HiBFF Parent + Teen Charter
Audience: Parents, teens, school counsellors, district counsel, the HiBFF internal team. Owner: Robert Parson, Founder & CEO, HiBFF Status: Live — Production Last revised: February 2026 Related documents:
,HIBFF_SCHOOLS.md,HiBFF Parent Compact.pdfHiBFF Teen Digital Compact.pdf
Table of contents
- What the Charter is
- Why dual-consent matters
- The Parent Compact
- The Teen Digital Compact
- Mutual Compact
- How the signing flow works
- What happens if the Charter isn't active
- Withdrawal, expiry, and termination
- Privacy guarantees & data rights
- Crisis & Empathic Handover Protocol
- Charter & the Hybrid Custodial Vault
- Audit trail & legal admissibility
- FAQ
- Appendix A — full default Compact text
- Appendix B — system fields & API endpoints
1. What the Charter is
The HiBFF Charter is a digital agreement signed by both a parent (or legal guardian) and the teen before the teen unlocks the full HiBFF feature set — specifically the Dynamic Challenge Engine inside school deployments and the AvA conversational practice surface.
It is composed of three Compacts:
| Compact | Signed by | Stored as |
|---|---|---|
| Parent Compact | Parent / legal guardian | |
| Teen Digital Compact | Teen (13-17) | |
| Mutual Compact | Both | |
A Charter is
active only when all required commitments in all three sections are signed by both parties.
2. Why dual-consent matters
A unilateral consent design — where the parent ticks a box and the teen is silently enrolled — is the dominant pattern in school SaaS today. It produces low teen trust, low engagement, and (in some jurisdictions) doesn't actually satisfy COPPA's "verifiable parental consent" standard for the kinds of data a chat product processes.
The Charter takes a dual-consent posture:
- The parent enables access by signing the Parent Compact.
- The teen accepts access by signing the Teen Compact.
- Both jointly accept the Mutual Compact.
This:
- Treats the teen as a co-author of the agreement, not its subject.
- Creates a clean legal record of teen-side consent (admissible under COPPA + GDPR-K).
- Makes withdrawal symmetrical — either party can revoke.
3. The Parent Compact
The Parent Compact is the parent's promise. The default text (editable at school-deployment level) is:
| ID | Text | Required |
|---|---|---|
| p1 | I will trust you to use HiBFF to develop real-world social skills. | ✅ |
| p2 | I will not judge your conversations — this is a safe learning space. | ✅ |
| p3 | I will review monthly progress reports with an open mind. | ✅ |
| p4 | I will celebrate your badge achievements with you. | ✅ |
Tone: declarative, first-person, addressed to the teen. Not legalese. The Compact is a promise, not a permission slip.
Parents may add custom commitments (e.g. "I will not check your phone without asking first") which are stored in
db.charters.custom_commitments.
4. The Teen Digital Compact
The Teen Compact is the teen's reciprocal promise. Defaults:
| ID | Text | Required |
|---|---|---|
| t1 | I will use HiBFF honestly and engage with the challenges. | ✅ |
| t2 | I will try to complete at least one badge challenge per month. | ✅ |
| t3 | I will share my progress with friends who might benefit. | ⬜ Optional |
| t4 | I will be open to disconnecting from screens when working on badges. | ✅ |
Tone: first-person, addressed to the parent. The teen is signing to the parent — that's the relational symmetry the Charter relies on.
The Teen Compact is signed inside the AvA conversational surface (Maya guides the teen through it), not on a separate clinical form. This intentionally lowers the cognitive cost of engaging with the agreement.
5. Mutual Compact
Things both parties commit to together:
| ID | Text | Required |
|---|---|---|
| m1 | We agree to have honest conversations about screen time. | ✅ |
| m2 | We will establish tech-free zones / times together. | ✅ |
| m3 | We will celebrate achievements together — both virtual and physical badges. | ✅ |
When both signatures are recorded against a Mutual commitment, the commitment is
active. Tech-free zones agreed in m2 are stored in db.charters.tech_free_zones and surfaced as gentle reminders inside the AvA chat.
