For Parents and Caregivers

Children's Privacy Notice

A direct, parent-facing explanation of how OpenSpeak treats a child's information ... what we collect, what we don't, the rights you have, and how to exercise them. Required by the U.S. Children's Online Privacy Protection Act (COPPA) and matched by our own commitment.

Effective Date: May 22, 2026 · Version 1.0

Dear parent or caregiver,

This page is for you. It's the plain-language explanation of what happens with your child's information when they use OpenSpeak. The most important thing to know: OpenSpeak is built to be used by the adult who supports the child, not by the child alone. The adult creates the profile, sets the PIN, and controls all settings. The child taps symbols to communicate.

OpenSpeak runs almost entirely on the device. The sentence builder, grammar engine, text-to-speech, learner profile, and progress tracking all work without an internet connection. Symbol images are fetched once from the public ARASAAC library (arasaac.org) and then cached on the device ... so after a symbol has been displayed once, it is available offline. The only optional feature that requires an active internet connection is cloud backup, which only activates if the adult signs in. There are no ads, no behavioral tracking, and no data sale.

We collect the minimum information needed for the app to work. Most data stays on the device. Nothing leaves the device unless you (the adult) sign in for cloud backup. There are no ads. There is no behavioral tracking. There is no data sale.

If anything in this notice is unclear, write to privacy@openspeakaac.org and a human will respond.

1. Who this notice is for

This notice supplements our main Privacy Policy and is directed to:

  • Parents and legal guardians of children under 13 (United States, COPPA).
  • Parents and guardians of children under 16 (most of the EU/EEA), or whatever lower age your country specifies for "child" under GDPR Article 8.
  • Schools, educators, and speech-language pathologists who deploy OpenSpeak in classroom or clinical settings on behalf of children.

2. The information we collect from or about a child

Always (created locally by the adult):

  • A name or nickname you enter for the child's profile (you control whether to use a real name).
  • An avatar selection (a pictographic icon).
  • App-preference settings: preferred language, grid size, voice, theme.

Generated by use of the app (stays on device unless you sign in):

  • Sentences the learner builds and speaks (communication history).
  • Symbol-tap events, sessions, and category usage (so you can see progress).
  • A locally generated device UUID, not tied to identity.

Optional (only if you specifically opt in):

  • Cloud sync: The above data is uploaded to our cloud database (Supabase) only if the adult chooses to sign in with Google or Apple. It is row-level secured: nobody else can read your child's data.

What we never collect about a child:

  • Child's full legal name, unless the parent voluntarily enters it.
  • Child's email, phone number, home address, or geolocation.
  • Audio or video recordings.
  • Persistent identifiers for advertising or cross-app tracking.
  • Contacts, calendar, browsing history, or other on-device data outside OpenSpeak.

3. Why we collect this information

  • To present the child's communication board the way the adult has configured it.
  • To save sentences the learner builds so they (or you) can revisit them.
  • To generate on-device progress reports for parents, educators, and clinicians.
  • To sync the configuration across the family's devices if you've signed in.

We never use a child's information for advertising, profiling, behavioral targeting, sale to third parties, or any purpose unrelated to delivering the app's core communication features.

4. Who we disclose a child's information to

The only third parties that ever touch a child's information are infrastructure providers that we need to deliver the app, and only to the extent strictly necessary:

  • Supabase ... cloud database storage, only if you've opted into sync.
  • Google or Apple ... identity verification at sign-in, only if you've opted in.
  • Crash-reporting services in the Google Play and Apple App Store SDKs ... if the app crashes, anonymous diagnostic data is sent. No learner profile contents are included.

We do not disclose a child's data to marketers, advertisers, data brokers, or social platforms.

5. Your rights as a parent or guardian

Under COPPA (U.S.), GDPR Article 8 (EU/UK), and the parallel statutes in many jurisdictions, you have the right to:

  • Review the personal information we have collected from or about your child.
  • Delete that information.
  • Refuse further collection or use.
  • Correct inaccuracies.
  • Receive a copy of the information in a portable format.

