🌐 Ver en Español

Privacy Policy

# VoxNovaAAC Privacy Policy

**Version:** 2026-05-19-v3  
**Last Updated:** 2026-05-19  
**Company Legal Name:** VoxNova Inc. ("Company," "we," "us," or "our")

## 1) Overview

This Privacy Policy explains how Company collects, uses, discloses, and safeguards information when you use VoxNovaAAC (the "Service"), including the VoxNovaAAC web application and the VoxNova mobile/tablet application (Capacitor-based) distributed for sideload or through app channels.

The Service is designed to be used by adults (for example, Teachers, Parents, District Administrators, and School Administrators) and may be used by Students under adult supervision. A single account may legitimately hold more than one role (for example, a Teacher who is also a Parent of a Student in the same system).

This Privacy Policy is incorporated into and governed by our Service Agreement, which is available at /terms. Capitalized terms used but not defined here have the meanings given in the Service Agreement.

## 2) Information We Collect

We may collect the following categories of information:

### 2.1 Account and Profile Information

- name, email address, and account role(s) (for example, Teacher, Parent, Student, District Admin, School Admin, App Admin);
- authentication identifiers from Firebase Authentication (for example, Firebase UID, Google sign-in identifiers);
- school, district, and organization information you provide (for example, district name, school name, NCES identifiers);
- classroom/class membership, roster assignments, and teacher-parent-student relationships;
- accessibility and communication preferences (for example, voice, speech rate, output mode, caption/large-tile preferences);
- service agreement acceptance records (version, hash, timestamp, and clickwrap evidence).

### 2.2 Student Information (Where Provided by Adults/Organizations)

If you are a Teacher, Parent, District/School Administrator, or authorized organization representative, you may provide student-related information to enable the Service.

This may include:

- student first/last name, nickname, student ID, and date of birth;
- classroom, class, roster, and teacher/parent assignment information;
- IEP goals, progress-monitoring entries, assessment records, prompt-level tagging, and related special-education data you choose to enter;
- lesson assignments, board assignments, and classroom planning entries linked to the student;
- images, photos, and audio/video recordings you choose to attach to buttons, boards, lessons, or communications;
- any other information an adult user chooses to enter into the Service about a student.

### 2.3 User Content

The Service enables creation and upload of content such as:

- communication boards, buttons, labels, speech text, and button-level audio (recorded or text-to-speech);
- lesson decks, individual lessons, lesson objects (text, images, charts, shapes, audio, video), and linked standards;
- IEP goals, goal charts, progress notes, and data-collection forms (including ARIS-style data sheets and scans);
- planning and calendar entries (district-level, school-level, and teacher-level);
- messages, attachments, reactions, and read receipts exchanged between users (for example, teacher-parent, teacher-teacher, or teacher-administrator messaging);
- invitations you send to other users (for example, parent-invite emails, teacher-peer invitations);
- support communications you send to us.

### 2.4 Usage, Device, Session, and Technical Data

We may collect information about how the Service is accessed and used, including:

- IP address, user-agent, browser type, device identifiers (where available), operating system, and timestamps;
- session and device-registration information (the Service may limit the number of concurrently active devices per account and may sign out the oldest active session when that limit is exceeded);
- pages visited, buttons pressed, lesson playback events, board navigation events, and other interactions with features;
- event and audit logs, including per-request correlation identifiers (for example, request IDs and `X-Request-Id` headers) used for diagnostics;
- error and crash telemetry, including structured error-group records used for triage and automated ticket creation;
- push-notification tokens and delivery metadata (where you enable push notifications, for example via Firebase Cloud Messaging).

### 2.5 Offline Activity and Synchronization Data

The Service provides offline-capable student playback and teacher features. When offline, the Service may:

- cache boards, buttons, lesson content, and media (images/audio/video) locally on the device;
- queue interaction events, data-collection entries, and messages locally and upload them when connectivity is restored.

Offline activity carries a timestamp indicating it occurred offline and is associated with the responsible account upon synchronization.

### 2.6 Billing and Payments

If you purchase a paid plan or add-ons, payment processing is handled by Stripe, Inc. Company may receive limited billing-related information (for example, subscription status, plan tier, add-on quantity, renewal/cancellation state, currency, and the card brand or last four digits where provided by Stripe), but Company does not receive or store your full payment card number.

The Service uses a tiered plan model (for example, a free tier with limited boards/buttons/users, a base subscription tier, and add-on units that increase quotas). Billing records reflect the plan, add-ons, and quota usage associated with your account.

### 2.7 Beta Access and Waitlist

The Service may offer beta access with capacity caps. If you join a waitlist or are granted beta access, we may record your email, role context (teacher/parent; free/paid), and the state of your beta access (waitlisted, granted, active).

