Privacy Policy

This Privacy Policy explains what personal information giggletap LLC (“giggletap,” “we,” or “us”) collects when you use the giggletap website and applications (the “Service”), how we use that information, when we share it, and the choices you have about it.

The Service is designed for children in grades K through 6, used under the active management of a parent or legal guardian. Most of this policy is written for parents; Section 4 and Section 10 are the parts that focus specifically on children’s personal information and on the rights you exercise on behalf of your child.

This policy works together with our Terms of Service. Capitalised terms used and not defined here have the meaning given to them in the Terms.

We collect personal information in four ways:

2.1 Information you provide as a parent

• Account information. Your email address and (if you set a password) a one-way hash of your password. If you sign in with Google, we receive your Google account email, name, and a stable subject identifier from Google.
• Family profile. A family display name and a short human-shareable family code we generate for you.
• Verifiable parental consent. When you complete our COPPA consent flow we record your typed legal name, the signed consent form, the IP address from which you submitted consent, a timestamp, and the version of the consent document you agreed to.
• Billing details. Stripe collects and stores your card number on its own infrastructure. We receive only a Stripe customer identifier and subscription metadata (subscription state, period end, trial end). We never see or store your full card number.
• Support communications. Anything you write to us by email.

2.2 Information you provide about your child

• Child profile. A display name (which can be a first name, nickname, or initials — your choice), grade level, and the buddy/companion the child picks.
• Custom spelling lists. Any words you upload for your child to practice.

2.3 Information the child generates by using the Service

• Practice data. Each spelling attempt: the target word, what the child typed or picked, whether the answer was correct, the time the attempt happened, and a snapshot of the phonics pattern in play. We use this to decide what to practice next.
• AI coach context. When the AI coach generates a briefing, real-time tip, or end-of-session debrief, the prompt is constructed from the child’s recent practice data and is sent to AWS Bedrock for inference. The coach prompt is reviewed for redactions before transmission. We retain the prompt and the model’s response for product improvement and abuse review.
• Self-rating prompts. If the child taps words they want to practice more next session, we store that list of word IDs on the just-completed session row.
• Live-session signalling. During a live parent-and-child session we mirror the in-session state via Google Firebase so both screens see the same view in real time. Live data is short-lived; the canonical record lives in our PostgreSQL database.

2.4 Information collected automatically

• Device and connection info. Your IP address, browser user agent, approximate locale, and request timestamps. We use this to keep the Service secure (per- account login lockout, abuse detection) and to debug errors.
• Cookies. A small number of first-party cookies that keep you signed in — see Section 12.
• Error reports. When something crashes on a parent-facing page, the browser sends us the stack trace and the page URL through our own endpoint. We deliberately do not run any client error reporter on the /kid/* pages a child uses.

We do not collect biometric data. We do not ask for, store, or require a child’s real name, photo, or geolocation.

We use the information described in Section 2 to:

• Provide the Service: pick the next word, score attempts, track mastery, generate AI coach briefings and debriefs, show progress to parents.
• Manage your account: authenticate you, recover lost passwords, prevent account takeover, enforce daily synthesis caps that protect both you and us from runaway usage.
• Process payments through Stripe and run our subscription lifecycle (trial start, renewals, dunning on failed charges, cancellations).
• Send transactional email through Amazon SES: consent confirmations, billing receipts, dunning notices, security alerts. We do not send marketing email unless you explicitly opt in. Today there is no marketing list to opt in to.
• Improve the Service: analyse aggregate practice patterns, refine the curriculum, audit AI coach outputs, debug regressions. Where individual data is used for this we minimise to what’s needed.
• Comply with law: respond to lawful requests, enforce our Terms, investigate fraud and abuse, preserve records we are required to keep (notably COPPA consent records).

We do not use any personal information for behavioural advertising, and we never use information about a child for advertising of any kind.

We comply with the U.S. Children’s Online Privacy Protection Act (“COPPA”) and comparable laws.

Operator of record: giggletap LLC, 6545 Market Ave. North, STE 100, Canton, OH 44721, USA. Privacy inquiries: privacy@giggletap.com.

4.1 Personal information we collect from children

We collect only what is needed to deliver the spelling- practice experience. From a child the Service collects:

• The display name and grade the parent supplied (not a real name or birthday);
• The child’s spelling attempts and the timing of those attempts;
• Any optional “practice these more’’ selections the child taps at the end of a session;
• Persistent identifiers needed to keep the child signed in on their device.

