Last updated: May 21, 2026
This Privacy Policy explains how COTIS collects, uses, shares, and protects information when you use cotis.ai, the COTIS wearable device, the COTIS companion app, and any related services (together, the "Services"). COTIS is designed for children, including children under the age of 13, and we treat children's data with the heightened protections required by the federal Children's Online Privacy Protection Act ("COPPA") and the applicable state laws described in this Policy.
Plain-language summary. A parent or legal guardian is in charge of every COTIS account. COTIS does not start listening on its own — it only records when a child presses a button. COTIS does not sell children's data. COTIS does not use children's voice recordings to train any artificial-intelligence model unless a parent has expressly opted in through a separate consent flow. COTIS does not show advertising to children, ever. COTIS is not a medical device, is not a HIPAA-covered service, and is not a substitute for medical, mental-health, or emergency services.
1. Who we are
COTIS is the operator of the Services for purposes of COPPA and the equivalent operator/controller obligations under state and international law.
Postal address: PO Box 642, Ketchum, ID 83340, United States.
You can contact us about this Policy or any privacy question at any time through the contact form at cotis.ai/pages/contact.
2. The account model: a parent or legal guardian controls every account
Only an adult (18 years of age or older) can create a COTIS account, agree to these terms, set up a child profile, purchase a device, or change privacy settings. A child does not have a standalone account, cannot purchase, and cannot change privacy settings without the parent or legal guardian. Schools, clinicians, and other organizations that use COTIS in an educational or therapeutic setting access the Services through a separate organizational account governed by a written agreement that allocates parental-consent responsibilities consistent with COPPA.
3. Verifiable parental consent
Before COTIS collects, uses, or discloses any personal information from a child under 13, COTIS provides direct notice to the parent describing exactly what will be collected, how it will be used, and the categories of third parties (if any) that will receive it. COTIS then obtains verifiable parental consent using one or more of the following FTC-approved methods, as updated in the 2025 amendments to the COPPA Rule:
- Signed consent form returned by mail, fax, or electronic scan
- Credit-card or other payment-account verification in connection with a monetary transaction
- Knowledge-based authentication using dynamic, multiple-choice questions of sufficient difficulty
- Verification of a government-issued photo ID against a parent's submitted image, with immediate deletion of the comparison image after verification
- Text-message verification ("Text Plus") where children's personal information will not be disclosed to third parties
- Other methods reasonably calculated to ensure that the consent is given by the child's parent
A parent may consent to COTIS's collection and use of a child's information without consenting to any non-integral third-party disclosure. COTIS will obtain separate parental consent before any of the following: disclosure of a child's personal information to a third party for that third party's own purposes; use of a child's personal information for targeted or behavioral advertising (which COTIS does not do by default and will not enable without separate opt-in); use of a child's audio recordings, voiceprints, or transcripts to train an artificial-intelligence model (which COTIS does not do by default and will not enable without separate opt-in).
4. Information we collect
From the parent or legal guardian (account holder)
- Full name
- Email address
- Postal address
- Phone number (if voluntarily provided)
- Account credentials (password is salted and hashed; never stored in plaintext)
- Payment information (handled by our PCI-compliant payment processor; COTIS does not store full payment card numbers)
- Communications you send to customer support
About the child, entered by the parent or legal guardian
- First name or nickname
- Age or age range
- Optional personalization details the parent chooses to provide (such as sensory preferences, communication preferences, calming strategies that work for the child)
From the COTIS device and companion app
- Audio recordings. COTIS records a few seconds of audio when, and only when, a child presses Ask, Translate, or Calm. Under the 2025 amended COPPA Rule, audio recordings of a child's voice are treated as personal information. COTIS uses this audio solely to respond to the child's specific request, and then handles it according to the audio retention schedule in Section 9 below.
- Voiceprints and other biometric identifiers. COTIS does not derive voiceprints or any other biometric identifier from a child's voice. If COTIS ever introduces biometric features in the future, COTIS will first provide direct notice and obtain separate verifiable parental consent.
- Device telemetry. Hardware identifier, firmware version, battery state, connection diagnostics, and basic error logs.
- App interaction data. Which features were used, for how long, and error reports — used solely for the internal operations of the Services (see Section 6).
- Approximate location. Only if the parent has explicitly opted in for safety features. COTIS does not collect precise geolocation by default.
- Persistent identifiers. COTIS uses a persistent device identifier solely for the internal operations of the Services as described in Section 6. The persistent identifier is not used or disclosed to contact a specific individual, build a child profile, or amass a behavioral history.
What we do not collect
- Continuous or always-on audio. COTIS has no wake-word and no always-on microphone. The microphone activates only when a button is pressed.
- Camera or video data. The COTIS device has no camera.
- Precise GPS location, unless the parent specifically opts in.
- Contacts, browsing history, or data from other apps on the parent's phone.