6. How the signing flow works
Step 1 Teen registers (during school onboarding or direct sign-up). Step 2 Teen supplies parent email. Step 3 Postmark dispatches the parent invitation email (tag = "parent-invite", template = parent_charter_invite). Step 4 Parent clicks magic link → creates Parent account → lands on Charter Wizard. Step 5 Parent reviews + signs Parent Compact + Mutual Compact. Status: charter.status = pending_teen Step 6 Teen receives in-app notification: "Your parent has signed — please review." Step 7 Teen reviews + signs Teen Digital Compact + Mutual Compact. Status: charter.status = active Step 8 Both parties receive PDF copy of the signed Charter via Postmark. Step 9 Backend writes audit row to db.charter_audit; Charter is now in force.
The dashboard banner driven by
GET /api/family/consent-banner reflects current status:
(default after Teen registers).pending_parent
(after Parent signs).pending_teen
(both signatures captured).active
(renewal due — see §8).expired
7. What happens if the Charter isn't active
The Charter is enforced at the API gate, not just the UI. The two main protected actions:
- Completing a challenge —
POST /api/schools/journey/complete- Returns HTTP 423 Locked with body
.{ "code": "charter_not_active", "missing": ["parent_signature" | "teen_signature"] }
- Returns HTTP 423 Locked with body
- Minting a Vault NFT —
app.services.custodial_vault.mint_to_custody- Refuses to mint if the calling teen's Charter status ≠
.active
- Refuses to mint if the calling teen's Charter status ≠
The teen sees a friendly banner ("Charter pending — your parent's signature is on its way") with a one-click resend button to nudge the parent email.
8. Withdrawal, expiry, and termination
8.1 Voluntary withdrawal
Either party can revoke consent at any time:
- Parent: Parent Dashboard → Settings → "Withdraw consent". Triggers immediate
status.terminated - Teen: Teen account → Settings → "Pause my Charter". Charter goes to
and Schools Engine endpoints lock the same way as if it had never been signed.terminated
8.2 Annual expiry
A Charter expires 365 days after the date both signatures were captured. Status moves to
expired. The teen sees a renewal prompt 14 days before expiry. Renewal re-runs the dual-signature flow.
8.3 Hard termination
If a
Bounce / SpamComplaint webhook indicates the parent email is unreachable, or the parent account is closed, the Charter automatically moves to terminated and all dependent surfaces lock. The audit row records termination_reason: "parent_unreachable".
8.4 What happens to data on termination
- The teen's chat history is archived but kept (so the teen retains it on a future re-consent).
- All NFTs already minted to the Hybrid Custodial Vault remain — they are achievements, not access tokens.
- New challenges, journeys, and analytics events stop flowing immediately.
- A parent or teen may request full deletion under §9.4.
9. Privacy guarantees & data rights
9.1 What the parent sees
- Engagement frequency.
- Mood trend (aggregated across conversations).
- OCEAN summary movement.
- Badges + challenge completion counts.
- Crisis alerts (immediate, see §10).
9.2 What the parent never sees
- Individual conversation transcripts.
- Verbatim AvA chat content.
- Free-text reflection prose attached to challenges.
This is not a UI choice — it is a database-level access control. The Parent Dashboard endpoints use a separate aggregation pipeline that excludes raw chat content.
9.3 What the school sees
The school sees only cohort-level aggregates. See
HIBFF_SCHOOLS.md §7.
9.4 Right to deletion
Either party can request:
- Right of access — full export of teen-side data (JSON + PDF).
- Right of erasure — irrevocable deletion across all collections, including chat archives.
- Right of rectification — correction of profile fields.