We do not request, and we do not knowingly collect, any other personal information from a child — no photos, videos, voice recordings of the child, location data, contact information for friends, or sensitive identifiers.

4.2 How we use that information

We use it to deliver the Service to your child — to choose the next word, score answers, advance the mastery ladder, and give the parent a record of practice. We do not use it for advertising, profiling for marketing purposes, or sale to third parties.

4.3 Disclosure practices

We share the categories of children’s information described in Section 4.1 only with the service providers in Section 6 (and only the categories each provider needs), and we may disclose information when required by law. We do not sell children’s personal information and do not disclose it for behavioural advertising.

4.4 Parental consent

Before a child can use the Service we ask the parent or legal guardian to complete a verifiable parental consent flow. This includes typing your legal name, reviewing and signing the consent document, and confirming a follow-up email approximately 24 hours later (the COPPA “Email Plus” method). For children enrolled through a school or clinic, the organisation may collect consent on paper and attest to having it on file; we record that attestation in addition to the signed form.

4.5 Parental rights

As the parent or legal guardian you can at any time:

• Review the personal information we hold about your child;
• Refuse to permit further collection or use of your child’s information by revoking consent;
• Have your child’s information deleted from the Service;
• Request a list of third parties to which we have disclosed your child’s personal information.

You can revoke consent from your account at /parent/privacy or by writing to privacy@giggletap.com. Revoking consent will end your child’s access to the Service. We will delete the child’s personal information per Section 7, retaining only what we’re legally required to retain (notably the consent record itself, for evidentiary integrity).

We share personal information only in the four situations below. Outside these, we do not disclose your information to anyone.

• With service providers that help us run the Service. Each provider receives only the categories of information needed for the task we engaged them for, and each is bound by terms that prohibit using the information for their own purposes. See Section 6 for the named list.
• With organisations you belong to. If your child is enrolled with a school, clinic, or tutoring provider through their giggletap organisation seat, we share that child’s practice history with authorised staff of that organisation. The organisation’s own privacy notices govern further uses on their side.
• For legal reasons. We may disclose information when we believe in good faith that disclosure is necessary to comply with a law, regulation, legal process, or governmental request, or to investigate violations of our Terms, fraud, security incidents, or technical issues.
• In a business transfer. If we are involved in a merger, acquisition, financing, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will provide notice (by email and on the Service) before personal information becomes subject to a materially different privacy policy.

We do not sell personal information, do not share it for cross-context behavioural advertising, and do not allow third parties to track users across the Service or across other sites. This includes the meanings of “sale” and “share” in the California Consumer Privacy Act, as amended.

We use the providers below to operate the Service. The sub-bullet under each names the categories of information that provider processes on our behalf.

• Amazon Web Services (AWS) — hosting, database (RDS PostgreSQL), object storage (S3, for cached audio), transactional email (SES), AI inference (Bedrock), and log ingestion (CloudWatch). All categories of information described in Section 2 rest on AWS infrastructure in the us-east-1 region.
• Stripe — payment processing. Card numbers and direct billing details. Stripe collects card data on its own forms; we receive only a Stripe customer identifier and subscription metadata.
• ElevenLabs — one-time text-to-speech synthesis of curriculum words. We send the word text to ElevenLabs once per word, cache the resulting MP3 on our own S3 bucket, and serve every subsequent playback from our cache. Children’s identifiers are not sent to ElevenLabs; only the word text and rate parameters.
• Google Firebase — real-time signalling for live parent-and-child practice sessions. Session-scoped state (current word, progress markers); the authoritative record is in our PostgreSQL database.
• Google Sign-In (optional) — parent federated login. Email, name, and a stable subject identifier returned by Google when a parent chooses this sign-in method.

We periodically reassess this list. When we add or change a provider in a way that materially affects how your information is processed, we will update this section and, where required by law, notify you.

We keep personal information for as long as we have a need to. In practice:

• Account and practice data — for as long as your account is active. After you close the account we delete it within 30 days, retaining backups for up to 7 days for disaster recovery.
• Verifiable parental consent records — 1 year after the underlying consent is revoked or the related child profile is deleted, to preserve evidentiary integrity under COPPA.
• Billing records — for the period required by tax, accounting, and financial-services regulation in your jurisdiction.
• Security and audit logs — for up to two years, longer if a specific log entry is implicated in an ongoing investigation.
• AI coach prompts and responses — up to 90 days for quality-assurance review, then purged or de-identified.

