Privacy Notice for Parents and Guardians

A guide for parents about how Provii protects children's privacy through zero knowledge technology

Public

Privacy Notice for Parents and Guardians

Effective Date: 13 February 2026 Last Updated: 13 February 2026

Introduction

As a parent or guardian, you want to keep your child safe online while respecting their growing independence. This guide explains how Provii protects your child’s privacy through zero knowledge cryptography - a technology that makes age verification possible without collecting personal information.

Key Takeaway: Provii’s privacy protection isn’t just a policy promise - it’s grounded in mathematical properties of zero knowledge cryptography. Your child’s date of birth is sent once during credential setup to compute a cryptographic commitment (called a Pedersen commitment), but it is immediately discarded and never stored on our servers. After that, every age check uses a zero knowledge proof that reveals nothing about your child’s actual age or birthday.

What is Provii?

Provii is an age verification service designed to help young people prove they meet age requirements for online services without surrendering their personal information.

The Problem with Traditional Age Verification

Most age verification services require:

  • Uploading government-issued ID (passport, driver’s licence)
  • Providing date of birth
  • Sometimes facial recognition or selfie verification
  • Submitting this information to a centralised database

Risks:

  • Data breaches exposing children’s identity documents
  • Creation of profiles that can be tracked across websites
  • Permanent records of sensitive information
  • Potential for identity theft
  • No control over how data is used or shared

Provii’s Zero knowledge Solution

Provii uses cryptographic technology to enable age verification without collecting personal information:

  1. Credential Setup: Your child enters their date of birth once in the Provii wallet app
  2. Credential Creation: A cryptographic credential is created using zero knowledge proofs
  3. Privacy Preservation: The date of birth is sent once to our issuance server to compute a cryptographic commitment, then immediately discarded - it is never stored or logged
  4. Age Verification: When a website needs age verification, the wallet generates a mathematical proof
  5. Minimal Disclosure: The proof reveals only “meets age requirement” or “does not meet requirement” - nothing more

The Result: Your child can access age-appropriate content without creating a digital trail of personal information.

How Zero knowledge Privacy Works (For Parents)

You don’t need to be a cryptographer to understand this, but here’s a helpful analogy:

The Locked Box Analogy

Imagine your child has a locked box containing their birth certificate. A website asks, “Are you over 13?”

Traditional approach: The website demands to see the birth certificate. Your child must unlock the box and hand over the document. The website reads it, photocopies it, and stores it in their filing cabinet.

Zero knowledge approach: Your child’s locked box has a special window that can answer yes/no questions without revealing the contents. The website asks, “Are you over 13?” The box’s math-powered window checks the certificate inside and displays “Yes” or “No” - but the certificate never leaves the box, and the website never sees your child’s date of birth.

The Technical Reality

For technically-minded parents, here’s what actually happens:

1. Credential Creation (One-Time Setup)

  • Date of birth is input into the wallet app on your child’s device
  • The wallet uses a cryptographic commitment scheme (Pedersen commitments) to create a credential
  • A private key is generated and stored securely in the device’s secure enclave (iOS Keychain or Android Keystore)
  • Important detail: During initial credential issuance, the date of birth is transmitted once to our issuance server for cryptographic commitment computation. The date of birth is processed in memory only and immediately discarded. It is never written to disk, stored in a database, or included in any log

2. Age Verification (Each Time It’s Needed)

  • The website sends a challenge: “Prove you’re over [age threshold]”
  • The wallet app generates a zero knowledge proof (specifically, a Groth16 ZK-SNARK)
  • The proof mathematically demonstrates: “The date of birth in my credential, when compared to today’s date, shows I am over the threshold”
  • The proof is sent to Provii’s servers for verification
  • Provii verifies the mathematical validity of the proof
  • The website receives only “verification successful” or “verification failed”

What Provii’s servers see:

  • A string of numbers (the cryptographic proof)
  • Whether the proof is mathematically valid
  • What they CAN’T see: Your child’s date of birth, their actual age, or any identifying information

Mathematical properties: Zero knowledge proofs have three properties - completeness (valid proofs always verify), soundness (invalid proofs are rejected), and zero knowledge (no information beyond “true” or “false” can be extracted). This isn’t a policy; it’s mathematics.

