VoiceBloom is built for families and children. We collect only what we need, never sell your data, and give you full control over your information at any time.
1. Who we are
VoiceBloom ("we", "us", or "our") operates the VoiceBloom communication platform, accessible at voicebloom.ca. We provide augmentative and alternative communication (AAC) tools for children, their families, therapists, and schools.
VoiceBloom is based in Canada. This privacy policy is written in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), as well as GDPR and CCPA where applicable.
Privacy Officer: For questions about this policy or to exercise your data rights, contact our Privacy Officer at info@voicebloom.ca.
2. Information we collect
Information you provide to us
- Account information: your name, email address, and password when you create an account
- Child profile: your child's first name, age, communication level, and interests — used solely to personalize the app
- Payment information: processed directly by Stripe. VoiceBloom never stores your credit card details
- Communications: emails you send to our support team
Information we collect automatically
- Symbol usage: which symbols your child taps, in which order, and at what time — used to generate progress reports and personalize the board
- Session data: session start and end times, tap counts
- Device information: browser type and device type — used for technical support and product improvement
Information we do not collect
- We do not record audio from your device's microphone
- We do not collect video or photos of your child
- We do not collect your location
- We do not track you across other websites
3. How we use your information
- To provide, operate, and improve VoiceBloom
- To personalize the symbol board and Responses for your child
- To generate weekly progress reports and IEP notes
- To process payments and manage your subscription
- To send service emails (receipts, trial reminders, password resets)
- To respond to support requests
- To comply with legal obligations
We do not use your child's communication data to train models. Session data is processed by Claude (Anthropic) solely to generate your reports — it is not retained by Anthropic for training purposes under our API agreement.
4. Consent
Under PIPEDA, we collect and use your personal information only with your knowledge and consent. By creating a VoiceBloom account, you consent to the collection and use of information as described in this policy.
- Express consent: We obtain express consent when you create an account, add a child profile, or start a subscription
- Implied consent: Your continued use of VoiceBloom after being notified of policy changes constitutes implied consent to the updated terms
- Withdrawing consent: You may withdraw consent at any time by deleting your account from your account settings or by emailing info@voicebloom.ca. Withdrawing consent may result in us being unable to provide the service. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal
5. Parental consent and children's privacy (COPPA)
VoiceBloom is used with children but is operated by adults (parents, therapists, or school administrators). We do not collect personal information directly from children under 13. All child data is provided by an adult account holder on the child's behalf.
Verifiable parental consent
Before any child data is collected, the responsible adult must provide consent during onboarding, in accordance with the U.S. Children's Online Privacy Protection Act (COPPA) and applicable Canadian privacy law (PIPEDA, with provincial extensions where they apply, including Quebec's Law 25 and BC's PIPA):
- Parent / legal guardian: sign in under an account you control, attest that you are the parent or legal guardian of the child, and confirm that you are at least 18 years old (we record the year of your date of birth as evidence of adult attestation; we do not store the full date of birth)
- School / clinic / therapist proxy: a school or licensed clinical provider may consent on behalf of the parent under the FERPA / institutional-proxy framework, after verifying parental authorization through their own consent process, and after explicitly confirming that VoiceBloom will not be used as a system of record
Consent records (method, timestamp, account identity, and adult-attestation evidence) are stored in our database and can be produced on request. You may withdraw consent at any time and request deletion of all child data — see the section below.
For families on a paid Family or Therapy plan, VoiceBloom relies on credit-card collection at signup as the verifiable parental consent (VPC) mechanism under COPPA. The Federal Trade Commission's COPPA Rule (16 CFR § 312.5(b)) recognises monetary transactions through a payment system as a valid VPC method — by entering a card and authorising the (initially zero-dollar) trial through Stripe, the account holder demonstrates adult identity and authority over the account. The same payment record provides an audit trail of who consented and when. Together with the account-holder authentication, adult-age attestation, and contractual data-use restrictions on our service providers, this satisfies FTC COPPA VPC requirements for the data we collect.
For School / District accounts, consent is collected under the FERPA "school official" framework: the school stands in for the parent under 34 CFR § 99.31(a)(1) and is responsible for parental notice and any direct consent the school's own policy requires. See our FERPA addendum for details.
If a future regulatory requirement makes an even stronger verification method necessary for your jurisdiction, we will add it before further data collection and update this policy accordingly.
Specific uses of child data
Child data — communication events, session activity, profile information, and any IEP / progress notes generated — is used only to:
- Operate the AAC communication board for that specific child
- Generate progress reports and recommendations for the parent and any therapist the parent has linked
- Allow the parent or therapist to export, modify, or delete the data
We do not use child data for advertising, profiling, behavioral targeting, or any secondary purpose. We do not sell child data. Our third-party service providers are contractually prohibited from using child data for any purpose other than operating VoiceBloom.
Optional features and opt-out
Several features that process child data are optional and can be turned off without deleting the account: weekly progress reports, IEP note generation, Coach conversations, and therapist sharing via a linked code. You can toggle these from account settings or simply not use them.
Child data handling
All child profiles are created and managed by an adult account holder. Child data — including names, ages, communication levels, and session activity — is associated with the adult account and subject to the adult's data rights.
