Privacy Policy

1. Who we are

OpenSpeak AAC ("OpenSpeak," "we," "us," or "our") is a free, open-source augmentative and alternative communication (AAC) application and accompanying website operated by the team behind the OpenSpeak AAC Foundation initiative.

Our nonprofit status: OpenSpeak is preparing to operate as a fiscally sponsored project of Social Good Fund, a California 501(c)(3) public charity. Until fiscal sponsorship is finalized, we operate as an unincorporated initiative committed to the same standards of transparency and accountability that a sponsored project would maintain. We will update this policy and add Social Good Fund's EIN here once sponsorship is finalized.

Contact: support@openspeakaac.org

Data Protection Inquiries: privacy@openspeakaac.org (you can email this address even if it forwards to the same inbox ... we monitor it for privacy-specific requests).

2. What information we collect

a. Information you give us directly

• Letter of Intent / Pledge form (corporate partners): Company name, contact name, title, work email, partnership-tier interest, and any optional notes. Used solely to follow up about partnership.
• iOS notification list (signup form): First name, last name, and email address. Used solely to notify you when iOS launches and to send occasional updates about the Foundation. You can unsubscribe at any time.
• Sign-in information (optional): If you choose to sign in with Google (Android) or Apple (iOS), we receive your email address and display name from the identity provider. We do not receive your password.
• Child or learner profile (in-app): A name or nickname, an avatar selection, a preferred language, a grid size, and voice settings ... all created and managed by a parent, caregiver, educator, or clinician.
• Custom symbols (in-app): Optional labels and icon selections you create to personalize the symbol library. Custom-symbol data stays on the device unless you sign in for cloud backup.
• Support communications: If you contact us by email, we receive the content of your message and your email address.

b. Information generated by your use of the app

• Communication history: Sentences the learner builds and speaks are stored locally for review and progress reports. Cloud-synced only if you sign in.
• Usage data: Symbol taps, sessions, category usage, and similar interaction events that power on-device progress reports.
• Device identifier: A locally generated UUID stored only on your device. It is not linked to your real identity unless you sign in.
• Crash and diagnostic data: If the app crashes, anonymous crash logs may be transmitted via the Google Play or Apple App Store crash-reporting services so we can fix bugs. These reports do not contain learner profile contents or communication history.

c. What we never collect

3. How we use information

• To provide, maintain, and improve OpenSpeak.
• To sync a learner's data across the parent's or caregiver's devices when they choose to sign in.
• To generate on-device progress reports for parents, educators, and clinicians.
• To respond to support requests and partnership inquiries.
• To notify iOS-list subscribers about the iOS launch and Foundation updates.
• To diagnose crashes and improve stability.
• To comply with legal obligations or enforceable government requests.

We do not use your information for behavioral advertising, profile-based marketing, automated decision-making with legal effects, or sale to third parties.

4. Legal bases for processing (EU/UK users)

If you are in the European Economic Area or the United Kingdom, we process your personal data under the following GDPR/UK GDPR legal bases:

• Contract (Art. 6(1)(b)): To deliver the app and account features you've requested.
• Consent (Art. 6(1)(a)): For optional features such as the iOS notification list and marketing emails. You may withdraw consent at any time.
• Legitimate interests (Art. 6(1)(f)): To diagnose crashes, prevent abuse, and protect users ... balanced against your rights and freedoms.
• Legal obligation (Art. 6(1)(c)): Where law requires us to retain or disclose information.

5. Who we disclose information to

We disclose information only with the limited set of service providers we need to deliver OpenSpeak. We do not sell personal information, and we do not disclose it for cross-context behavioral advertising.

