All documents

HiBFF Parent + Teen Charter

Audience: Parents, teens, school counsellors, district counsel, the HiBFF internal team. Owner: Robert Parson, Founder & CEO, HiBFF Status: Live — Production Last revised: February 2026 Related documents:

HIBFF_SCHOOLS.md
,
HiBFF Parent Compact.pdf
,
HiBFF Teen Digital Compact.pdf


Table of contents

  1. What the Charter is
  2. Why dual-consent matters
  3. The Parent Compact
  4. The Teen Digital Compact
  5. Mutual Compact
  6. How the signing flow works
  7. What happens if the Charter isn't active
  8. Withdrawal, expiry, and termination
  9. Privacy guarantees & data rights
  10. Crisis & Empathic Handover Protocol
  11. Charter & the Hybrid Custodial Vault
  12. Audit trail & legal admissibility
  13. FAQ
  14. Appendix A — full default Compact text
  15. Appendix B — system fields & API endpoints

1. What the Charter is

The HiBFF Charter is a digital agreement signed by both a parent (or legal guardian) and the teen before the teen unlocks the full HiBFF feature set — specifically the Dynamic Challenge Engine inside school deployments and the AvA conversational practice surface.

It is composed of three Compacts:

CompactSigned byStored as
Parent CompactParent / legal guardian
db.charters.parent_signature
Teen Digital CompactTeen (13-17)
db.charters.teen_signature
Mutual CompactBoth
db.charters.commitments[].category == "mutual"

A Charter is

active
only when all required commitments in all three sections are signed by both parties.


A unilateral consent design — where the parent ticks a box and the teen is silently enrolled — is the dominant pattern in school SaaS today. It produces low teen trust, low engagement, and (in some jurisdictions) doesn't actually satisfy COPPA's "verifiable parental consent" standard for the kinds of data a chat product processes.

The Charter takes a dual-consent posture:

  • The parent enables access by signing the Parent Compact.
  • The teen accepts access by signing the Teen Compact.
  • Both jointly accept the Mutual Compact.

This:

  1. Treats the teen as a co-author of the agreement, not its subject.
  2. Creates a clean legal record of teen-side consent (admissible under COPPA + GDPR-K).
  3. Makes withdrawal symmetrical — either party can revoke.

3. The Parent Compact

The Parent Compact is the parent's promise. The default text (editable at school-deployment level) is:

IDTextRequired
p1I will trust you to use HiBFF to develop real-world social skills.
p2I will not judge your conversations — this is a safe learning space.
p3I will review monthly progress reports with an open mind.
p4I will celebrate your badge achievements with you.

Tone: declarative, first-person, addressed to the teen. Not legalese. The Compact is a promise, not a permission slip.

Parents may add custom commitments (e.g. "I will not check your phone without asking first") which are stored in

db.charters.custom_commitments
.


4. The Teen Digital Compact

The Teen Compact is the teen's reciprocal promise. Defaults:

IDTextRequired
t1I will use HiBFF honestly and engage with the challenges.
t2I will try to complete at least one badge challenge per month.
t3I will share my progress with friends who might benefit.⬜ Optional
t4I will be open to disconnecting from screens when working on badges.

Tone: first-person, addressed to the parent. The teen is signing to the parent — that's the relational symmetry the Charter relies on.

The Teen Compact is signed inside the AvA conversational surface (Maya guides the teen through it), not on a separate clinical form. This intentionally lowers the cognitive cost of engaging with the agreement.


5. Mutual Compact

Things both parties commit to together:

IDTextRequired
m1We agree to have honest conversations about screen time.
m2We will establish tech-free zones / times together.
m3We will celebrate achievements together — both virtual and physical badges.

When both signatures are recorded against a Mutual commitment, the commitment is

active
. Tech-free zones agreed in
m2
are stored in
db.charters.tech_free_zones
and surfaced as gentle reminders inside the AvA chat.