Withdrawing consent for child data
You may withdraw consent for your child's data at any time by:
- Deleting your child's profile from your account settings
- Deleting your entire account, which removes all child data permanently
- Emailing info@voicebloom.ca to request selective data removal
Withdrawing consent will result in the permanent deletion of your child's communication data, session history, and progress reports. This action cannot be undone.
If you believe we have inadvertently collected personal data directly from a child under 13, please contact us at info@voicebloom.ca and we will delete it promptly.
6. HIPAA (Therapy and School / District plans)
VoiceBloom is not a system of record for clinical care, electronic health records, or medical billing. Therapists, clinics, and schools who use VoiceBloom must maintain their primary clinical documentation in their own HIPAA-compliant or otherwise appropriate records system. VoiceBloom is intended as a collaboration and progress-sharing tool, not a substitute for an EHR.
That said, VoiceBloom is built on HIPAA-eligible infrastructure. Our providers Supabase and Vercel both support Business Associate Agreements (BAAs) for healthcare use cases.
- We will work with Therapy and School / District plan subscribers to put appropriate BAAs in place on request
- Data is encrypted in transit (TLS 1.2+) and at rest by our infrastructure providers
- Row Level Security ensures users can only access their own data
To discuss HIPAA requirements or request a BAA, email info@voicebloom.ca.
7. Data sharing
We do not sell, rent, or trade your personal information. We share data only with the following third-party service providers, solely to operate VoiceBloom:
- Supabase — database and authentication hosting (SOC 2 Type II certified)
- Anthropic (Claude API) — cloud processing for reports and personalization. Data processed under our API agreement; not used for model training
- Stripe — payment processing (PCI DSS Level 1 certified). Stripe handles all card data; we never see it
- Resend — transactional email delivery
- Vercel — application hosting (SOC 2 Type II certified)
- Sentry — error and crash monitoring (loaded conditionally; receives stack traces, page URL, and anonymous user ID — no symbol-tap content or child names)
- Google Fonts — typography on public marketing pages only (your IP address is sent to Google to fetch fonts; no cookies are set)
We may disclose information if required by law, court order, or to protect the safety of any person.
8. Data retention
- Account and profile data: retained while your account is active, and for 30 days after account deletion
- Session and symbol tap data: retained for 24 months from collection, then anonymized
- Billing records: retained for 7 years as required by financial regulations
- Support communications: retained for 2 years
You can trigger the 30-day deletion window yourself at any time from account settings → "Delete My Account". See section 9 below for the full self-service flow.
9. Your data rights
Under PIPEDA, GDPR, and CCPA, you have the following rights over your personal data:
- Access: Request a copy of all personal data we hold about you and your child
- Correction: Update inaccurate or incomplete information via your account or by contacting us
- Deletion: Permanently delete your account and all associated data, including all child profiles, session history, and progress reports
- Portability: Download all your data in a machine-readable JSON format
- Objection: Object to certain types of processing
- Withdrawal of consent: Withdraw consent at any time without affecting prior processing
How to exercise your rights
We have built self-service tools so you can exercise your rights immediately:
- Download your data: Go to account settings and click "Download My Data" to export all your data as a JSON file. This includes your profile, subscription, child profiles, all session data, symbol taps, weekly reports, billing events, and consent records
- Delete your account: Go to account settings and click "Delete My Account". This permanently deletes all your data from our systems, cancels any active Stripe subscription, and removes your authentication credentials. This action cannot be undone
- Other requests: For corrections, objections, or any other data request, email info@voicebloom.ca
We respond to all data rights requests within 30 days. For full details about your rights, see our Your Privacy Rights page.
10. Cookies
VoiceBloom uses only essential cookies required for authentication (keeping you logged in) and security. We do not use advertising cookies or cross-site tracking cookies.
11. Security
We protect your data using industry-standard safeguards including TLS encryption in transit, encryption at rest provided by our infrastructure providers, and row-level access controls ensuring users can only access their own data. Our infrastructure providers hold SOC 2 Type II certifications. For full details, see our Security and Compliance page.
Despite these measures, no internet transmission is 100% secure. If you suspect your account has been compromised, please contact us immediately.
12. International transfers
VoiceBloom is based in Canada. Our infrastructure providers (Supabase, Vercel, Stripe) may process data in the United States. Where data is transferred outside of Canada, we ensure that our providers maintain adequate safeguards consistent with PIPEDA requirements. For users in the European Economic Area (EEA) or UK, transfers are governed by Standard Contractual Clauses.
13. Changes to this policy
We will notify you of material changes to this policy by email and by posting a notice in the app at least 14 days before changes take effect. Your continued use of VoiceBloom after changes take effect constitutes acceptance of the updated policy.
14. Contact us
VoiceBloom is operated by a Canadian business. Counter-party legal details (registered business name, BIN, CRA numbers) are provided on signed agreements upon request.
Privacy Officer / data requests: info@voicebloom.ca
General / support: info@voicebloom.ca
HIPAA / BAA requests: info@voicebloom.ca
EU / UK GDPR representative: to be appointed and listed before public launch in EU/UK markets
You also have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca), and, depending on your residence, your local data protection authority (e.g., your EU supervisory authority for GDPR matters, the ICO in the UK, or the California Privacy Protection Agency for CCPA matters).