Requests go to
privacy@hibff.com. SLA: 30 days. Erasure cascades to:
,users
,teen_challenges
,teen_profile_preferences
,chat_sessions
,chat_messages
,notifications
,charters
,charter_audit
(NFT metadata; on-chain tokens are burned where possible).collectibles
9.5 Regulatory frame
- COPPA (US) — fully compliant for 13-17. (Under-13 not permitted on Schools deployments; routed to a separate Family product.)
- FERPA (US schools) — HiBFF processes data only as a school official under the directly-related-services exception.
- GDPR-K (EU/UK) — Charter satisfies the higher consent standard for under-16s in EU member states that have lowered the digital consent age.
- California CCPA — full data-subject rights honoured; no "sale" of personal info ever.
10. Crisis & Empathic Handover Protocol
If the AvA detects language indicative of self-harm, severe distress, or another safeguarding signal, the Empathic Handover Protocol is triggered.
Step 1 AvA detects signal (server-side classifier). Step 2 AvA gently pauses the conversation: "I want to make sure you're okay. Can we slow down for a second?" Step 3 AvA surfaces region-appropriate professional resources (e.g. 988 Suicide & Crisis Lifeline for US teens; Samaritans for UK). Step 4 Within 60 seconds: - Postmark email to the parent. - Twilio SMS to the parent if phone on file. - Notification dropped into Parent Dashboard inbox. Step 5 Charter audit row written: { "event": "empathic_handover", "category": "<self_harm|severe_anxiety|other>", "ts": ... }
The parent never sees the verbatim chat that triggered the handover. They see the category of signal and the time. This preserves the teen's privacy while alerting the parent to act.
The handover is a safety net, not surveillance. Teens are told at onboarding that crisis-language triggers exist.
11. Charter & the Hybrid Custodial Vault
The Charter governs the Hybrid Custodial Vault in three ways:
- Mint authorisation — A Charter must be
for a teen to mint an achievement NFT (§7).active - 180-day timelock — Each NFT in the Vault is locked for 180 days from its individual mint date (per-NFT, not per-account). A teen cannot transfer or burn before timelock expiry.
- Age-18 handover — On the teen's 18th birthday, a guided wallet-handover ceremony moves wallet keys from HiBFF custody to the (now-adult) user's chosen wallet. Charter terminates at that point — replaced by an adult Terms of Use.
NFTs already minted survive Charter termination and Charter expiry — they are tamper-proof transcripts of social growth, not access tokens.
12. Audit trail & legal admissibility
Every Charter event is captured in
db.charter_audit:
| Field | Description |
|---|---|
| UUID |
| FK to |
| One of: , , , , , , , , |
| / / / |
| UTC ISO timestamp |
| Best-effort, masked at /24 |
| Truncated to 256 chars |
| Free-form JSON for context (signature hash, pdf_url, etc.) |
The signed Charter PDF is archived to S3-compatible storage (
db.storage.charter_pdfs) with a SHA-256 hash recorded in the audit row. This produces a tamper-evident artefact admissible as documentary evidence in most US jurisdictions.
13. FAQ
Q: My teen signs up at school. Do I have to sign a separate Charter for school use? A: No — one Charter covers HiBFF use across all surfaces (Schools, Family, direct consumer). It is signed once and renews annually.
Q: My teen has divorced / separated parents. Whose signature counts? A: Either parent / legal guardian with parental responsibility may sign. If both have responsibility, either signature satisfies the COPPA threshold; HiBFF strongly recommends informing the other parent.
Q: I want to read my teen's chat. How do I escalate? A: You don't read it. If you have a safeguarding concern, contact
safeguarding@hibff.com. We will conduct a privacy-respecting review with a trained professional and contact you with the appropriate level of detail.
Q: Can I sign on behalf of my teen? A: No. Dual-consent is non-negotiable. The teen must sign their own Compact. You can encourage and explain — you can't sign for them.
Q: What if my teen refuses to sign? A: Then the Charter never activates and HiBFF features remain locked. The teen's account exists in a "pending_teen" state. We don't pressure teens into signing.
