Age Verification Policy
Introduction
Welcome to Chickitik's Age Verification Policy. This document explains how we verify the age of parents and guardians before allowing the creation of a child profile.
About Chickitik:
Chickitik is a safe children's reading platform providing fairy tales, stories, and fables for children aged 0 and up. We take child protection and compliance with children's data privacy laws seriously.
Purpose of this document:
This policy describes:
• Why we verify parents' age
• What verification methods we use
• How the verification process works
• What happens to verification data
• Your rights as a parent
Legal basis:
Our age verification policy is based on:
• COPPA (Children's Online Privacy Protection Act) — USA
• GDPR Article 8 — European Union
• Finnish Personal Data Act — Finland
These laws require us to obtain verifiable parental consent before collecting data from children under 13 (COPPA) or 16 (GDPR, with the possibility of lowering to 13 in some EU countries).
Our approach:
We use passwordless authentication via email as our primary verification method. This is a simple, secure, and effective way to confirm that you are indeed an adult with access to an email address.
Important to understand:
✓ Verification is mandatory for all parents
✓ The process is quick and simple
✓ We don't store unnecessary data
✓ You can withdraw consent at any time
Last updated:
This policy was last updated on November 1, 2025. We may periodically update this policy to comply with changes in legislation or our practices.
Why We Verify Age
Verifying the age of parents is not just a legal requirement. It is a fundamental measure to protect children in the online environment.
Legal requirements:
1. COPPA (USA):
• Requires verifiable parental consent for children under 13
• Website operators must use reasonable efforts to obtain consent from a parent, not from a child
• FTC (Federal Trade Commission) defines acceptable verification methods
2. GDPR Article 8 (EU):
• Requires parental consent for children under 16 (or a lower age limit of 13 to 15, depending on the EU country)
• Data controller must make reasonable efforts to verify that consent is given or authorized by the parent
• Takes into account available technology
3. Finnish Personal Data Act:
• In Finland, the age of digital consent is set at 13 years
• Parental consent required for children under 13
Child protection:
Age verification protects children from:
Unauthorized data processing:
• Children may not understand the consequences of providing personal information
• Parents have the right to control what information is collected about their children
• Without verification, children can easily pretend to be adults
Inappropriate content:
• While all Chickitik content is designed for children, parents should control access
• Parents know their child's readiness for different types of content best
Online risks:
• Parents can make informed decisions about child's digital presence
• Control over which platforms the child interacts with
Practical reasons:
1. Responsible use:
• Parents understand responsibility for child's online actions
• Can teach children safe behavior
• Monitor time spent reading
2. Communication with parents:
• We can contact parents on important matters
• Privacy policy notifications
• Service feature information
3. Informed consent:
• Parents read and understand our privacy policy
• Make an informed decision about creating child profile
• Know their rights and how to exercise them
Ethical obligations:
Beyond laws, we believe that:
• Children deserve special protection online
• Parents have the right and duty to control children's digital life
• Transparency about children's data is the right thing to do
• Respect for family privacy is critical
Balance of interests:
We strive to find a balance between:
✓ Protecting children's privacy
✓ Convenience for parents
✓ Compliance with laws
✓ Providing valuable educational content
Who Must Verify
Age verification is mandatory for certain categories of users. Let's clarify who exactly must go through this process.
Mandatory verification for:
1. Parents and legal guardians:
• Any adult creating a profile for a child under 13
• Must confirm they are indeed a parent or legal guardian
• Must have access to a valid email address
2. Foster parents:
• Persons with legal custody rights over a child
• Must have the right to make decisions on behalf of the child
3. Official guardians:
• Persons appointed by court or custody authorities
• Having documents confirming custody rights
Who should NOT verify:
❌ Children:
• Children should not and cannot create profiles independently
• Even teenagers 13+ cannot create a profile without parental control
• Chickitik is exclusively for use under parental supervision
❌ Other adults:
• Grandparents, aunts, uncles (if not legal guardians)
• Teachers or caregivers
• Older siblings
• Family friends
Note: These individuals can use Chickitik with the child, but only if the profile was created by a parent or legal guardian.
Special cases:
1. Split custody:
If parents have split custody:
• Each parent can create their own account
• Both parents must verify
• Each controls child profiles in their account
2. Joint custody:
With joint custody:
• One account can be created by one parent
• Second parent can access through shared email
• Both parents are responsible
3. Institutional custody:
For children's institutions, orphanages:
• Official representative of institution verifies
• Must provide documents confirming authority
• Contact us: info@itcoti.fi for special conditions
Custody rights confirmation:
When creating a child profile, you confirm that:
✓ You are a parent or legal guardian
✓ You have the right to make decisions about child's data processing
✓ You are responsible for actions taken under this account
✓ You are not creating a profile for someone else's child without parents' permission
Age requirements:
For parents/guardians:
• Must be over 18 years old
• Must be legally competent
• Must have the right to give consent
For children:
• Profile can be created for a child from 0 to 17 years
• Child's date of birth is mandatory
• Child's name is optional (can be alias)
Multiple children:
You can create profiles for:
• Up to 5 children per parental account
• Each child must have separate profile
• Separate birth date needed for each child
What happens in case of violation:
If we discover that:
• Profile created by child pretending to be adult
• Profile created without parental permission
• Verification data is false
We have the right to:
• Immediately block account
• Delete child profile
• Request additional verification
• If necessary — contact law enforcement
Important to understand:
Verification is not just a formality. It protects your child and ensures compliance with the law. We take this process seriously and expect the same from parents.
Verification Methods
We use several methods to verify parents' age. The main method is passwordless authentication via email. Let's look in detail at how this works.
Main method: Email verification
This is our primary age verification method. It is based on the assumption that only adults have access to a valid email address.
Why email verification:
1. Accessibility:
• Most adults have email
• No additional documents required
• Fast and convenient
2. Security:
• Confirms address ownership
• Codes valid only 24 hours
• Protection from automated bots
3. Privacy:
• No documents required
• Minimal data collection
• GDPR and COPPA compliant
4. Efficiency:
• Process takes 1-2 minutes
• No technical skills required
• Works on all devices
How email verification works:
Step 1: Enter email
• You enter your email address
• System checks format correctness
• Email must not be disposable (temporary)
Step 2: Send code
• We send a 6-digit code to your email
• Code is randomly generated
• Valid for 24 hours
• Can request new code after 60 seconds
Step 3: Confirm code
• You enter the received code
• System checks correctness
• Up to 5 input attempts
• After successful verification — access to profile creation
Technical details:
Code format:
• 6 digits (e.g.: 123456)
• Generated by cryptographically secure generator
• Unique for each request
Validity period:
• Code valid for 24 hours
• After expiration — need new code
• Used code becomes invalid
Limitations:
• Maximum 5 code input attempts
• After 5 failed attempts — need new code
• Brute force protection
Resend:
• Can request new code after 60 seconds
• Old code becomes invalid
• Limit: 3 requests per hour
Email address types:
Accepted:
✓ Regular email (Gmail, Outlook, Yahoo, etc.)
✓ Corporate email
✓ Educational email (.edu)
✓ Personal domains
Not accepted:
❌ Disposable email (tempmail, guerrillamail, etc.)
❌ Email addresses with suspicious patterns
❌ Blocked domains
Additional checks:
Besides email verification, we use:
1. Behavioral analysis:
• Analysis of interaction patterns
• Detection of suspicious activity
• Protection from automated systems
2. IP analysis:
• Check for known VPN/proxy (to prevent abuse)
• Geographic region determination
• Detection of suspicious IP addresses
3. Device fingerprinting:
• Device identification
• Detection of multiple accounts from one device
• Fraud protection
Note: These additional checks are used only for security and don't affect regular users.
Alternative verification methods:
In the future, we may add:
• Credit card verification (small payment)
• Government document verification
• Mobile phone verification
Important: These methods will be used only when email verification is insufficient or unavailable.
Legal compliance:
Our email verification method complies with:
• COPPA: Considered "reasonable effort" for obtaining parental consent
• GDPR Article 8: Takes into account available technology for consent verification
• FTC Guidelines: Approved as acceptable method for low-risk services
Process security:
We ensure security through:
• Encryption of all data (HTTPS/TLS)
• Secure code storage (hashed)
• Logging all verification attempts
• Monitoring suspicious activity
• Automatic blocking upon abuse detection
Email Verification Process
Let's look in detail at how the email verification process works in Chickitik from start to finish.
Process overview:
The verification process consists of several stages and takes 1-2 minutes. It is designed to be as simple as possible for parents while ensuring reliable age verification.
Stage 1: Accessing the login page
What happens:
• You go to Chickitik login page
• See form for entering email
• System ready to accept your address
What we check:
• HTTPS connection established
• Page loaded without errors
• Form protected from CSRF attacks
Stage 2: Entering email address
Your actions:
• Enter your email address
• Click "Sign In" or "Send Code" button
What we check:
• Email format correct (contains @, domain)
• Email not empty
• Email not too long (max 255 characters)
• Domain not blacklisted as disposable service
Possible errors:
• "Invalid email format" — check correctness
• "This email service not supported" — use different email
Stage 3: Code generation and sending
What happens on server:
1. Code generation:
• System generates random 6-digit code
• Code hashed before saving
• Expiration time set (24 hours)
2. Database storage:
• Hashed code saved
• Linked to email address
• Creation time recorded
• Attempt counter set to 0
3. Email sending:
• Email with code formatted
• Email sent to your address
• Sending logged
What you see:
• Message "Code sent to your email"
• Field for entering code
• Timer until resend possible (60 seconds)
Stage 4: Receiving email
Email contains:
• 6-digit code (e.g.: 123456)
• Code entry instructions
• Automatic login link (optional)
• Validity period info (24 hours)
• Warning: "If you didn't request this code, ignore this email"
Delivery time:
• Usually: few seconds
• Maximum: 5 minutes
• If email not received — check spam
Stage 5: Entering confirmation code
Your actions:
• Open email
• Copy or remember code
• Enter code in form on site
• Click "Confirm" or "Continue"
What we check:
1. Code format:
• Code consists of 6 digits
• No extra characters
2. Code validity:
• Code exists in database
• Code not used before
• Code not expired (within 24 hours)
• Code matches email address
3. Attempt counter:
• Number of attempts not exceeded (max 5)
• No signs of automated brute force
Possible results:
Success:
• Code correct
• You automatically logged in
• Session created
• Redirect to main page or child profile creation
Error — invalid code:
• "Invalid code. Try again"
• Attempt counter increases
• N attempts remaining
Error — expired code:
• "Code expired. Request new code"
• "Send new code" button
Error — attempts exceeded:
• "Too many attempts"
• Code invalidated
• Need to request new code
Stage 6: Session creation
After successful verification:
1. User check or creation:
• If email exists — load profile
• If new — create new user record
2. Session creation:
• Unique session token generated
• Session linked to user
• Expiration set (e.g., 30 days)
• Device information saved
3. Cookie setup:
• Session token saved in secure cookie
• Cookie has flags: HttpOnly, Secure, SameSite
4. Logging:
• Successful login recorded
• IP address, device, time
Alternative path: Automatic login via link
If you use link from email instead of entering code:
1. Link click:
• Link contains encrypted token
• Automatic redirect to site
2. Token validation:
• Token authenticity check
• Expiration check
• Check token not used
3. Automatic login:
• Session creation
• Redirect to account
Time limits:
• Code validity: 24 hours
• Resend: after 60 seconds
• Max resends: 3 per hour
• Max input attempts: 5 per code
• Session validity: 30 days (or until logout)
Security at each stage:
• All data transmitted via HTTPS
• Codes hashed before storage
• CSRF, XSS attack protection
• Rate limiting
• All actions logged
• Suspicious activity monitoring
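The code lifecycle from Stages 3 and 5 and the time limits listed above, as an added example that is not Chickitik's own code. The names (`CodeStore`, the status strings), the in-memory storage and the HMAC-SHA-256 digest keyed with a server secret are assumptions; the policy only states that codes are stored hashed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Limits taken from the "Time limits" list in the policy.
CODE_TTL = 24 * 3600       # code validity: 24 hours
RESEND_COOLDOWN = 60       # resend: after 60 seconds
MAX_SENDS_PER_HOUR = 3     # read here as 3 codes sent per address per hour
MAX_ATTEMPTS = 5           # max input attempts: 5 per code


@dataclass
class _Record:
    digest: bytes          # keyed hash of the code, never the code itself
    issued_at: float
    attempts: int = 0
    used: bool = False


class CodeStore:
    """Hypothetical in-memory stand-in for the verification-code table."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key                      # assumption: server-side secret
        self._records: dict[str, _Record] = {}
        self._sends: dict[str, list[float]] = {}

    def _digest(self, email: str, code: str) -> bytes:
        # Binding the address into the digest ties each code to one email.
        msg = f"{email}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, email: str, now: float) -> tuple[str | None, str]:
        email = email.strip().lower()
        recent = [t for t in self._sends.get(email, []) if now - t < 3600]
        if recent and now - recent[-1] < RESEND_COOLDOWN:
            return None, "cooldown"
        if len(recent) >= MAX_SENDS_PER_HOUR:
            return None, "rate_limited"
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, keeps leading zeros
        # Overwriting the record invalidates any older code for this address
        # and resets the attempt counter to 0.
        self._records[email] = _Record(self._digest(email, code), now)
        self._sends[email] = recent + [now]
        return code, "sent"                       # the caller emails the code

    def verify(self, email: str, code: str, now: float) -> str:
        email = email.strip().lower()
        rec = self._records.get(email)
        if rec is None or rec.used:
            return "invalid"
        if now - rec.issued_at > CODE_TTL:
            del self._records[email]
            return "expired"
        if rec.attempts >= MAX_ATTEMPTS:
            return "too_many_attempts"
        rec.attempts += 1                         # count before comparing
        well_formed = len(code) == 6 and code.isascii() and code.isdigit()
        if well_formed and hmac.compare_digest(rec.digest, self._digest(email, code)):
            rec.used = True                       # a used code becomes invalid
            return "ok"
        # The fifth failure locks the code; only a newly issued code works.
        return "too_many_attempts" if rec.attempts >= MAX_ATTEMPTS else "invalid"


def different_code(code: str) -> str:
    """Return a well-formed 6-digit code guaranteed to differ from `code`."""
    return f"{(int(code) + 1) % 10**6:06d}"


if __name__ == "__main__":
    store = CodeStore(secrets.token_bytes(32))
    addr = "parent@example.com"                   # constructed sample address
    code, status = store.issue(addr, now=0)
    print(status, store.verify(addr, different_code(code), now=10))
    print(store.verify(addr, code, now=20), store.verify(addr, code, now=30))
```

A 6-digit code has only 1,000,000 possible values, so an unkeyed hash of it can be reversed by enumeration if the table leaks; the server-side key is what makes the stored digest useless on its own.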
False Consent Protection
One of the main goals of age verification is to prevent situations where children try to create a profile pretending to be adults. Let's look at what measures we apply for protection.
The false consent problem:
Children, especially teenagers, may attempt to:
• Use parents' email without their knowledge
• Create a fake email address
• Access parents' email to enter code
• Deceive the system in other ways
Our multi-level approach:
Level 1: Email verification as first barrier
Email verification itself is an obstacle:
Why it works:
• Most children don't have their own email
• Children usually don't have access to parents' email
• Getting code requires mailbox access
• Parents see email with code and can notice suspicious activity
Limitations:
• Some children may know parents' email password
• Children can create their own email pretending to be adults
Level 2: Behavior analysis
We analyze user behavior patterns:
What we track:
1. Action speed:
• Too fast form filling may indicate child
• Adults usually read terms, children skip
2. Navigation patterns:
• Children often go straight to child content
• Adults first explore interface
3. Time patterns:
• Registration during school hours (9:00-15:00 weekdays) is suspicious
• Mass registration from one IP is suspicious
4. Technical indicators:
• Device type (child tablet vs adult laptop)
• Browser and operating system
• Parental control presence on device
What we do when suspicious:
• Request additional verification
• Send notification to email
• Temporarily block account until confirmation
Level 3: Parent notification
Every important action comes with email notification:
When we send notifications:
• When creating account
• When adding child profile
• When changing privacy settings
• When deleting data
What notifications contain:
• Time and date of action
• IP address and device
• Action description
• Link to cancel if not you
Why it's needed:
If child used parent's email without permission, parent immediately sees notification and can:
• Cancel action
• Block account
• Contact us
Level 4: Periodic re-verification
We may request re-verification:
When this happens:
• During suspicious activity
• When attempting to change critical settings
• Periodically (e.g., once a year)
• When logging in from new device
How it works:
• System sends new code to email
• Action confirmation required
• Without confirmation — access limited
Level 5: New account restrictions
New accounts have additional restrictions:
First 24 hours:
• Limit on number of child profiles created
• Cannot immediately delete account
• Additional checks for any actions
First 7 days:
• Activity monitoring
• Automatic detection of suspicious patterns
Purpose:
Gives parents time to notice unauthorized email use.
Level 6: Educational measures
We explain to parents the importance of verification:
During registration:
• Brief explanation of why verification needed
• Warning that children should not register independently
In emails:
• Reminder about email account protection importance
• Security tips
In help:
• Detailed information about false consent protection
• What to do if child registered without permission
Signs of false consent:
We pay attention to:
1. Data inconsistencies:
• Email looks childish (e.g., coolgamer2015@...)
• Usage patterns typical for children
2. Technical signs:
• Device configured for child
• Child apps installed
• Parental control enabled
3. Behavioral signs:
• Immediate transition to content without exploration
• Ignoring terms of use
• Unusual activity for adult user
What we DON'T do:
❌ Don't require documents at every login
❌ Don't block accounts without reason
❌ Don't make process too complex for honest parents
❌ Don't collect extra data "for verification"
Balance between security and convenience:
We strive to find a balance:
Security:
• Sufficient measures to prevent false consent
• Protect children from themselves
• COPPA and GDPR compliance
Convenience:
• Simple process for honest parents
• Minimal obstacles
• Fast verification
What parents should do:
To protect against false consent, we recommend:
1. Protect your email:
• Use strong password
• Don't share password with children
• Enable two-factor authentication
2. Monitor email:
• Check emails from Chickitik
• Pay attention to notifications
3. Talk to children:
• Explain why it's important not to register without permission
• Talk about online safety
4. If suspicious:
• Immediately contact us: info@itcoti.fi
• Change email password
• Block Chickitik account
Our guarantees:
We commit to:
• Continuously improve false consent detection methods
• Respond to parent messages within 24 hours
• Immediately block accounts upon false consent confirmation
• Delete all data collected without parental consent
What Happens After Verification
After successful age verification, we create a secure parent account for you and provide access to child profile management features.
Creating a Parent Account:
Immediately after email confirmation, we:
• Create your parent account
• Save verification information
• Generate a unique parent identifier
• Assign "parent" role in the system
• Establish a secure session
What You Get Access To:
After verification, you can:
• Create child profiles — add up to 5 child profiles
• Manage settings — control content access
• View statistics — see what your children are reading
• Get recommendations — curated book selections by age
• Manage subscriptions — purchase and renew subscriptions
• Add to favorites — save favorite stories
Your Account Security:
We protect your account through:
• Passwordless authentication — login via email without passwords
• Secure sessions — automatic logout after inactivity
• Login notifications — receive alerts about new logins
• Activity history — review all account actions
Creating a Child Profile:
After account creation, you can:
1. Enter child information:
• Child's name
• Date of birth
2. Configure content settings:
• Age restrictions
3. Set up parental controls:
• App usage time
• Available sections
• Parent notifications
Mobile Application:
After web verification:
• Log in to the Chickitik mobile app
• Use the same email for login
• All child profiles sync automatically
• Reading progress saves across devices
Verification Confirmation:
You will receive a confirmation email with:
• Date and time of verification
• Created account information
• Getting started instructions
• Links to useful resources
Re-verification:
In some cases, we may request re-verification:
• When changing email address
• Upon suspicious activity
• After extended inactivity (over 2 years)
• When changing critical security settings
Verification Failure
Sometimes the verification process may not complete successfully. Let's look at what can go wrong and how we help in such situations.
Reasons for Verification Failure:
Verification may fail for the following reasons:
• Email unavailable — address doesn't exist or isn't active
• Technical issues — mail delivery problems
• Code expired — more than 15 minutes passed since sending
• Attempt limit exceeded — too many verification requests
• Suspicious activity — signs of fraud detected
• Email provider block — message blocked by spam filter
What to do if email doesn't arrive:
If you haven't received the verification code email:
1. Check your "Spam" folder:
• Email may have landed in spam
• Add noreply@chickitik.com to contacts
• Mark the message as "Not spam"
2. Check email correctness:
• Make sure address is entered without typos
• Verify the mailbox is active
• Try a different email address
3. Check mailbox fullness:
• Free up space in your mailbox
• Delete old messages
4. Wait a few minutes:
• Delivery may take up to 5 minutes
• Check your internet connection
5. Request resend:
• Click "Resend code"
• Available every 60 seconds
Attempt Limit Exceeded:
If you've exceeded the verification request limit:
• Temporary block — 1 hour after 5 failed attempts
• What to do:
— Wait for the block to expire
— Check email address correctness
— Contact support if the problem persists
Alternative Verification Methods:
If standard email verification doesn't work:
• Use a different email:
— Gmail, Outlook, Yahoo, or other popular providers
— Make sure you have access to the mailbox
• Contact support:
— Email: support@chickitik.com
— Provide your email and problem description
— We'll check and help complete verification manually
Manual Verification:
In exceptional cases, we can perform manual verification:
• When applicable:
— Technical issues with email provider
— Email unavailability after multiple attempts
— Special circumstances
• How to request:
— Write to support@chickitik.com
— Provide your email and reason for request
— Attach error screenshots (if any)
• Processing time:
— 1-2 business days
— We'll contact you for confirmation
Block for Suspicious Activity:
If the system detected suspicious activity:
• Reasons for blocking:
— Multiple attempts from different IPs
— VPN/proxy usage
— Signs of automation
— System bypass attempts
• How to unblock:
— Contact support
— Explain the situation
— We'll review and unblock if necessary
Important:
We strive to make the verification process as simple and reliable as possible. If you encounter problems — don't hesitate to contact support. We're always ready to help!
Verification Data Storage
After successful verification, we store the minimum necessary information about the verification process. Let's review what data we store and how we protect it.
What We Store:
After verification, our database stores:
• Parent's email — used for account login
• Verification status — mark of completed verification
• Verification date — when verification was completed
• Verification method — how verification was conducted (email)
• Verification code hash — not the code itself, but its hash
• Request IP address — for security and abuse prevention
What We DON'T Store:
We deliberately don't store:
• Verification code itself — only hash for verification
• Email content — don't save correspondence
• Biometric data — don't collect or store
• Document data — don't request passports or IDs
• Full browser history — only necessary technical data
How We Protect Data:
Verification data security is ensured through:
1. Encryption in transit:
• SSL/TLS encryption for all requests
• HTTPS for all connections
• Secure communication channels
2. Encryption at rest:
• Hashing of passwords and codes (bcrypt)
• Encryption of sensitive data in DB
• Secure key storage
3. Access restrictions:
• Access only for authorized personnel
• Multi-level permission system
• Audit of all data access
4. Database security:
• Regular backups
• Geographically distributed storage
• SQL injection protection
• Suspicious activity monitoring
Data Retention Period:
We store verification data according to legal requirements:
• Active account:
— Data stored while account is active
— Or until explicit user deletion
• Deleted account:
— Main data deleted within 30 days
— Verification logs — 90 days for security
— Financial records — up to 7 years (legal requirements)
• Inactive account:
— After 3 years without activity — reminder
— After 5 years without activity — data deletion
Access to Verification Data:
Your verification data is accessible to:
• You:
— Through account settings
— Can view verification date and method
— Can request full data copy (GDPR)
• Our security team:
— Only during incident investigations
— With full access auditing
— In accordance with internal policies
• Third parties:
— Only by legal requirement (court, law enforcement)
— With prior user notification (when possible)
— With full request documentation
Database Security:
Our database is protected as follows:
• PostgreSQL with security settings
• Firewall — IP-based access restriction
• VPN — access only through secure network
• Audit — logging of all data operations
• Backups — daily encrypted copies
• Monitoring — 24/7 security control
Data Anonymization:
For analytics and service improvement, we use anonymized data:
• Verification statistics — not linked to specific users
• Error analysis — depersonalized logs
• Performance metrics — aggregated data
Your Data Rights:
According to GDPR, you have the right to:
• Data access — request a copy of your data
• Correction — update incorrect information
• Deletion — "right to be forgotten"
• Portability — receive data in machine-readable format
• Processing restriction — limit data usage
• Objection — object to processing
To exercise these rights, write to privacy@chickitik.com
Re-verification
In certain situations, we may request re-verification of your identity to ensure security and compliance with legal requirements.
When Re-verification is Required:
We may request re-verification in the following cases:
• Email address change — when changing primary email
• Suspicious activity — unusual account actions
• Extended inactivity — more than 2 years without use
• Critical settings changes — security settings modifications
• Legal requirements — changes in legislation
• Adding new children — creating additional profiles after a break
Re-verification Process:
Re-verification follows a similar process to initial verification:
1. Notification:
• You receive an email explaining the reason
• Deadline for completing verification
• Link to verification form
2. Email confirmation:
• Receive code to current email
• Enter code on website
• Identity confirmation
3. Access restoration:
• Access restored after successful verification
• All data remains unchanged
• Children's profiles are preserved
What Happens Before Re-verification:
While verification is pending:
• Limited access — content viewing available, new creation is not
• Data preservation — all profiles and settings preserved
• Notifications — regular reminders about verification requirement
• Waiting period — 30 days to complete re-verification
If Re-verification is Not Completed:
If verification not completed within 30 days:
• Day 1-7:
— Daily email reminders
— In-app banner about verification requirement
• Day 8-14:
— New content creation restricted
— Reading access preserved
• Day 15-30:
— Enhanced notifications about approaching block
— Support assistance offered
• After 30 days:
— Temporary account suspension
— Data preserved for 90 more days
— Recovery possible after verification
Reasons for Re-verification Request:
1. Email Change:
When changing primary email address:
• Need to confirm new address
• Receive code to new email
• Confirm ownership of both addresses
2. Suspicious Activity:
If system detected:
• Unusual login attempts
• Changes from different devices/IPs
• Bulk settings modifications
• Restriction bypass attempts
3. Extended Inactivity:
After 2+ years without login:
• To confirm account is still in use
• Update data processing consent
• Comply with current legal requirements
Re-verification Assistance:
If you have problems with re-verification:
• Email unavailable:
— Contact support for email change
— Confirm identity through alternative methods
• Technical issues:
— Write to support@chickitik.com
— Describe problem in detail
— Attach error screenshots
• Urgent access needed:
— Specify urgency reason
— We'll try to expedite the process
Re-verification Security:
We apply the same security standards:
• Encryption of all data
• IP address and device verification
• Verification code hashing
• Attempt limit restrictions
• Action auditing
Parental Rights
After successful verification, you gain full control over your children's data and profiles. Let's review your rights in detail.
Basic Parental Rights:
After verification, you have the right to:
• Data access — view all data about your children
• Data editing — modify profiles and settings
• Data deletion — complete removal of children's profiles
• Data export — obtain a copy of all data
• Consent management — change privacy settings
• Activity control — monitor children's actions
Right to Data Access:
You can request and receive at any time:
• Children's profiles:
— Name, age, date of birth
— Content settings
— Profile creation history
• Activity history:
— Stories read
— Favorites
— Usage time
— Reading progress
• Verification data:
— Date and method of verification
— Change history
Right to Editing:
You can modify:
• Children information:
— Update name and age
— Change content settings
— Add or remove children
• Parental control settings:
— App usage time
— Available content categories
— Notifications
• Your account:
— Email address
— Notification settings
— Language preferences
Right to Deletion:
You can delete:
• Individual child profile:
— Profile and all related data removed
— Other profiles preserved
— Process irreversible after 30 days
• Entire account:
— All children's profiles deleted
— All settings deleted
— Complete deletion after 30 days
Right to Data Export (Portability):
According to GDPR, you can request export of all data in machine-readable format:
• Data format:
— JSON for technical data
— CSV for tabular data
— PDF for reports
• What's included:
— All children's profiles
— Activity history
— Settings and preferences
— Verification data
• How to request:
— Through account settings
— Email to privacy@chickitik.com
— Response within 30 days
Right to Consent Management:
You control:
• Data collection:
— What data we collect
— For what purposes
— How long we store
• Data usage:
— Analytics
— Personalization
— Recommendations
• Consent withdrawal:
— Can be withdrawn anytime
— Data deletion after withdrawal
— Minimum necessary retained for legal compliance
Right to Processing Restriction:
You can restrict data processing:
• Temporary freeze:
— Data stored but not processed
— Useful for resolving disputes
• Purpose limitation:
— Prohibit use for specific purposes
— For example, storage only, no analysis
Right to Object:
You can object to:
• Automated processing:
— Decisions made by algorithms
— Profiling
• Direct marketing:
— Promotional mailings
— Personalized offers
How to Exercise Your Rights:
1. Through personal account:
• Log into account settings
• "Privacy and Data" section
• Select desired action
2. Via email:
• Write to privacy@chickitik.com
• Provide your email and request
• Attach identity confirmation (if needed)
3. Response timeframes:
• Receipt confirmation — 48 hours
• Request fulfillment — up to 30 days
• Complex requests — up to 60 days with notification
Protecting Children's Rights:
We also protect children's rights:
• Data minimization — collect only necessary data
• Secure storage — encryption and protection
• Limited access — only authorized personnel
• Regular audits — compliance verification
Appealing Decisions:
If you disagree with our decision:
• Internal complaint:
— Write to complaints@chickitik.com
— Review within 14 days
• Supervisory authority:
— You can contact your country's Data Protection Authority
— We'll provide all necessary information
Contacts for Rights Exercise:
• Email: privacy@chickitik.com
• Response: within 48 hours
• Languages: Russian, English, Finnish
Security and Privacy
The security of your data and your children's data is our top priority. We use modern technologies and best practices to protect information.
Technical Security Measures:
1. Data Encryption:
• In transit:
— TLS 1.3 for all connections
— HTTPS required for all requests
— Certificate pinning in mobile apps
• At rest:
— AES-256 database encryption
— Password hashing via bcrypt (cost factor 12)
— Encrypted backups
2. API Protection:
• Authentication:
— JWT tokens with short lifetime (15 minutes)
— Refresh tokens with secure storage
— Passwordless authentication via email
• Authorization:
— Role-based access control (RBAC)
— Permission check on every request
— Data isolation between users
• Attack Protection:
— Rate limiting (max 5 verification requests per hour)
— CSRF tokens for forms
— XSS protection via Content Security Policy
— SQL injection prevention via parameterized queries
3. Infrastructure Security:
• Network Isolation:
— Virtual Private Network (VPN) for DB access
— Firewall with IP whitelist
— Separate networks for production and development
• Monitoring:
— 24/7 security monitoring
— Automatic alerts for suspicious activity
— Logging of all data operations
Organizational Measures:
1. Data Access:
• Principle of Least Privilege:
— Each employee has access only to necessary data
— Multi-factor authentication for staff
— Regular access rights audits
• Staff Training:
— Regular security training
— Confidentiality policy for employees
— NDA (non-disclosure agreement) for all
2. Processes and Policies:
• Incident Response Plan:
— Security incident response plan
— User notification procedure (within 72 hours)
— Incident response team
• Regular Audits:
— Quarterly security audit
— Penetration testing annually
— Code review for all changes
Children's Data Privacy:
Special Protection for Children:
• Data Minimization:
— Collect only name and age
— No photos of children
— No geolocation
— No children's contact information
• Data Isolation:
— Children's profiles linked only to parent account
— No direct access to child profile
— All actions only through parental control
• No Advertising:
— No ads for children's profiles
— No targeting of children
— No data sharing with advertisers
Legal Compliance:
1. COPPA (USA):
• Verifiable Parental Consent before creating a child profile
• Parents' right to view and delete data
• Notice of data collection practices
2. GDPR (EU):
• Parental consent for children under 16
• Right to be forgotten
• Right to data portability
• Data Protection Officer appointed
3. Finnish Personal Data Act:
• Compliance with Finnish legislation
• Registration with Finnish Data Protection Authority
Transparency and Control:
What You Can Control:
• Data Access:
— View all collected data
— Export data anytime
— History of all actions
• Privacy Settings:
— Manage processing consent
— Disable analytics
— Restrict data processing
• Deletion:
— Delete individual profiles
— Complete account deletion
— Automatic deletion after 30 days
Breach Notification:
In case of a data breach, we commit to:
• Notify Regulator:
— Within 72 hours of discovery
— Full incident report
• Notify Users:
— If breach affects their data
— Description of incident and measures taken
— Protection recommendations
Third-Party Practices:
• Third-Party Services:
— Use only verified providers
— DPA (Data Processing Agreement) with each
— Regular third-party audits
• No Data Sharing for:
— Advertising
— Sales
— Third-party marketing
Your Security Actions:
• Email Protection:
— Use a strong password for your email
— Enable two-factor authentication
— Don't use public email addresses
• Caution:
— Don't share verification links
— Check URLs before entering data
— Report suspicious activity
Policy Changes
We are constantly improving our processes and policies to enhance security and convenience. It's important to understand how and when we make changes and how this affects you.
Right to Change Policy:
We reserve the right to change this policy at any time. This is necessary for:
• Legal Compliance:
— Adaptation to new laws and regulations
— GDPR, COPPA, Finnish Personal Data Act
— Local requirements of different countries
• Security Improvements:
— Implementation of new protection measures
— Response to new threats
— Raising security standards
• Process Optimization:
— Simplifying verification
— Improving user experience
— Adding new features
Notification of Changes:
Material Changes:
For material changes to the policy, we will notify you:
• Email Notification:
— To your registered address
— 30 days before taking effect
— With detailed description of changes
• In-App Notification:
— Pop-up on next login
— Detailed description of changes
— Link to full text of new policy
• On Website:
— Notice on homepage
— "What's Changed" section
— Comparison of old and new versions
What Constitutes Material Changes:
• Changes to verification methods
• Changes to the scope of data collected
• Changes to data retention periods
• Changes to parental rights
• Addition of new third parties
• Changes to data use
Minor Changes:
Minor changes take effect immediately:
• Examples of Minor Changes:
— Fixing typos and grammar
— Clarifying wording without changing meaning
— Updating contact information
— Adding examples for clarity
• Notification:
— Update of "Last Modified" date at the beginning of the document
— Entry in change history
Your Consent to Changes:
Accepting Changes:
After notification of material changes, you have 3 options:
1. Accept Changes:
• Continue using the service
• New policy automatically applies after 30 days
• No additional action required
2. Reject Changes:
• Delete your account before changes take effect
• All data will be deleted according to our policy
• Service will become unavailable after deletion
3. Discuss Changes:
• Contact us by email: policy@chickitik.com
• Express your concerns
• We will try to find a solution
Change History:
We maintain a complete history of all policy changes:
Current Version: 1.0
Publication Date: 2025-10-31
• First version of "Age Verification Policy"
• Includes all main sections
• Complies with GDPR, COPPA, Finnish Personal Data Act
Future Versions:
All future versions will be added here indicating:
• Version number
• Effective date
• Brief description of changes
• Link to full text of changes
Access to Previous Versions:
You can request previous versions of the policy:
• Email: archive@chickitik.com
• Specify: which version you want to receive (date)
• Delivery: PDF file to your email within 7 days
Tracking Changes:
For easy change tracking, we provide:
1. Changelog:
• Available on policy page
• Shows all changes with dates
• Highlights material changes
2. Version Comparison:
• "Diff" tool for comparison
• Shows what was removed (in red)
• Shows what was added (in green)
3. Change RSS Feed:
• Subscribe to updates
• Automatic notifications of new versions
Legal Effect of Changes:
Taking Effect:
• For New Users:
— New policy applies immediately
— From registration
• For Existing Users:
— 30 days after notification (for material changes)
— Immediately (for minor changes)
Transition Period:
Within 30 days after notification of material changes:
• Old policy version applies
• You can delete your account without consequences
• You can contact us with questions
Feedback:
We value your opinion on our policies:
How to Leave Feedback:
• Email: feedback@chickitik.com
• Subject: "Feedback on Verification Policy"
• Content:
— What you like
— What can be improved
— Your suggestions
We Consider:
• All feedback is carefully reviewed
• Constructive suggestions are considered in updates
• Most frequent questions are added to FAQ
Regular Review:
We conduct regular policy reviews:
Annual Audit:
• Checking compliance with current legislation
• Analyzing security measure effectiveness
• Assessing user satisfaction
• Implementing improvements
Unscheduled Review When:
• Legislation changes
• Security issues are discovered
• Significant service changes
• Significant feedback is received
Relationship with Other Policies:
This policy is closely related to other documents:
• Privacy Policy — general data processing rules
• User Agreement — service usage rules
• Parental Consent Form — consent obtaining process
• Cookie Policy — cookie usage
In Case of Contradictions:
• More specific documents take priority
• This policy takes priority on age verification matters
• When in doubt, contact: legal@chickitik.com
Contacts for Change-Related Questions:
• General Questions: policy@chickitik.com
• Legal Questions: legal@chickitik.com
• Feedback: feedback@chickitik.com
• Version Archive: archive@chickitik.com
Thank You for Your Trust!
We are constantly working to improve our services and value your trust. If you have questions or suggestions, please don't hesitate to contact us.
Contact Information
If you have any questions, comments or concerns about our age verification policy, we are always ready to help.
Main Contacts:
General Questions:
• Email: support@chickitik.com
• Response Time: within 24 hours
• Languages: Russian, English, Finnish
Verification Questions:
• Email: verification@chickitik.com
• Response Time: within 12 hours
• Help: technical support for verification process
Privacy Questions:
• Email: privacy@chickitik.com
• Response Time: within 48 hours
• Topics: data protection, GDPR, user rights
Legal Questions:
• Email: legal@chickitik.com
• Response Time: within 72 hours
• Topics: legal aspects, legislation compliance
Data Protection Officer:
• Email: dpo@chickitik.com
• Responsibility: GDPR and other data protection laws compliance
Business Hours:
• Support: Monday - Friday, 9:00 - 18:00 (EET)
• Emergency Cases: 24/7 via email
Mailing Address:
Chickitik Oy
Helsinki, Finland
(exact address will be provided upon company registration)
Useful Links:
• Privacy Policy
• User Agreement
• Parental Consent Form
• Cookie Policy
• FAQ
Feedback:
We value your feedback! Please write to feedback@chickitik.com
Contact Information
ITcoti Oy
Business ID: 3489603-6
Address: Neuvoksenkatu 24 A, 38700 Kankaanpää, Finland
Email: info@itcoti.fi
Phone: +358 40 258 2158