthropic, PBC (United States) for processing. No information about your child is transmitted. Anthropic processes this information solely to return the requested draft and, per our account configuration with Anthropic, does not use it to train or fine-tune their models. You can opt out of this feature at any time by simply not using it — all other Platform features work without AI assistance.

6.3 — Notifiable Data Breaches

In the event of an eligible data breach (as defined in Part IIIC of the Privacy Act), we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by the Notifiable Data Breaches scheme.

Complaints: You may lodge a complaint with the OAIC at oaic.gov.au.

Section 7 — How We Use Your Information

We use personal information for the following purposes and no others:

To provide the Platform — delivering ebooks, processing purchases, managing subscriptions, storing narration recordings, persisting reading progress, and personalising the reading experience.
To communicate with you — sending purchase confirmations, subscription renewal reminders, and service-related notices. We will send a reminder email at least 48 hours before your free trial converts to a paid subscription and before each subscription renewal where required by your jurisdiction.
To improve the Platform — analysing aggregated, de-identified usage data from Parent Mode and Public Mode to understand which content resonates and to fix bugs. We do not analyse individual children's behaviour. Kid Mode is excluded from analytics tooling.
To comply with the law — responding to legal requests, enforcing our Terms of Service, and meeting our obligations under COPPA, UK GDPR, PIPEDA, and the Australian Privacy Act.
To prevent fraud — detecting and preventing fraudulent transactions and unauthorised access (including Parental Gate brute-force attempts).
To manage the cultural review process — processing honorarium payments and (with consent) publicly crediting Cultural Board reviewers.

We do NOT use personal information to:

Serve advertising of any kind to children or parents
Build behavioural profiles of children
Sell, rent, or trade personal information to third parties
Make automated decisions that produce legal or similarly significant effects on you or your child
Train, fine-tune, or evaluate any machine-learning model, including generative-AI or speech-synthesis models

Section 8 — How We Protect Your Information

We implement the following security measures:

Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
Encryption at rest: Personal information stored in our managed Postgres database (Supabase) and object storage (Cloudflare R2) is encrypted at rest using AES-256.
Row-level security (RLS): Database access is mediated by Postgres row-level security policies enforced on every table holding user data, so a parent's account can only ever read its own rows.
Short-lived signed URLs: Audio narrations, illustrations, and other private assets are served via signed URLs with a maximum 15-minute time-to-live, regenerated on demand. Direct object URLs are not shared.
Parental Gate hardening: PINs are stored as salted hashes; verification is server-side via a SECURITY DEFINER Postgres routine; 5 failed attempts trigger a 15-minute account-level lockout.
Payment security: All payment processing is handled by Stripe, Inc., which is PCI DSS Level 1 certified. We never see, store, or process your full credit or debit card number. We rely on Stripe's signed webhooks to update access entitlements; we never query Stripe to gate access at runtime.
Access controls: Access to personal information is restricted to authorised personnel on a need-to-know basis; service-role database keys are server-side only and never exposed to client code.
Audio recording storage: Parent-recorded narrations are stored in encrypted, access-controlled object storage scoped to the parent's account. They are not accessible to other users, to our staff (except for technical support with your explicit, time-bound permission), or to any third party.
Mode-separated routing: Kid Mode pages do not load any third-party analytics, advertising, or tracking SDK. This is enforced both at build time (lint rule on (kid) route imports) and at runtime (mode-tagged middleware).
Regular security reviews: We conduct annual security reviews of our systems and practices, plus targeted reviews after any architectural change with security implications.
Incident response: We maintain a documented incident-response plan. In the event of a data breach, we will notify affected users and relevant authorities as required by law (see jurisdiction-specific sections above).

Section 9 — Cookies and Tracking Technologies

What We Use

Technology	Purpose	Duration	Can You Opt Out?
Session cookies	Keep you logged in during a browsing session	Expire when you close your browser	No — required for the Platform to function
Authentication tokens	Remember your login across sessions (issued by Supabase Auth)	30 days, refreshed on use	Yes — log out, which clears the token
Parental Gate freshness cookie	Remember that the Parental Gate has been recently passed, so you're not re-prompted on every action within a short window	Short (minutes); expires on logout or window close	No — required for the Parental Gate to function
Preference cookies	Remember your language and display preferences	1 year	Yes — through your browser settings

What We Do NOT Use

We do not use third-party advertising cookies or tracking pixels.
We do not use analytics cookies that track individual children's behaviour.
We do not use fingerprinting or any covert tracking technology.
We do not share cookie data with third parties.
We do not load any third-party SDK in Kid Mode routes.

UK Users — Cookie Consent

If you are in the United Kingdom, we will ask for your consent before placing any non-essential cookies on your device, in compliance with the Privacy and Electronic Communications Regulations (PECR). Essential cookies (session, authentication, Parental Gate freshness) do not require consent.

Section 10 — Third-Party Service Providers

We share personal information with the following third-party service providers, and only to the extent necessary for them to perform services on our behalf:

Provider	What They Process	Why	Their Privacy Policy
Stripe, Inc.	Payment information (card details, billing address)	Payment processing, subscription billing, Stripe Customer Portal	stripe.com/privacy
Supabase, Inc.	Account data, Child Profile data, parent-narration metadata, reading progress	Authentication and managed Postgres database backing the Platform	supabase.com/privacy
Vercel Inc.	Application traffic (HTTPS-encrypted), edge logs	Application hosting and edge runtime	vercel.com/legal/privacy-policy
Cloudflare, Inc. (R2)	Encrypted audio narrations, illustrations, and other private assets	Object storage served via short-lived signed URLs	cloudflare.com/privacypolicy
Resend, Inc.	Parent email addresses, email content (receipts, renewal reminders, COPPA consent confirmations)	Transactional email delivery	resend.com/legal/privacy-policy

We require all third-party service providers to:

Process personal information only on our instructions
Implement appropriate security measures
Not use personal information for their own purposes
Delete personal information when the service relationship ends

For UK users: We have executed Data Processing Agreements (DPAs) with all sub-processors as required by Art. 28 UK GDPR, and rely on the UK International Data Transfer Agreement / Addendum where personal data is transferred outside the UK.