What Data Maelstrom AI Collects About Your Child

The Complete List (It’s Short)

As parents, you deserve complete transparency. Here’s every piece of information Maelstrom AI collects:

Data CollectedPurposeHow Long RetainedHow Protected
IP Address (hashed with SHA-256)Fraud prevention, abuse detection, rate limiting, security investigation90 days, then automatically deleted; critical security event logs are retained for up to 365 daysPseudonymised (hashed), encrypted at rest, access-controlled
Verification Timestamps (anonymised)Security monitoring, service diagnostics90 daysNot linked to identity, aggregated for analytics
Challenge IDs (random UUIDs)Facilitate verification sessions5 minutes, then automatically deletedRandom session identifiers, not linked to identity
Credential Nullifiers (one-way hashes)Prevent credential replay attacks (stop someone from reusing credentials fraudulently)Checked against ban list onlyOne-way cryptographic hash, cannot be reversed

Critical Point: None of this data is personally identifiable. The IP address is hashed (scrambled), timestamps are anonymised, and challenge IDs are random numbers. By design, this data is not intended to be connected to your child’s identity.

What Provii Does NOT Collect

This is equally important. By architectural design, Provii does not collect and has no mechanism to collect:

Identity Information:

  • Full name
  • Email address
  • Phone number
  • Physical address
  • School name
  • Social security number

Identity Documents:

  • Passport
  • Driver’s licence
  • Birth certificate
  • Student ID
  • Any scanned documents or photos

Personal Attributes:

  • Date of birth (transmitted once during issuance to compute a cryptographic commitment, then immediately discarded - never stored or logged)
  • Actual age (only “over/under threshold” is revealed)
  • Place of birth
  • Nationality
  • Gender
  • Race or ethnicity

Biometric Data:

  • Facial recognition
  • Fingerprints
  • Iris scans
  • Voice recognition
  • Any other biometric identifiers

Behavioural Data:

  • Browsing history
  • Search queries
  • Location tracking or GPS data
  • App usage patterns
  • Social connections
  • Cross-site tracking

Device Identifiers:

  • Device IDs
  • Advertising identifiers (IDFA/GAID)
  • Browser fingerprints

Why this matters: If Maelstrom AI’s database were breached, there would be minimal personal information about your child at risk. A breach of our database would expose only pseudonymised operational data, not identity information.

COPPA Compliance (Children Under 13)

If your child is under 13 years old and you’re in the United States, the Children’s Online Privacy Protection Act (COPPA) applies.

COPPA Requirements

COPPA normally requires operators of online services to:

  1. Obtain verifiable parental consent before collecting personal information from children under 13
  2. Provide parents with notice of data collection practices
  3. Collect only information reasonably necessary for the service
  4. Protect children’s information through reasonable security measures

Provii’s COPPA Compliance

Key Distinction: Provii’s zero knowledge architecture means we do NOT collect personal information from children (or anyone else).

COPPA Definition of Personal Information includes:

  • First and last name
  • Home address
  • Email address
  • Telephone number
  • Social security number
  • Any identifier that permits physical or online contacting of a specific individual
  • Information concerning the child or parents that the operator collects online and combines with an identifier

What Provii Collects vs. COPPA:

  • IP addresses (hashed/pseudonymised) - not combined with identifiers
  • Timestamps (anonymised) - not linked to specific individuals
  • Challenge IDs (random session tokens) - not persistent identifiers
  • Credential nullifiers (one-way hashes) - cannot identify a specific individual

Result: Because Provii does not collect personal information as defined by COPPA, the consent requirements do not apply to Maelstrom AI-operated services.

Important Note: Websites using Provii for age verification are independently responsible for their own COPPA compliance. Provii provides the age verification mechanism; each website must ensure its own practices comply with COPPA.

