Privacy Policy
Your family's privacy and safety are our top priorities.
Last updated: June 27, 2026 · Effective: June 27, 2026
1. Introduction
The Mixed-Up Robot (a DBA of Leo Doctrina LLC; "we," "our," or "us") operates the website themixeduprobot.com (the "Site") and associated educational services. This Privacy Policy explains what personal information we collect, how we use and protect it, and what rights you have over it.
We are committed to protecting the privacy of children and families. Our Site is directed to parents, guardians, and educators—not to children under 13. We comply with applicable U.S. and international privacy laws, including the Children's Online Privacy Protection Act (COPPA) as amended by the FTC's 2025 Rule (effective April 22, 2026), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and the European Union General Data Protection Regulation (GDPR).
By using our Site you agree to this Policy. If you do not agree, please do not use our Site.
2. Who This Policy Covers
This Policy applies to all visitors to themixeduprobot.com. Our newsletter, contact form, and resource downloads are intended for adults (parents, guardians, educators, and caregivers). If you are under 13, please do not submit any personal information to us—see Section 6 for our full children's privacy policy.
3. Information We Collect
3a. Information You Provide Directly
- Newsletter sign-ups: Email address; first name (optional). We do not collect last names unless you voluntarily include them in a message.
- Contact form: Name, email address, and the content of your message.
- Resource downloads: Email address used to deliver the requested resource.
We practice data minimization: we only ask for information necessary to provide the service you requested.
3b. Information Collected Automatically
- Website analytics (consent required): Pages visited, session duration, click paths, and referring URLs. Collected via Google Analytics 4 only after you accept analytics cookies.
- Device and connection data: Browser type, operating system, screen resolution, and anonymized IP address. We do not store full IP addresses.
- Cookies and similar technologies: See Section 9 for the full cookie table and consent controls.
We do not collect biometric identifiers, government-issued ID numbers, financial account information, geolocation data, or audio/video recordings through this Site.
3c. Information from Third-Party Platforms
If you interact with our official social media accounts (Facebook, Instagram, X, YouTube, TikTok), those platforms govern the collection of data related to your activity on their services. We do not receive individually identifiable personal data from those platforms.
4. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Send newsletters and book updates you signed up for | Consent (Art. 6(1)(a)) |
| Respond to contact-form inquiries and provide support | Legitimate interests (Art. 6(1)(f)) |
| Deliver requested resources (worksheets, activity sheets) | Performance of a contract / Consent (Art. 6(1)(a)/(b)) |
| Analyze website traffic to improve content and user experience (only with consent) | Consent (Art. 6(1)(a)) |
| Detect and prevent fraud, abuse, and security threats | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations (e.g., respond to lawful requests) | Legal obligation (Art. 6(1)(c)) |
We do not use your personal information for targeted advertising, behavioral profiling, or sale to third parties.
5. Data Retention
We retain personal information only as long as necessary for the purpose for which it was collected, consistent with our legal obligations. Specific retention periods:
| Data Type | Retention Period | Basis |
|---|---|---|
| Newsletter subscriber email & name | Until you unsubscribe, then deleted within 30 days | Consent (revocable) |
| Contact form messages | 24 months from receipt, then deleted | Legitimate interests |
| Resource-download email addresses | 12 months from download, then deleted | Consent |
| Anonymized analytics data | 26 months (Google Analytics default); no personally identifiable data retained | Consent |
| Cookie consent records | 12 months, then re-prompted | Legal obligation |
When retention periods expire, data is securely deleted or irreversibly anonymized. We do not retain personal information indefinitely.
6. Children's Privacy (COPPA Compliance)
Our Site and its interactive features—newsletter, contact form, resource downloads—are directed to and intended for adults only (parents, guardians, and educators). We do not knowingly collect, use, or disclose personal information from children under 13 years of age.
Age Screening
Our sign-up forms do not invite children to participate. If we have reason to believe a submission was made by a child under 13, we will not process that information and will delete it promptly. If you believe a child under 13 has submitted personal information to us, please contact us immediately at hello@themixeduprobot.com and we will delete it within five (5) business days.
No Targeted Collection from Children
We do not condition participation in any activity on a child disclosing more personal information than is reasonably necessary. We do not use persistent identifiers to recognize children across websites or over time.
Parental Rights
If you are a parent or guardian and have questions about our practices—or believe your child's information may have been inadvertently collected—you have the right to:
- Request to review any personal information we have collected from your child
- Request that we delete any personal information collected from your child
- Refuse to permit further use or collection of your child's information
To exercise these rights, contact us at hello@themixeduprobot.com with the subject line "COPPA Parental Request." We will respond within ten (10) business days.
