Privacy Policy

Effective Date: 2026-07-10

Last Modified: 2026-07-10

Service: Reading Compass, operated by BLEKS Education Technology Solutions, Inc.

A. Introduction and Scope

BLEKS Education Technology Solutions, Inc. (“BLEKS,” “we,” “us,” or “our”) respects the privacy of the children whose parents and legal guardians (collectively, “Parents”) choose Reading Compass for early-literacy assessment, and we are committed to protecting that privacy through compliance with this Privacy Policy (“Policy”). This Policy describes:

  • The types of information we collect or that you or your child may provide when you create a Parent account on readingcompass.ai (the “Website”), enroll one or more Children, use the Reading Compass iOS application (the “App”), or interact with our customer support, transactional email, or related services (collectively with the Website and App, the “Service”).
  • Our practices for collecting, using, maintaining, protecting, and disclosing that information.
  • The verifiable parental consent we obtain from Parents before collecting personal information from a Child under 13, as required by the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506, and its implementing rule, 16 CFR Part 312 (collectively, “COPPA”), including the Federal Trade Commission's 2025 amendments to the COPPA Rule, effective June 23, 2025, with a compliance deadline of April 22, 2026 (the “2025 Amended COPPA Rule”).

This Policy applies only to information we collect through the Service. This Policy does NOT apply to information that:

  • We collect offline or on any other BLEKS websites or applications that are not part of the Service.
  • You or your Child provide to or that is collected by any third party, including other apps, websites, services, or content that may link to or be accessible from or through the Service, except as described in Section F (Disclosures to Service Providers).

Please read this Policy carefully to understand our policies and practices regarding your and your Child's information and how we will treat it. If you do not agree with our policies and practices, do not create a Parent account on the Website, enroll any Child, or use the App. By creating a Parent account, enrolling a Child, or otherwise using the Service, you agree to this Policy. We may update this Policy from time to time (see Section O, Changes to This Policy). Your continued use of the Service after we revise this Policy means you accept those changes; please check this Policy periodically for updates.

The Website (where Parents create accounts, complete the verifiable-parental-consent flow, manage subscriptions, and view dashboards) and the App (which the Child uses on an iOS device to record reading sessions) are jointly governed by this Policy. There is no separate website privacy policy.

B. Summary for Parents

What Reading Compass is. Reading Compass is a reading-assessment service for children ages 3–11. A Child reads short passages aloud on an iOS device; the recordings are transcribed and scored, and a Parent reviews the results in a dashboard. The Service does not include behavioral advertising, ad networks, third-party social-media features, or chat with other users.

Who is in charge. BLEKS is the operator of the Service and the entity that decides what data is collected and how it is used. A Parent must verify identity and consent before any Child can use the Service.

What we collect from a Child. The categories of personal information we collect from or about a Child are: (i) the Child's first name or nickname (no last name); (ii) the Child's date of birth, used to derive an age band that determines reading content; (iii) audio recordings of the Child reading aloud; (iv) reading-performance scores and transcripts derived from the audio; and (v) a pseudonymous internal identifier the Service uses to link the Child's records to the Parent's account.

What we DO NOT collect from a Child. The App does not collect a Child's last name, home or school address, telephone number, email address, geolocation, contacts, photos or videos, persistent identifiers used for ad-targeting, behavioral-tracking data across other sites or services, or any analytics from third-party SDKs in the child-facing flow. The device camera provides a live on-screen framing view during a session solely to help the Parent position the Child; nothing from the camera is recorded, captured, or saved. There are no ad networks, analytics SDKs, or social-media plug-ins in the App's child-facing flow.

How we use it. We use the Child's audio and assessment data to generate the Child's reading assessment, deliver the results to the Parent, and operate, maintain, and improve the Service. We do not use the Child's data to advertise to the Child or to any other person.

Who we share it with. We share the Child's audio only with the subprocessors that need it to transcribe, score, and host it — OpenAI (speech-to-text transcription and AI-assisted scoring) and our cloud-hosting subprocessor(s) for storage; see Section F for the current named list and the integral-processor designation for OpenAI. Payment processing (Stripe) and transactional email (MailerLite) do not receive Child audio or any other Child personal information. Application crash reporting (Sentry) receives only device-diagnostic data and is contractually required to scrub any voice payload from crash traces before storage. The full subprocessor list is in Section F. We do not sell or rent personal information of any Child.

Your rights as a Parent. At any time, you may review, correct, or delete your Child's information, withdraw consent for further collection, or request deletion of all information associated with your Child. We explain how in Sections J and K.

How to contact us. See Section P (Contact Information).