6. How the signing flow works

Step 1  Teen registers (during school onboarding or direct sign-up).
Step 2  Teen supplies parent email.
Step 3  Postmark dispatches the parent invitation email
        (tag = "parent-invite", template = parent_charter_invite).
Step 4  Parent clicks magic link → creates Parent account → lands on Charter Wizard.
Step 5  Parent reviews + signs Parent Compact + Mutual Compact.
        Status: charter.status = pending_teen
Step 6  Teen receives in-app notification: "Your parent has signed — please review."
Step 7  Teen reviews + signs Teen Digital Compact + Mutual Compact.
        Status: charter.status = active
Step 8  Both parties receive PDF copy of the signed Charter via Postmark.
Step 9  Backend writes audit row to db.charter_audit; Charter is now in force.

The dashboard banner driven by

GET /api/family/consent-banner
reflects current status:

  • pending_parent
    (default after Teen registers).
  • pending_teen
    (after Parent signs).
  • active
    (both signatures captured).
  • expired
    (renewal due — see §8).

7. What happens if the Charter isn't active

The Charter is enforced at the API gate, not just the UI. The two main protected actions:

  1. Completing a challenge
    POST /api/schools/journey/complete
    • Returns HTTP 423 Locked with body
      { "code": "charter_not_active", "missing": ["parent_signature" | "teen_signature"] }
      .
  2. Minting a Vault NFT
    app.services.custodial_vault.mint_to_custody
    • Refuses to mint if the calling teen's Charter status ≠
      active
      .

The teen sees a friendly banner ("Charter pending — your parent's signature is on its way") with a one-click resend button to nudge the parent email.


8. Withdrawal, expiry, and termination

8.1 Voluntary withdrawal

Either party can revoke consent at any time:

  • Parent: Parent Dashboard → Settings → "Withdraw consent". Triggers immediate
    terminated
    status.
  • Teen: Teen account → Settings → "Pause my Charter". Charter goes to
    terminated
    and Schools Engine endpoints lock the same way as if it had never been signed.

8.2 Annual expiry

A Charter expires 365 days after the date both signatures were captured. Status moves to

expired
. The teen sees a renewal prompt 14 days before expiry. Renewal re-runs the dual-signature flow.

8.3 Hard termination

If a

Bounce
/
SpamComplaint
webhook indicates the parent email is unreachable, or the parent account is closed, the Charter automatically moves to
terminated
and all dependent surfaces lock. The audit row records
termination_reason: "parent_unreachable"
.

8.4 What happens to data on termination

  • The teen's chat history is archived but kept (so the teen retains it on a future re-consent).
  • All NFTs already minted to the Hybrid Custodial Vault remain — they are achievements, not access tokens.
  • New challenges, journeys, and analytics events stop flowing immediately.
  • A parent or teen may request full deletion under §9.4.

9. Privacy guarantees & data rights

9.1 What the parent sees

  • Engagement frequency.
  • Mood trend (aggregated across conversations).
  • OCEAN summary movement.
  • Badges + challenge completion counts.
  • Crisis alerts (immediate, see §10).

9.2 What the parent never sees

  • Individual conversation transcripts.
  • Verbatim AvA chat content.
  • Free-text reflection prose attached to challenges.

This is not a UI choice — it is a database-level access control. The Parent Dashboard endpoints use a separate aggregation pipeline that excludes raw chat content.

9.3 What the school sees

The school sees only cohort-level aggregates. See

HIBFF_SCHOOLS.md
§7.

9.4 Right to deletion

Either party can request:

  • Right of access — full export of teen-side data (JSON + PDF).
  • Right of erasure — irrevocable deletion across all collections, including chat archives.
  • Right of rectification — correction of profile fields.

Requests go to

privacy@hibff.com
. SLA: 30 days. Erasure cascades to:

  • users
    ,
    teen_challenges
    ,
    teen_profile_preferences
    ,
    chat_sessions
    ,
    chat_messages
    ,
    notifications
    ,
    charters
    ,
    charter_audit
    ,
    collectibles
    (NFT metadata; on-chain tokens are burned where possible).

9.5 Regulatory frame

  • COPPA (US) — fully compliant for 13-17. (Under-13 not permitted on Schools deployments; routed to a separate Family product.)
  • FERPA (US schools) — HiBFF processes data only as a school official under the directly-related-services exception.
  • GDPR-K (EU/UK) — Charter satisfies the higher consent standard for under-16s in EU member states that have lowered the digital consent age.
  • California CCPA — full data-subject rights honoured; no "sale" of personal info ever.