2025 COPPA Rule Amendments
The FTC's updated COPPA Rule (effective April 22, 2026) imposes stricter data minimization and retention obligations on operators of child-directed services. Because our Site is not directed to children and we do not knowingly collect their data, many provisions do not directly apply; however, we have reviewed and aligned our practices with the spirit of these requirements as a best practice for any family-facing brand.
7. Information Sharing and Disclosure
We do not sell, rent, or trade your personal information. We do not share personal information for cross-context behavioral advertising. We may share information only in these limited circumstances:
- Service providers: We share data with the third-party platforms listed in Section 8 solely to operate our Site and communicate with you. Each is contractually required to protect your data and may not use it for their own marketing.
- Legal requirements: We may disclose information if required by law, court order, or governmental authority, or to protect the rights, safety, or property of our users, ourselves, or the public.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via the Site before your information becomes subject to a different privacy policy.
- With your explicit consent: We may share information for purposes not described here when you have given us clear, affirmative consent.
We obtain separate consent before disclosing any personal information to third parties for purposes beyond core site operations, consistent with COPPA 2025 requirements.
8. Third-Party Services
The following third-party services are integrated into our Site. Each service has its own privacy policy, which governs data they receive.
| Service | Purpose | Data Sent | Policy |
|---|---|---|---|
| Google Analytics 4 | Website traffic analysis. Only loaded after analytics consent is granted. | Anonymized IP, page views, session data | Google Privacy Policy |
| Kit (ConvertKit) | Email newsletter delivery and subscriber management. | Email address, first name (if provided), open/click events | Kit Privacy Policy |
| Ko-fi / Stripe | Voluntary supporter donations. Only activated when you click "Support on Ko-fi." | Payment and session data handled entirely by Ko-fi and Stripe; we do not receive or store card details. | Ko-fi Privacy Policy |
| Google Fonts | Typography served from Google's CDN for consistent rendering. | IP address sent to Google servers on page load. | Google Privacy Policy |
We do not use advertising networks, data brokers, or affiliate tracking pixels on this Site.
9. Cookies and Local Storage
We use browser cookies and localStorage to keep our Site functional and, with your consent, to understand how visitors engage with our content. We do not use advertising, behavioral targeting, or cross-site tracking cookies.
You can manage or withdraw consent at any time using the "Manage Cookies" link in the site footer. Withdrawing consent stops future data collection but does not delete data already collected. Consent records expire after 12 months and you will be prompted again.
Technical note: our three consent-management entries (mur_consent, mur_consent_ver, mur_consent_date) are stored in browser localStorage, not as HTTP cookies. They serve the same purpose as consent cookies and are subject to the same 12-month expiry enforced by our code.
| Name | Storage Type | Purpose | Duration | Consent Required? |
|---|---|---|---|---|
| mur_consent | localStorage (first-party) | Records your consent choice (granted / denied) | 12 months (code-enforced) | No (essential) |
| mur_consent_ver | localStorage (first-party) | Stores policy version to re-prompt after major changes | 12 months (code-enforced) | No (essential) |
| mur_consent_date | localStorage (first-party) | Records the timestamp of your consent to enforce 12-month expiry | 12 months (code-enforced) | No (essential) |
| _ga, _ga_* | Cookie (third-party, Google) | Google Analytics — distinguishes unique visitors for traffic analysis | 2 years | Yes |
| Ko-fi / Stripe session | Cookie (third-party, Ko-fi / Stripe) | Payment security — set only when you open the Ko-fi support panel | Session | Set on interaction (not pre-loaded) |
Do Not Track
Some browsers offer a "Do Not Track" (DNT) signal. Our consent-first approach means analytics are blocked by default until you explicitly grant permission, which provides protections equivalent to or exceeding DNT. We do not respond to DNT signals from browsers that do not also honor our consent localStorage entry.
10. Data Security
We maintain a written information security program that includes the following measures:
- Encryption in transit: All traffic to this Site is served over HTTPS (TLS 1.2 or higher).
- Access controls: Access to subscriber and contact data is limited to authorized personnel only.
- Vendor security: We select third-party processors with documented security practices and require them to protect data under confidentiality obligations.
- Data minimization: We collect the minimum data necessary and delete it when the purpose is fulfilled.
- Regular review: We periodically review our privacy and security practices to ensure ongoing compliance.
No method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security, but we take reasonable precautions to protect your information.
Data Breach Notification
In the event of a data breach that is reasonably likely to result in harm to affected individuals, we will notify impacted users by email (where we have an email address) and post a notice on this Site within the timeframes required by applicable law, and no later than 72 hours after discovery where required by the GDPR.
