U.S. state privacy rights
Last updated: May 2, 2026
This page supplements our main Privacy Policy with rights and disclosures specific to certain U.S. states. We honor every right listed here for everyone, regardless of where you live — that's how we want to run things.
Rights we honor for everyone
Whether or not your state requires it, we'll honor each of these on request:
- Right to know — see what personal information we have on you.
- Right to access — get a copy of that information in a portable format.
- Right to correct — fix inaccuracies.
- Right to delete — remove your account, your kid's site, and all stored content. (You can already do most of this from your dashboard.)
- Right to opt out of sale or sharing — we don't sell or share personal information, so there's nothing to opt out of, but the right exists if our practices ever change.
- Right to opt out of targeted advertising — we don't do targeted advertising. Same point.
- Right to limit use of sensitive information — we don't process sensitive personal information beyond what's strictly required to authenticate you.
- Right against discrimination — we won't deny service, raise prices, or degrade your experience because you exercised any of these rights.
California (CCPA/CPRA)
If you're a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you specific rights. This section is your CCPA notice at collection.
Categories of personal information we collect
In CCPA's vocabulary:
- Identifiers — name, email address, account ID, IP address (in server logs).
- Internet/network activity — server logs (request URL, timestamp, response status) tied to operating and securing the platform.
- Customer records — your sign-in identifier from Clerk and (if you used Google sign-in) the Google OAuth identifier.
- User-generated content — the files in deploys you upload as the parent.
We do not collect: precise geolocation, biometric information, racial or ethnic origin, religious beliefs, mental or physical health information, sexual orientation, union membership, or genetic data.
Sources
- Directly from you (your sign-up, what you upload, what you click).
- From Clerk and (when applicable) Google as authentication providers.
- Automatically from your device (server logs from requests to our domains).
Purposes
- To authenticate you and operate your account.
- To host and serve your kid's published site.
- To keep the platform secure and detect abuse.
- To respond to support, safety, and privacy requests.
- To send service-critical email notifications.
Disclosures and "sharing"
We disclose personal information to our service providers — Clerk (sign-in), Cloudflare (hosting and edge network), and Google (only when you explicitly choose Google sign-in) — for the limited purposes listed above and only as permitted by contract.
We do not sell personal information for money or other valuable consideration, and we do not share it for cross-context behavioral advertising. We never have, and we have no plans to.
Sensitive personal information
The only category that might brush against the CCPA's "sensitive personal information" definition is your account login credentials managed by Clerk. We use them solely to authenticate you. Under CCPA, you would have the right to limit our use of sensitive personal information for additional purposes — there are no such additional purposes here.
Retention
We retain account data while your account is active. Deleted deploys and deleted sites are removed immediately. On account closure, we delete your account, sites, deploys, and CLI tokens within 30 days. Server logs are rotated on a rolling 30-day schedule.
How to exercise California rights
Email privacy@tinycoders.ai from the email address on your account, or use the deletion controls in your dashboard. We'll respond within 45 days; if we need an extension, we'll tell you and respond within 90 days total.
Authorized agents
You may designate an authorized agent to make a request on your behalf. We'll ask for written, signed authorization (or proof of power of attorney) and may verify directly with you before acting.
Universal opt-out signals
We honor Global Privacy Control (GPC) signals. Since we don't sell or share personal information, the practical effect is none, but we recognize the signal as a do-not-share preference and treat it as binding.
California minors
tinycoders is directed to children, so we never sell or share personal information of users we know to be under 18 (and never sell or share any user's personal information regardless). Under California Business & Professions Code §22581, a minor who registered for a service may request removal of content they posted; in our model, the parent (account holder) can do this directly from the dashboard at any time.
We design with the principles of California's Age-Appropriate Design Code in mind — data minimization for kids, no dark patterns, no precise geolocation, default privacy settings at the highest available level — even where specific provisions are subject to ongoing legal challenge.
"Shine the Light" (Cal. Civ. Code §1798.83): we don't share personal information with third parties for their direct marketing purposes, so there's nothing to disclose under this statute.
Colorado (CPA)
Colorado residents have rights under the Colorado Privacy Act:
- Access the personal data we have about you.