C. Information We Collect

We collect personal information from a Child only after the Child's Parent has reviewed this Policy and provided verifiable parental consent (“VPC”) as described in Section E. Subject to those VPC requirements, we collect the following categories of personal information from or about a Child. Each category below is integral — that is, we collect it because it is reasonably necessary to provide the Reading Compass Service to which the Parent has subscribed and consented.

C.1 Information the Parent Provides at Enrollment

Parent contact information: Parent's full name, email address, and (optional) phone number, collected when the Parent creates an account on the Website. This is used to authenticate the Parent, to deliver the Service, to provide account notices, and to contact the Parent in connection with the VPC process. Parent contact information is not a Child's personal information under COPPA, but it is treated under this Policy with the same diligence as Child information.

Parent payment information: A credit card, debit card, or other payment-method token managed by our payment subprocessor, Stripe, Inc. (“Stripe”). BLEKS does not store unmasked card numbers. The payment-method transaction itself is also the primary mechanism by which we obtain VPC under 16 CFR §312.5(b)(2)(ii) (see Section E.1).

Child enrollment information: For each Child the Parent enrolls, the Parent provides the Child's first name or nickname only and date of birth. Date of birth is used to derive an age band (which determines which reading passages are presented) and is then stored as the derived age band; we retain the literal birth date in the Service after age-band derivation only for the purposes of adjusting the age band when necessary except as required to comply with COPPA's actual-knowledge-based protections.

What we do NOT collect at enrollment: We do not request or collect the Child's last name, home address, school name, telephone number, email address, photograph or video (the App's camera provides a live on-screen framing view during a session; no image or video is captured or stored), Social Security number, or any other category of personal information beyond what is listed above.

C.2 Information We Collect Automatically from the Child During a Reading Session

When a Child uses the App to complete a reading session, the App and the supporting Service automatically collect the following:

Audio recording: The full audio clip of the Child reading the assigned passage aloud. The audio is transmitted from the user device to our hosting environment (see Section F.2 for the current hosting subprocessors) using industry-standard encryption in transit, stored at rest under industry-standard encryption, and routed to our subprocessor OpenAI for automated speech-to-text transcription and AI-assisted scoring (see Section F.3 for subprocessor details).

Camera (live framing view only — nothing recorded): During a reading session the device camera provides a live, on-screen view used solely to help the Parent position the Child. Nothing from the camera is recorded, captured, stored, or transmitted. The Service does not collect photographs, video, or any image of the Child, and does not perform face recognition of any kind. If we add features that capture images or video in the future, we will update this Policy, provide direct notice to each affected Parent, and obtain any fresh verifiable parental consent required before such a feature is enabled (see Section O).

Pseudonymous Child identifier: A randomly-generated, non-guessable internal identifier the Service uses to associate a Child's audio recordings and assessment results with the Parent's account. The pseudonymous identifier is not the Child's first name or nickname, is not derived from the Child's date of birth, and is not reused outside the Service. It is, however, a “persistent identifier” within the meaning of 16 CFR §312.2. During the QR-code handoff from the Website to the App (where the Parent initiates a Child's session), the App receives only a short-lived, automatically expiring session token bound to the pseudonymous Child identifier; no Parent personally identifying information passes to the iOS device, and no durable Child identity is stored on the device.

Device-level diagnostic data: iOS device model, OS version, and App version, used solely to diagnose crashes and ensure App compatibility. Crash reports are routed through Sentry, which is contractually required to scrub voice payloads from any crash trace before storage (see Section F.5). No advertising identifier (IDFA), no IP-address-based location, and no third-party SDK collects analytics from the child-facing flow.

C.3 Information We Do NOT Collect Automatically

The App and Service do NOT collect any of the following from a Child:

  • Geolocation data (GPS, cell-tower, Wi-Fi, or IP-derived location).
  • Persistent identifiers used for cross-context behavioral advertising or for tracking the Child across other apps, websites, or services.
  • Contacts, calendar, photos or videos (see §C.2 — the camera provides a live framing view only; nothing is captured or stored), or other on-device content.
  • Biometric identifiers used for recognition of the individual Child.
  • Device advertising identifiers (IDFA, GAID, or equivalents).
  • Third-party SDK data in the child-facing flow.
  • Information from social-media plug-ins, chat features, or in-app user-to-user communication (there are none in the App).