Q: Can a school waive the Charter? A: No school, mayor, or HiBFF admin can override the Charter requirement. It is enforced at the API layer.
Q: How is the digital signature legally binding? A: HiBFF uses an ESIGN-Act compliant click-to-sign flow (audit row + IP + UA + timestamp + hash). The signed PDF is the legal artefact.
Q: Where do I read the latest Compact text before I sign? A: The Charter Wizard surfaces the current text inline before each signature. You can also download
HiBFF_Parent_Compact.pdf and HiBFF_Teen_Digital_Compact.pdf from the Parent Dashboard at any time.
Appendix A — full default Compact text
A.1 Parent Compact (verbatim)
To my teenager:
- I will trust you to use HiBFF to develop real-world social skills.
- I will not judge your conversations — this is a safe learning space.
- I will review monthly progress reports with an open mind.
- I will celebrate your badge achievements with you.
Signed: ______________________ Date: __________
A.2 Teen Digital Compact (verbatim)
To my parent:
- I will use HiBFF honestly and engage with the challenges.
- I will try to complete at least one badge challenge per month.
- I will share my progress with friends who might benefit. (optional)
- I will be open to disconnecting from screens when working on badges.
Signed: ______________________ Date: __________
A.3 Mutual Compact (verbatim)
Together:
- We agree to have honest conversations about screen time.
- We will establish tech-free zones / times together: ____________________.
- We will celebrate achievements together — both virtual and physical badges.
Parent: __________________ Teen: __________________ Date: __________
Appendix B — system fields & API endpoints
B.1 db.charters
document shape
db.charters{ "charter_id": "CHR-AB12CD34EF56GH78", "parent_user_id": "usr_xxxxxx", "teen_user_id": "usr_yyyyyy", "teen_email": "teen@example.com", "teen_name": "Alex Johnson", "status": "active", // draft | pending_teen | pending_parent | active | expired | terminated "commitments": [ { "id": "p1", ... }, ... ], "custom_commitments": [], "tech_free_zones": ["meal times", "bedrooms after 9pm"], "parent_signature": { "user_id": "usr_xxxxxx", "signed_at": "2026-01-12T19:24:00Z", "ip_address": "203.0.113.0/24", "user_agent": "Mozilla/5.0 …" }, "teen_signature": { "user_id": "usr_yyyyyy", "signed_at": "2026-01-13T10:02:00Z", "ip_address": "203.0.113.0/24", "user_agent": "Mozilla/5.0 …" }, "activated_at": "2026-01-13T10:02:00Z", "expires_at": "2027-01-13T10:02:00Z", "created_at": "2026-01-12T19:00:00Z", "updated_at": "2026-01-13T10:02:00Z", "pdf_url": "/api/files/charters/CHR-AB12…/charter.pdf", "pdf_sha256": "9f86d081…" }
B.2 Endpoints
| Method | Path | Auth | Purpose |
|---|---|---|---|
| | Parent JWT | Parent initiates a Charter for a known teen email. |
| | Parent JWT | Parent records signature. |
| | Teen JWT | Teen records signature. |
| | Either JWT | Withdraw consent → . |
| | Either JWT | Inspect status. |
| | Either JWT | Download signed PDF. |
| | Teen JWT | Drives the dashboard banner state. |
| | Admin / Sub-admin JWT | Aggregate charter status across deployment. No signature data returned. |
B.3 Key services
app.services.charter_pdf.render_charter_pdf(charter_id) → bytesapp.services.charter_audit.append(charter_id, event, actor, meta)
— creates the row + dispatches the parent invitation email.app.api.family.create_charter(...)
— used as a FastAPI dependency on protected endpoints; raisesapp.utils.charter_gate.require_active_charter(user_id)
when not active.HTTPException(423)
HiBFF — Brave Friends Forever. Brave conversations, in a safe place.