- Health information that would constitute Protected Health Information ("PHI") under HIPAA. COTIS is not a HIPAA-covered entity and does not function as a business associate of any covered entity in the consumer context.
- Behavioral profiles of children for commercial purposes.
5. How we use information
- To operate the Ask, Translate, and Calm features your child uses
- To send the parent transactional messages (order confirmations, shipping notifications, safety alerts, firmware updates, account notices)
- To respond to customer-support requests
- To diagnose, debug, and maintain the Services (the "internal operations" exception under COPPA, scoped as described in Section 6)
- To meet legal, safety, and security obligations
- To prevent fraud and protect the security of accounts and the device
COTIS does not use children's personal information for any other purpose without first obtaining separate verifiable parental consent. COTIS does not engage in behavioral advertising, profiling for marketing, or sale of children's personal information under any circumstances.
6. Persistent identifiers and the COPPA internal-operations exception
COTIS uses a persistent device identifier to perform the following internal operations and only these internal operations: (a) maintaining or analyzing the functioning of the Services; (b) performing network communications; (c) authenticating users and personalizing settings the parent has configured; (d) serving contextual content directly requested by the child (such as the response to a press of Ask, Translate, or Calm); (e) protecting the security and integrity of the Services, including detecting fraud; (f) ensuring legal or regulatory compliance; (g) fulfilling a child's request under the audio-recording exception described in Section 7.
COTIS does not use the persistent identifier or any other data collected under the internal-operations exception to contact a specific individual (including through behavioral advertising), to amass a profile of a child, or for any purpose unrelated to those listed above.
7. Audio recordings — specific handling
COTIS captures audio only when a child presses Ask, Translate, or Calm. The 2025 amended COPPA Rule includes a limited exception that allows operators to collect an audio file containing a child's voice for use in responding to the child's specific request, provided the operator does not use the information for any other purpose, does not disclose it (other than as needed to process the request), and deletes it promptly after responding.
COTIS relies on this exception for the Ask and Translate functions. The raw audio file is transmitted to our speech-processing partner over an encrypted channel solely to convert the audio into a response, and is deleted immediately after the response is generated. The de-identified transcript is retained on COTIS's systems for the limited period described in Section 9, solely for debugging and quality assurance.
For the Calm function, audio capture is shorter and is used only to detect that a child has activated the function; no transcript is retained by default.
If a parent has opted in to retain transcripts in the companion app, transcripts are retained for the period the parent selects (up to 30 days by default) and are visible only to the parent.
8. Service providers and other third-party recipients
COTIS discloses children's personal information only to the following categories of service providers, each of which is bound by a written data-processing agreement that requires the provider to use the data solely to provide services to COTIS, prohibits the provider from using the data for the provider's own purposes (including AI training), and requires the provider to maintain appropriate safeguards. COTIS does not allow service providers to share children's data onward.
- Cloud hosting and infrastructure providers — for storing account data and operating the back-end services.
- Speech-processing and language-model providers — for the Ask and Translate functions. Audio is sent to the provider, processed to generate a response, and the audio is deleted by the provider immediately after the response is generated. The provider is contractually prohibited from training on COTIS data.
- Payment processors — for handling card transactions, governed by PCI-DSS.
- Shipping and logistics partners — for delivering devices and accessories.
- Transactional email and SMS providers — for sending order confirmations, shipping updates, safety alerts, and account notifications.
- Analytics providers — which receive only aggregated, de-identified data and never receive personal information about children.
- Customer-support tooling providers — for ticket management and parent communications.
COTIS may also disclose information (a) where required by law or legal process; (b) to protect the safety of a child, another person, or COTIS; (c) to investigate suspected fraud, security breaches, or violations of these terms; or (d) in connection with a merger, acquisition, or sale of assets, in which case any acquirer will be bound by this Policy or a policy at least as protective. A parent will be notified of any such transfer.
COTIS does not sell personal information. COTIS does not share personal information for cross-context behavioral advertising. COTIS does not allow third parties to advertise to children through the Services. COTIS does not disclose children's data to data brokers.
9. Data retention
COTIS retains personal information only as long as reasonably necessary to fulfill the purpose for which it was collected, after which the data is deleted or de-identified. COTIS does not retain children's personal information indefinitely. The written retention schedule below is part of COTIS's COPPA-required data-retention policy.