Your Rights as a Parent (COPPA)

Even though COPPA consent doesn’t apply to Provii, you still have rights. You can request information about what data we have about your child (the answer will be minimal operational data only). You can request deletion of that data, though it automatically happens after 90 days anyway. And you can object to data processing, though the applicability is limited given how little we collect.

To Exercise Parental Rights: Email privacy@maelstrom.au with subject line “Parental Rights - COPPA”

UK Children’s Code Compliance (Age-Appropriate Design Code)

If your child is in the United Kingdom or uses UK-based services, the UK Age-Appropriate Design Code applies.

Children’s Code Requirements

The Information Commissioner’s Office (ICO) Children’s Code sets 15 standards for services likely to be accessed by children:

  1. Best Interests of the Child: Prioritise the best interests of the child in design and development
  2. Data Protection Impact Assessments: Conduct DPIAs for processing likely to result in high risk to children
  3. Age-Appropriate Application: Take a risk-based approach to recognising the age of users
  4. Transparency: Provide clear, age-appropriate privacy information
  5. Detrimental Use of Data: Don’t use children’s data in ways that could harm them
  6. Policies and Community Standards: Uphold published terms, policies, and community standards
  7. Default Settings: Settings must be “high privacy” by default
  8. Data Minimisation: Collect minimum data necessary
  9. Data Sharing: Avoid sharing children’s data unless necessary
  10. Geolocation: Default location tracking to “off”
  11. Parental Controls: Support parents in protecting their children
  12. Profiling: Default “off” for profiling children
  13. Nudge Techniques: Don’t use techniques that encourage children to weaken privacy protections
  14. Connected Toys and Devices: Provide clear information about data collection
  15. Online Tools: Provide prominent, accessible tools to exercise data rights

Provii’s Children’s Code Compliance

StandardHow Provii Complies
1. Best InterestsZero knowledge architecture prioritises privacy over data collection
2. DPIAsDPIA conducted for age verification processing
3. Age-Appropriate ApplicationAge-tiered notices (kids, teens, parents); simplified interfaces
4. TransparencyAge-appropriate privacy notices at three reading levels
5. Detrimental UseWe don’t collect enough data to use detrimentally
6. Policies and StandardsPublished privacy policy, terms of service, and compliance docs
7. Default SettingsHigh-privacy defaults; no optional data collection to enable
8. Data MinimisationArchitecturally minimised. we collect almost no data
9. Data SharingMinimal sharing (only Cloudflare for infrastructure)
10. GeolocationWe don’t collect location data
11. Parental ControlsThis guide empowers parents; wallet can be uninstalled anytime
12. ProfilingArchitecturally designed to make profiling impractical; no data collected to profile with
13. Nudge TechniquesNo dark patterns; straightforward interface
14. Connected ToysN/A. software service only
15. Online ToolsDSAR process available; parents can request deletion

Verification: Provii’s compliance can be verified through:

  • Open source code (anyone can audit our privacy claims)
  • Independent security assessments (planned for Q3 2026)
  • This transparent privacy documentation

How to Talk to Your Child About Privacy

Having conversations about online privacy can be challenging. Here are some age-appropriate talking points:

For Younger Children (Under 10)

Keep it simple:

  • “Provii helps you prove you’re old enough without telling anyone your birthday”
  • “Your birthday is sent to Provii once when you set up the app, but they don’t keep it - after that, it stays on your phone”
  • “It’s like having a secret password that proves you’re old enough, but doesn’t tell people how old you are”
  • “Always ask a grown-up before putting your name, birthday, or other information into apps or websites”

For Tweens (10-12)

Introduce concepts:

  • “Many websites and apps collect information about you and sell it. Provii is different - it uses special math to prove your age without collecting information”
  • “Your birthday is private information. You should only share it with people you trust, and only when absolutely necessary”
  • “Provii keeps your birthday on your phone. Even the company that made Provii can’t see it”
  • “If a website asks for your date of birth, talk to me first. We can figure out if it’s safe or if there’s a better way (like using Provii)“

For Teens (13-17)

Encourage critical thinking:

