COPPA compliance

COPPA (Children’s Online Privacy Protection Act) is the US federal law that regulates collecting and using personal data from minors under 13. If your church operates in the US, COPPA applies.

What COPPA requires (summary)

  1. Verifiable parental consent before collecting a minor’s data.
  2. Clear notice to parents about what data is collected and why.
  3. Parental rights to review, correct, or delete the minor’s information.
  4. Minimum necessary: collect no more than needed.
  5. Reasonable security for the data.
  6. Limited retention: delete when no longer needed.

How Ministrium implements COPPA

  • No minor data is created without an adult in the household completing the flow at the kiosk or app.
  • The adult must have a verified account (confirmed email or phone).
  • Consent is logged in the audit trail:
    {
      "action": "coppa.consent.given",
      "minor_id": "m_42",
      "parent_user_id": "u_18",
      "occurred_at": "...",
      "consent_text_version": "2026-01-15"
    }
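
An added example, not Ministrium's own code: a check an administrator could run over an exported audit trail to find minors on a roster with no usable consent record. It assumes a JSON Lines export, a separately supplied roster of minor IDs, and a policy that consent given under an older notice text needs review; the `checkin.created` action and all sample values are constructed.

```python
import json

# Constructed sample audit export (JSON Lines); not real Ministrium data.
# "checkin.created" is a hypothetical action name used only as a non-consent event.
SAMPLE_AUDIT = """\
{"action": "coppa.consent.given", "minor_id": "m_42", "parent_user_id": "u_18", "occurred_at": "2026-02-01T15:04:05Z", "consent_text_version": "2026-01-15"}
{"action": "coppa.consent.given", "minor_id": "m_43", "parent_user_id": "u_18", "occurred_at": "2025-09-07T14:00:00Z", "consent_text_version": "2025-06-01"}
{"action": "coppa.consent.given", "minor_id": "m_44", "parent_user_id": "", "occurred_at": "2026-02-02T10:00:00Z", "consent_text_version": "2026-01-15"}
{"action": "checkin.created", "minor_id": "m_45", "occurred_at": "2026-02-03T09:30:00Z"}
"""

# Fields shown in the consent record on this page; all must be non-empty.
REQUIRED = ("minor_id", "parent_user_id", "occurred_at", "consent_text_version")


def audit_consent(audit_lines, roster, current_version):
    """Return {minor_id: finding} for roster minors lacking valid, current consent."""
    latest = {}        # minor_id -> most recent well-formed consent event
    malformed = set()  # minors whose only consent events miss a required field
    for line in audit_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("action") != "coppa.consent.given":
            continue
        if not all(event.get(key) for key in REQUIRED):
            malformed.add(event.get("minor_id"))
            continue
        prev = latest.get(event["minor_id"])
        # Assumption: timestamps are ISO 8601 UTC in one format, so they sort as strings.
        if prev is None or event["occurred_at"] > prev["occurred_at"]:
            latest[event["minor_id"]] = event
    findings = {}
    for minor_id in roster:
        event = latest.get(minor_id)
        if event is None:
            findings[minor_id] = "malformed_consent" if minor_id in malformed else "no_consent"
        elif event["consent_text_version"] != current_version:
            findings[minor_id] = "stale_notice_version"
    return findings


if __name__ == "__main__":
    print(audit_consent(SAMPLE_AUDIT, ["m_42", "m_43", "m_44", "m_45"], "2026-01-15"))
```
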

Notice

In the minor creation flow (kiosk, app, web), the adult sees a COPPA notice:

“By registering your minor at La Roca, you authorize the church to use their name, birthdate, and medical info solely for pastoral care during services and events. We will not share this information with third parties without your consent. You can view, edit, or delete this data at any time from the app.”

The text is customizable per church from Settings → Kids → COPPA notice.

Parental rights

From the app or web, the parent can:

  • View all minor data at Family → [Minor] → My data.
  • Edit medical info, authorized pickup people, photos.
  • Export minor data (PDF + JSON).
  • Delete the minor account (with documented consequences: history loss).

Minimum necessary

The system doesn’t allow collecting:

  • Minor’s geolocation
  • Access to the minor’s device contacts / camera
  • Minor’s biometric data (no face scan, no fingerprint)

The minor’s photo is optional and uploaded by the parent. If the family doesn’t upload one, the system works without it.

Security

  • AES-256 at rest, TLS 1.2+ in transit.
  • Least-privilege access (see permission matrix).
  • Full audit of every access to minor data.

Retention

  • Minor data is retained while the minor is an active member or prospect.
  • If the family departs, minor data is anonymized within 90 days (statistical history remains, personal data does not).
  • Full deletion on parent request within 30 days.

If your church doesn’t operate in the US

COPPA is a US law. Equivalent laws in other countries:

  • Mexico: LFPDPPP
  • Brazil / LatAm: LGPD (see GDPR/LGPD)
  • EU: GDPR
  • UK: UK GDPR

Ministrium’s protections are designed to meet the strictest of these frameworks: if you’re COPPA-compliant, you’re compliant with most.

Legal advice

This documentation describes our technical implementation. It is not legal advice. If your church operates in the US and has COPPA questions, consult specialized counsel.