D. Biometric Identifiers

D.1 What the Service Does With the Child's Voice

When the App captures the audio of a Child reading a passage aloud, the audio file is sent to BLEKS's hosting environment and from there to our subprocessor OpenAI for automated speech-to-text transcription and AI-assisted scoring of the Child's reading performance against the assigned passage. The output stored against the Child's pseudonymous internal identifier is the transcript and the scoring metrics; the audio file itself is retained for a defined dashboard-accessible playback window (see Section J) and then deleted.

The Service does NOT:

  • Generate, store, or derive a voiceprint, voice geometry, or any other recognition-capable artifact that could be used to identify the Child against an arbitrary other recording.
  • Use the Child's voice to authenticate the Child (the Service does not perform voice biometrics for login, access control, or any other identification function).
  • Make voice data available to any party for use in voice-recognition systems.

D.2 Conditional Aggregate-Training Language

In the future, BLEKS may use a Child's audio data for the purpose of computing population-level acoustic and phonetic features (such as aggregate distributions of phoneme duration, mispronunciation rates, or pause patterns across many Children at a given age band) to improve the accuracy of the Service's transcription and scoring for all users. Such use:

  • Is never linked to the Child's pseudonymous identifier in the training output.
  • Does not produce a voiceprint, a voice-recognition model that can be used to identify any specific Child, or any other recognition-capable artifact.

E. Verifiable Parental Consent

E.1 Primary VPC Method: Monetary Transaction

Before a Child can use the App, the Child's Parent must (i) create an account on the Website, (ii) review this Policy in full, (iii) complete a paid subscription transaction — or, during any free or beta period of the Service, a nominal card-verification charge that is promptly refunded — processed by Stripe (for Website checkouts) or by Apple In-App Purchase (for App Store checkouts) using a credit card, debit card, or other online payment method that notifies the primary account holder of each transaction, and (iv) affirmatively check a consent box stating that the Parent has read this Policy and consents to BLEKS's collection, use, and disclosure of the Child's personal information as described in this Policy.

The Parent's completion of the payment transaction described above is the verifiable-parental-consent event for purposes of 16 CFR §312.5. BLEKS retains a record of the consent event including the timestamp, the Parent's IP address, the version of this Policy in effect at the time of consent, and a transaction reference from Stripe (for Website checkouts) or Apple (for App Store checkouts).

E.2 Multi-Child Households

A single VPC event under Section E may cover all Children whom the Parent enrolls at the time of the event. If the Parent later adds an additional Child to the same Parent account, the Parent must complete a fresh consent event for that specific Child before the App will be made available to that Child. The fresh consent event may be implemented as either: (i) a new monetary-transaction event (which is the typical case where the additional Child is a new subscription); or (ii) an in-Service VPC re-confirmation linked to the Parent's existing payment-method on file, where the Parent affirmatively re-acknowledges this Policy and the new Child enrollment, and Stripe re-validates the payment instrument.

Per-Child Individuated-Consent Escape Hatch. A Parent may at any time elect to provide individuated, per-Child consent for one or more of the Parent's enrolled Children (for example, to revoke consent for one Child while preserving consent for another). The Parent may do so via the account-settings interface in the Service or by contacting BLEKS at the contact address in Section P.

E.3 Parental Right to Refuse Further Collection and to Review or Delete

Section J describes the Parent's rights to review, correct, or delete the Child's personal information and to refuse further collection. The Parent may withdraw consent at any time. Upon withdrawal of consent, BLEKS will: (i) cease all further collection of the Child's personal information; and (ii) delete the Child's personal information from active systems within the timeframe described in Section J.

F. Disclosures to Service Providers and Subprocessors

F.1 General Principle

We do not sell, rent, or share personal information of any Child to any third party except as described in this Section F. We disclose Child personal information only to service providers and subprocessors that: (a) are bound by written contractual confidentiality and security obligations no less protective than this Policy; (b) use the information solely to provide services to BLEKS; (c) are prohibited from using the information for their own purposes, including model training where applicable (see Section F.3); and (d) are required to return or destroy the information upon termination of the engagement.

F.2 Named Subprocessors — Reading Compass Subprocessor List

The following subprocessors are presently engaged by BLEKS to provide the Service:

