How We Protect Kids

CyberScale is operated by BXAR Inc., a Canadian cybersecurity consulting company. Our professional work involves protecting organizations from cyberattacks, conducting penetration tests, and assessing security posture for clients across North America. We built CyberScale because we believe cybersecurity awareness should be accessible to every young person — and we built it with the same security standards we apply to our professional engagements.

This page explains in detail how we protect the children and teenagers who use our platform. If you are a parent, guardian, educator, or school administrator evaluating CyberScale, this page is written for you.

No one under 18 creates an account on CyberScale. No child or teenager ever provides us with an email address, a password, a name, a date of birth, or any personal information. All accounts are held by adults — parents, guardians, or educators.

This is the strongest possible privacy architecture. You cannot breach data that was never collected.

3.1 At Home: Through a Family Code

A parent or guardian creates an account using their own email and password. The parent then creates a family group, which generates a unique join code (e.g., CYBER-XXXX). The parent shares this code with their children. Each child enters the code and chooses:

• A nickname (like "Alex" or "CyberNinja" — not required to be their real name)
• A selected avatar (a cartoon character image)
• An age tier (Explorer, Defender, or Operative)
• An optional 4-digit PIN (for returning to their session later)

That's it. No email. No password. No date of birth. No personal information about the child.

The child — whether they are 8 or 17 — begins learning immediately after joining. All progress, XP, achievements, and activity are visible to the parent from their dashboard. The parent can change the child's age tier or remove them at any time.

This model works the same way for an 8-year-old Explorer user and a 17-year-old Operative user. The parent controls the family group. The child learns through it.

3.2 At School: Anonymous Class Code

An educator creates a classroom and provides students with a class code (example: CYBER-7X4K). Students enter the code, pick a temporary nickname and avatar, and begin learning. No personal information is collected. The educator sees only anonymous nicknames and learning progress. If a student clears their browser, the session ends — there is no persistent identity.

What we collect from children and teens: Nothing. A parent-chosen nickname and avatar selection do not constitute personal information identifiable to the child.

What we collect from parents and educators: Email address, password (stored as a cryptographic hash — we never see your actual password), display name, and login activity metadata.

What we NEVER do with data:

• We never sell data. Not to advertisers. Not to data brokers. Not to anyone.
• We never serve ads. There is no advertising on CyberScale.
• We never track users across websites. No third-party cookies, no tracking pixels, no browser fingerprinting.
• We never build behavioral profiles.
• We never share data for commercial purposes.

5.1 Age-Appropriate Content by Track

• Explorer (Ages 8-10): Grade 3-4 reading level, friendly language, concrete metaphors, Cypher mascot, no violence/dating/adult themes, no scare tactics.
• Defender (Ages 11-13): Grade 6-7, cyberbullying/phishing/scams in age-appropriate context, school/gaming scenarios, no dating references.
• Operative (Ages 14-17): Grade 9-10, real-world concepts, dark web/financial fraud/legal consequences, career exploration, educational non-sensational treatment.

Cross-Tier Access: Older users can access younger tiers. Younger users cannot access above their tier. Parents can adjust tier.

5.2 No Social Features Between Users

No messaging, no chat, no friend lists, no public profiles, no comments, no forums, no file sharing, no live streaming. No way for one child to contact another.

5.3 No External Links in Child-Facing Content

Explorer and Defender tracks have no clickable external links. References to external resources are informational text for parent/educator follow-up.

• AI conversations from children in a family group are stored under the parent account.
• AI is configured to stay on cybersecurity education, never ask for personal info, and recommend a trusted adult if distress is detected.
• No AI system is infallible.
• Parents may request deletion of AI conversations by contacting service@bxar.io.

7.1 Technical Security Measures

• Encryption in transit: TLS 1.3
• Password security: Argon2id with per-user salts — we never store, transmit, or log plaintext passwords
• Infrastructure: dedicated servers, physical access controls, network segmentation
• Access controls: role-based, need-to-know
• Monitoring: automated detection of unauthorized access

7.2 Security Testing

We conduct regular security assessments using the same methodologies as our professional client engagements.

7.3 Incident Response

In the event of a data breach, we will notify affected users within 72 hours, provide regulatory notification as required, and share clear information about the nature of the incident.

7.4 Responsible Disclosure

Security researchers are welcome to report vulnerabilities to service@bxar.io. We acknowledge reports within 5 business days and take no legal action against good-faith reporters.

From the parent dashboard:

• Create a family group — generate a join code (CYBER-XXXX) and share it with your kids
• See who joined — view all children who joined with your code, their nicknames, and avatars
• Change age tiers — switch a child between Explorer, Defender, and Operative at any time
• View all learning progress — every lesson, quiz score, and XP earned
• Remove a child — permanently remove them and all associated data from the family group
• Delete account — directly from the dashboard, or contact service@bxar.io

9.1 Student Privacy

No student personally identifiable information (PII) is collected. Educators see only anonymous data.

9.2 Institutional Deployments

Data Processing Agreements (DPAs) are available for institutional deployments. Contact service@bxar.io.

9.3 Educator Responsibilities

Educators are responsible for notifying parents, monitoring nicknames chosen by students, and ensuring use of the platform is consistent with school policies.

All deletions are permanent and irreversible.

11.1 COPPA (Children's Online Privacy Protection Act)

Our parent-account architecture means no personal information from users under 18 is collected. We acknowledge the "directed to children" factors relevant to our platform. Compliance is achieved through our zero-minor-data architecture. We recommend formal legal review before launch.

11.2 PIPEDA and Quebec Law 25

As a Canadian corporation, we operate in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec Law 25.

11.3 GDPR

If users access the platform from the European Economic Area, we process their data in accordance with GDPR. Canada is recognized by the European Commission as providing adequate data protection.

11.4 State Laws (CCPA/CPRA, AADC)

We monitor developments under the California Consumer Privacy Act (CCPA/CPRA) and the Age-Appropriate Design Code (AADC). Our zero-minor-data architecture provides the strongest available compliance posture.

11.5 FERPA

Our anonymous classroom model means no education records are maintained, placing us outside the scope of FERPA obligations.

Can my child accidentally share personal information on the Platform?

No. There is no chat, no comments, no forums, no public profiles, and no messaging. The only text input available to a child is the nickname field, which is chosen by the parent. There is no mechanism for a child to share personal information.

My teenager is 16 — do they really need me to create an account?

Yes. All accounts are held by adults. This protects your teenager's privacy. Your teen selects their profile within your account and has full access to Operative content. You can create a profile specifically for them.

Can my teenager access the Explorer or Defender lessons?

Yes. Older users can access all content at their tier and below.

Can I change my child's age tier?

Yes, from your dashboard at any time.

Is the Platform safe for use in schools?

Yes. Zero student PII is collected. Participation is anonymous. Data Processing Agreements are available on request.

Do you share data with advertisers?

No. We never have and never will. There is no advertising on CyberScale.

What happens if your company is acquired or goes out of business?

In the event of an acquisition, the acquiring entity will be bound by our Privacy Policy. In the event we cease operations, we will delete all data and provide advance notice to users.

For all inquiries — privacy, security, legal, partnerships, or general questions:

service@bxar.io

BXAR Inc., Montreal, QC, Canada | bxar.io

This page supplements our Privacy Policy and Terms of Service. In case of conflict, the Privacy Policy and Terms of Service prevail.

Maintained by BXAR Inc. Last updated April 2026.