# Children’s Privacy and Age-Appropriate Design Policy

> **Customization required.** This template is provided for policy operations and counsel review. Replace every `NEXQ-reviewed value`, verify every factual statement, and confirm applicability before publication. The template is not legal advice and does not create an attorney-client relationship.

**Effective date:** September 18, 2024  
**Last updated:** September 18, 2024  
**Owner:** NEXQ privacy, security, and legal operations  
**Applies to:** NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services

This policy governs services directed to children, likely to be accessed by minors, or knowingly processing children’s or minors’ data.

## 1. Default rule
The services are not directed to children under 13 unless expressly designated. Do not knowingly collect personal information from children under 13 without required verifiable parental consent and privacy review.

## 2. Child-directed or mixed-audience services
Before launch, complete a Children’s Privacy Impact Assessment covering audience, age screening, data minimization, parental notice/consent, third-party disclosures, advertising, retention, security, deletion, and parental rights.

## 3. Advertising and monetization
Do not use children’s personal information for targeted advertising or third-party advertising without required parental opt-in or other lawful authorization. Avoid behavioral advertising to children and minors unless legal counsel approves.

## 4. Teens and minors under 18
Services likely to be accessed by minors must consider privacy-by-default, age-appropriate notices, high-privacy defaults, geolocation limits, profiling limits, dark-pattern avoidance, parental controls where appropriate, and harm assessments required by state laws.

## 5. School and education contexts
If services are provided to schools, verify FERPA, state student privacy laws, school contract restrictions, and parental/student rights before collecting student data.

## 6. Deletion
Delete children’s personal information when no longer needed, when parental consent is withdrawn, or when required by law.

## Audit addendum
Child-directed or mixed-audience products must complete a COPPA and state minor-law review before launch. Do not collect personal information from children under 13 without required verifiable parental consent, direct notice, data minimization, retention limits, parental rights workflows, vendor controls, and advertising/behavioral profiling restrictions. School-directed services must also complete the Education and FERPA Policy review.
