Regulatory Commitment

We built compliance into the foundations.

This is every piece of legislation, every regulator, every code of practice we are working through before Haven launches. We publish it because we believe in transparency — and because this is what taking children's safety seriously actually looks like.

Building a children's network without getting this right is not an option.
Most networks treat regulatory compliance as a legal minimum. We treat it as a design principle. Every product decision at Haven is made with the ICO's Children's Code, the Online Safety Act, and UK GDPR in the room. This page exists to show our work — and to be honest about how much work there is.
Layer 1

Data Protection Foundation

UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025 form the bedrock of everything Haven does with data. As of February 2026, the DUAA's new "children's higher protection matters" are now statute — not just guidance.

🔐
Regulation 01
UK GDPR & Data Protection Act 2018
The foundational framework. Every other obligation sits on top of this. Enforced by the ICO with fines up to £17.5 million or 4% of global turnover.
🔥 Pre-launch
Lawful basis mapping
Documented lawful basis for every category of data we process. Consent for children requires informed understanding — parental consent required under 13.
In progress
Data Protection Officer
Appointment of a qualified DPO given our user base of under-18s. Almost certainly mandatory for Haven's processing activities.
In progress
DPIA Programme
Data Protection Impact Assessments for all high-risk processing — AI safety features, parental visibility tools, geolocation, and profiling are all in scope.
Design stage
Right to erasure
Particularly relevant for data collected during childhood. Processes to honour erasure requests including from former child users who are now adults.
Design stage
Age-appropriate privacy notices
Plain-language, genuinely readable notices for children — not legal boilerplate. Separate versions for under-13s, 13–15s, and 16–17s.
In progress
No automated decision-making
Prohibition on decisions with significant effects on children based solely on automated processing, including profiling — with exceptions only where strong safeguards exist.
Design stage
📋
Regulation 02
Data (Use and Access) Act 2025
Now in force. Formalises children's higher protection matters into statute. Services likely to be accessed by children must account for children's specific needs at the design stage.
🔥 Pre-launch
Children's higher protection matters
Documented consideration of how Haven protects and supports children, including age and developmental stage, in every product decision.
In progress
Data protection by design — children
Children's needs embedded into Article 25 compliance. The DUAA amendment now requires this at a statutory level, not just as good practice.
Design stage
Complaint handling process
A statutory right for data subjects to complain to controllers directly. Process and communication mechanism required before June 2026.
Planned
📡
Regulation 03
Privacy and Electronic Communications Regulations (PECR)
Controls marketing communications and cookies. Distinct from UK GDPR but closely connected. Children have the same rights as adults to object to direct marketing.
⚠️ Pre-launch
Marketing consent rules
Children cannot be marketed to without explicit consent. SMS, email, push notifications all in scope. Must stop immediately on objection.
Design stage
Cookie and tracking consent
Any tracking beyond strictly necessary functionality requires PECR-compliant consent. Haven's privacy-first architecture minimises this exposure.
Design stage
Layer 2

ICO Age Appropriate Design Code

The 15 standards of the Children's Code are Haven's most operationally intensive compliance area. They are also the clearest expression of what we believe: that children deserve a network designed for them, not retrofitted.

🧒
Regulation 04
ICO Children's Code — All 15 Standards
The statutory code of practice for information society services likely to be accessed by children. The global gold standard in children's data protection. Haven is built around it.
🔥 Pre-launch
Best interests of the child
The primary lens for every product and design decision. Commercial interests of Haven or its partners cannot outweigh this principle.
In progress
Data protection by design & default
Highest privacy settings as the default. Children should not need to opt in to safety — safety is the starting position.
Design stage
Age-appropriate application
Different protections calibrated to different age groups. Under-13, 13–15, and 16–17 plans have distinct configurations and defaults.
In progress
Transparency
Privacy notices written at a level children can actually understand. No legal boilerplate dressed up as transparency.
In progress
Detrimental use of data
Absolute prohibition on using children's data against their own interests. No advertising targeting. No engagement optimisation at the expense of wellbeing.
Design stage
Geolocation — off by default
Location tracking off by default. Clear indicator when it's on. Automatically resets to off at the end of each session. No ambient location logging.
Design stage
Profiling — off by default
No profiling of children unless explicitly enabled. No behavioural advertising. No personality or user profiles built without active parental consent.
Design stage
No nudge techniques
Haven will not use any design patterns that push children toward sharing more data, weakening privacy settings, or extending their usage time.
Design stage
Data minimisation
Collect only what is strictly necessary for the service to function. Regular reviews to eliminate data collection that cannot be justified.
In progress
Parental controls — proportionate
Tools that inform parents without surveilling children. Weekly signals, not dashboards. Visibility calibrated to age and risk, not parental anxiety.
Design stage
Layer 3

Online Safety Act 2023

Children's safety duties came into force on 25 July 2025. Ofcom is actively enforcing. Fines reach £18 million or 10% of global turnover. Haven's app and platform almost certainly fall within scope as a user-to-user or interactive service.

