Legal

Privacy Policy

Effective date: March 17, 2026 · Speak AAC · support@speakaac.org

Plain-language summary: Speak collects as little data as possible. The app runs entirely on your device for core communication. If you create an account, we store your profile settings and event logs in a secure database so they sync across devices. We never sell your data. We never advertise. We have no third-party trackers.

If your child is under 13, a parent or guardian must create and manage their account. The child themselves does not create an account.

1. Who we are

Speak AAC is operated by Speak AAC LLC, a Kansas company. You can reach us at support@speakaac.org.

2. What data we collect and why

If you use the app without an account (Free plan, local only):

No data leaves your device. All settings, profiles, and communication history are stored only in your browser's local storage.
We cannot see it. We do not transmit it.

If you create an account (paid plans or cloud sync):

Email address — used for login and account communication only.
Child's first name and age range — used to personalize the app interface. We do not collect full names, birthdates, or school information.
Diagnosis profile selection — used only to configure the appropriate symbol set and layout. Never shared or sold.
Communication event logs — a timestamped record of which symbols were tapped, which categories were used, and whether the safety channel was activated. Stored securely and accessible only to the account holder and designated teacher/provider accounts.
Safety contact name and email — stored only on your device (local storage). Not transmitted to our servers. Used solely to send the silent safety alert.

What we never collect:

Social Security numbers or government IDs
Precise location data
Microphone recordings or audio
Behavioral advertising profiles
Data from any source other than your direct use of Speak

Custom symbol photos: If you upload photos to create custom symbols (in Provider Settings → My Symbols), those photos are stored only on your device in local browser storage. They are never transmitted to our servers.

3. Children under 13 — COPPA compliance

Speak is designed to be used by nonverbal children but set up and managed by a parent, guardian, or provider. We comply with the Children's Online Privacy Protection Act (COPPA).

Children under 13 do not create Speak accounts directly. Accounts are created and controlled by a parent, guardian, therapist, or school administrator.
We do not knowingly collect personal information directly from children under 13.
The communication event log (what symbols the child taps) is stored under the parent or guardian's account, not the child's.
If you believe we have inadvertently collected information from a child under 13 without parental consent, contact us immediately at support@speakaac.org and we will delete it within 5 business days.

4. How we store and protect your data

Account data is stored in Supabase, a secure cloud database provider that uses AES-256 encryption at rest and TLS 1.2+ in transit. Supabase is SOC 2 Type II certified. Row-level security (RLS) is enabled on all tables — your data is only accessible to your account. No Speak employee or contractor has routine access to user data.

Safety contact information is stored only on your device in browser local storage. It is never transmitted to our servers.

5. Safety alerts

When the private safety channel is activated, the app sends an email to the trusted contact address you configured using EmailJS, a third-party email delivery service. The content of that email includes the child's first name, the reason selected, and the last message the child tapped. This email is sent directly from your browser — Speak's servers never see it or store it. EmailJS's privacy policy is available at emailjs.com.

6. Payments

Payments are processed by Stripe. We never see or store your full card number. Stripe is PCI DSS Level 1 certified. Your billing information is governed by Stripe's privacy policy at stripe.com/privacy.

7. HIPAA — Clinic and Institution users

If you are a licensed healthcare provider, speech-language pathologist, school district, rehabilitation center, or care facility using Speak under a Clinic or Institution subscription, additional protections apply under the Health Insurance Portability and Accountability Act (HIPAA).

Business Associate Agreement (BAA): Before any patient data enters the Speak system under a clinical account, you and Speak AAC LLC must execute a signed Business Associate Agreement. To request a BAA, email support@speakaac.org with the subject line "BAA Request." We will return a signed copy within 3 business days.
Minimum necessary standard: We access, use, or transmit only the minimum protected health information (PHI) necessary to deliver the service. Patient identifiers are stripped before any data is passed to AI services (§ 164.502(b)).
Patient rights under HIPAA: Patients and their guardians have the right to access their PHI (§ 164.524), request amendments (§ 164.526), receive an accounting of disclosures (§ 164.528), and request restrictions on certain uses (§ 164.522). Submit requests to support@speakaac.org. We will respond within 30 days.
Breach notification: In the event of a breach of unsecured PHI, we will notify the Covered Entity within 5 business days of discovery, consistent with 45 CFR § 164.410 and the terms of your BAA.
Subprocessors with BAAs: Our infrastructure vendors who may process ePHI under clinical accounts — Supabase (database), Netlify (hosting), and Anthropic (AI sentence generation) — each maintain signed BAAs with Speak AAC LLC.
Complaint to HHS: If you believe your HIPAA rights have been violated, you may file a complaint with the HHS Office for Civil Rights at hhs.gov/ocr/complaints without retaliation from Speak.

8. Third-party services we use

Supabase — database and authentication (supabase.com)
Anthropic — AI sentence generation via Claude API (anthropic.com) — patient identifiers are never included in prompts
EmailJS — safety alert delivery (emailjs.com)
Stripe — payment processing (stripe.com)
Mulberry Symbols — AAC symbol pictograms by Garry Pye, used under Creative Commons BY-SA 4.0 (mulberrysymbols.org)
Netlify — web hosting (netlify.com)

We have no advertising networks or social media trackers embedded in Speak. Analytics (Google Analytics) are loaded only with your explicit consent and do not run on any page that handles clinical data.

9. Data retention and deletion

Your account and all associated data can be deleted at any time by emailing support@speakaac.org with the subject line "Delete my account." We will permanently delete all stored data within 5 business days and confirm by email.

Local-only data (no account) can be deleted at any time by clearing your browser's site data for speakaac.org.

For clinical accounts: upon termination of the service agreement, all PHI will be returned or securely destroyed within 30 days, with written confirmation provided.

10. Your rights

Depending on where you live, you may have rights under COPPA (US), GDPR (EU/UK), CCPA (California), or HIPAA (clinical accounts) to access, correct, or delete your data. To exercise any of these rights, email support@speakaac.org. We will respond within 30 days.

11. Changes to this policy

If we make material changes to this policy, we will update the effective date at the top and notify account holders by email at least 14 days before the change takes effect.

Questions or data requests

Email support@speakaac.org — Speak AAC LLC, Kansas.

For COPPA inquiries use subject "COPPA Request" · For HIPAA/BAA inquiries use subject "BAA Request" · We respond within 5 business days.