How to exercise these rights:

  1. Most rights, immediately, in the app: Open Settings > Data & Privacy. You can view, export, or delete any learner profile and its associated data.
  2. For cloud-stored data: Visit openspeakaac.org/delete-account or email privacy@openspeakaac.org.
  3. To stop further data collection: Sign out of the app, or simply uninstall it. The app fully works without an account.

We respond to verified COPPA / parental requests within 10 business days, and to other privacy requests within the timeframes specified in our main Privacy Policy.

7. Verifying that a request is from a parent

To protect children, we verify that requests are coming from the actual parent or guardian. We may ask you to:

  • Confirm the email address on the account.
  • Confirm details that only an account holder would know (e.g., the child profile name, approximate sign-up date).
  • In rare cases, provide a signed statement attesting that you are the parent or legal guardian.

If we cannot reasonably verify your relationship to the child, we may decline to act on the request. We will tell you why and what additional information would let us proceed.

8. Verifiable parental consent

Today, OpenSpeak operates on the premise that the adult installing the app is the parent or authorized caregiver of the child for whom the profile is being created. By creating a child profile or enabling cloud sync, the adult attests that they have authority to consent on the child's behalf.

If, in the future, we add features that under COPPA would require verifiable parental consent (e.g., enabling child-initiated cloud sharing), we will implement an FTC-approved verifiable parental consent mechanism such as:

  • Signed consent form returned by mail, fax, or upload.
  • A government-issued ID verification via a third-party service.
  • A nominal credit/debit card transaction.
  • A phone or video call to a trained representative.

We will notify parents in advance and obtain consent before implementing any such feature.

9. School and clinical use

When OpenSpeak is deployed in a school district, classroom, or clinical practice by an educator, IT administrator, or speech-language pathologist, the institution may, consistent with FTC COPPA guidance, provide consent on behalf of parents for educational purposes only. The institution is responsible for:

  • Ensuring its use of OpenSpeak is consistent with its own privacy obligations (FERPA, state student-privacy laws, etc.).
  • Providing notice to parents before deploying OpenSpeak to their children.
  • Confirming it has authority to consent in its jurisdiction.

Schools and clinics seeking a Student Data Privacy Agreement (SDPA) or Data Processing Addendum (DPA) can email privacy@openspeakaac.org.

10. Where a child's information is stored

Most of it stays on the device. Cloud-synced data is stored on Supabase servers in the United States. If you are outside the U.S., your child's data may be transferred to and processed in the U.S. We use Standard Contractual Clauses and equivalent safeguards for transfers from the EEA, UK, and Switzerland. See our main Privacy Policy for details.

11. How long we keep a child's information

  • On-device data: Until you delete it or uninstall the app.
  • Cloud-synced data: While the account is active. Deletion requests are processed within 30 days.
  • Inactive accounts: If a cloud-synced account is inactive for more than 24 months, we will email you (the parent/account holder) and, absent a response, delete the cloud-stored learner data.

12. Changes to this notice

If we materially change our practices around children's information, we will:

  • Update this notice and the "Effective Date" above.
  • Provide direct notice to account holders (in-app banner and email).
  • Where required by law, obtain renewed parental consent before applying the change to existing children's data.

13. Contact

For privacy questions, requests, or concerns about a child's information:

Email: privacy@openspeakaac.org
Subject line: "Children's Privacy Request" (helps us route quickly)
Response window: 10 business days for verified COPPA requests.

If you believe we have collected a child's information without proper consent, please write to us right away and we will investigate and remove the information.

Notice for legal counsel reviewing this draft. Items to confirm: (1) the FTC's preferred phrasing of the Direct Notice to Parents under 16 C.F.R. ยง 312.4(c), (2) whether to enroll in an FTC-approved Safe Harbor program (iKeepSafe, kidSAFE Seal, or PRIVO) and the implications for ongoing certification, (3) the verifiable parental consent mechanism we will use when we expand collection, (4) any additional disclosures required if educators in California or Illinois (CIPA / SOPPA) deploy the app at scale, (5) FERPA-DPA template for school districts, and (6) GDPR Article 8 age-of-consent variability across EU member states.