What this page is. A scan-friendly checklist that turns the obligations in our legal docs into things you can do this week. AGEWARDEN is the processor; you are the controller. Most of the visible compliance surface lives on your side of the line. This is the operational version of it.
How to use it. Start with the universal checklist. Then read only the regional sections that match your traffic. End at the templates if you need starting language. Anything you copy is yours to adapt.
1 Before you go live: universal checklist
Applies everywhere, regardless of jurisdiction. These four items are the minimum.
- Give End Users notice before the widget collects voice. AGEWARDEN presents its own User Agreement and Privacy Policy inside the widget; your obligation is your own notice as the controller, detailed in the regional sections below.
- Decide what you will do with the pass/fail result, and document it. Gate access, record a verification timestamp against an account, refuse service on a fail, prompt for retry. All fine. What is not fine: behavioral advertising, profiling, demographic inference, marketing segmentation, or any non-gating use. This is the purpose limitation in AUP Section 2. Pin it in your internal docs.
- Decide your re-verification or human-review fallback. Voice estimation has a non-zero error rate. Where GDPR Article 22 applies, offer meaningful human review, retry, or another lawful fallback.
- Name an internal owner for data-subject access and deletion requests. Under GDPR the response deadline is one month. CCPA and most US state laws are 45 days. Pick a person, give them an inbox, and write down the runbook before traffic starts.
2 If your traffic includes Illinois (BIPA)
The Illinois Biometric Information Privacy Act (740 ILCS 14) treats voice as biometric information. The case law (Rogers v. BNSF, Cothron v. White Castle) is punishing. Get this right.
- You are the "private entity of record" under BIPA Section 15(b). AGEWARDEN processes voice on your behalf, but the entity that "collects" the biometric for BIPA purposes is the website embedding the widget. The notice-and-release obligation is yours.
- Present a BIPA-compliant notice and obtain informed written release before AGEWARDEN captures voice. Not after. Front-load it. SB 2979 (effective August 2024) confirms electronic consent satisfies the "written" requirement, so a checkbox plus a notice page is fine if it is genuinely informed.
- Your 15(b) notice must include three things: (1) that biometric information is being collected and stored, (2) the specific purpose, and (3) the term for which it is collected, stored, and used. See the template in Section 8 for starter language.
- Publish your own 15(a) public retention and destruction policy. You may link AGEWARDEN's Privacy Policy for processor retention. Your policy still has to be yours.
- Treat Texas (CUBI, Tex. Bus. & Com. Code § 503.001) and Washington (RCW 19.375) the same way. Neither has a private right of action, but both require notice and consent. Same operational pattern. Reuse the BIPA notice with light edits.
3 If your traffic includes the EU, UK, or Switzerland (GDPR)
You are the controller. AGEWARDEN is the processor. Our DPA confirms this and provides the transfer mechanism. The visible surface is still on your side.
- Provide an Article 13/14 notice to End Users. It must cover: your identity, the purposes of processing, the legal basis you are relying on, the existence of a processor (us), retention (we destroy within one hour, plus whatever you retain on your side), recipients, the transfer mechanism (Standard Contractual Clauses Module Two, see Annex 2 of our DPA), data-subject rights, and the supervisory authority.
- The Article 22 obligation is on you. Where Article 22 applies, provide meaningful human review, retry, or another lawful fallback. We assist as processor under the DPA.
- Pick a legal basis and document it. Pick an Article 6 basis. Where GDPR applies, treat voice as special-category biometric data and obtain Article 9 consent where required.
- If you operate in the EU, mirror the EDPB Statement 1/2025 wording where useful: "the age-assurance process should not enable the further targeting or profiling of users." Saying this verbatim in your notice signals you read it and you mean it.
- UK GDPR and the Swiss FADP follow the same operational pattern. The DPA's SCCs cover UK transfers via the UK Addendum and Swiss transfers under the FADP framework.
4 If your traffic could include children under 13 (COPPA)
The Children's Online Privacy Protection Act (15 U.S.C. §§ 6501-6506, with 2025 amendments) applies if your service is "directed to children" or if you have actual knowledge that a specific user is under 13. Voice is "personal information" under COPPA. Get parental consent first or do not collect.
