Protecting children and families is our highest priority. This page describes how we secure your data and how to report a vulnerability.
All personally identifiable information (PII) — including parent email addresses and child names — is encrypted using AES-256 before being written to the database. All traffic is served exclusively over HTTPS with HSTS enforced for one year.
We collect only what is necessary to operate the service. Children's chat conversations are stored solely to power learning continuity and parent visibility. We do not sell, rent, or share personal data with third parties for advertising.
Project Nova is designed for children ages 5–11. We comply with the Children's Online Privacy Protection Act (COPPA) and the Family Educational Rights and Privacy Act (FERPA). Parental consent is required before a child account is created.
Role-based access control (RBAC) ensures that children can only access their own content, parents can only see their own children's data, and admin capabilities are restricted to verified staff. Two-factor authentication (TOTP) is enforced for all admin accounts.
Security-relevant events — including login attempts, permission changes, and payment operations — are logged with timestamps and user identifiers. Logs are retained for 90 days.
In the event of a confirmed data breach affecting personal data, we will notify affected users within 72 hours of discovery, consistent with applicable data protection regulations.
We welcome reports from security researchers, parents, educators, and members of the public who discover potential vulnerabilities in Project Nova. We are committed to working with you to verify and address any issues quickly.
Please send a detailed report to [email protected]. Include a clear description of the vulnerability, steps to reproduce it, the potential impact, and any supporting evidence (screenshots, proof-of-concept code). Where possible, encrypt sensitive reports using our PGP key.
In scope: projectnova.fun and its subdomains. Out of scope: social engineering attacks against our staff, physical security, and third-party services we do not control (e.g., PayPal, Manus OAuth).
We will not pursue legal action against researchers who act in good faith, avoid accessing or modifying data beyond what is necessary to demonstrate the vulnerability, and report findings to us before public disclosure. We ask that you give us a reasonable time to remediate before publishing details.
If you believe you have discovered a security vulnerability, please reach out. We take every report seriously and will respond promptly.
[email protected]