1. Who we are

VoiceBloom ("we", "us", or "our") operates the VoiceBloom communication platform, accessible at voicebloom.app. We provide AI-powered augmentative and alternative communication (AAC) tools for children, their families, therapists, and schools.

For questions about this policy, contact us at: privacy@voicebloom.app

2. Information we collect

Information you provide to us

• Account information: your name, email address, and password when you create an account
• Child profile: your child's first name, age, communication level, and interests — used solely to personalise the app
• Payment information: processed directly by Stripe. VoiceBloom never stores your credit card details
• Communications: emails you send to our support team

Information we collect automatically

• Symbol usage: which symbols your child taps, in which order, and at what time — used to generate progress reports and personalise the board
• Session data: session start and end times, tap counts
• Device information: browser type and device type — used for technical support and product improvement

Information we do not collect

• We do not record audio from your device's microphone
• We do not collect video or photos of your child
• We do not collect your location
• We do not track you across other websites

3. How we use your information

• To provide, operate, and improve VoiceBloom
• To personalise the symbol board and AI responses for your child
• To generate weekly AI progress reports and IEP notes
• To process payments and manage your subscription
• To send service emails (receipts, trial reminders, password resets)
• To respond to support requests
• To comply with legal obligations

We do not use your child's communication data to train AI models. Session data is processed by Claude (Anthropic) solely to generate your reports — it is not retained by Anthropic for training purposes under our Business Associate Agreement.

4. Children's privacy (COPPA and GDPR-K)

VoiceBloom is used with children but is operated by adults (parents, therapists, or school administrators). We do not knowingly collect personal information directly from children under 13.

All child profiles are created and managed by an adult account holder. Child data — including names and communication patterns — is associated with the adult account and subject to the adult's data rights.

If you believe we have inadvertently collected personal data directly from a child under 13, please contact us at privacy@voicebloom.app and we will delete it promptly.

5. HIPAA (Therapy and School plans)

Therapy and School/Clinic plan subscribers may use VoiceBloom in clinical contexts where the Health Insurance Portability and Accountability Act (HIPAA) applies. For these subscribers, VoiceBloom acts as a Business Associate.

• We sign a Business Associate Agreement (BAA) with Therapy and School plan subscribers on request
• Child communication data is encrypted at rest and in transit
• Access to data is logged and auditable
• We maintain the safeguards required by the HIPAA Security Rule

To request a BAA, email hipaa@voicebloom.app.

6. Data sharing

We do not sell, rent, or trade your personal information. We share data only with the following third-party service providers, solely to operate VoiceBloom:

• Supabase — database and authentication hosting (SOC 2 Type II certified)
• Anthropic (Claude API) — AI processing for reports and personalisation. Data processed under our API agreement; not used for model training
• Stripe — payment processing (PCI DSS Level 1 certified). Stripe handles all card data; we never see it
• Resend — transactional email delivery
• Vercel — application hosting (SOC 2 Type II certified)

We may disclose information if required by law, court order, or to protect the safety of any person.

7. Data retention

• Account and profile data: retained while your account is active, and for 30 days after account deletion
• Session and symbol tap data: retained for 24 months from collection, then anonymised
• Billing records: retained for 7 years as required by financial regulations
• Support communications: retained for 2 years

8. Your rights

Depending on your location, you may have the following rights:

• Access: Request a copy of your personal data and your child's data
• Correction: Update inaccurate or incomplete information
• Deletion: Request deletion of your account and all associated data
• Portability: Request your data in a machine-readable format
• Objection: Object to certain types of processing
• Withdrawal of consent: Withdraw consent at any time without affecting prior processing

To exercise any of these rights, email privacy@voicebloom.app. We will respond within 30 days.

9. Cookies

VoiceBloom uses only essential cookies required for authentication (keeping you logged in) and security. We do not use advertising cookies or cross-site tracking cookies.

10. Security

We protect your data using industry-standard safeguards including TLS encryption in transit, AES-256 encryption at rest, and role-based access controls. Our infrastructure providers hold SOC 2 Type II certifications.

Despite these measures, no internet transmission is 100% secure. If you suspect your account has been compromised, please contact us immediately.

11. International transfers

VoiceBloom is based in the United States. If you are located in the European Economic Area (EEA) or UK, your data is transferred to and processed in the US under Standard Contractual Clauses approved by the European Commission.

12. Changes to this policy

We will notify you of material changes to this policy by email and by posting a notice in the app at least 14 days before changes take effect. Your continued use of VoiceBloom after changes take effect constitutes acceptance of the updated policy.

13. Contact us

Privacy questions: privacy@voicebloom.app
General: hello@voicebloom.app
HIPAA: hipaa@voicebloom.app