  • “Privacy is a right. You shouldn’t have to give up personal information to prove you’re old enough for age-appropriate content”
  • “Zero knowledge technology is how Provii works. Your date of birth is processed on your device using cryptography. The proof sent to websites reveals only ‘yes’ or ‘no’ - nothing about your actual age”
  • “Think critically about what information you share online. Once you give it to a company, you lose control over it”
  • “Provii gives you control - your credentials are in your wallet, not in some company’s database that could be hacked”
  • “I trust you to use this responsibly. If you have questions about privacy or whether something is safe, I’m here to help”

General Privacy Principles for All Ages

Teach these habits:

  1. Question data collection: “Why does this app need my birthday/location/contacts?”
  2. Read privacy policies: (Or at least the summary - we made ours readable!)
  3. Use privacy-preserving tools: Like Provii, VPNs (for older teens), and privacy-focused browsers
  4. Understand trade-offs: Sometimes convenience comes at the cost of privacy
  5. Know your rights: You can ask companies what they know about you and request deletion

Parental Rights and Controls

What You Can Do

As a parent or legal guardian, you have the following rights regarding your child’s use of Provii:

1. Right to Access (Data Subject Access Request)

What it means: You can request a copy of all data Maelstrom AI holds about your child.

How to exercise:

  • Email privacy@maelstrom.au
  • Subject line: “Parental Access Request”
  • Include: Your child’s approximate verification dates (if known)
  • Verification: We’ll verify your parental relationship

What you’ll receive:

  • IP address logs (if within 90-day retention window) - hashed/pseudonymised
  • Verification timestamps (anonymised)
  • Confirmation that no other personal data is held
  • Explanation of zero knowledge architecture

Response time: 30 days (may extend to 60 days for complex requests)

2. Right to Delete

What it means: You can request deletion of data related to your child.

How to exercise:

  • Email privacy@maelstrom.au
  • Subject line: “Parental Deletion Request”
  • Specify: Date range or “all data”

What happens:

  • IP logs deleted immediately (if still within 90-day window)
  • Challenge records already auto-deleted after 5 minutes
  • Verification timestamps can be deleted
  • Wallet data: You or your child should uninstall the app to delete local credentials

Note: Most data automatically deletes after 90 days anyway.

3. Right to Object

What it means: You can object to processing of your child’s data.

How to exercise:

Options:

  • Request immediate deletion
  • Stop using Provii services
  • Use technical measures (VPN/Tor) to prevent IP logging

4. Right to Complain

What it means: If you believe Maelstrom AI violated your child’s privacy rights, you can complain to a supervisory authority.

Where to complain:

What it means: If your child’s use requires consent, you can withdraw it.

How to exercise:

  • Uninstall the Provii wallet app from your child’s device
  • Request deletion of server-side data (see Right to Delete above)

Monitoring Your Child’s Use

Wallet App Controls:

  • The Provii wallet is installed on your child’s device
  • You can review the app and its permissions
  • You can uninstall it at any time
  • Credentials are stored locally (device keychain/keystore)

What Maelstrom AI Cannot Help With:

  • We cannot provide logs of which websites your child visited (we don’t collect this)
  • We cannot restrict which websites your child accesses (parental control software may help)
  • We don’t have an account system, so there’s no “parent dashboard”

Recommendation: Use device-level parental controls in combination with Provii:

  • iOS Screen Time
  • Android Family Link
  • Third-party parental control software

Security and Data Protection

How Maelstrom AI Protects Your Child’s Data

Encryption:

  • In transit: TLS 1.3 encryption (bank-grade security) for all data transmission
  • At rest: AES-256 encryption for any data stored on servers
  • On device: iOS Keychain or Android Keystore protects wallet credentials
  • Zero knowledge proofs: Groth16 ZK-SNARKs provide cryptographic privacy assurance

Access Controls:

  • Multi-factor authentication for administrators
  • Role-based access control (principle of least privilege)
  • All administrative actions logged and audited
  • Regular access reviews

Testing and Audits:

  • Automated security scanning (continuous)
  • Dependency vulnerability monitoring
  • Penetration testing (planned annually)
  • Responsible disclosure programme (security@maelstrom.au)
  • Open source code (public auditing)

Organisational Measures:

  • ISO 27001:2022-aligned information security management
  • Staff security training
  • Incident response plan (24/7)
  • Data breach procedures (notification within 72 hours if required)

What Happens if There’s a Data Breach?