Section 11 — Data Retention and Deletion

Data Type	Retention Period	Deletion Trigger
Parent account information	Duration of account + 30 days after deletion request	Account deletion request or 24-month inactivity (with 30-day warning)
Child Profile information	Duration of account; minimum data necessary to deliver the experience	Account deletion request, parental request, or 18-month inactivity (more protective than the parent-account window)
Parental Gate PIN hash	Duration of account; rotated when you change your PIN	Account deletion or PIN reset
Payment records	7 years (tax / financial-records compliance)	Automatic after retention period
Parent-recorded narrations	Duration of account, or 30 days after subscription cancellation for Dad Club–only titles	Account deletion request, parental request, or end of 30-day post-cancellation window
Reading progress / Passport stamps	Duration of Child Profile	Child Profile deletion or account deletion
Aggregated usage analytics (de-identified)	2 years	Automatic after retention period
Cultural Board reviewer data	Duration of public credit + 1 year after credit removal	Reviewer request or contract termination
Support correspondence	2 years	Automatic after retention period

To request deletion: Email privacy@mydadfrom.com or use the "Delete My Data" button in your account settings (Parent Mode → Settings → Delete Account). We will process deletion requests within 30 days (US/Canada/Australia) or one month (UK).

Section 12 — Subscription and Auto-Renewal Disclosures

Because our Dad Club subscription involves recurring charges, we include the following disclosures for transparency (see also Section 5 of the Terms of Service):

Free trial: Your 5-day free trial begins on the date you sign up. We will send you a reminder email at least 48 hours before your trial ends.
Auto-renewal: At the end of your 5-day trial, your subscription will automatically renew at $5.99/month (USD) plus applicable tax, unless you cancel before the trial ends.
Renewal reminders: We send a renewal reminder before each monthly renewal for users in jurisdictions that require it (including Quebec). For users in jurisdictions that do not require pre-renewal notice, we send a reminder before the first paid renewal and at least annually thereafter.
Cancellation: You can cancel your subscription at any time with one tap in your account settings (Parent Mode → Subscription → Cancel). Cancellation takes effect at the end of your current billing period. You retain access to subscription content until that date. No further charges will occur.
Refund policy: We offer a 14-day refund window for one-time ebook purchases. For subscriptions, we offer a prorated refund for the current billing period upon cancellation. To request a refund, contact support@mydadfrom.com.

Section 13 — Children's Privacy Summary (Child-Facing — AADC Standard 4)

This section is written for children ages 7–9 and is also displayed inside the Platform in a child-friendly format with illustrations and audio.

Your Privacy — For Kids

🔒 We keep your stuff safe. When you use My Dad From, we don't share your name or anything about you with anyone outside your home.

👀 We don't watch what you do. We don't follow you around the app or keep track of everything you click. We don't use ads.

🚫 No ads. Ever. You will never see ads in this app.

🎙️ Only your grown-up records the voice. The app doesn't listen to you. The voice you hear reading the story is your dad's, your mom's, or your guardian's — and they decided to record it.

🗑️ Your grown-up is in charge. Your mom, dad, or guardian can see everything we know about you, change it, or delete it any time.

❓ Questions? Ask your grown-up to email us at privacy@mydadfrom.com.

Section 14 — Changes to This Policy

We may update this policy from time to time. When we make material changes:

We will update the "Last Updated" date at the top of this policy.
We will notify you by email at least 30 days before the changes take effect.
If the changes affect how we handle children's personal information, we will obtain new parental consent before applying the changes to existing Child Profiles.
We will not retroactively apply changes that reduce your privacy protections without your affirmative consent.

Section 15 — Contact Us

For all privacy inquiries, data-access requests, deletion requests, or complaints:

Email: privacy@mydadfrom.com Mail: My Dad From Inc., [Registered office address — to be inserted upon incorporation] Privacy Officer: [To be appointed before launch — Privacy Officer, c/o privacy@mydadfrom.com] Response time: 30 days (US/Canada/Australia) / one month (UK)

Regulatory authorities (if we cannot resolve your concern):

Jurisdiction	Authority	Website
United States	Federal Trade Commission (FTC)	ftc.gov
United Kingdom	Information Commissioner's Office (ICO)	ico.org.uk
Canada	Office of the Privacy Commissioner (OPC)	priv.gc.ca
Canada (Quebec)	Commission d'accès à l'information (CAI)	cai.gouv.qc.ca
Australia	Office of the Australian Information Commissioner (OAIC)	oaic.gov.au

End of Privacy Policy — My Dad From Inc., v1.0 draft, 2026-04-30. Prepared for legal review and customization by counsel. Items remaining for counsel sign-off: (i) confirmed registered legal name; (ii) registered office address; (iii) Privacy Officer appointment; (iv) UK Data Protection Officer and Art. 27 representative appointment before UK launch; (v) confirmation of Canada (Ontario presumed) as jurisdiction of formation.