Security and compliance
How we protect your child's data — and what we're compliant with.
VoiceBloom is built for families and children. Your data is encrypted, never sold, and protected by industry-leading standards.
All traffic to VoiceBloom is encrypted in transit via HTTPS with TLS 1.2+. Data at rest is encrypted by our infrastructure providers — Supabase encrypts all database storage and Vercel encrypts static assets. Both providers hold SOC 2 Type II certifications. Payment data is handled entirely by Stripe and never touches VoiceBloom servers.
VoiceBloom enforces strict security headers, including HSTS, X-Frame-Options, and Content-Type protection, on all pages.
VoiceBloom is not a system of record for clinical care, electronic health records, or medical billing. Therapists, clinics, and schools who use VoiceBloom must maintain their primary clinical documentation in their own HIPAA-compliant or otherwise appropriate records system.
VoiceBloom is built on HIPAA-eligible infrastructure. Supabase and Vercel both offer Business Associate Agreements (BAAs) for healthcare use cases. If your practice or organisation requires a BAA, contact info@voicebloom.ca and we will work with you to put the appropriate agreements in place.
VoiceBloom uses Supabase Row Level Security (RLS) on every database table. RLS policies ensure that users can only read and modify their own data — including profiles, subscriptions, child profiles, sessions, symbol taps, weekly reports, billing events, and consent records. All API keys are stored in environment variables and never exposed in client-side code.
As a Canadian company, VoiceBloom is fully compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA). Our compliance includes:
- Express parental consent collected during onboarding before any child data is processed
- Consent records stored with timestamps in our database
- Self-service data export (download all your data as JSON)
- Self-service account deletion (permanently removes all data)
- Mandatory breach reporting procedures in place
- Privacy Officer contactable at info@voicebloom.ca
For full details, see our Privacy Policy and Your Privacy Rights page.
VoiceBloom respects your data rights under GDPR and CCPA. You can download all of your personal data or permanently delete your account directly from your account settings. You can also request access, corrections, or deletion by emailing info@voicebloom.ca. We respond to all requests within 30 days.
VoiceBloom is designed for use by adults (parents, therapists, teachers) on behalf of children. All accounts are created and managed by adults. We require express parental consent during onboarding before collecting any child data. We do not knowingly collect personal data directly from children under 13 without parental authorisation, in accordance with COPPA guidelines.
VoiceBloom relies on the following trusted third-party providers:
| Provider | Purpose | Certifications |
|---|---|---|
| Supabase | Database and authentication | SOC 2 Type II |
| Vercel | Hosting and edge delivery | SOC 2 Type II |
| Stripe | Payment processing | PCI DSS Level 1 |
| Anthropic | Cloud processing (Claude) | Data not used for training |
| Resend | Email delivery | — |
VoiceBloom maintains a comprehensive breach response plan in accordance with PIPEDA's mandatory breach reporting requirements.
1. Detection and assessment. We monitor our systems for unauthorised access. When a potential breach is identified, we immediately assess the scope, severity, and type of data affected.
2. Containment. Affected systems are isolated, compromised credentials are revoked, and vulnerabilities are patched to prevent further exposure.
3. Notification. If a breach creates a real risk of significant harm, we will notify affected users within 72 hours and report the incident to the Privacy Commissioner of Canada. Notifications include what happened, what data was affected, and the steps we are taking in response.
4. Contact. If you believe your account has been compromised or you have a security concern, contact us immediately at info@voicebloom.ca.
Read our complete Data Breach Response Plan for full procedural details.