Privacy Policy

Last updated: April 10, 2026

This Privacy Policy describes how Briefcase AI (“we,” “us,” or “Briefcase AI”) collects, uses, and discloses information through our speech therapy practice platform at speech.briefcaseai.io (the “Service”). The Service is designed for children under 13 who are practicing speech and language skills under the supervision of a parent or legal guardian. We are committed to complying with the Children’s Online Privacy Protection Act (“COPPA”) and its implementing regulation at 16 CFR Part 312.

1. Operator Contact Information

Briefcase AI
Email: privacy@briefcasebrain.com
Website: speech.briefcaseai.io

If you have any questions about this Privacy Policy, our data practices, or your child’s personal information, please contact us at the email address above.

2. Information We Collect

2.1 Information Collected from Parents and Guardians

When a parent or guardian creates an account, we collect:

Name — used to personalize your account
Email address — used for account login, password reset, and important service communications
Password — stored only in hashed form using industry-standard one-way cryptographic hashing; we never store or have access to your plaintext password
Billing information — if you subscribe to a paid plan, payment is processed entirely by our payment processor, Stripe, Inc. We store only an opaque customer and subscription identifier; we do not store credit card numbers, bank account details, or other financial information on our servers

2.2 Information Collected About Children

When a parent or guardian adds a child profile during onboarding, we collect:

Child’s first name or nickname — used to personalize the practice experience (e.g., “Great job, Alex!”)
Age band — a range such as “5–6 years” (we do not collect the child’s date of birth, exact age, or any government-issued identifiers)
Interests — selected from a fixed list (e.g., “Animals,” “Dinosaurs,” “Space”) to theme practice content
Therapy domain selections — which areas of speech/language are being practiced (e.g., Speech Sounds, Expressive Language, Fluency)

2.3 Audio Recordings

During practice sessions, the child records audio of themselves saying therapy target words (e.g., “sun,” “snake,” “rabbit”). Each recording is:

Transmitted over an encrypted connection (TLS) to our servers
Processed by speech recognition models running on our infrastructure to generate text transcripts
Scored against the target word using disorder-aware pronunciation scoring
Stored in our cloud storage with a hashed, non-identifiable file path (the child’s identifier is cryptographically hashed before being used in the storage path, so audio files cannot be associated with a child by browsing the storage bucket)

Audio recordings are personal information under COPPA because they contain the child’s voice. We treat audio recordings with the same protections as all other child personal information.

2.4 Practice and Performance Data

As the child uses the Service, we automatically generate and store:

Transcripts — text generated from the child’s audio recordings by speech recognition
Pronunciation scores — a numeric score per exercise indicating error pattern, mild error, or correct pronunciation
Scoring metadata — non-personal technical information about how the score was computed
Session metadata — when the session started, how many exercises were completed, overall accuracy
Mastery estimates — a statistical estimate of the child’s skill level for each therapy target, used to adapt practice difficulty
Evaluation latency — how long the scoring took (used for system performance monitoring only)

2.5 Information We Do NOT Collect

We do not collect the child’s date of birth, Social Security number, or any government-issued identifier
We do not collect the child’s physical address or geolocation
We do not collect photographs or video of the child
We do not use cookies for behavioral advertising or cross-site tracking
We do not use any third-party analytics, advertising, or tracking services

3. How We Use Information

We use the information we collect solely for the following purposes:

Providing the Service — delivering speech therapy practice exercises, scoring pronunciation, adapting difficulty based on mastery
Personalizing content — selecting themed content (e.g., animal-themed words) based on the child’s chosen interests
Progress tracking — showing parents and SLPs the child’s practice history, accuracy trends, and skill mastery
Account management — authenticating users, processing password resets, managing subscriptions
Service improvement — monitoring system performance (latency, error rates) and scoring accuracy using aggregate, de-identified metrics

We do not use children’s personal information for marketing, advertising, or any purpose unrelated to the speech therapy practice Service.

4. How We Share Information

4.1 Service Providers

We share information with the following service providers, solely to operate the Service:

Provider	Data Shared	Purpose
Google Cloud Platform	All application data and audio files	Cloud infrastructure hosting (compute, storage, database)
Stripe, Inc.	Parent name, email, and account identifier	Subscription billing and payment processing
Amazon Web Services	Parent email address	Transactional email delivery (password reset only)

4.2 Speech Recognition Processing

Audio recordings are processed by speech recognition models running on our own infrastructure within the cloud providers listed above. Audio is transmitted only over encrypted internal network connections. Audio is not sent to any third-party speech recognition service.