We use commercially reasonable administrative, technical, and physical safeguards to protect personal information, including:

• TLS for all data in transit;
• Encryption at rest for the application database (AWS RDS default encryption) and S3 object storage (AES-256 server-side encryption);
• Per-account login lockout after repeated failed sign-in attempts, and bcrypt for stored password hashes;
• Role-based access controls; production data access is restricted to a short list of named operators;
• An audit log of consequential staff actions;
• Point-in-time database recovery (7 days) and short-window S3 versioning.

No security control is perfect. If you believe your account has been compromised, contact us immediately at support@giggletap.com.

Subject to applicable law, you have the following rights with respect to your own personal information. Where laws require us to verify your identity before responding, we will reasonably verify you against the contact details on your account.

• Access. Request a copy of the personal information we hold about you.
• Correction. Ask us to correct information that is inaccurate or incomplete.
• Deletion. Ask us to delete information, subject to legal-retention obligations we describe in Section 7.
• Portability. Receive a machine-readable copy of information you provided to us, where technically feasible.
• Objection or restriction. Object to processing that relies on our legitimate interests, or ask us to restrict processing while a request is pending.
• Withdraw consent. Where processing is based on consent (notably the verifiable parental consent under COPPA), withdraw it at any time. Withdrawal does not affect processing already carried out.
• Complaint. Lodge a complaint with the data protection authority in your country. EU/UK residents can find their authority at edpb.europa.eu and ico.org.uk respectively.
• Non-discrimination. We will not discriminate against you for exercising any of these rights.

To exercise any of these rights, email privacy@giggletap.com. We will respond within the period required by the law that applies to your request — in most cases within 30 days, with a single 60-day extension where reasonably necessary.

California residents may also designate an authorised agent to make a request on their behalf, and may request a list of the categories of personal information disclosed to third parties for the past 12 months. We do not sell or share personal information for cross-context behavioural advertising as those terms are defined in the CCPA/CPRA.

Section 9 sets out your rights as an adult user. Many of those same rights, plus additional rights specific to COPPA and similar children’s privacy laws, are available to you as a parent or legal guardian acting on behalf of your child:

• Review the personal information we hold about your child;
• Refuse to permit further collection or use of your child’s information by revoking consent;
• Request deletion of your child’s personal information;
• Request a list of third parties to which we have disclosed your child’s information.

The fastest way to exercise these rights is from your authenticated account at /parent/privacy. You can also email privacy@giggletap.com from the email address on file. We may require additional verification before disclosing or acting on a child’s information.

The Service is operated from the United States and the information we collect is stored and processed in AWS data centres in the us-east-1 region. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States.

The Service is offered to users in the United States and is not directed at children or adults in the European Economic Area, the United Kingdom, or Switzerland. We do not knowingly collect personal information from individuals located in those regions. If you are located in the EEA, UK, or Switzerland, please do not register for or use the Service. If you believe a child located in those regions has been registered for the Service, write to privacy@giggletap.com and we will delete their information.

We use a small set of first-party cookies. We do not use any third-party tracking cookies, advertising cookies, or pixels on the Service.

• Session cookies (giggletap_session for parents, giggletap_kid_session for a kid’s device) keep you signed in. They contain a signed identifier; no personal information is stored in the cookie value itself.
• Authentication cookies set by Google when you choose to sign in with Google. Google’s policies govern those cookies.
• Local storage caches small amounts of UI state (e.g. the active scene variant) on the child’s device.

We do not run third-party analytics on the Service. We handle our own server-side metrics through AWS CloudWatch using log lines emitted by our application; those log lines do not include the cookie values above.

The Service does not respond to Do Not Track signals, because we do not engage in the kind of cross-context tracking those signals were designed to limit. We respect the underlying preference by not setting tracking cookies at all.

We may update this policy from time to time. The “Effective” date at the top of this page always reflects the current version. If a change materially affects how we treat previously collected personal information, we will provide notice to the email on your account and, where COPPA or other law requires, obtain renewed parental consent before applying the change to children’s information.

Privacy questions and rights requests: privacy@giggletap.com.

Product and account help: support@giggletap.com.

Mailing address:
giggletap LLC
6545 Market Ave. North, STE 100, Canton, OH 44721, USA