Low Risk: Due to minimal data collection and zero knowledge architecture, a breach involving your child’s personal data is highly unlikely.

If a breach occurs:

  1. We’ll contain it immediately
  2. Assess what data (if any) was affected
  3. Notify supervisory authorities within 72 hours (if required by GDPR)
  4. Notify affected individuals if there’s high risk to rights and freedoms
  5. Document the incident and implement improvements

What would be at risk:

  • IP address logs (already hashed/pseudonymised, limited usefulness)
  • Verification timestamps (anonymised, not linked to individuals)
  • No date of birth, name, or identity documents to breach (not collected)

Contact for security concerns: security@maelstrom.au

Third-Party Services and Data Sharing

Who Processes Your Child’s Data

Cloudflare, Inc. (Infrastructure Provider)

Services provided:

  • Cloud hosting
  • DDoS protection
  • Content delivery network
  • Serverless computing

Data shared:

  • IP addresses (for service delivery and security)
  • Zero knowledge proofs (cryptographic data, not personal information)
  • Challenge records (random UUIDs)

Location: United States, European Union, Asia-Pacific (global infrastructure)

Safeguards:

  • Standard Contractual Clauses (EU-approved)
  • Data Processing Agreement
  • ISO 27001 and SOC 2 Type II certified (supplier-held, via Cloudflare)
  • GDPR-compliant infrastructure

What Cloudflare cannot see: Your child’s date of birth, identity, or any personal information beyond what’s listed above.

Cloudflare’s privacy policy: https://www.cloudflare.com/privacypolicy/

What We Don’t Do

  • We do NOT sell your child’s data
  • We do NOT share data with advertisers
  • We do NOT work with data brokers
  • We do NOT use third-party analytics that track users
  • We do NOT integrate with social media platforms
  • We do NOT monetize your child’s information

Our business model: Websites pay Provii for age verification services. We make money from service fees, not data exploitation.

International Data Transfers

If you and your child are in the EU, UK, or other jurisdictions with data transfer restrictions:

Where data may be processed:

  • United States (Cloudflare headquarters)
  • European Union (Ireland, Germany, France, other member states)
  • United Kingdom
  • Asia-Pacific (Singapore, Australia, Japan)
  • Other Cloudflare edge locations globally

Protections in place:

  • Standard Contractual Clauses (EU Commission Decision 2021/914)
  • UK International Data Transfer Agreement
  • Transfer Impact Assessment completed (low risk)
  • Supplementary measures: encryption, pseudonymization, minimal retention

Why risk is low:

  • Minimal data transferred (IP addresses only, hashed)
  • No sensitive personal data
  • Short retention (90 days)
  • Strong encryption

Data Retention

How Long Data is Kept

Data TypeRetention PeriodDeletion Method
IP addresses (hashed)90 days; critical security event logs are retained for up to 365 daysAutomatic expiry via Grafana Loki tenant retention (Cloudflare Workers Logs sink)
Challenge records5 minutesAutomatic expiry via Workers KV TTL
Verification timestamps90 daysAutomated deletion via Workers KV TTL
Wallet credentialsUntil app uninstalledUnder your/your child’s control on device

Automatic deletion: Maelstrom AI uses time-to-live (TTL) mechanisms that automatically delete data. No manual cleanup required.

Early deletion: You can request deletion before automatic expiry (see “Right to Delete” above).

Wallet data: Your child’s date of birth and credentials are stored locally on their device. To delete, simply uninstall the app. No trace of your child’s date of birth remains on Maelstrom AI’s servers because it was processed ephemerally during initial credential issuance and immediately discarded. it was never stored, logged, or retained.