4.3 Text-to-Speech

The Service generates audio exemplars of therapy target words so children can hear the correct pronunciation. This text-to-speech processing sends only the therapy target word (e.g., “sun”) to the synthesis model — no child personal information, audio recordings, or identifiers. The primary synthesis model runs on our own infrastructure. Certain words may optionally be synthesised by a third-party voice provider under contract; only the target word itself is transmitted, never child personal information.

4.4 No Sale of Data

We do not sell, rent, or trade any personal information — including children’s personal information — to any third party for any purpose.

4.5 Speech-Language Pathologists

If a parent’s child is assigned a speech-language pathologist (SLP) through the Service, the SLP may view the child’s name, therapy targets, practice scores, and mastery progress. SLPs access this information solely to support the child’s therapy goals. SLPs are bound by their own professional ethical and legal obligations regarding client confidentiality.

5. Parental Consent (COPPA Compliance)

Because the Service collects personal information from children under 13 — specifically, the child’s name and audio recordings of the child’s voice — we require verifiable parental consent before collecting this information, in accordance with COPPA (16 CFR §312.5).

We use the “email plus” method of verifiable parental consent: when a parent creates an account, we send a confirmation email to the parent’s email address. The parent must click the verification link in that email before they can create a child profile or begin practice sessions. This ensures that the person creating the account has access to the email address provided and has affirmatively consented to the collection of their child’s information.

By verifying your email and creating a child profile, you consent to our collection and use of your child’s personal information as described in this Privacy Policy. You may withdraw your consent at any time (see Section 6).

6. Parental Rights

Under COPPA, parents and legal guardians have the right to:

Review their child’s personal information — you can view your child’s practice history, scores, and profile data at any time through the Service
Request deletion of their child’s personal information — you can delete your child’s profile and all associated data (including audio recordings, transcripts, scores, and session history) through the Settings page or by contacting us at privacy@briefcasebrain.com
Refuse further collection — you may delete your child’s profile at any time to stop all further collection of your child’s personal information; you may also delete your entire account
Consent to collection without third-party disclosure — the Service does not disclose children’s personal information to third parties for their own use; service providers receive data only as necessary to operate the Service

To exercise any of these rights, use the Settings page within the Service or email privacy@briefcasebrain.com. We will respond to verified requests within 30 days.

7. Data Retention and Deletion

We retain your child’s personal information only for as long as reasonably necessary to provide the Service and fulfill the purposes described in this Privacy Policy:

Active accounts: data is retained for the duration of the account
After child profile deletion: all child data (profile, audio recordings, transcripts, scores, session history) is deleted within 30 days
After account deletion: all data associated with the account is deleted within 30 days; parent email is anonymized within 90 days
Audio recordings: deleted from Google Cloud Storage within 30 days of the associated child profile or account being deleted

We may retain de-identified, aggregate data (e.g., total number of practice sessions across all users) for service improvement purposes. This aggregate data cannot be used to identify any individual child or parent.

8. Data Security

We implement reasonable security measures to protect children’s personal information:

Encryption in transit: all data is transmitted over TLS (HTTPS)
Encryption at rest: application data and audio files are encrypted at rest
Password security: parent passwords are stored as one-way cryptographic hashes and are never retained in plaintext
Audio path hashing: child identifiers are cryptographically hashed before being used in audio file storage paths, so that audio files cannot be associated with a child by browsing the storage
Access controls: role-based access control limits data access to authorized users (parents see only their own children; SLPs see only assigned students; administrators have limited operational access)
Infrastructure security: the Service runs on hardened cloud infrastructure with private network isolation and authenticated administrative access

9. Cookies and Tracking

The Service uses a single session cookie to maintain your login session. This cookie is:

Strictly necessary for the Service to function (authentication only)
Set with HttpOnly, Secure, and SameSite attributes
Expires after 30 days of inactivity

We do not use any advertising cookies, tracking pixels, analytics SDKs, or behavioral tracking technologies. We do not participate in any cross-site tracking or interest-based advertising.

10. Children’s Privacy Protections

We do not condition a child’s participation in the Service on the disclosure of more personal information than is reasonably necessary to provide the speech therapy practice features (16 CFR §312.7). The information we collect (child name, age band, interests, audio recordings, and practice scores) is the minimum necessary to deliver personalized, adaptive speech therapy practice.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes to how we collect, use, or disclose children’s personal information, we will notify parents by email at the address associated with their account and post the updated policy on this page at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your parental rights, or have concerns about how we handle your child’s information, please contact us:

Briefcase AI
Email: privacy@briefcasebrain.com
Subject line: “COPPA Privacy Request”