🛡️
Regulation 05
Online Safety Act — Children's Safety Duties
Ofcom's Children's Codes are now in force. Ofcom has stated it is actively checking compliance and is ready to enforce against non-compliant services immediately.
🔥 Pre-launch
Children's Access Assessment
Documented assessment of whether children can normally access Haven's services or parts thereof. Must be evidenced and retained.
In progress
Children's Risk Assessment
Suitable and sufficient assessment of harms children could encounter on Haven's platform. Must be updated before significant design changes.
In progress
Age Assurance
Robust age verification or estimation mechanisms that comply with UK data protection law. Collect only necessary information, retained only as long as needed.
Design stage
Content moderation systems
Systems and processes to detect, remove, and prevent harmful content. Including proactive detection tools, not just reactive takedown.
Design stage
CSAM hash-matching
Mandatory use of IWF hash-matching technology to detect and remove known child sexual abuse material. Non-negotiable and built in from day one.
Planned
Grooming protections
Children's profiles and locations not visible to strangers. Non-connected accounts cannot send direct messages to children by default.
Design stage
Content reporting mechanisms
Easy routes for children, parents, and affected persons to report harmful content. Systems must be genuinely accessible, not buried.
Planned
Transparency reporting to Ofcom
Annual or periodic reporting obligations to Ofcom on children's safety measures and compliance status.
Planned
Layer 4

Ofcom General Conditions

As an MVNO, Haven is a communications provider under the Communications Act 2003 and must comply with Ofcom's General Conditions of Entitlement. No licence required — but the conditions are binding, and Ofcom has substantial enforcement powers.

📞
Regulation 06
Communications Act 2003 — General Conditions
The full suite of consumer protection conditions applies to Haven on the same basis as major mobile network operators. No carve-outs for size.
⚙️ Operational
GC A1 — General requirements
Network access obligations. Registration with Ofcom's General Authorisation Regime as an electronic communications service provider.
In progress
GC B1/B2 — Number portability
Customers can port their mobile number within one working day. One Touch Switch compliance — the gaining provider leads the switching process.
Planned
GC C1–C8 — Consumer protection
Contract transparency, switching rights, complaint handling processes. Must match the standards of major network operators in full.
In progress
Emergency services access
999 and 112 must be accessible on all Haven plans — including basic calling plans for under-14s. Non-negotiable by design.
Design stage
Lawful Interception
Obligations under the Investigatory Powers Act to cooperate with law enforcement. Contractually managed through host network agreement.
Planned
Quality of service reporting
Periodic reporting to Ofcom on network performance and customer complaints. Accuracy is mandatory — failure to respond can itself trigger enforcement.
Planned
Layer 5

Network Safety and Content

Haven doesn't just meet the regulatory minimum on content filtering — our network-level safety is our core product. But that means the regulatory obligations are also more complex to navigate than for a standard MVNO.

🔒
Regulation 07
Network-Level Safety & Content Filtering
Ofcom's active choice framework, IWF blocklist integration, SIM registration, and the specific obligations created by Haven's own content policies.
⚠️ Design-time
IWF blocklist integration
Internet Watch Foundation blocklist applied at the network layer. Mandatory for any MVNO serving children. Built into the infrastructure, not bolted on.
Design stage
Default content filtering
Haven inverts the standard model: filtering is on by default, not opt-in. Regulatory framework requires careful documentation of how parents can adjust this.
Design stage
SIM registration / KYC
Know Your Customer obligations for SIM issuance. Complex where the customer is a child and the account holder is a parent or guardian — careful process design required.
In progress
Anti-spam & nuisance calls
PECR and Ofcom obligations on preventing spam SMS and nuisance calls from reaching Haven subscribers, particularly children.
Planned
VPN & proxy blocking — legal basis
Haven blocks VPNs and proxies at the network layer. This policy must be clearly documented in consumer contracts and privacy notices to be lawfully enforceable.
In progress
Layer 6

Consumer Protection and Commercial

The standard commercial regulatory layer for any business, with additional complexity given Haven's target market and the sensitive context of children's mobile services.