### 2.8 Communications with Support

If you contact us for support or email us, we may retain the content of those communications along with associated metadata (for example, sender, timestamp, and case identifiers).

## 3) How We Use Information

We may use information to:

- provide, operate, maintain, secure, and improve the Service across web, tablet, and mobile surfaces;
- create and manage accounts, roles, permissions, and linkages between Teachers, Parents, Students, and administrators;
- enable offline features and synchronize data (including events, messages, and data-collection entries) when connectivity is restored;
- enforce device/session limits, authentication, and anti-abuse controls;
- deliver the communication board, lesson, planning, calendar, IEP/goals, messaging, and reporting features;
- generate reports (for example, most-used buttons, usage over time, prompt distribution, and CSV exports) for authorized adult users;
- process transactions, manage subscriptions, add-ons, quotas, and beta access;
- send service-related notifications (for example, invitations, password/reset flows, service updates, and error/ticket emails to administrators);
- operate diagnostic and error-triage tooling, including correlation IDs, error grouping, and (where configured) automatic creation of internal tickets;
- prevent fraud, abuse, and security incidents;
- comply with legal obligations and enforce our agreements.

## 4) How We Share Information

We may share information with:

- **Service providers** that help us operate the Service, including:
  - **Stripe, Inc.** — payment processing and subscription billing;
  - **Google LLC / Google Cloud** — hosting and operations via **Cloud Run**, **Firebase Authentication**, **Cloud Firestore**, **Cloud Storage**, **Firebase Hosting**, **Firebase Cloud Messaging**, and related infrastructure;
  - email delivery providers used to send invitations, notifications, and support mail;
  - error-tracking and ticketing integrations (for example, internal GitHub Issues automation) used for diagnostics.
- **Other users within your organization or linkage**, consistent with role-based permissions you configure. For example:
  - Teachers may share boards, lessons, student data charts, and goals with other Teachers, Parents, or Administrators connected to the same student;
  - Parents may share boards with connected Teachers;
  - Administrators may view organization-level records consistent with their role.
- **Schools, districts, and authorized organizations** that administer accounts used on their behalf.
- **Legal and safety disclosures** where required by law, court order, or to protect rights, safety, and security, or in connection with a corporate transaction (for example, merger, acquisition, or asset transfer), subject to appropriate protections.

We do not sell or rent your personal information. We do not share your personal information for cross-context behavioral advertising. We do not use student personal information for behavioral advertising or any commercial purpose unrelated to providing the Service. These commitments apply to all users, including California residents and users in other jurisdictions with similar statutory rights.

## 5) Cookies, Local Storage, and Similar Technologies

The Service may use cookies, browser storage (for example, localStorage and IndexedDB), service workers, and similar technologies for:

- authentication and maintaining sessions (on Firebase Hosting, the Service uses a `__session` cookie so sessions work behind Firebase Hosting rewrites to Cloud Run);
- storing preferences (for example, voice and accessibility settings);
- supporting offline functionality, including caching boards, lesson content, and media;
- queuing offline activity until synchronization.

You can control cookies and local storage through your browser and device settings. Clearing site data may remove offline content, sign you out, and require re-login. On the mobile/tablet app, uninstalling the app removes locally cached content.

## 6) Data Retention

We retain information for as long as needed to provide the Service and for legitimate business purposes, such as:

- maintaining account functionality, rosters, linkages, and records;
- retaining student records across school years where an adult user or organization chooses to preserve them (for example, removing a student from a class does not automatically delete the student record, which may be re-assigned by another Teacher);
- security, fraud prevention, abuse monitoring, and audit;
- diagnostics and error-triage history (including per-request correlation IDs);
- complying with legal obligations, tax, and contractual requirements with schools/districts;
- dispute resolution and enforcement of agreements.

Retention periods may vary depending on role, subscription status, and contractual requirements with schools/districts. The following categories and general approaches apply absent a specific legal or contractual obligation requiring a different period:

| Data Category | General Retention Approach |
|---|---|
| Active account and profile data | Retained for the duration of the account |
| Student records (linked to an active organization) | Retained for the duration of the organization's account |
| Student records (after account deletion or org offboarding) | Retained for a limited period as needed for continuity, then deleted or anonymized |
| Interaction logs and event telemetry | Retained for a limited period for operational and reporting purposes |
| Billing and payment records | Retained as required by applicable tax and legal obligations |
| Error and diagnostic telemetry | Retained for a limited period for diagnostic and triage purposes |
| Support communications | Retained for a reasonable period for support continuity and dispute resolution |
| Deleted account data | May persist in backups for a limited period before permanent deletion |

These categories are illustrative. We may retain data longer where required by law, active dispute, or contractual obligation, and may delete data sooner where technically and legally feasible.