11. Your Rights
Depending on where you live, you may have some or all of the following rights regarding your personal information. To exercise any of these rights, email us at hello@themixeduprobot.com with the subject line "Privacy Rights Request." We will respond within 30 days (or the timeframe required by your jurisdiction).
- Access / Right to Know: Request a copy of the personal information we hold about you and how we use it.
- Correction: Request that we correct inaccurate or incomplete information.
- Deletion: Request that we delete your personal information, subject to certain exceptions (e.g., legal obligations).
- Portability: Request your data in a structured, commonly used, machine-readable format.
- Objection / Restriction: Object to or request restriction of processing based on legitimate interests.
- Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing. For cookies, use the "Manage Cookies" footer link. For email, use the unsubscribe link in any newsletter.
- Opt-Out of Sale or Sharing: We do not sell or share personal information for advertising—so this right is already honored. See Section 12 for California-specific disclosures.
- Non-Discrimination: You will not receive less favorable service for exercising any privacy right.
We will verify your identity before processing a request. We do not charge a fee for reasonable requests.
12. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides additional rights. This section supplements the rest of this Policy.
Categories of Personal Information Collected (Last 12 Months)
- Identifiers: Email address, first name (newsletter/contact/download)
- Internet or network activity: Browsing behavior on our Site (analytics, consent-gated)
- Inferences: None drawn from the above categories
Sources
Directly from you (form submissions) and automatically from your browser (analytics, only with consent).
Business or Commercial Purpose
Operating the Site, communicating with you, and improving our content—as described in Section 4.
Sale / Sharing of Personal Information
We do not sell personal information. We do not share personal information with third parties for cross-context behavioral advertising. You do not need to opt out because we do not engage in these activities.
Your California-Specific Rights
- Right to know what personal information we have collected, used, disclosed, or sold in the past 12 months
- Right to delete personal information we hold about you, subject to exceptions
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing (moot—we do not sell or share)
- Right to limit use of sensitive personal information (we do not collect sensitive PI as defined by CPRA)
- Right to non-discrimination for exercising these rights
To submit a California privacy request, email hello@themixeduprobot.com with "California Privacy Request" in the subject line. We will respond within 45 days (extendable by an additional 45 days with notice).
Minors Under 16 (California)
We do not sell the personal information of consumers under 16. As noted throughout this Policy, our Site is not directed to anyone under 13, and we take additional care to avoid collecting data from minors.
13. International Users
Our Site is operated from the United States. If you are located outside the United States, please be aware that information you provide will be transferred to, processed, and stored in the U.S., where privacy laws may differ from those in your country.
European Economic Area, UK, and Switzerland (GDPR)
If you are in the EEA, UK, or Switzerland, you have rights under the GDPR in addition to those described in Section 11:
- Right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or your national DPA in the EU)
- Right not to be subject to automated decision-making (we do not engage in automated profiling that produces legal effects)
The legal bases for each processing activity are set out in the table in Section 4. Where we rely on legitimate interests, you may object at any time. We do not transfer personal data from the EEA to the U.S. unless we have a valid transfer mechanism in place (e.g., Standard Contractual Clauses where applicable through our processors).
14. Email Communications (CAN-SPAM)
Our newsletters comply with the U.S. CAN-SPAM Act. Every marketing email we send includes:
- Our physical mailing address
- A clear "unsubscribe" link that honors your request within 10 business days
- An honest "from" name and subject line
You can unsubscribe at any time using the link at the bottom of any email or by emailing hello@themixeduprobot.com.
15. Governing Law
This Privacy Policy is governed by the laws of the State of Iowa and the United States of America, without regard to conflict-of-law principles. Any disputes arising from or relating to this Policy that are not resolved informally will be subject to the exclusive jurisdiction of the state and federal courts located in Polk County, Iowa (Des Moines).
16. Changes to This Privacy Policy
We may update this Policy periodically. When we make material changes, we will update the "Last updated" date at the top of this page and, where feasible, send notice to newsletter subscribers. We encourage you to review this page periodically. Continued use of the Site after changes are posted constitutes acceptance of the updated Policy.
17. Contact Us
For privacy questions, rights requests, parental COPPA requests, or data breach concerns:
- Email: hello@themixeduprobot.com
- Mailing Address: The Mixed-Up Robot (Leo Doctrina LLC), Des Moines, IA, USA
- Website: www.themixeduprobot.com
We aim to respond to all privacy inquiries within 10 business days.
Legal Notice: This Privacy Policy is provided for informational purposes and does not constitute legal advice. For specific legal questions about your situation, please consult with a qualified attorney.