- Correct inaccuracies.
- Delete your data.
- Receive a portable copy.
- Opt out of (a) the sale of personal data, (b) targeted advertising, and (c) profiling that produces legal or similarly significant effects. We do none of these, but the rights stand.
Email privacy@tinycoders.ai to make a request. We'll respond within 45 days. If we deny a request, you may appeal within 30 days by replying to our denial; if your appeal is denied you may contact the Colorado Attorney General.
Connecticut (CTDPA)
Connecticut's Data Privacy Act gives residents rights similar to Colorado: access, correction, deletion, portability, and opt-out of sale, targeted advertising, and certain profiling. We honor all of them.
Connecticut also has specific protections for users known to be under 18. We will not process the personal data of a known minor for targeted advertising or sale, will not sell such data, and will not use it for profiling that produces legal or similarly significant effects — none of which we do for any user. Same request channel: privacy@tinycoders.ai; same 45-day response window with the right to appeal a denial.
Virginia (VCDPA)
Virginia residents have access, correction, deletion, portability, and opt-out (sale, targeted ads, significant profiling) rights under the Virginia Consumer Data Protection Act. Same request channel and timeline.
Utah (UCPA)
Utah residents have access, deletion, portability, and opt-out of sale and targeted advertising rights. Utah's law is narrower than Colorado's or Connecticut's, but we honor the full universal rights list above.
Texas (TDPSA)
The Texas Data Privacy and Security Act applies more broadly than most state laws — it applies to any business that processes Texans' personal data and is not a "small business" under the SBA, regardless of revenue thresholds. Texans have access, correction, deletion, portability, and opt-out rights.
As required by Texas law, we explicitly state:
- We do not sell personal data for monetary or other valuable consideration.
- We do not engage in targeted advertising.
- We do not process biometric or genetic data for identification.
Same request channel: privacy@tinycoders.ai.
Other states with privacy laws
A growing list of states have enacted comprehensive consumer privacy laws — Iowa, Indiana, Tennessee, Montana, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, and Rhode Island, among others. Specifics vary, but the rights all overlap substantially with the universal list at the top of this page. If you live in any of these states (or any state) and want to exercise a privacy right, email privacy@tinycoders.ai and we'll handle your request under whichever framework gives you the strongest protection.
State laws specifically about kids
Several states have passed laws targeting platforms that serve minors. A note on each:
California Age-Appropriate Design Code (AB 2273)
Although portions of the AADC are subject to ongoing litigation, we follow its core principles by design — data minimization for users known to be children, no dark patterns, no precise geolocation, no profiling, default privacy settings at the highest available level.
Florida HB 3 (Social Media for Minors)
Florida HB 3 restricts certain "social media platforms" from accepting accounts by minors. tinycoders is not a social media platform under HB 3's definition — there are no algorithmic feeds, no follower or friend graph, no direct messaging, and no public profiles. Children also do not create accounts on our service. So HB 3 does not apply, but we share the goal of keeping kids out of harmful environments online.
New York SAFE for Kids Act
The SAFE Act regulates "addictive feeds" served to minors. tinycoders has no algorithmic feeds at all, so the SAFE Act does not apply.
Connecticut, Maryland, and other states' kid-specific provisions
Connecticut, Maryland, and a handful of other states have added kid-specific provisions to their general privacy laws — generally requiring opt-in (rather than opt-out) for targeted advertising or sale of minors' data. We never sell or share data and never run targeted advertising, so these provisions are met by default.
How to exercise any privacy right
- Email privacy@tinycoders.ai from the address on your account, or send the request from your dashboard's account settings.
- Tell us which right you're exercising and which state you're a resident of (so we know which framework's clock applies).
- If you're using an authorized agent, include written authorization or proof of power of attorney.
- We'll verify by replying to that email and may ask one or two questions to confirm account ownership.
- We respond within 45 days. If we need a 45-day extension, we'll tell you why before the first 45 days are up.
- If we deny your request, we'll explain why. You can appeal within 30 days by replying — and you can always escalate to your state's attorney general after that.
Questions
Email privacy@tinycoders.ai. We don't outsource privacy requests — a real human reads every one.