Privacy

Privacy Policy

Last updated: May 2, 2026

tinycoders is a place for kids to publish websites with help from their parents and AI tools. Because kids are at the center of what we do, we built the platform to collect as little as possible, give parents complete control, and never share data with advertisers.

This page explains exactly what we collect, why, who else sees it, and how to delete it. We've written it in plain language. If anything is unclear, email privacy@tinycoders.ai.

The short version

Kids don't create accounts. Only parents do.
The only personal info we collect about your kid is what you (the parent) choose to upload as part of their site.
Every change to a kid's site requires the parent's explicit approval click before going live.
We don't run ads, don't track users, don't sell data, and don't share with anyone except service providers we need to operate (Clerk for sign-in, Cloudflare for hosting).
You can review, correct, and delete everything from your dashboard at any time.

Who we are

"tinycoders," "we," and "our" mean tinycoders, the operator of tinycoders.ai and *.tinycoders.dev. The service lets parents claim a subdomain for their child and publish a static website made by the family — typically with help from AI tools like Claude.

What we collect

From parents (account holders)

Name and email address, via your sign-in (Clerk handles authentication for us, including Google sign-in).
An OAuth identifier if you sign in with Google.
Account activity — when you sign in, claim a subdomain, approve or reject a deploy. Used to keep an audit trail and operate the service.
CLI tokens if you use the command-line tool. We store only a one-way hash; we never see the plain token after creation.

From kid sites (content uploaded by parents)

The files in each deploy you upload — HTML, CSS, JavaScript, images, fonts, etc. Whatever your kid creates and you choose to publish.
The chosen subdomain slug (e.g., emma).
Optional display name shown only on your dashboard.

We treat every kid site as content you (the parent) chose to publish. You review and approve every change before it goes live. You can delete any past version, or the entire site, at any time from your dashboard.

From visitors of kid sites

Standard server logs: IP address, request URL, user agent, timestamp, response code.
These logs exist to keep the platform secure and operational. They are not used for advertising, profiling, or any third-party purpose.
We do not use cookies on kid sites.

What we deliberately don't collect

We do not ask kids for an email, age, birthday, full name, photo, school, location, or any other personal info.
We do not run analytics or behavioral tracking (Google Analytics, Segment, Mixpanel, etc.).
We do not place advertising cookies.
We do not collect biometric data, voiceprints, or precise geolocation.

How we use what we collect

Account information: to sign you in, associate sites with the right account, and respond to support requests.
Kid site content: to host and serve the site at <slug>.tinycoders.dev.
Server logs: to operate, secure, and debug the service. Old logs are rotated automatically.
Email address: to send service-critical messages (a deploy needs your review, an account is being closed, a security issue affects you, this policy is changing). No marketing email, ever, unless you opt in separately.

Who we share with

We use a small number of service providers to operate the platform. Each one only sees what they need to do their job, and none of them are allowed to use your information for their own purposes.

Clerk

Handles parent sign-in. Sees your email, name, and (if you sign in with Google) your OAuth identifier. Clerk's privacy policy.

Cloudflare

Hosts the platform — Workers, R2 storage, D1 database, DNS, edge network. All requests to tinycoders.ai and tinycoders.dev pass through Cloudflare. Cloudflare's privacy policy.

Google (only if you choose Google sign-in)

If you sign in with Google, Google sees the request and provides us your name and email. You can revoke this access from your Google account at any time.

We do not sell, rent, or share your data with advertisers, data brokers, or AI training companies. Period.

We may disclose information if required by valid legal process (subpoena, court order). When we can, we'll let the affected account holder know.

Children's privacy

Our COPPA notice to parents

tinycoders is directed to children under 13. The U.S. Children's Online Privacy Protection Act (COPPA) gives parents specific rights and places specific obligations on us. This section explains how we meet them.

Kids do not have accounts

Only adults (18 or older) can create an account on tinycoders. Kids never sign up, never sign in, and never give us their email, age, or any other personal info directly. The parent is the only account holder, and the parent is the publisher of every page that appears on their kid's subdomain.

What we collect about a child

We collect only what the parent uploads as part of their child's site. That can include text, images, audio, or other media the family creates. We don't ask for, scrape, or infer any other personal info about the child.

How we get parental consent

Two layers:

Account creation. When you create your tinycoders account, you confirm you are the parent or legal guardian and that you consent to the practices described in this policy.
Per-publish approval. Every change to a kid's site requires you to click Approve in your dashboard before it goes live. We treat every approval click as your renewed, content-specific consent for that particular publication.

Your parental rights

At any time, you can:

Review what we have — your dashboard shows your kid's claimed slug, every uploaded version, and the current live version.
Refuse further collection — reject any pending deploy, or stop using the CLI/dashboard.
Delete any past version individually, or delete the entire site (which removes all versions and frees the slug). Deletion happens immediately and is permanent — we don't keep "graveyard" copies.
Close your account — email privacy@tinycoders.ai and we'll delete your account and all associated content within 30 days. We'll confirm by email when it's done.

We never condition use on extra info

We never require kids (or parents) to disclose more personal information than is strictly necessary to use tinycoders.

Questions about your kid's privacy

Email privacy@tinycoders.ai or safety@tinycoders.ai. We respond within one business day for safety concerns and within five business days for general privacy questions.

How we protect your data

Encryption in transit — TLS on every request to tinycoders.ai and tinycoders.dev.
Encryption at rest — provided by Cloudflare R2 and D1.
Authentication via Clerk — industry-standard session handling, no passwords ever touch our servers.
Origin isolation — kid sites live on a separate registrable domain from your account, so a misbehaving site can't read your authentication cookies.
Strict Content Security Policy on kid sites — no third-party scripts, no inline JavaScript, no advertising or tracking origins.
Hashed CLI tokens — only the SHA-256 hash is stored; we cannot recover or read your plain token.

How long we keep things

Active account data: as long as the account exists.
Deploys you delete: removed from R2 and the database immediately. We don't keep backups of individual deleted deploys.
Sites you delete: every version of the site is removed from R2 and the database immediately, and the subdomain is freed for someone else to claim.
Account closure: account, sites, deploys, and CLI tokens deleted within 30 days of your request. Server logs are rotated on a rolling 30-day schedule.

Cookies

We use only cookies that are strictly necessary for the platform to work:

Clerk session cookies on tinycoders.ai — keep you signed in to your dashboard.
Cloudflare security cookies — protect against attacks and bots.

We do not place advertising cookies or analytics cookies. Kid sites at *.tinycoders.dev do not have any cookies set by us.

U.S. state privacy rights

Several U.S. states (California, Colorado, Connecticut, Virginia, Utah, Texas, and others) give residents specific privacy rights on top of what's described above. Our state privacy rights notice explains those rights in detail and how to exercise them. Short version: we honor every right listed there for everyone, regardless of where you live.

Where data lives

tinycoders runs on Cloudflare's global edge network. Your data may be stored or processed in countries other than your own. Cloudflare and Clerk both publish data-locality and cross-border transfer details on their respective sites.

Changes to this policy

If we make a material change, we'll email account holders at least 30 days in advance and post a notice on this page. The "Last updated" date at the top always reflects the current version. Continued use after changes take effect means you accept the updated policy.

Contact

Privacy questions: privacy@tinycoders.ai
Safety / kid-site reports: safety@tinycoders.ai
Everything else: hello@tinycoders.ai