- If your service is directed to children: you are the COPPA "operator." AGEWARDEN is a support service provider under our Privacy Policy Section 9.
- Provide notice that voice will be collected as part of an age-screen. Direct and clear, in language a parent will understand.
- Obtain verifiable parental consent before collecting voice from a child under 13. The practical pattern: front-load an "are you under 13?" branch before AGEWARDEN captures voice. If yes, route to a parent-only consent flow and only reach voice estimation after parental consent is recorded.
- General-audience services: the "actual knowledge" standard applies. If your threshold or other data gives you actual knowledge a user is under 13, treat the resulting data accordingly. We destroy the underlying voice within one hour regardless, but your downstream handling is your responsibility.
- Coordinate with KOSA and state child-safety laws. Several US states (California, Utah, Arkansas, Texas) have layered child-safety statutes on top of COPPA. Check the ones that apply to where your traffic comes from.
5 California (CCPA/CPRA)
If you have California traffic and meet the CCPA thresholds, you are the business; AGEWARDEN is the service provider. Our DPA confirms there is no "sale" or "share" within the meaning of CPRA.
- Voice and the age result may be "personal information" under CPRA. Apply the higher standard where doubt exists.
- Provide a notice at collection. Categories collected, purposes, retention period, and how to exercise rights. A link from your existing privacy notice is fine; a discrete sentence on the page that loads the widget is better.
- Route CCPA rights requests to your existing intake. Access, deletion, correction, opt-out of sale or share (not applicable here), limit use of sensitive PI. We will assist under the DPA; your CCPA response window is generally 45 days.
- Other US state laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, etc.) follow a similar pattern. One privacy notice typically covers all of them; rights intakes can share an inbox.
6 Australia, Canada, Brazil, and other regional regimes
Briefly: most modern privacy regimes converge on the same operational expectations. Notice. Consent where the legal basis requires it. A retention statement. A path for data-subject requests.
- Australia (Privacy Act 1988, APP 3 and APP 5). Consent for sensitive information; notice at or before collection. The OAIC has signaled increased focus on biometric processing.
- Canada (PIPEDA, Quebec Law 25). Meaningful consent for biometrics. Quebec Law 25 layers a biometric-specific declaration requirement on top.
- Brazil (LGPD). Article 11 treats biometrics as sensitive personal data. Consent or another specific legal basis required; controller-processor structure aligns with our DPA.
- UK Online Safety Act, EU Digital Services Act, French SREN Law. These do not change the privacy obligations above; they sit on top, typically requiring age assurance for certain content categories. AGEWARDEN supports age assurance; you must confirm it fits your law, risk tier, and regulator guidance.
Run your specific country footprint past local counsel. Our DPA provides the transfer terms. Your notice, consent, and local-law analysis still sit with you.
7 What you must NOT do
This mirrors the Acceptable Use Policy Section 2. If anything below describes your planned use, stop and re-read the AUP, or contact us first.
- Do not use AGEWARDEN outputs for behavioral advertising, profiling, demographic inference, or marketing segmentation. The age result is for the gating decision and legally required records. That is the entire purpose.
- Do not build a biometric database from the voice or acoustic features. Do not capture voice outside AGEWARDEN.
- Do not resell or sublicense AGEWARDEN access. You can integrate AGEWARDEN into your own product so your End Users benefit; you cannot package it as a verification API for someone else without our written consent.
- Do not deploy in jurisdictions where voice processing for age estimation is prohibited. A small number of jurisdictions restrict biometric processing categorically. Confirm permissibility before turning on traffic.
- Do not send production traffic through test credentials. Test credentials exist for CI and integration; production traffic on test credentials is a billing violation and an AUP violation.
8 Templates you can copy
Starter language for the most common deployments. Adapt to your specific context: your company name, your retention period on the result (we destroy the voice within one hour; your own retention of the pass/fail is up to you), your jurisdictions, your support inbox. You are responsible for adapting these. AGEWARDEN is not your lawyer.