SubprocessorWhat it doesData it touches
OpenAI, LLC (“OpenAI”)Automated speech-to-text transcription of Child audio and AI-assisted scoring of the resulting transcript against the assigned reading passage. See Section F.3 for the integral-processor disclosure and §312.8 written-assurance posture.Child audio, transcripts, and scoring outputs
Stripe, Inc. (“Stripe”)Payment processing for Parent subscriptions and the monetary-transaction VPC event described in Section E.1.Parent payment information. Stripe does NOT receive Child audio, Child first name or nickname, or Child age band.
MailerLite, Inc. (“MailerLite”)Transactional email (subscription receipts, password resets, account-event notifications) and, for Parents who have separately opted in, marketing email.Parent email address and Parent name. MailerLite does NOT receive any Child personal information.
Amazon Web Services, Inc. (“AWS”)Hosting and storage of the Service backend, including the storage where Child audio is held at rest under industry-standard encryption and the databases where pseudonymous Child records and Parent account records are stored. All in-transit data is protected with industry-standard encryption.Child audio (encrypted in transit and at rest), pseudonymous Child identifiers, and Parent account records
Render Services, Inc. (“Render”)Hosting and storage of the Service backend, in the same categories described for AWS above.Child audio (encrypted in transit and at rest), pseudonymous Child identifiers, and Parent account records
Sentry, Inc. (“Sentry”)Application crash reporting and error monitoring. Sentry is contractually required to scrub any voice payload (audio file, transcript) from any crash trace before storage.Device-level diagnostic data (iOS version, App version, crash stack trace) and may incidentally receive non-content identifiers. Sentry does NOT receive Child audio content, Child first name or nickname, or assessment results.

F.3 OpenAI as Integral Processor

Role. OpenAI provides two integral processing functions for the Service: (i) automated speech-to-text transcription of the Child's audio recording; and (ii) AI-assisted scoring of the resulting transcript against the assigned reading passage to generate the Child's reading-performance score.

Contractual configuration. BLEKS engages OpenAI under OpenAI's standard commercial API terms, configured so that:

  • OpenAI does not train any of its models on Child audio or transcripts transmitted via the API. This non-training configuration is the default for OpenAI's commercial API and is preserved by contract.
  • OpenAI retains submitted API inputs for no more than 30 days for abuse-monitoring purposes, after which they are deleted.
  • OpenAI is contractually prohibited from using the Child's data for any purpose other than providing the transcription and scoring services to BLEKS, from disclosing the Child's data to any third party (other than OpenAI's own infrastructure subcontractors operating under flow-down obligations no less protective than OpenAI's obligations to BLEKS), and from selling, renting, or otherwise commercializing the Child's data.

Reasonable §312.8 assurances. BLEKS has determined that OpenAI is capable of maintaining the confidentiality, security, and integrity of Child personal information based on: (i) OpenAI's contractual commitments described above; (ii) OpenAI's published security practices including SOC 2 Type II reporting; (iii) OpenAI's compliance representations regarding applicable data-protection laws; and (iv) BLEKS's ongoing vendor-management review of OpenAI's practices on at least an annual basis.

F.4 Stripe, MailerLite, Render/AWS, Sentry — Standard Subprocessor Posture

Each of Stripe, MailerLite, Render, AWS, and Sentry is engaged under written contractual terms requiring: (i) use of the data solely for the purpose of providing the specified service to BLEKS; (ii) administrative, technical, and physical safeguards no less protective than those described in Section L; (iii) breach notification to BLEKS within the timeframes consistent with applicable law (and in any event without unreasonable delay); (iv) return or secure destruction of the data on termination of the engagement; and (v) subcontractor flow-down of these obligations.

F.5 Sentry Voice-Payload Scrubbing

Sentry is contractually required to apply server-side scrubbing rules to any incoming crash trace to remove payloads before storage. Stack traces that nonetheless contain residual voice content will be quarantined and deleted, not indexed.

F.6 Other Permitted Disclosures

In addition to the disclosures to subprocessors described above, we may disclose Child personal information:

  • To comply with law or legal process. We may disclose personal information to comply with any court order, law, or legal process, including to respond to any government or regulatory request (such as a subpoena, warrant, or civil-investigative demand). We will, where lawful, notify the affected Parent before complying.
  • To protect safety or rights. We may disclose personal information if we believe disclosure is necessary or appropriate to protect the safety of a Child, to protect the security and integrity of the Service, or to defend the legal rights of BLEKS.
  • To law enforcement. We may disclose personal information to law-enforcement agencies in connection with an investigation related to public safety or to the safety of a Child.
  • In connection with a sale or transfer of the business. If BLEKS is involved in a merger, divestiture, restructuring, reorganization, dissolution, asset sale, or similar transaction (including a bankruptcy or liquidation in which the business is not continuing as a going concern), Child personal information may be transferred as part of that transaction, subject to the receiving entity's written commitment to abide by this Policy (or a successor policy no less protective) and to provide Parents with notice and a meaningful opt-out before any use materially inconsistent with this Policy.

