Tags: Privacy, Firebase, Security, Architecture

How We Built a Zero-Identity Kids Portal

Children get personalized AI storytelling without creating an account, without tracking, and without storing a single piece of their data. Anonymous Firebase Auth + custom claims + BYOK encryption.


The Problem

Most apps for children ask kids to "sign up." Name, age, email, sometimes even a photo. Then they track everything — what the child taps, how long they stay, what makes them click.

Aanchal's kids portal collects nothing. No name. No email. No account. No analytics. No tracking pixels. No third-party SDKs. The entire kids app has zero Google Analytics, zero Sentry user identification, zero localStorage PII.

And yet — when a 4-year-old opens their tablet and enters a 6-digit code, they see exactly their stories, in their language, with their name spoken by the AI narrator.

The Architecture: Anonymous Auth + Custom Claims

When a parent generates a PIN code on their phone, the server creates a ProfileAuth record that maps that PIN to the parent's account ID, the specific child's profile ID, and the family's group ID.

When the child enters the PIN on their tablet, the device creates a Firebase Anonymous Auth user. No email, no password, no identity. Just a random UID that exists only on that device.

The server then injects custom claims into that anonymous token:

{ "parentId": "...", "childId": "...", "groupId": "..." }

Now the anonymous user "knows" which family they belong to — without storing any of that on the device. The claims travel inside the encrypted Firebase token, verified server-side on every API call.

Firestore Security Rules: Default Deny

match /assignments/{id} {
  allow read: if request.auth.token.parentId == resource.data.parentId;
}

Firestore denies every request that no rule explicitly allows, so with only this rule in place the child can read just the assignments whose parentId matches the claim in their own token. They can't see other families' data. The only write they can perform is creating wishes (rate-limited to 3 per minute, safety-checked).

The anonymous user has no profile page. No settings. No data to export. Because there IS no data — just a token with three IDs.

BYOK: The Parent's AI Key, Never on the Child's Device

The parent brings their own Google Gemini API key (BYOK). It's AES-256-GCM encrypted at rest in Firestore. When the child starts a story:

  • Server decrypts the parent's key
  • Creates a short-lived ephemeral token (4 uses, 30-minute expiry)
  • Sends ONLY the ephemeral token to the child's device
  • Child connects to Gemini Live via WebSocket using that token
The raw API key never touches the child's browser. The ephemeral token self-destructs. The voice conversation streams directly from the child's device to Google's servers — Aanchal never sees or stores the audio.

What Happens When the Session Dies?

Firebase occasionally prunes anonymous users. When that happens:

  • Client-side: the token refresh fails → auto-redirect to PIN entry
  • Server-side: verifySessionCookie catches "no user record" → returns 401
  • Parent dashboard: detects the dead anonymous UID → auto-cleans the ghost terminal

The child just enters a new PIN. No data was lost because no data was stored on their side.

Why This Matters

India's DPDP Act (Digital Personal Data Protection) has strict requirements for children's data. Most edtech companies are scrambling to comply.

We started from the other direction: what if we never collect the data in the first place?

  • Zero PII on the kids portal
  • Voice audio is transient (streamed, never stored)
  • Learning events are stored under the parent's account, not the child's
  • The child's "identity" is three custom claims in an anonymous token

The safest data is data that doesn't exist.

Try Aanchal with your family

AI learning adventures for children aged 3-12. Any language. Parent-controlled. Free to start.