BIPA notice template (Illinois, Texas, Washington)
Display this notice before AGEWARDEN captures voice. Pair with a checkbox or equivalent affirmative action that records the End User's release.
BIOMETRIC INFORMATION NOTICE
We use a voice-based age estimation service (AGEWARDEN, operated by
ConstanceAI, Inc.) to confirm you meet our minimum age requirement.
When you proceed, your voice will be processed by AGEWARDEN to
estimate your age and deleted within one hour. We receive the result,
not the recording. Dashboard analytics are aggregate only.
We use this result solely to determine whether to grant you access. We
do not use it for advertising, profiling, or any other purpose. Our
retention and destruction policy is published at [your URL].
By clicking "I agree" below you provide your written release under the
Illinois Biometric Information Privacy Act and equivalent laws to
collect, use, and process your voice for this purpose.
[ ] I agree [ Continue ]
Adapt the retention statement and linked policy URL to match your deployment.
GDPR Article 13/14 disclosure template (EU, UK, Switzerland)
Include in your privacy notice or in an in-flow disclosure linked from the page that loads the widget.
AGE VERIFICATION: PROCESSING DISCLOSURE
Controller: [Your company name and contact]
Purpose: To verify that you meet the minimum age required to access
this service.
Legal basis: [Article 6(1)(c) legal obligation / Article 6(1)(f)
legitimate interests; choose and document the basis].
Processor: ConstanceAI, Inc. (AGEWARDEN), United States. Voice is
processed to estimate age and deleted within one hour. We receive the
result, not the recording. Dashboard analytics are aggregate only.
International transfer: Standard Contractual Clauses (Module Two,
Commission Decision 2021/914), the UK Addendum where applicable, and
Swiss FADP adaptations where applicable (see Annex 2 of our DPA at
agewarden.ai/data-processing-agreement).
Retention: Voice is destroyed within one hour by the processor. We
retain the pass/fail result for [your period] for [your purpose].
Recipients: ConstanceAI and its subprocessors; [add your other
recipients].
Your rights: access, rectification, erasure, restriction,
portability, objection, and the right not to be subject to a solely
automated decision (Article 22). To exercise these rights or to
request human review of the age decision, contact [your inbox].
Supervisory authority: [your country's DPA].
The age-assurance process is not used to target or profile you.
The final sentence is the EDPB Statement 1/2025 Principle 2.3 commitment. Keep it.
COPPA pre-screen template (US, children under 13)
Display this before any voice is collected. The point is to route under-13 users to parental consent before AGEWARDEN captures voice.
BEFORE YOU CONTINUE
Are you 13 years old or older?
[ Yes, I am 13 or older ] [ No, I am under 13 ]
If "No":
STOP. To use this service, a parent or guardian must provide
consent. Please ask a parent or guardian to complete the next step.
[ Parental consent flow link ]
If "Yes":
You will be asked to speak briefly into your microphone so AGEWARDEN
can estimate your age. Your voice is deleted within one hour. We
receive the result, not the recording.
[ Continue to voice age check ]
The parental consent flow itself must satisfy the FTC's verifiable parental consent methods (16 CFR § 312.5). This template only handles the routing; the actual VPC mechanism is your build.
CCPA notice at collection template (California)
Short notice at or before the point of voice collection. Link to your full California privacy notice for the rest.
NOTICE AT COLLECTION
Categories collected: voice recording (biometric / sensitive personal
information), and the age-band result.
Purpose: age verification for access to this service.
Retention: voice destroyed within one hour by our service provider
(ConstanceAI, Inc.); the result retained for [your period].
We do not sell or share this information for cross-context behavioral
advertising. We do not use it for any purpose other than age
verification.
To exercise your CCPA rights (access, deletion, correction, limit use
of sensitive PI), contact [your inbox] or visit [your CCPA page].
9 Where to go from here
If you have a question this page does not answer, the legal docs are the source of truth: Customer Agreement, DPA, AUP, Privacy Policy, User Agreement. For enterprise questions or signed-DPA requests, see Enterprise. For abuse or compliance reports about another customer, write to aw-abuse@constance.ai. For legal questions about your specific deployment, write to legal@constance.ai, and also retain your own counsel.