G. Persistent Identifiers and Internal Operations Limits

The Service uses one or more persistent identifiers within the meaning of 16 CFR §312.2 — most notably the pseudonymous internal identifier described in Section C.2 used to associate a Child's audio recordings and assessment results with the Parent's account. The Service's use of persistent identifiers is strictly limited to support for the internal operations of the Service, as that term is defined in 16 CFR §312.2.

Permitted internal-operations uses. The Service uses persistent identifiers solely to:

  • Maintain and analyze the functioning of the Service (including detection of errors and unauthorized access).
  • Perform network communications necessary to deliver the Service.
  • Authenticate the Parent's account.
  • Protect the security and integrity of the Service, including detection of fraudulent VPC events.
  • Comply with legal obligations.

Prohibited uses. The Service does NOT use any persistent identifier for any of the following purposes:

  • Behavioral advertising or targeted advertising of any kind, to a Child or otherwise.
  • Building or augmenting a profile of a specific Child for any purpose other than the Child's own reading assessment within the Service.
  • Cross-context tracking of a Child across other apps, websites, or services.
  • Sharing with advertising networks, data brokers, or analytics vendors that operate behavioral advertising or audience-targeting services.
  • Direct contact with a Child (the Service does not contact the Child directly; all communications are routed to the Parent).
  • Collection beyond what is necessary for internal operations.

H. Future Data Uses (AI Improvement Consent)

H.1 The AI Improvement Consent Setting

Use of a Child's identifiable recordings (audio, or any transcript linked to the Child's pseudonymous identifier) for training, accuracy improvement, or research purposes beyond the de-identified, aggregate uses described in Section D.2 is governed by a separate, optional “AI Improvement Consent” setting associated with the Parent's account. This setting is OFF by default for every account. The Service functions identically whether or not the Parent enables it: no feature, discount, content, or level of quality is conditioned on the Parent's choice.

H.2 Activation Notice

Before BLEKS begins using any data under this Section H for any account, BLEKS will provide fresh direct notice to each affected Parent describing the actual data flow, update this Policy accordingly, and obtain any additional consent then required by law.

H.3 Per-Recording Consent State

Each recording is stamped at collection with the setting's then-current state. Recordings collected while the setting is OFF are not used for the purposes described in this Section H even if the Parent later turns the setting ON; enabling the setting affects only data collected afterward.

H.4 Revocation

If the Parent turns the setting OFF, or deletes the Parent's account, BLEKS will cease use of the Child's data under this Section H within 30 days: new processing will exclude the Child's data, in-flight processing will drop it, and any archived contributions will be flagged as withdrawn.

I. State Law Overlays

I.1 Texas — Student Privacy Act

BLEKS is foreign-registered in Texas and committed to the privacy protections that the Texas Student Privacy Act, Tex. Educ. Code §§ 32.151–32.157, provides to Texas students. Although Reading Compass is presently a consumer-purchase Service (purchased by a Parent rather than by a Texas school district) and therefore is not within the literal scope of the Texas Student Privacy Act's “operator” definition, BLEKS voluntarily aligns with the Act's substantive protections, including:

  • No sale of child personal information.
  • No targeted advertising on the basis of student personal information.
  • No building of a personal profile of a student for non-educational purposes.
  • Restrictions on disclosure of student personal information to third parties.
  • Deletion of student personal information on request.

I.2 Texas — App Store Accountability Act (SB 2420)

The Texas App Store Accountability Act, Tex. SB 2420, was enacted in 2025 and imposes certain age-verification, deletion-on-request, and data-handling obligations on app operators in Texas. The Act's enforceability is currently the subject of ongoing federal litigation. Regardless of the Act's current status, BLEKS voluntarily commits to a regime consistent with the privacy-best-practice substance of the Act, including:

  • Deletion of Child personal information on Parent request within the timeframes described in Section J.
  • Age verification through the Parent's VPC event described in Section E rather than through any device-level age signal mandated by SB 2420.
  • No reliance on App Store age signals for COPPA compliance; COPPA compliance is achieved through the Parent VPC process.

BLEKS monitors the litigation and will update this Policy if additional compliance steps become required.

I.3 Texas — Capture or Use of Biometric Identifier Act (CUBI)

The Service's audio processing does not generate a recognition-capable artifact and therefore does not trigger CUBI's notice-and-consent requirements at Tex. Bus. & Com. Code § 503.001(b).

I.4 Illinois — Biometric Information Privacy Act (BIPA)

The Service's audio processing does not generate a “voiceprint” within the meaning of 740 ILCS 14/10 and therefore does not trigger BIPA's written-policy, notice, and consent requirements at 740 ILCS 14/15.

