Privacy Policy

1. Overview

ReadingVox ("we," "us," or "our") provides a text-to-speech accessibility platform for schools, districts, and website developers. This Privacy Policy describes how we collect, use, store, and protect information — with particular attention to student data — when you use our Chrome extension, website widget, website (readingvox.com), and related services (collectively, the "Service").

ReadingVox is operated by ReadingVox LLC, a company based in the United States. Our services are hosted entirely within the United States.

2. Definitions

• Student Data — personally identifiable information (PII) from education records that is provided to or collected by ReadingVox in connection with the Service, as defined by FERPA (34 CFR § 99.3).
• School — any K-12 school, school district, or educational agency that has entered into a license agreement with ReadingVox.
• Student — an individual enrolled in a School who uses the Service under a school-issued license.
• Operator — ReadingVox, acting as a "school official" under FERPA and as an "operator" under COPPA with school consent.
• Sub-Processor — a third-party service provider that processes data on behalf of ReadingVox to deliver the Service.
• De-Identified Data — data that has been stripped of all direct and indirect identifiers such that it cannot reasonably be used to identify a specific student.

3. Data We Collect

ReadingVox practices data minimization. We collect only the information strictly necessary to provide the text-to-speech service.

3.1 School License (Chrome Extension)

3.2 Developer Widget

When used as an embeddable website widget (non-school context), ReadingVox collects:

• Page URL and text content (for TTS generation and caching)
• API key (hashed; for authentication and usage metering)
• Aggregate usage metrics (pages generated, cache hits)

The developer widget does not collect any end-user personal information. No cookies, no user identifiers, no tracking pixels.

3.3 Website Visitors (readingvox.com)

Our marketing website does not use third-party analytics, advertising trackers, or behavioral tracking. We collect only:

• Information voluntarily submitted through forms (name, email, organization, for PO quotes or support requests)
• Server logs (IP address, user agent, timestamp) retained for 30 days for security monitoring

4. Data We Do Not Collect

ReadingVox does not collect any of the following:

• Student names, birthdates, physical addresses, phone numbers, or Social Security numbers
• Student grades, test scores, GPA, or academic records
• Student disability status, IEP/504 plan details, or health information
• Student race, ethnicity, religion, or demographic information
• Browsing history, search queries, or websites visited (we only receive the text sent for TTS)
• Biometric data (voice recordings of students, facial recognition, fingerprints)
• Geolocation data
• Social media profiles or contacts
• Device identifiers, IMEI, or advertising IDs

5. How We Use Data

We use collected data exclusively to:

1. Provide the text-to-speech service (convert text to audio, generate word-level timestamps)
2. Authenticate students under school-issued licenses
3. Count active student seats for license compliance
4. Cache generated audio to improve performance and reduce redundant processing
5. Provide aggregate usage reports to school administrators
6. Monitor service health, uptime, and security

We do not use Student Data for:

• Advertising or marketing of any kind
• Building student profiles or behavioral models
• Selling or renting to any third party
• Any purpose not directly related to providing the Service as described in the school agreement

6. Data Sharing & Sub-Processors

ReadingVox does not sell, rent, lease, or trade Student Data. We share data only with the following sub-processors, solely to operate the Service:

All sub-processors are contractually bound to protect data, use it only as instructed, and comply with applicable privacy laws. We maintain a current list of sub-processors and will notify schools of any changes with 30 days' notice.

We may disclose information if required by law, subpoena, or court order. In such cases, we will notify the affected school unless prohibited by law.

7. Data Storage & Security

7.1 Data Location

All data is stored and processed exclusively in the United States. Our infrastructure is located in:

• AWS US-East (Northern Virginia) — application servers and TTS generation
• Cloudflare R2 US regions — audio file storage
• US-based PostgreSQL database — application data

No student data is transferred to, processed in, or stored in any location outside the United States.

7.2 Security Measures

• Encryption in transit: All data transmitted between clients and servers uses TLS 1.2 or higher (HTTPS)
• Encryption at rest: All stored data is encrypted using AES-256
• API key security: API keys are SHA-256 hashed before storage and cannot be retrieved in plain text
• Access controls: Access to production systems is restricted to authorized personnel with multi-factor authentication
• Regular updates: Systems are patched regularly to address known vulnerabilities
• Monitoring: Automated security monitoring and anomaly detection
• Least privilege: Internal access follows the principle of least privilege

Our infrastructure providers (AWS, Cloudflare) maintain SOC 2 Type II, ISO 27001, and FedRAMP certifications.

8. Data Retention & Deletion

Upon license termination: All Student Data associated with the school license is permanently deleted within 60 calendar days. We provide written confirmation of deletion upon request.

On-demand deletion: Schools may request deletion of specific student records at any time by contacting privacy@readingvox.com. We will process deletion requests within 30 calendar days.

9. Parental & Student Rights

Parents and eligible students have the following rights regarding Student Data processed by ReadingVox:

• Right to access: Request a copy of Student Data we hold
• Right to correction: Request correction of inaccurate data
• Right to deletion: Request deletion of Student Data
• Right to portability: Receive Student Data in a structured, machine-readable format
• Right to opt out: The School may disable the Service for specific students at any time

To exercise these rights, parents should contact their child's school, which may then submit a request to ReadingVox. Parents may also contact us directly at privacy@readingvox.com and we will coordinate with the school.