10. Crisis & Empathic Handover Protocol

If the AvA detects language indicative of self-harm, severe distress, or another safeguarding signal, the Empathic Handover Protocol is triggered.

Step 1  AvA detects signal (server-side classifier).
Step 2  AvA gently pauses the conversation:
        "I want to make sure you're okay. Can we slow down for a second?"
Step 3  AvA surfaces region-appropriate professional resources
        (e.g. 988 Suicide & Crisis Lifeline for US teens; Samaritans for UK).
Step 4  Within 60 seconds:
          - Postmark email to the parent.
          - Twilio SMS to the parent if phone on file.
          - Notification dropped into Parent Dashboard inbox.
Step 5  Charter audit row written: { "event": "empathic_handover",
        "category": "<self_harm|severe_anxiety|other>", "ts": ... }

The parent never sees the verbatim chat that triggered the handover. They see the category of signal and the time. This preserves the teen's privacy while alerting the parent to act.

The handover is a safety net, not surveillance. Teens are told at onboarding that crisis-language triggers exist.


11. Charter & the Hybrid Custodial Vault

The Charter governs the Hybrid Custodial Vault in three ways:

  1. Mint authorisation — A Charter must be
    active
    for a teen to mint an achievement NFT (§7).
  2. 180-day timelock — Each NFT in the Vault is locked for 180 days from its individual mint date (per-NFT, not per-account). A teen cannot transfer or burn before timelock expiry.
  3. Age-18 handover — On the teen's 18th birthday, a guided wallet-handover ceremony moves wallet keys from HiBFF custody to the (now-adult) user's chosen wallet. Charter terminates at that point — replaced by an adult Terms of Use.

NFTs already minted survive Charter termination and Charter expiry — they are tamper-proof transcripts of social growth, not access tokens.


Every Charter event is captured in

db.charter_audit
:

FieldDescription
audit_id
UUID
charter_id
FK to
db.charters
event
One of:
created
,
parent_signed
,
teen_signed
,
activated
,
withdrawn
,
expired
,
terminated
,
renewed
,
empathic_handover
actor
parent_user_id
/
teen_user_id
/
system
/
webhook
ts
UTC ISO timestamp
ip_address
Best-effort, masked at /24
user_agent
Truncated to 256 chars
meta
Free-form JSON for context (signature hash, pdf_url, etc.)

The signed Charter PDF is archived to S3-compatible storage (

db.storage.charter_pdfs
) with a SHA-256 hash recorded in the audit row. This produces a tamper-evident artefact admissible as documentary evidence in most US jurisdictions.


13. FAQ

Q: My teen signs up at school. Do I have to sign a separate Charter for school use? A: No — one Charter covers HiBFF use across all surfaces (Schools, Family, direct consumer). It is signed once and renews annually.

Q: My teen has divorced / separated parents. Whose signature counts? A: Either parent / legal guardian with parental responsibility may sign. If both have responsibility, either signature satisfies the COPPA threshold; HiBFF strongly recommends informing the other parent.

Q: I want to read my teen's chat. How do I escalate? A: You don't read it. If you have a safeguarding concern, contact

safeguarding@hibff.com
. We will conduct a privacy-respecting review with a trained professional and contact you with the appropriate level of detail.

Q: Can I sign on behalf of my teen? A: No. Dual-consent is non-negotiable. The teen must sign their own Compact. You can encourage and explain — you can't sign for them.

Q: What if my teen refuses to sign? A: Then the Charter never activates and HiBFF features remain locked. The teen's account exists in a "pending_teen" state. We don't pressure teens into signing.

Q: Can a school waive the Charter? A: No school, mayor, or HiBFF admin can override the Charter requirement. It is enforced at the API layer.

Q: How is the digital signature legally binding? A: HiBFF uses an ESIGN-Act compliant click-to-sign flow (audit row + IP + UA + timestamp + hash). The signed PDF is the legal artefact.