I.5 California — CCPA/CPRA, AB 2273, and ARL

If you or your Child is a California resident, the following rights and protections apply:

CCPA/CPRA (Cal. Civ. Code §§ 1798.100 et seq.). Reading Compass does not “sell” or “share” personal information for cross-context behavioral advertising. California residents have the right to (i) know what personal information is collected, used, disclosed, and sold or shared; (ii) delete personal information; (iii) correct inaccurate personal information; (iv) limit the use and disclosure of sensitive personal information; and (v) opt out of the sale or sharing of personal information (which, for Reading Compass, is moot because no such sale or sharing occurs); and (vi) to the extent applicable under the California Privacy Protection Agency's automated decision-making technology (“ADMT”) regulations, opt out of automated decision-making and access information about it. Reading Compass's reading-assessment scoring is automated; BLEKS will honor applicable ADMT rights as those regulations come into force against operators of BLEKS's size.

CCPA Opt-In for Minors (Cal. Civ. Code §§ 1798.120(c)–(d)). Reading Compass does not sell or share personal information of any user under 16, and we obtain affirmative VPC for all Children under 13 as described in Section E.

AB 2273 (Cal. Civ. Code §§ 1798.99.28–1798.99.40). To the extent AB 2273 applies and is enforceable, BLEKS aligns with its data-protection-by-default, age-appropriate-design, and impact-assessment substantive standards.

ARL (Cal. Bus. & Prof. Code §§ 17600 et seq., as amended by AB 2863 effective July 2025). Reading Compass subscription auto-renewal disclosures and cancellation mechanisms comply with ARL. Specifically, before the Parent's subscription auto-renews, BLEKS provides the renewal notice required by Cal. Bus. & Prof. Code § 17602(b) and the cancellation mechanism required by § 17602(c) (as amended).

To exercise any California right, please contact us using the methods described in Section P.

I.6 Delaware — DOPPA

Reading Compass is operated by BLEKS, a Delaware corporation. The Delaware Online Privacy and Protection Act, Del. Code tit. 6, ch. 12C, applies to operators of online services directed to Delaware residents (and, for some provisions, Delaware children). Reading Compass complies with DOPPA, including the prohibition on marketing certain categories of products to minors and the requirement to maintain a privacy policy that meets the content requirements of Del. Code tit. 6, § 1205C.

I.7 Other States

If you or your Child is a resident of Colorado, Connecticut, Indiana, Iowa, Kentucky, Maryland, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Utah, Virginia, or another state with a general consumer privacy law, you may have additional rights under that state's law, including the right to confirm processing, access, correct, delete, port, and (where applicable) opt out of sales, targeted advertising, or profiling. To exercise any such right, please contact us using the methods described in Section P. We will respond consistent with the applicable state law.

I.8 Other Laws — Voluntary Alignment

While certain privacy regulations may not strictly govern our specific data-handling activities or corporate structure, BLEKS remains dedicated to upholding high standards of data stewardship. Consequently, we often align our internal operations with the protective principles found in various statutes even when not legally compelled to do so. Our voluntary adoption of these industry best practices for the benefit of our users does not, however, constitute a waiver of our jurisdictional defenses or a formal submission to the authority of those non-applicable legal frameworks.

J. Retention, Deletion, and Parental Rights

J.1 Retention Schedule

BLEKS retains Child personal information only as long as is reasonably necessary to fulfill the purposes for which it was collected and to comply with legal obligations. The table below describes our default retention by data class.

Data classDefault retention
Child audio recordingRetained in dashboard-accessible storage for 90 days from the date of the reading session, to enable the Parent to review the recording. After 90 days, the recording is purged from active storage.
Child transcript and assessment scoreRetained for the duration of the Parent's account, to support longitudinal reading-progress tracking. The Parent may delete any or all transcripts and scores at any time via the account-settings interface.
CameraNo retention — nothing from the camera is recorded, captured, or stored.
Pseudonymous Child identifier and age bandRetained for the duration of the Parent's account. Deleted on Parent's request or on account closure.
OpenAI 30-day abuse-monitoring retentionOpenAI may retain API-input data (audio submitted for transcription) for up to 30 days after the API call for abuse-monitoring purposes; after that, OpenAI deletes the data. BLEKS has no access to or control over OpenAI's abuse-monitoring archive during the 30-day window.
Crash diagnostic data (Sentry)Retained by Sentry per Sentry's standard policy of 30–90 days, then deleted. Voice payloads are scrubbed before storage.
Parent account recordsRetained for the duration of the Parent's account and for a reasonable period (typically up to 7 years) after account closure for tax, accounting, and legal defense purposes, subject to applicable law.