⚖️
Regulation 08
Consumer Rights, Advertising & Competition
Consumer Rights Act 2015, Consumer Contracts Regulations 2013, ASA/CAP advertising rules, and CMA competition law obligations.
⚙️ Operational
Contract fairness — Consumer Rights Act
All contract terms must be fair, transparent, and in plain language. Terms that disadvantage consumers as against businesses are voidable.
In progress
Cancellation rights — distance selling
14-day cooling off period under Consumer Contracts Regulations. Clear cancellation process required at point of sale and in ongoing communications.
Planned
ASA/CAP — marketing to families
Marketing that targets or features children has additional rules. No exploitative claims. No exaggerated safety claims without substantiation.
In progress
CMA competition compliance
Pricing, bundling, and market conduct must comply with competition law. Particular scrutiny likely given Haven's challenger positioning in a concentrated market.
Planned
FCA authorisation assessment
If Haven ever offers device insurance, credit, or payment plans: Financial Conduct Authority authorisation required. Proactive assessment needed now to shape product roadmap.
Planned
Layer 7

Safeguarding and Duty of Care

Beyond legal compliance, Haven has a genuine duty of care obligation as a service specifically designed for children. These are the internal practices that underpin every external-facing regulation.

🤝
Regulation 09
Safeguarding, Security and Incident Response
Formal safeguarding policy, safer recruitment, Cyber Essentials certification, and mandatory reporting obligations if CSAM is ever encountered on Haven's network.
⚠️ Pre-launch
Formal safeguarding policy
Written policy covering how Haven identifies and responds to safeguarding concerns. Required wherever staff or contractors may interact with or about children.
In progress
Safer recruitment practices
DBS checks and appropriate vetting for any employees or contractors with access to children's data or any potential contact with child users.
Planned
Cyber Essentials certification
Not mandatory for MVNOs, but the expected baseline for a children-focused service. Demonstrates minimum security hygiene to parents, partners, and regulators.
Planned
CSAM incident response
Mandatory reporting to the NCA and IWF if CSAM is encountered on Haven's network. Response plan and escalation path required before launch.
Design stage
Mental health & wellbeing design
Ofcom increasingly expects services to consider mental health impacts. Aligned with Haven's SFC roots — no engagement-maximising design patterns.
Design stage
Vulnerability provisions
Ofcom's General Conditions require communications providers to have provisions for vulnerable customers — children are definitionally a vulnerable category.
Planned
Summary

Every obligation, prioritised.

A single view of where everything sits in Haven's compliance programme from now to UK launch and beyond.

Area
Why it matters for Haven
Status
UK GDPR + DPA 2018
Legal foundation. Everything else fails without it. Mandatory DPO appointment given under-18 user base.
🔥 Pre-launch
ICO Children's Code — all 15 standards
Most design-impactful obligation. Shapes the entire product architecture from privacy defaults to parental controls.
🔥 Pre-launch
Online Safety Act — children's duties
In force July 2025. Ofcom actively enforcing. Risk assessment and age assurance required before Haven goes live.
🔥 Pre-launch
Ofcom General Conditions registration
The operational gate to launching as an MVNO. Must be in place before the first SIM is activated.
🔥 Pre-launch
Age assurance architecture
Must be embedded at product design stage. Retrofit is expensive and potentially non-compliant.
✦ Design-time
Geolocation & profiling defaults
Off by default is a Children's Code requirement. Architectural decision that cannot be changed post-launch without a DPIA.
✦ Design-time
Data (Use and Access) Act 2025
In force February 2026. Children's higher protection matters now in statute. Review DPIAs and product governance.
✦ Design-time
IWF integration + CSAM response plan
Legal and moral baseline. Non-negotiable. Must be in place before any child user is on the network.
🔥 Pre-launch
Complaint handling + SIM KYC
Required as a communications provider. Parent/guardian as account holder adds complexity to standard KYC flows.
⚙ Operational
Safeguarding policy + Cyber Essentials
Trust and legal baseline. Required before Haven can credibly claim to be the safest network for children in the UK.
⚙ Operational
Digital age of consent bill
Progressing through Parliament. Could raise consent age from 13. Haven's age-tier architecture accommodates this already.
👁 Monitor
ICO AI & automated decision-making code
Will govern Haven's AI safety layer. Code under development — Haven's privacy-first AI architecture is designed to meet it.
👁 Monitor
US COPPA (for Spring 2027 launch)
Different framework to UK GDPR. Product architecture decisions made now should accommodate COPPA requirements to avoid costly re-engineering.
👁 Monitor

This is what building responsibly looks like.

We publish this list not because we have to, but because families deserve to know what we're doing before they trust us with their children's mobile network. If you're building in this space without working through all of the above, you're not ready.

Join the waitlist →