Age Appropriate Design Code

Every spec touching a child user passes a best-interests design-review gate. The TutorStudio entitlements model hardcodes safeguarding, DSAR, and age-transition infrastructure as ungated at every commercial tier so no pricing decision can suppress child-safety surfaces. The DPO validates borderline calls.

The DPIA registry lives under docs/legal/. Current DPIAs include AADC transitions, safeguarding log, session recording, J26 mock-trajectory AI, and J27 wellbeing alert. Features touching child data are feature-flag-gated FALSE until production DPO countersignature per the interim-dpo-dsl-self-sign protocol. Expired DPIAs architecturally disable the feature flag.

Four AADC age bands are implemented across the platform: under_13, 13_to_15, 16_to_17, and adult. Fail-strict default: an unknown age maps to under_13. A birthday-transition cron job moves accounts between bands at the appropriate moment with 30/14/7/0-day pre-notifications. The tf_aadc_band() function derives the band from date of birth at read-time. Date of birth is captured at every signup path; Gillick competence (ADR-0066) extends maturing-minor autonomy at 13+.

TutorStudio commits to three banded privacy notices: under-13 (plain language with read-aloud), 13–17 (simplified with visuals), and adult (full legal text). Just-in-time data-use explainers appear at every collection point. Pre-notification dispatch fires at 30/14/7/0 days before each age-band transition.

Prohibited at architectural level: peer-percentile displays, streak-protection loss-aversion mechanics, late-evening study prompts, and manipulative AI reinforcement loops. Quiet hours default to 21:00–07:00 with no notifications. Student-facing motion is opacity-only — no scale transforms, no looping animation — and this is enforced as a bright line of the tenant customisation surface regardless of agency theme. AI output to minors passes a Haiku-tier child-safe classifier before display, and canUseAIForMinor() gates every AI access path.

TutorStudio's enforcement infrastructure is built: an append-only safeguarding log restricted by RLS to DSL, DPO, and compliance roles; quarterly consistency review planned. Each published policy will land with an enforcement playbook.

A defaults register is maintained per age band. Settings UIs invite opt-in rather than opt-out. Any default change on an under-18 account requires DPO sign-off and a written best-interests argument. Tenant customisation is constrained at a bright-line level: privacy controls cannot be repositioned, and safeguarding pathway visual signals cannot be de-emphasised by any agency theme.

Every child-data column carries a necessity justification in the data dictionary with EP-15 classification, PII tagging, and retention period. AADC CI Gate 1 blocks any new PII column on a student-facing table without a DPIA reference and Classification annotation. The recording pipeline collects only when consent is granted (ADR-0068). The AADC-transitions DPIA shows that date of birth is not persisted on derived tables.

The TutorStudio Record of Processing Activities (RoPA) lists every named sub-processor with the relevant Article 28 data processing agreement. Sub-processors that carry child data carry an explicit A-10 compelling-reason record. PostHog and Sentry receive T0/T1 fields only — no email, no raw IP, no date of birth. Sentry's beforeSend composer (ADR-0096) redacts student_email, parent_email, safeguarding.*, dsar.*, and academic profiling fields before transmission. AADC CI Gate 2 blocks any cross-tenant data join on student records.

TutorStudio captures no child geolocation as an architectural exclusion. Family location is stored at postcode or local-authority granularity only — never as latitude / longitude. Tutor mileage uses postcode-to-postcode distance. No device-location tracking is performed. A schema audit confirms no lat/lng columns on user tables. AADC CI Gate 3 blocks any lat/lng or precise postcode column on student records without an explicit consent annotation.

The student portal carries a per-category visibility indicator: the child sees exactly what the parent has viewed via the access log. The 16–17 band exposes child-side controls over parent visibility, per UK maturing-minor practice. Under-13 accounts default to full parent visibility with overt child-side awareness UI. AI consent requires explicit parent opt-in (ADR-0065) and the student always sees the consent state. Recording consent is dual at 13+: student refusal overrides parental consent (Gillick, ADR-0068). The J27 wellbeing-alert flow gives parents a DSL-authored summary only; the child is aware that an observation was logged.

Profiling is default-off. AADC CI Gate 6 (warn) blocks algorithmic ranking or scoring of students without a matching profile_score_audit log entry. The J26 mock-trajectory AI uses a tutor-mediated decision pattern to preserve the Article 22 right; a static fallback is always available, and the DPO has signed off on the J26 DPIA. The student AI three-gate model (ADR-0065) requires the balance gate, AI Lock, and AADC pipeline to all pass before any AI output is rendered. AI output is validated against a Zod schema before persistence or display.

Signup, permission, profile-completion, and notification flows use neutral framing. Required versus optional fields are visually distinguished. “Skip” is given equal prominence to “continue”. There are no “Allow (recommended)” labels and no visually de-emphasised restrictive options. AADC CI Gate 7 blocks any timed notification to a student between 22:00 and 07:00 local time. Crisis notifications bypass quiet hours per the documented dispatch pattern.

Not applicable. TutorStudio ships no connected hardware, no audio toys, no smart devices, and no companion physical products. The standard will be re-assessed in full if hardware enters scope.

The student portal exposes “My data” (Article 15), “Fix my data” (rectification), “Delete my data” (erasure with a 30-day grace period), “Download my data” (JSON and PDF export), “Stop using my data for X” (restriction and objection), and “Report a concern”. The surface is age-appropriate and mobile-accessible. Under-13 accounts route through a parent-assisted flow. A tutor-excluded student-voice channel (ADR-0077) lets a student raise concerns with TutorStudio platform staff directly, with a published response-time SLA. The crisis helpline catalogue (ADR-0089) is age-banded and jurisdiction-aware.