Privacy Policy

Last updated: January 9, 2026

1. Introduction

SpEd Bot ("we," "our," or "the Service") is committed to protecting the privacy of our users and the student data they manage. This Privacy Policy explains how we collect, use, store, and protect information when you use our documentation platform for speech-language pathology services.

This Service is designed for school-based professionals working with student educational records governed by the Family Educational Rights and Privacy Act (FERPA). Please review our Terms of Service for important scope limitations.

2. Information We Collect

Account Information

  • Name and email address
  • Password (stored securely using bcrypt hashing)
  • Authentication tokens from third-party providers (e.g., Google OAuth)

Student Educational Records

You may enter student information as part of your professional documentation:

  • Student names (first and last)
  • Date of birth, grade level, school information
  • IEP goals and objectives
  • Therapy session notes and progress data
  • Assessment results and accuracy percentages
  • Progress reports and narratives

Usage Information

  • Log data (IP address, browser type, access times)
  • Feature usage patterns (for service improvement)
  • Error reports and crash logs

3. How We Use Information

We use the information we collect to:

  • Provide and maintain the Service
  • Authenticate your identity and secure your account
  • Generate AI-assisted reports and documentation
  • Improve and develop new features
  • Send service-related communications
  • Comply with legal obligations

We Do NOT:

  • Sell your data or student information to third parties
  • Use student data for advertising or marketing
  • Share student information with other users
  • Use your data to train AI models

4. AI Processing & Third-Party Services

Our Service uses artificial intelligence to help generate reports and provide assistance. Here's how we handle data sent to AI services:

What We Send to AI

  • Student first names only; last names are never sent
  • Session notes and goal information (as needed for report generation)
  • Your questions and prompts in the AI chat feature

AI Provider (OpenAI)

  • We use OpenAI's API (not the ChatGPT consumer product)
  • Data sent via API is not used to train OpenAI's models
  • OpenAI retains API data for up to 30 days for abuse monitoring, then deletes it
  • See OpenAI's Privacy Policy for details

Other Third-Party Services

  • Supabase: Database hosting and authentication
  • Vercel: Application hosting
  • Google: OAuth authentication (if you choose to sign in with Google)

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: All data is transmitted over HTTPS using TLS 1.3
  • Encryption at Rest: Database is encrypted using AES-256
  • Row-Level Security: Database policies ensure users can only access their own data
  • Secure Authentication: Passwords are hashed using bcrypt; OAuth tokens are securely managed
  • Security Headers: CSP, HSTS, X-Frame-Options, and other protections are enabled
  • Rate Limiting: API endpoints are protected against abuse

For more details, see our Security & Privacy page.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service:

  • Account data: Retained until you delete your account
  • Student records: Retained until you delete them or your account
  • AI chat history: Retained until you delete conversations or your account
  • Audit logs: Retained for 90 days for security purposes

Upon account deletion, we will delete your personal data and student records within 30 days, except where retention is required by law.

7. FERPA Compliance

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. As a tool used by school-based professionals, we support your FERPA compliance:

  • We act as a "school official" with a "legitimate educational interest"
  • Student data is accessible only to the user who entered it
  • We do not disclose student information to third parties without consent
  • You can export or delete student records at any time
  • We use reasonable security measures to protect educational records

You remain responsible for ensuring your use of the Service complies with your school or district's policies and any applicable state laws.

8. Your Rights

You have the right to:

  • Access: View all data associated with your account
  • Correction: Update or correct your account information
  • Deletion: Delete your account and all associated data
  • Export: Export your data in standard formats (PDF, DOCX)
  • Restriction: Request limitation of certain data processing

To exercise these rights, contact us at hello@spedbot.app.

9. Children's Privacy

The Service is intended for use by adult professionals (SLPs and educators), not by children directly. While the Service processes student data entered by professionals, students do not create accounts or directly interact with the Service.

We do not knowingly collect personal information directly from children under 13. If you believe a child has directly provided us with personal information, please contact us immediately.

10. Cookies & Local Storage

We use cookies and local storage for:

  • Authentication: To keep you logged in
  • Preferences: To remember your settings
  • Security: To prevent fraud and abuse

We do not use cookies for advertising or tracking across other websites.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification. The "Last updated" date at the top indicates when the policy was last revised.

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

For security-related concerns, contact hello@spedbot.app.