Provider	Purpose	Data disclosed
Supabase Inc.	Cloud backup database + authentication (only if you sign in)	Account email, encrypted learner data
Google LLC	Sign-In (optional), Google Play crash reports, Play Store distribution	Account email + display name; anonymous crash logs
Apple Inc.	Sign in with Apple (optional, iOS), App Store distribution	Anonymized/relay email + name; anonymous crash logs
Vercel Inc.	Hosting of openspeakaac.org	Standard server logs (IP, user agent)
Resend (resend.com)	Sending welcome and partnership notification emails	Recipient email + email content we send
ARASAAC	Symbol library source (one-way licensing, no user data disclosed)	None

We also disclose information if required by law, valid legal process (subpoena, court order), or to protect the rights, property, or safety of OpenSpeak, our users, or the public.

6. Offline-first design

7. Data storage, security, and retention

• Local data: Stored in an on-device SQLite database. Sensitive credentials are stored in the device's secure keychain (Android Keystore / iOS Keychain).
• Cloud data: Stored in Supabase with row-level security. Each authenticated user can only access their own rows.
• Parent PIN: Stored only as a hash on the device. We never see it.
• Encryption in transit: All connections to our servers use HTTPS/TLS 1.2 or higher.
• Retention: Local data remains on your device until you delete it. Cloud data is retained while the account is active; on deletion, we remove it within 30 days. iOS-list email information is retained until you unsubscribe, plus a short additional period to honor your unsubscribe request. Partnership/LOI data is retained for the duration of our partnership conversations plus 7 years for audit purposes.

No security system is impenetrable. While we use commercially reasonable safeguards, we cannot guarantee absolute security.

8. International data transfers

OpenSpeak's primary servers (Supabase, Vercel) are located in the United States. If you use OpenSpeak from outside the U.S., your information may be transferred to and processed in the U.S. or other countries where our service providers operate.

For users in the EEA, UK, or Switzerland, transfers outside your country are made pursuant to the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or another lawful transfer mechanism. You may request a copy of the relevant transfer safeguards by emailing privacy@openspeakaac.org.

9. Children's privacy (COPPA)

OpenSpeak is designed to be used on behalf of non-verbal children by their parents, caregivers, educators, or speech-language pathologists. We have built the app to minimize the collection of personal information from children to the greatest practical extent.

a. What we collect from or about a child

• A name or nickname you choose to enter in the child's profile.
• An avatar selection (a pictographic icon).
• App-preference settings (language, grid size, voice).
• On-device communication history (sentences the learner builds) and usage events (symbol taps, sessions). These remain on the device unless the parent enables cloud sync.

We do not collect a child's full name (unless a parent voluntarily enters one), email address, home address, phone number, geolocation, photographs, audio or video recordings, or any "persistent identifier" used for behavioral advertising.

b. Parental consent

By creating a child or learner profile, the adult who controls the device represents that they are the parent or legal guardian of the child, or an educator or clinician with the relevant institutional authority. The adult is providing consent on behalf of the child to the limited processing described in this policy.

For the optional cloud-sync feature (which requires sign-in), an in-app consent prompt is presented before any data leaves the device.

If we ever expand our collection of personal information from children in a way that would, under COPPA, require verifiable parental consent, we will implement an FTC-approved verifiable parental consent mechanism (such as a signed consent form, a credit-card transaction, or a phone-based verification) before doing so, and we will update this policy.

c. Parent and guardian rights under COPPA

Parents and legal guardians of children whose information we have collected have the right to:

• Review the personal information we have collected from or about the child.
• Delete that information.
• Refuse further collection or use of the child's information.

Most of these rights can be exercised directly inside the app: profiles, communication history, and usage data can be reviewed and deleted from the parent-mode Settings. For cloud-synced data, write to privacy@openspeakaac.org from the email associated with the account. We respond to verified COPPA requests within 10 business days.

d. School and clinical authorization exception

When OpenSpeak is used in a school or clinical setting under the direction of an educator or speech-language pathologist, the educational institution or clinic may, consistent with the FTC's "School Authorization Exception" guidance, provide consent on behalf of parents for educational purposes only. Schools and clinics are responsible for providing notice to parents and for confirming they have authority to consent in their jurisdiction.

e. No advertising or third-party tracking

We do not show advertisements to anyone, child or adult. We do not embed third-party trackers, social plug-ins, or behavioral profiling SDKs in the app.

f. Safe Harbor

We are not currently certified by an FTC-approved COPPA Safe Harbor program. We plan to evaluate Safe Harbor certification (such as iKeepSafe or kidSAFE) as part of the next phase of our compliance work.