| Data category | Purpose | Retention |
|---|---|---|
| Audio file (raw recording) | To generate a response | Deleted by speech-processing partner immediately after the response is generated; deleted from COTIS within 30 days |
| Transcript of a voice interaction | Debugging and quality assurance | De-identified within 30 days; deleted within 90 days |
| Companion-app interaction logs | Internal operations | 13 months |
| Account information | To operate the account | For the life of the account, plus 12 months after closure; then deleted or anonymized except where retention is required by tax, accounting, or legal obligation |
| Payment records | Tax and accounting compliance | 7 years |
| Customer-support tickets | To provide ongoing support | 3 years |
| Device telemetry (de-identified) | Internal operations | 13 months |
10. Parental rights
As the parent or legal guardian, you have the right at any time, and free of charge, to:
- Review the personal information COTIS has collected from or about your child
- Receive a copy of that personal information in a portable, readable format
- Request correction of inaccurate or incomplete information
- Request deletion of your child's personal information
- Refuse to permit further collection or use of your child's personal information
- Revoke any consent you previously gave, including consent to retain transcripts or to participate in any opt-in program
To exercise any of these rights, submit a request through cotis.ai/pages/contact from the email address on the account, or write to COTIS at the postal address in Section 1 with the subject line "Privacy request." COTIS will verify the request as required by applicable law and respond within 30 days. COTIS does not charge a fee and does not discriminate against any account holder for exercising these rights.
11. Security
COTIS maintains a written information security program reasonably designed to protect the confidentiality, integrity, and availability of children's personal information, as required by the 2025 amended COPPA Rule. The program includes: a designated security coordinator; documented administrative, technical, and physical safeguards; encryption in transit (TLS 1.3) and at rest; access controls limited to personnel with a documented business need; audit logging of all access to children's data; an annual risk assessment with corrective actions; regular testing and monitoring of safeguards; written assurances from service providers; and an incident-response plan.
No system is perfectly secure. If a security breach affects your child's personal information, COTIS will notify the parent or legal guardian without unreasonable delay, and in any event within 72 hours of confirming the breach, by email to the address on the account. COTIS will also notify regulators where required by applicable federal or state law, and will provide the affected account with a description of what happened, what information was affected, and what to do.
12. Artificial intelligence training
By default, COTIS does not use a child's voice recordings, transcripts, voiceprints, personalization data, or any other personal information to train, fine-tune, or improve any artificial-intelligence model — including COTIS's own models and any third-party model. COTIS's service providers are contractually prohibited from training on COTIS data.
If a parent expressly opts in to share de-identified transcripts to help improve COTIS responses for kids like theirs, the parent will see a separate, plain-language consent flow describing exactly what is shared, how it is de-identified, how long the consent lasts, and how to withdraw it. Opting in is never required to use any feature, and the consent can be withdrawn at any time through the companion app.
13. Targeted advertising
COTIS does not engage in targeted or behavioral advertising directed at children, does not allow third parties to do so through the Services, and does not facilitate cross-context behavioral advertising involving children's data. Under the 2025 amended COPPA Rule and applicable state laws including Oregon HB 2008, Arkansas Act 901, and the Connecticut Data Privacy Act, COTIS treats this as a hard prohibition rather than an opt-out.
14. International transfers
COTIS is based in the United States and processes personal information primarily in the United States. Where data is transferred internationally — for example, where a service provider has operations in another country — COTIS uses Standard Contractual Clauses, an applicable adequacy decision, or another lawful transfer mechanism as required.
15. State-specific rights (United States)
Residents of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have additional rights under their state privacy laws, which include the right to access, correct, delete, port, and opt out of targeted advertising or sale of personal information. Residents of California have additional rights under the California Consumer Privacy Act and the California Age-Appropriate Design Code Act, including the right to limit use and disclosure of sensitive personal information and the right to non-discrimination for exercising privacy rights.
COTIS processes children's personal information as sensitive personal information by default, consistent with the requirements of state laws (including Colorado, Connecticut, and Texas) that treat data of a known child as sensitive. Default privacy settings for any feature visible to or used by a child are set to the most protective option.
To exercise any state-law right, submit a request through cotis.ai/pages/contact or write to the postal address in Section 1 with the subject line "State privacy request." If your request is denied, you have the right to appeal; COTIS will respond to an appeal within 45 days. If you remain dissatisfied, you may contact your state attorney general's office.
16. Health information and HIPAA
COTIS is not a HIPAA-covered entity, is not marketed as a medical device, is not cleared by the U.S. Food and Drug Administration, and does not provide medical, mental-health, or therapeutic services. COTIS does not collect or process Protected Health Information ("PHI") in the consumer context. Where a clinician separately uses COTIS within a clinical practice in a manner that would involve PHI, that clinician must contact COTIS to discuss whether a separate Business Associate Agreement is required for that specific use. In the absence of a written Business Associate Agreement, COTIS does not function as a business associate of any HIPAA-covered entity.
17. Changes to this Policy
If COTIS makes material changes to this Policy, COTIS will notify the parent on each affected account by email and will update the "Last updated" date at the top of this page. Continued use of the Services after a material change indicates acceptance of the updated Policy. If you do not agree to a material change, you may close your account and request deletion of your child's data.
18. Contact
Submit any privacy question, parental-rights request, or complaint through cotis.ai/pages/contact, or by writing to:
COTIS — Privacy
PO Box 642
Ketchum, ID 83340
United States
If you have a concern that COTIS has not adequately addressed, you may also contact the U.S. Federal Trade Commission at reportfraud.ftc.gov or your state attorney general's office.