Q: Where do I read the latest Compact text before I sign? A: The Charter Wizard surfaces the current text inline before each signature. You can also download

HiBFF_Parent_Compact.pdf
and
HiBFF_Teen_Digital_Compact.pdf
from the Parent Dashboard at any time.


Appendix A — full default Compact text

A.1 Parent Compact (verbatim)

To my teenager:

  1. I will trust you to use HiBFF to develop real-world social skills.
  2. I will not judge your conversations — this is a safe learning space.
  3. I will review monthly progress reports with an open mind.
  4. I will celebrate your badge achievements with you.

Signed: ______________________ Date: __________

A.2 Teen Digital Compact (verbatim)

To my parent:

  1. I will use HiBFF honestly and engage with the challenges.
  2. I will try to complete at least one badge challenge per month.
  3. I will share my progress with friends who might benefit. (optional)
  4. I will be open to disconnecting from screens when working on badges.

Signed: ______________________ Date: __________

A.3 Mutual Compact (verbatim)

Together:

  1. We agree to have honest conversations about screen time.
  2. We will establish tech-free zones / times together: ____________________.
  3. We will celebrate achievements together — both virtual and physical badges.

Parent: __________________ Teen: __________________ Date: __________


Appendix B — system fields & API endpoints

B.1
db.charters
document shape

{
  "charter_id":      "CHR-AB12CD34EF56GH78",
  "parent_user_id":  "usr_xxxxxx",
  "teen_user_id":    "usr_yyyyyy",
  "teen_email":      "teen@example.com",
  "teen_name":       "Alex Johnson",
  "status":          "active",                // draft | pending_teen | pending_parent | active | expired | terminated
  "commitments":     [ { "id": "p1", ... }, ... ],
  "custom_commitments": [],
  "tech_free_zones": ["meal times", "bedrooms after 9pm"],
  "parent_signature": {
    "user_id":    "usr_xxxxxx",
    "signed_at":  "2026-01-12T19:24:00Z",
    "ip_address": "203.0.113.0/24",
    "user_agent": "Mozilla/5.0 …"
  },
  "teen_signature":  {
    "user_id":    "usr_yyyyyy",
    "signed_at":  "2026-01-13T10:02:00Z",
    "ip_address": "203.0.113.0/24",
    "user_agent": "Mozilla/5.0 …"
  },
  "activated_at":   "2026-01-13T10:02:00Z",
  "expires_at":     "2027-01-13T10:02:00Z",
  "created_at":     "2026-01-12T19:00:00Z",
  "updated_at":     "2026-01-13T10:02:00Z",
  "pdf_url":        "/api/files/charters/CHR-AB12…/charter.pdf",
  "pdf_sha256":     "9f86d081…"
}

B.2 Endpoints

MethodPathAuthPurpose
POST
/api/family/charter/create
Parent JWTParent initiates a Charter for a known teen email.
POST
/api/family/charter/{id}/parent-sign
Parent JWTParent records signature.
POST
/api/family/charter/{id}/teen-sign
Teen JWTTeen records signature.
POST
/api/family/charter/{id}/withdraw
Either JWTWithdraw consent →
terminated
.
GET
/api/family/charter/{id}
Either JWTInspect status.
GET
/api/family/charter/{id}/pdf
Either JWTDownload signed PDF.
GET
/api/family/consent-banner
Teen JWTDrives the dashboard banner state.
GET
/api/admin/charters
Admin / Sub-admin JWTAggregate charter status across deployment. No signature data returned.

B.3 Key services

  • app.services.charter_pdf.render_charter_pdf(charter_id) → bytes
  • app.services.charter_audit.append(charter_id, event, actor, meta)
  • app.api.family.create_charter(...)
    — creates the row + dispatches the parent invitation email.
  • app.utils.charter_gate.require_active_charter(user_id)
    — used as a FastAPI dependency on protected endpoints; raises
    HTTPException(423)
    when not active.

HiBFF — Brave Friends Forever. Brave conversations, in a safe place.

HiBFF uses essential cookies only — to keep you logged in and remember your preferences. We do not use advertising or tracking cookies. Privacy Policy