Privacy Policy.
How we protect your privacy.
Effective: October 1, 2025
Last Updated: October 15, 2025
Read below
Introduction
Worlds of Hello is committed to protecting the privacy and security of children who use our AI-powered language learning platform. This Privacy Policy explains how we collect, use, store, and protect personal information from children aged 2–5, in compliance with the Children's Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), and NIST privacy framework standards.
Overview
Worlds of Hello provides speech and language development services through personalized audio content, adaptive learning paths, and real-time progress tracking. We understand the importance of safeguarding children's information and have implemented comprehensive security measures aligned with federal regulations and industry best practices.
Information We Collect
We collect limited information necessary to provide effective language learning services. All data collection occurs with verifiable parental consent as required by COPPA.
Student Information:
First and last name (collected from parent or school) for account identification.
Age or date of birth to ensure age-appropriate content delivery
Gender (optional) for voice model selection
School-assigned student ID for roster management
Username (selected by child, no real names required) for secure login
Avatar selection for profile personalization
Audio recordings during speech therapy sessions for real-time speech recognition processing
Speech progress data, including pronunciation metrics and therapy session logs
Usage data, including access times, time spent on the platform, and page views
Parent Information:
First and last name for account management
Email address for communication and login
Phone number (optional) for account recovery purposes
Password (encrypted) for secure access
School Information (for institutional accounts):
School name and address for account association and service delivery
Technical Information:
Browser type for technical support (automatically collected and anonymized)
Persistent identifiers for session management
Information We Do Not Collect
We do not collect student email addresses, physical addresses, phone numbers, social security numbers, ethnicity, geolocation data, or any information unrelated to language learning services.
How We Use Information
Information collected is used exclusively for the following purposes :
Providing personalized language learning experiences adapted to each child's developmental level
Processing speech input through AI-powered recognition technology to support pronunciation development
Tracking educational progress and generating reports for parents and educators
Maintaining secure accounts with appropriate authentication measures
Communicating with parents regarding their child's progress and platform updates
Improving platform functionality through aggregated, anonymized usage analytics
Ensuring compliance with screen time limits set by parental controls
Supporting diverse accents and dialects through adaptive learning algorithms
We never use children's information for targeted advertising, marketing, or any commercial purpose beyond service delivery.
Parental Consent and Control
As required by COPPA, we obtain verifiable parental consent before collecting any personal information from children under 13. Parents have comprehensive rights and controls:
Consent Process:
During onboarding, parents must provide affirmative consent by reviewing our privacy practices and agreeing to data collection through a secure verification process.
Parental Rights:
Review all information collected from their child
Request corrections or updates to information
Revoke consent and request deletion of their child's data at any time
Set screen time limits and customize learning preferences
Receive regular progress reports
Control communication preferences
School Agreements:
For institutional accounts, schools provide consent on behalf of parents in accordance with FERPA, with appropriate data processing agreements in place.
Information Sharing and Third-Party Services
We share information only with essential service providers who support platform functionality, and only to the extent necessary for service delivery. All third-party providers are contractually required to comply with COPPA and maintain equivalent security standards.
| Third Party | Purpose | Information Shared | Compliance |
|---|---|---|---|
| Supabase | Database and authentication services | Encrypted user accounts, progress data | COPPA-compliant DPA |
| Deepgram | Speech recognition processing | Temporary audio for real-time analysis (not stored) | COPPA-compliant DPA |
| ElevenLabs | Text-to-speech generation | Text phrases for audio generation | COPPA-compliant DPA |
| Google Cloud | Infrastructure and hosting | Encrypted application data | FedRAMP authorized |
| AWS S3 | Backup storage | Encrypted backups | FedRAMP authorized |
All third parties have been notified that our service is directed at children under 13 and have signed Data Processing Agreements (DPAs) that require :
Maintaining the confidentiality and security of all data
Using information only for specified purposes
Implementing COPPA-compliant security measures
Providing breach notification within 24 hours
Deleting data upon request or contract termination
Submitting to regular security audits
We conduct quarterly reviews of all third-party providers, with the most recent assessment completed in May 2025.
Data Security Measures
We implement comprehensive security protocols aligned with NIST standards to protect the confidentiality, security, and integrity of children's information.