Cookies and Tracking

What Cookies Provii Uses

We don’t currently use any cookies on our website.

  • Cloudflare infrastructure cookies may be set by Cloudflare’s infrastructure (bot management, security challenges, load balancing - not set by our application code)

What Provii Does NOT Use

  • Advertising cookies
  • Marketing cookies
  • Analytics cookies (client-side)
  • Social media cookies
  • Behavioural tracking cookies
  • Cross-site tracking
  • Persistent user identifiers

No analytics: The website runs no analytics or real user monitoring by design. No data about visits is collected at the application level.

Result: Provii is designed so your child cannot be tracked across websites. We don’t create profiles or collect behavioural data.

Questions and Concerns

How to Contact Us

Primary contact: privacy@maelstrom.au

For parental inquiries:

  • Subject line: “Parental Inquiry - [Topic]”
  • Response time: 2 business days

For data subject requests:

  • Subject line: “Parental Rights - [Type]”
  • Types: Access Request, Deletion Request, Objection, Complaint
  • Response time: 30 days (GDPR), 45 days (CCPA)

For security concerns:

Mailing address: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust Trading as: Provii PO Box 169, St Arnaud VIC 3478 Australia

Common Parent Questions

Q: Can Provii track which websites my child visits? A: No. Provii only verifies age. We don’t know which websites your child accesses, and we don’t track their browsing.

Q: Can you tell me my child’s verification history? A: We can provide anonymised timestamps of verifications within the retention period (90 days), but we cannot identify which specific websites were accessed because we don’t collect that information.

Q: What if my child loses their device? A: Wallet credentials are protected by device-level security (iOS Keychain, Android Keystore). If the device is lost, the credentials can be re-created on a new device by re-entering the date of birth. No data needs to be recovered from Maelstrom AI’s servers.

Q: Can I set up the wallet for my child? A: Yes. You can help your child set up the wallet app, including entering their date of birth. Once set up, the credential is on the device and can be used for age verification.

Q: What if my child enters the wrong date of birth? A: They can re-issue their credential in the wallet app with the corrected date of birth. This requires the corrected date to be sent to the issuer server once (just like the original setup), where a new cryptographic commitment is computed and the date of birth is immediately discarded.

Q: How do I know Maelstrom AI is telling the truth about privacy? A:

  1. Our cryptographic implementations are available for independent security audit
  2. Zero knowledge cryptography is mathematically provable
  3. Independent security assessments (planned for Q3 2026)
  4. Designed to meet GDPR, COPPA, and Children’s Code requirements (self-assessed)
  5. This transparent privacy documentation

Q: Can I disable Provii’s data collection entirely? A: The minimal data collection (IP addresses for fraud prevention) is necessary for service operation. However, your child can use a VPN or Tor to prevent IP logging. Our system fully supports this.

Q: What if my child is using Provii inappropriately? A: Provii only verifies age - it doesn’t grant access to specific content. If you’re concerned about your child’s online activity, consider device-level parental controls, browser restrictions, or having a conversation about responsible internet use.

Additional Resources

For you (parents):

For your child:

External resources:

Our Commitment to Families

At Maelstrom AI, we believe:

  • Children deserve privacy and security online
  • Age verification shouldn’t require surrendering personal information
  • Parents should have transparency and control
  • Privacy should be accessible, not just for technical experts
  • Technology can be both functional and privacy-preserving

We built Provii to prove these principles are possible.

During initial credential issuance, your child’s date of birth is transmitted once to our issuance server for cryptographic commitment computation. The date of birth is processed in memory only and immediately discarded. it is never written to disk, stored in a database, or included in any log. All subsequent age verifications use zero knowledge proofs that mathematically prove age eligibility without revealing the date of birth. This isn’t a policy we can change - it’s mathematics.

Thank you for trusting Provii to help protect your child’s privacy.

Questions? Concerns? We’re here to help.

Contact us at privacy@maelstrom.au

Last Updated: 13 February 2026 Effective Date: 13 February 2026 Version 1.0

© 2026 Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust. Protecting children’s privacy through technology, not promises.