10. Your rights and how to exercise them

Regardless of where you live, you can:

• Access the information stored in the app via Settings > Data & Privacy.
• Delete a learner profile and all its data from the device.
• Export communication and progress data via the Progress screen.
• Opt out of cloud sync simply by not signing in.
• Unsubscribe from email lists via the link in any email or by writing to privacy@openspeakaac.org.
• Submit a privacy request for cloud-stored data at openspeakaac.org/delete-account.

11. U.S. state-specific privacy rights

If you reside in California, Virginia, Colorado, Connecticut, Utah, or any other U.S. state that grants statutory privacy rights, you have additional rights summarized below. To exercise them, email privacy@openspeakaac.org with the subject line "State Privacy Request" and include the state you reside in.

California (CCPA / CPRA)

• Right to know categories of personal information collected, sources, purposes, and third parties.
• Right to delete personal information we hold about you.
• Right to correct inaccurate personal information.
• Right to opt-out of "sale" or "disclosure" ... we do not sell or disclose personal information, so there is nothing to opt out of, but you can confirm this status with us in writing.
• Right to limit use of sensitive personal information ... we do not use sensitive PI for inferences or profiling.
• Right to non-discrimination for exercising privacy rights.
• Shine the Light (Cal. Civ. Code § 1798.83): We do not disclose personal information to third parties for their direct marketing purposes.

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA)

• Right to confirm whether we process your personal data and access that data.
• Right to correct inaccuracies.
• Right to delete personal data.
• Right to obtain a portable copy of personal data.
• Right to opt out of targeted advertising, sale, and profiling that produces legal or similarly significant effects ... none of which we engage in.

Authorized agents

You may designate an authorized agent to submit a privacy request on your behalf. We will require written proof of authorization and may need to verify your identity directly.

Appeals

If we deny your request, you may appeal by replying to our response email or writing to privacy@openspeakaac.org with the subject line "Privacy Appeal." We will respond within 45 days.

12. EU/UK GDPR rights

If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and UK GDPR give you the following rights:

• Right of access (Art. 15).
• Right to rectification (Art. 16).
• Right to erasure / "right to be forgotten" (Art. 17).
• Right to restriction of processing (Art. 18).
• Right to data portability (Art. 20).
• Right to object to processing based on our legitimate interests (Art. 21).
• Right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
• Right to lodge a complaint with your local supervisory authority (such as the UK ICO or your country's data protection authority).

Requests can be sent to privacy@openspeakaac.org. We respond within one month and may extend by up to two further months for complex requests, notifying you of any extension.

13. Artificial intelligence and automated processing

OpenSpeak does not use any third-party artificial intelligence service, large language model, or cloud-based AI provider. We do not transmit user-typed content, child data, or any personal information to OpenAI, Anthropic, Google AI, AWS AI, or any equivalent provider.

OpenSpeak does contain on-device features that may be characterized as "automated processing" under data-protection law, including: sentence prediction and next-word suggestions, an on-device grammar engine, and rule-based communication modes. These features run entirely on the device using deterministic logic and pattern matching. They do not involve a foundation model or generative AI, they do not transmit data off the device, and they do not result in legal or similarly significant effects about a user (such as diagnoses, eligibility determinations, or scoring) within the meaning of GDPR Article 22.

14. Changes to this policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Effective Date" and "Version" at the top of the page. If the changes are material, we will provide additional notice (through the app, by email, or by a banner on the website) at least 14 days before they take effect, and where required by law, we will obtain renewed consent.