Encryption:
All data transmissions use TLS 1.3 minimum encryption
Database encryption using AES-256-GCM
File storage with AES-256 encryption and unique keys per file
API certificate pinning for enhanced security
Key management through AWS KMS with automatic rotation
Access Controls:
Role-based access control (RBAC) limits employee access to the necessary data only
Multi-factor authentication for all administrative accounts
Principle of least privilege enforcement
Comprehensive access logging and quarterly audits
Immediate access revocation upon employee termination
Physical Security:
SOC 2 certified data centers with 24/7 monitoring
Biometric access controls
Environmental monitoring systems
Redundant power and cooling infrastructure
Vulnerability Management:
Monthly scanning and remediation of security vulnerabilities
Annual third-party penetration testing
Critical security patches applied within 24 hours
Weekly maintenance for non-critical updates
Formal Security Program:
As required by updated COPPA regulations, we maintain a written information security program including annual risk assessments, vendor due diligence procedures, regular testing and monitoring, and continuous evaluation of security measures.
Data Retention and Deletion
We retain information only as long as necessary to provide services and comply with legal obligations.
Retention Periods:
Active student data: Duration of service agreement plus 180 days
Educational records (progress reports): 3 years per FERPA requirements
Backup data: 90-day rolling backup window
Inactive accounts: Purged after 12 months of inactivity
Transaction logs (no PII): 2 years for security and audit purposes
Secure Deletion Process:
Upon account closure or deletion request, we implement :
Cryptographic erasure using AES-256 encryption key destruction
Multiple overwrite passes for physical media
Verification of deletion across all backup systems
Certificate of destruction provided upon request
30-day processing timeframe from receipt of deletion request
Data Excluded from Deletion:
The following data may be retained after account deletion :
Aggregated, anonymized statistics for program effectiveness (no PII)
Data subject to legal holds or law enforcement requests with proper warrants
Minimal transaction logs for security audit purposes (no PII, retained 2 years)
Parents and schools can request data deletion at any time by contacting: privacy@worldsofhello.com
Data Storage and Location
All data is stored within the United States and never transferred internationally.
Storage Locations:
Primary database: Google Cloud US-East region
Backup storage: AWS S3 US-East region
Both providers are FedRAMP authorized with extensive compliance certifications
Multi-Tenancy Protections:
Information from different schools and organizations is stored with complete logical separation using :
Unique database schemas per school
Row-level security policies
Separate encryption keys per tenant
API-level isolation to prevent cross-contamination
Student Interactions and Content Moderation
Worlds of Hello is designed as a non-social platform focused exclusively on individual language learning.
Limited Interactive Features:
Children can create a private profile by selecting an avatar and username (no real names or personal information) solely for personalizing the therapy experience, not for social interaction.
No Social Features:
The platform does NOT include :
Text or video chat with any users
Message boards or public forums
Image or video uploads
Public profiles or social networking features
Communication between children
All interaction occurs between the child and the AI-powered learning system or between the child and pre-recorded family member audio content.
Marketing and Communications
We do not market products to children. All communications regarding platform features or updates are sent exclusively to parent or school administrator accounts via email withopt-in consent. Parents can control communication preferences through their account settings at any time.
Incident Response and Data Breach Procedures
We maintain a comprehensive incident response plan following NIST guidelines :
Response Protocol:
Initial threat assessment within 2 hours of detection
Immediate containment procedures to limit impact
School notification within 72 hours
Parent notification support and remediation resources
Law enforcement notification if criminal activity is suspected
Forensic investigation to determine the scope and cause
Regulatory notifications per applicable state and federal requirements
Post-incident review and security enhancement implementation
Employee Background Checks and Training
All employees with access to student data or systems undergo :
Comprehensive background checks before employment
Regular privacy and security training
Confidentiality agreement signing
Annual compliance certification
FERPA Compliance for Educational Records
For school-based implementations, Worlds of Hello complies with FERPA by :
Treating all student progress data as protected educational records
Obtaining appropriate consent from schools acting as educational agencies
Providing schools with the ability to review, correct, and delete student records
Restricting disclosure of personally identifiable information
Maintaining records for appropriate educational purposes
Supporting schools' obligations to parents regarding access to educational records
Changes to Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. Parents and schools will be notified of material changes via email at least 30 days before the effective date. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.
Contact Information
For questions, concerns, or requests regarding this Privacy Policy or your child's information, please contact:
Email: privacy@worldsofhello.com
Phone: +1 301-485-6254
Parents have the right to review, correct, or delete their child's information at any time.
Regulatory Compliance
This Privacy Policy and our data practices comply with :
Children's Online Privacy Protection Act (COPPA) and 2025 amendments
Family Educational Rights and Privacy Act (FERPA)
NIST Privacy Framework standards
State-specific privacy laws where applicable
Student Privacy Pledge commitments
We are pursuing COPPA Safe Harbor certification to demonstrate our commitment to exceeding minimum regulatory requirements.