Grown-up information
Cookie Policy
Approval-gated policy stub: final legal copy must be reviewed before launch. This page documents the current site behavior and blocks non-essential tracking until the child-safety gate is approved.
Current cookie and storage defaults
- Essential Payload/admin cookies may be used only for grown-up CMS administrators and must stay separate from child-facing flows.
- The public site currently does not load analytics, advertising pixels, session replay, heatmaps, or embedded YouTube iframes that set non-essential cookies.
- The cookie notice stores only a local acknowledgement flag in the visitor's browser; it is not a tracking identifier and is not sent to Dinosaur Kids.
- Any future non-essential cookies require a named provider, purpose, retention owner, opt-out path, and Brandon approval recorded before production enablement.
COPPA-sensitive guardrails
- Dinosaur Kids content is for families, but data-collection forms are directed only to adults/parents, not children under 13.
- Do not ask for child names, exact ages, birthdays, school, address, location, photos, voice, interests tied to a child identity, or account credentials.
- Do not create child accounts, behavioral profiles, targeted advertising audiences, or persistent child identifiers.
- Treat any accidental child PII submission as sensitive: do not copy it into issues, logs, analytics, or PRs; delete/ignore it according to the approved retention path.
Before non-essential cookies are enabled
Analytics, embeds, advertising pixels, session replay, heatmaps, commerce cookies, or any persistent identifiers beyond essential site operation require documented approval first. Each of the following must be in place before they are enabled:
- DK-51 privacy/terms audit is merged and reviewed.
- Brandon approval is recorded on the relevant GitHub/Linear issue before production deploy or data-collection enablement.
- The selected email/list provider or Payload storage path, double opt-in behavior, unsubscribe path, retention owner, and export/delete process are documented.
- Sentry, logging, and analytics are configured default-off for child-facing flows and redact email addresses, contact messages, request bodies, IP addresses, user agents, and URLs with query strings before capture.
- YouTube embeds, analytics, printable unlocks, and parent email capture have a pre-production smoke test proving no child PII fields or child-directed tracking are present.