J.2 Parental Right to Review, Correct, and Delete

At any time during the operation of the Parent's account, the Parent may:

  • Review the Child's personal information by logging into the Parent's account on the Website and visiting the Child's profile page.
  • Correct the Child's personal information through the account-settings interface or by contacting BLEKS at the contact address in Section P.
  • Delete the Child's personal information through the account-settings interface or by request to BLEKS. Deletion takes effect within 30 days of the request, except for data that BLEKS is required to retain for legal compliance.
  • Refuse further collection of the Child's personal information by withdrawing VPC, which will cause BLEKS to cease the Child's access to the App and delete the Child's personal information per Section J.1.

For privacy and security, BLEKS may require the Parent to authenticate identity through the Parent's existing account credentials or, where the Parent is unable to authenticate in that manner, through another reasonable identity-verification process.

K. Parent and California Resident Rights Request Procedure

To exercise any of the rights described in Sections I and J, please:

  • Submit a request through the account-settings interface on the Website, if the request relates to your own account or a Child enrolled under your account; or
  • Contact BLEKS using the contact information in Section P, identifying yourself, the nature of your request, and (if applicable) the Child to which the request relates.

BLEKS will acknowledge receipt of the request within 10 business days and respond to the substance of the request within 45 days (extendable by an additional 45 days where reasonably necessary and where notice of the extension is provided), consistent with the response timeframes generally applicable under the CCPA/CPRA and analogous state consumer privacy laws. For requests submitted under COPPA, BLEKS will respond as soon as reasonably practicable, consistent with 16 CFR §312.6.

Appeal Process (State-Law Right). Several state consumer privacy laws (including in Colorado, Connecticut, and Virginia) provide consumers with a right to appeal an adverse decision on a rights request. To appeal, the Parent or other rights-holder may send an appeal to privacy@readingcompass.ai with “APPEAL” in the subject line. The appeal will be reviewed by a different BLEKS reviewer than the reviewer who handled the initial request. BLEKS will respond to the appeal within the timeframe required by the applicable state law.

L. Information Security

BLEKS maintains a written Children's Information Security Program (“CISP”) that addresses the four elements of 16 CFR §312.8. The current CISP is available to Parents, regulators, auditors, and counsel on request via privacy@readingcompass.ai.

L.1 Administrative Safeguards

  • Information Security Coordinator. BLEKS has designated its Chief Operating Officer as Information Security Coordinator, accountable for the CISP. The Information Security Coordinator reviews the CISP at least annually and after any material change to the Service.
  • Workforce Training. Every BLEKS employee and contractor with access to Child personal information completes information-security training on hire and at least annually thereafter.
  • Least-Privilege Access. Access to Child personal information is granted to employees and contractors only on a documented business-need basis. Access is reviewed at least annually and is revoked promptly on role change or termination.
  • Background Checks. BLEKS conducts background checks on employees and contractors with access to Child personal information, consistent with applicable law.
  • Policies and Procedures. BLEKS maintains written policies and procedures governing the collection, use, disclosure, retention, and disposal of Child personal information.

L.2 Technical Safeguards

  • Encryption in transit. All data transmitted to and from the Service is protected with industry-standard encryption protocols.
  • Encryption at rest. Child audio is stored at rest under industry-standard server-side encryption. Pseudonymous Child records, transcripts, and assessment scores are stored in databases encrypted at rest.
  • Network segmentation. Child-data systems are logically segmented from non-Child-data systems.
  • Authentication. Parent account access requires authentication via a password meeting industry-standard strength requirements. Multi-factor authentication is available and recommended for Parent accounts.
  • Vulnerability management. BLEKS conducts vulnerability scans of the Service on at least a quarterly basis and applies security patches promptly.
  • Logging and monitoring. Access to systems containing Child personal information is logged and monitored for unauthorized access.
  • Secure development. BLEKS follows secure-development practices including code review and dependency-vulnerability scanning.

L.3 Physical Safeguards

  • Cloud provider physical security. Child audio and records are stored in the data centers of our hosting subprocessors, which maintain industry-standard physical-security controls including access control, video monitoring, and environmental controls.
  • Office security. BLEKS's offices maintain physical access controls. Workforce members do not store Child personal information on local devices except as necessary for development and testing, and any such storage is encrypted and access-controlled.
  • Disposal. Devices that have stored Child personal information are securely wiped or physically destroyed before disposal.