## 7) Security

We use reasonable administrative, technical, and physical safeguards to protect information, including:

- transport encryption (HTTPS);
- authentication via Firebase Authentication;
- role- and permission-based access controls within the application;
- a process designed to store secrets in Google Secret Manager rather than in source code or shared logs;
- endeavoring to maintain separation between production and development environments.

However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

### 7.1) Security Incidents and Breach Notification

In the event of a security incident involving personal information, we will:

- investigate and take reasonable steps to contain the incident;
- notify affected users and/or relevant authorities as required by applicable law (including, where required, the North Carolina Identity Theft Protection Act and other applicable state breach notification laws);
- provide notification within the timeframes required by applicable law, generally without unreasonable delay.

If you believe your account or information may have been compromised, please contact us immediately at CustomerSupport@VoxNovaAAC.com.

## 8) Student and Children's Privacy

The Service is intended to be used by adults (Teachers, Parents, and Administrators) and may be used by Students under adult supervision.

Teachers, Parents, and customer organizations are responsible for obtaining any required notices, permissions, and consents for student information and any uploaded content (including student images, audio, and video), consistent with applicable law (including, where relevant, education-record privacy laws, children's privacy laws, and state student-privacy protections).

Where a school or district is our customer, student information is processed at that school/district's direction, and adult organizational users are responsible for the lawful basis, notice, and consent applicable to their jurisdiction.

**Data Processing Agreements:** Schools, districts, or other organizations with education-record obligations that require a Data Processing Agreement or similar data processing terms may request one by contacting us at CustomerSupport@VoxNovaAAC.com. We will work in good faith to provide appropriate data processing terms consistent with applicable law.

## 9) Your Choices and Requests

You may request access, correction, or deletion of certain information by contacting us at the address in the Contact section below.

- Adult users may manage account settings, linkages, and some content directly through the Service (for example, by editing profile information, removing students from a class, or deleting user-created content where supported).
- For Student information, requests should generally be made by the responsible Parent, Teacher, or organization.
- Users with rights under applicable U.S. state privacy laws (including California, Virginia, Colorado, Connecticut, and other states with comprehensive privacy statutes) may submit requests to exercise those rights — including access, correction, deletion, and opt-out of sale or sharing — by contacting us at CustomerSupport@VoxNovaAAC.com. We will respond consistent with applicable law.

**Parent and Guardian Education-Record Requests:** Parents and guardians seeking access to or correction of school-controlled student education records should generally submit requests through the responsible school or district. We will coordinate with schools and districts as appropriate to facilitate lawful requests.

**Limits on Export and Deletion:** Access, export, and deletion of student information may be limited by education-record retention obligations, audit requirements, security needs, contractual commitments to schools and districts, or other legal requirements. We may retain certain data as required or permitted by applicable law, contract, or legitimate business needs.

## 10) Jurisdiction and International Users

The Service is operated from the United States and is governed by the laws of the State of North Carolina. Information may be processed and stored in the United States or other countries where our service providers operate. By using the Service, you understand that your information may be transferred to, processed, and stored in those locations.

### 10.1) U.S. State Privacy Rights

Residents of California, Virginia, Colorado, Connecticut, Texas, Montana, Oregon, and other U.S. states with comprehensive consumer privacy laws may have additional rights regarding their personal information, which may include:

- the right to know what personal information we collect, use, disclose, and sell or share;
- the right to access a copy of personal information we hold about you;
- the right to correct inaccurate personal information;
- the right to request deletion of personal information, subject to legal exceptions;
- the right to opt out of the sale or sharing of personal information for cross-context behavioral advertising (we do not sell or share personal information for this purpose);
- the right not to be discriminated against for exercising these rights.

To exercise these rights, contact us at CustomerSupport@VoxNovaAAC.com with the subject line "Privacy Rights Request." We will respond within the timeframes required by applicable law (generally 45 days, with a possible 45-day extension where permitted).

**California Residents:** Under the California Consumer Privacy Act (CCPA) as amended by the CPRA, you may also designate an authorized agent to submit requests on your behalf. We do not have actual knowledge that we sell or share personal information of consumers under 16 years of age.

### 10.2) EEA, UK, and Swiss Users

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, please note:

- The Service is not directed at EEA/UK/Swiss residents and is not currently designed to meet EEA/UK GDPR compliance obligations.
- If you choose to use the Service from those regions, your data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.
- You may have rights under the GDPR or UK GDPR, including rights of access, rectification, erasure, restriction, portability, and objection. To submit a request, contact us at CustomerSupport@VoxNovaAAC.com.
- If you have unresolved concerns, you may have the right to lodge a complaint with your local supervisory authority.

## 11) Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will update the version/effective date above and, for material changes, provide notice as required by law or contract.

## 12) Contact

Privacy questions and requests:

- **Email:** CustomerSupport@VoxNovaAAC.com