10. School Responsibilities

Under FERPA and COPPA, schools are responsible for:

• Providing consent on behalf of students and parents for ReadingVox to collect and process Student Data as a "school official" under FERPA
• Providing "verifiable consent" under COPPA for students under 13
• Notifying parents/guardians that ReadingVox is being used and directing them to this Privacy Policy
• Managing student accounts and disabling access when a student no longer needs the Service
• Contacting ReadingVox to request data access, correction, or deletion on behalf of students

11. AI-Powered Features

ReadingVox includes an optional AI vocabulary simplification feature that uses a large language model to replace difficult words with simpler alternatives.

How AI Processing Works

• When activated, the text of the current paragraph is sent to our server for processing
• Our server sends only the text content to the AI model — no student identifiers, no email addresses, no metadata
• The AI model returns a simplified version of the text, which is displayed on the page
• Simplified text is cached locally (in the browser) for performance; it is not stored on our servers

AI Data Commitments

• No student PII is sent to AI model providers
• Text sent for simplification is not used to train AI models
• Text is processed in real time and not retained by the AI provider after the response
• The AI feature is optional and can be disabled by school administrators

12. Cookies & Tracking

Chrome Extension: The ReadingVox Chrome extension does not use cookies. User preferences (voice, speed, theme) are stored locally via chrome.storage.sync (managed by the Chrome browser) and are not sent to our servers.

Website Widget: The embeddable widget does not set any cookies or use any tracking technologies.

Marketing Website: readingvox.com uses only essential cookies required for authentication (for logged-in dashboard users). We do not use third-party analytics, advertising cookies, or behavioral tracking of any kind.

13. FERPA Compliance

ReadingVox complies with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g; 34 CFR Part 99.

• ReadingVox acts as a "school official" with a legitimate educational interest as defined by FERPA § 99.31(a)(1)
• We use Student Data only for the purposes specified in the school agreement
• We do not re-disclose Student Data except as permitted by FERPA or directed by the school
• We maintain direct control of Student Data and do not allow sub-processors to use it for their own purposes
• Schools retain ownership of all Student Data at all times
• We support schools in responding to parent requests for access, correction, and deletion

14. COPPA Compliance

ReadingVox complies with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501-6506; 16 CFR Part 312.

• We rely on school consent (acting in loco parentis) for the collection of limited student information for students under 13, as permitted under COPPA § 312.5(c)(3)
• We collect only information reasonably necessary to provide the Service
• We do not condition participation on providing more information than is reasonably necessary
• We provide schools the ability to review, delete, and refuse further collection of their students' information
• We maintain reasonable security procedures to protect student information
• We retain student information only for as long as necessary to fulfill the purpose for which it was collected

15. SOPIPA Compliance

ReadingVox complies with the Student Online Personal Information Protection Act (SOPIPA), California Business and Professions Code §§ 22584-22584.5, and equivalent laws in other states.

• We do not use Student Data for targeted advertising
• We do not use Student Data to create advertising profiles
• We do not sell Student Data
• We do not use Student Data for any purpose other than providing the educational service
• We implement reasonable security procedures
• We delete Student Data when no longer needed for the educational purpose
• We disclose material changes to this policy to schools before they take effect

16. State Student Privacy Laws

ReadingVox is designed to comply with state student privacy laws, including but not limited to:

• California — SOPIPA, CalOPPA, CCPA (as applicable to non-student data)
• New York — Education Law § 2-d
• Colorado — Student Data Transparency and Security Act
• Connecticut — PA 16-189
• Illinois — Student Online Personal Protection Act (SOPPA)
• Texas — HB 89, Student Privacy Act
• Virginia — Student Personal Information Privacy Act
• And all other states with student privacy legislation

We are happy to sign your state or district's specific Data Processing Agreement. Contact privacy@readingvox.com with your DPA template.

17. Breach Notification

In the event of a security breach that results in unauthorized access to Student Data:

1. We will notify affected schools within 72 hours of discovering the breach
2. Notification will include: the nature of the breach, the data involved, steps taken to contain and remediate, and recommended actions for the school
3. We will cooperate fully with school and law enforcement investigations
4. We will provide free identity monitoring services to affected individuals if personal information was compromised
5. We will provide a post-incident report with root cause analysis and prevention measures

We maintain an incident response plan that is reviewed and tested annually.

18. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

• We will provide 30 days' advance notice to schools before material changes take effect
• Notice will be sent via email to the school's primary contact and posted on our website
• Schools may terminate their agreement if they do not accept the changes
• Non-material changes (clarifications, formatting) may be made without advance notice

The "Last Updated" date at the top of this policy reflects the most recent revision.

19. Contact Information

For questions about this Privacy Policy, to request a Data Processing Agreement, or to exercise data rights:

We aim to respond to all privacy-related inquiries within 5 business days.