L.4 Vendor (Service Provider) Oversight

  • Due diligence. Before engaging a subprocessor that will have access to Child personal information, BLEKS conducts pre-engagement due diligence including review of the subprocessor's security practices, certifications (e.g., SOC 2, ISO 27001), data-handling representations, and incident-response capability.
  • Written contractual assurances. Each subprocessor is bound by written contractual terms requiring data protection no less than this Policy and the CISP, including the purpose limitations, security obligations, breach-notification, audit rights, return-or-destruction, and subcontractor-flow-down provisions described in Section F.
  • Periodic review. BLEKS reviews each subprocessor at least annually, including reviewing any updated security certifications, breach disclosures, and policy changes.
  • Audit rights. BLEKS retains contractual audit rights as to each subprocessor's handling of Child personal information, exercisable on reasonable notice.
  • Termination. BLEKS reserves the right to terminate engagement with any subprocessor that fails to maintain reasonable security or to comply with the contractual obligations.

L.5 Incident Response

BLEKS maintains a written incident-response plan as part of the CISP. In the event of a confirmed security incident affecting Child personal information, BLEKS will:

  • Contain and mitigate the incident, preserving forensic evidence where appropriate.
  • Investigate the incident, including with outside counsel and forensic consultants as warranted and under attorney-client privilege where applicable.
  • Notify affected Parents and applicable regulators in compliance with applicable law (including state breach-notification statutes and any sector-specific requirements such as those addressed in any applicable state insurance data-security laws).
  • Implement remediation measures, including any recommended changes to the CISP, to reduce the risk of recurrence.

L.6 Limitations

The safety and security of the Child's information also depends in part on the Parent. The Parent is responsible for maintaining the confidentiality of the Parent's account credentials and for notifying BLEKS promptly if the Parent suspects unauthorized access. Although BLEKS uses reasonable measures to protect Child personal information, no information system is perfectly secure and no transmission over the internet is fully immune from risk. We cannot and do not guarantee absolute security; we commit to the reasonable security measures described above.

M. International Use

Reading Compass is operated from the United States and is intended for use by Parents and Children in the United States. The Service is not directed to users outside the United States, and we do not intentionally collect personal information from users outside the United States. If you access the Service from outside the United States, you do so at your own risk and you understand that your information will be processed in the United States and may be subject to U.S. law (including COPPA), which may differ from the privacy laws of your home jurisdiction. If you do not consent to that processing, do not use the Service.

N. App Store and Platform Representations

Reading Compass, when listed in the Apple App Store, will be listed under the Education category with an age rating of 4+. Reading Compass is not submitted to the App Store's “Kids Category”; COPPA compliance for the Service is achieved through the Parent-VPC architecture described in Section E rather than through Kids Category designation. BLEKS's App Store privacy-label representations are consistent with this Policy. If the App Store privacy-label representations and this Policy ever diverge, this Policy controls as to BLEKS's actual practices, and BLEKS will promptly correct the App Store representations.

O. Changes to This Policy

BLEKS may update this Policy from time to time. If we make a material change to how we treat Child personal information — including any change to the integral-versus-non-integral characterization, the named-subprocessor list, the retention schedule, the security architecture, or the VPC method — we will (i) provide direct notice to each affected Parent by email to the Parent's account email address; (ii) post the updated Policy on the Website with the new “Last Modified” date; or (iii) where the change is material to the Parent's previously-granted VPC, obtain fresh VPC consistent with Section E before any collection, use, or disclosure under the changed practice.

Non-material changes (such as clarifications, typo fixes, or restructuring that does not change substantive practices) will be reflected in the updated “Last Modified” date but will not require fresh VPC.

BLEKS maintains a record of every superseded version of this Policy so that the Parent or a regulator may at any time review the version that was in effect at a particular date and to which the Parent's then-current VPC related.

P. Contact Information

To exercise any right under this Policy, to ask a question, to make a complaint, or to provide any COPPA-related communication, please contact BLEKS at:

BLEKS Education Technology Solutions, Inc.

Attn: Legal

8 The Green, Suite B, Dover, DE 19901

Email: legal@readingcompass.ai

Phone: 1-832-263-8469

For Service-level support (account, billing, technical issues unrelated to a COPPA right):

Email: support@readingcompass.ai

Operators. BLEKS Education Technology Solutions, Inc. is the sole operator of the Service that collects or maintains personal information from Children. The subprocessors named in Section F process personal information only on behalf of BLEKS under written contractual restrictions as described in Sections F and L and are NOT independent “operators” within the meaning of COPPA.

Complaint Resolution. If you have a privacy concern that BLEKS has not resolved to your satisfaction, you may contact the Federal Trade Commission at https://reportfraud.ftc.gov or your state Attorney General's office. California residents may also contact the California Privacy Protection Agency.