nanoGOAT AAC

Children's Privacy Policy

COPPA Compliance

Effective Date: February 5, 2026

Important Notice for Parents and Guardians

nanoGOAT AAC is designed for children and families, including children under 13 years of age. We take our obligations under the Children's Online Privacy Protection Act (COPPA) seriously. This policy explains specifically how we handle the privacy of children who use our app.

Bottom line: We collect the minimum data necessary to provide the Service. We will never advertise to, monetize, or sell the data of our users. Any data collected is used solely to improve the experience for that user's account. Parents control their child's data and can review, modify, or delete it at any time.

1. What is COPPA?

The Children's Online Privacy Protection Act (COPPA) is a United States federal law designed to protect the privacy of children under 13 years of age. COPPA requires operators of websites, apps, and online services that are directed to children, or that have actual knowledge that they are collecting information from children, to:

  • Post a clear and comprehensive privacy policy
  • Provide direct notice to parents about data collection practices
  • Obtain verifiable parental consent before collecting personal information from children
  • Give parents the ability to review, modify, and delete their child's information
  • Limit data collection to what is reasonably necessary for the child to participate in the activity
  • Implement reasonable security measures to protect children's information

Because nanoGOAT AAC is designed for use by children, we comply with COPPA in full.

Note: nanoGOAT AAC is a communication tool, not a medical device. The app does not collect, store, or process any protected health information (PHI) as defined by HIPAA. While the app may be used in therapeutic or educational settings, it is not intended as a HIPAA-covered service.

2. Our Approach to Children's Privacy

nanoGOAT AAC is built with a "privacy by design" philosophy. Our architecture minimizes data collection at every level:

Parent-Managed Accounts

Only parents or guardians can create accounts. Children never interact with account creation or provide personal information directly to us.

Local-First Design

Communication boards and usage data are primarily stored on the device, not our servers. Cloud features are optional and parent-controlled.

No Hidden Tracking

We will never collect data beyond what is explicitly described in our Privacy Policy. If new features require additional data, we will notify you and obtain consent first.

No Advertising or Profiling

We do not show ads to children, do not build behavioral profiles, and do not share data with advertisers or data brokers.

3. Information We Collect from Children

We collect the minimum information necessary to provide AAC services. Here is a complete and transparent accounting of the information associated with a child's use of the app:

3.1 Information Collected with Parental Consent

Data Type Purpose Stored Where
Profile name (e.g., first name or nickname) Identify which profile belongs to which child on a shared device Device only (unless cloud sync is enabled)
Communication board configurations Provide personalized AAC boards Device only (unless cloud sync is enabled)
Custom images uploaded to boards Personalize communication buttons Device only (unless cloud sync is enabled)
App preferences and settings Customize the app experience Device only

3.2 Future Features and Data Collection

As nanoGOAT AAC evolves, we may introduce new features that use additional data to improve the communication experience for your child (for example, smarter board suggestions or personalized layouts). If any new feature requires collecting additional information, we will:

  • Update this policy before any new data collection begins
  • Notify parents via email and in-app notification
  • Obtain new parental consent before using the feature
  • Clearly explain what data is collected, how it is used, and where it is stored

Regardless of future features, our core commitments (no advertising, no data sales, no monetization of user data) will never change. Any data collected will be used solely to improve the experience for that user's account.

3.3 Information We Do NOT Collect from Children

We want to be absolutely clear about what we do not collect:

  • No email addresses from children (only parents have accounts)
  • No phone numbers from children
  • No physical addresses from children
  • No photos of children (image uploads are for board buttons, managed by parents)
  • No voice recordings — text-to-speech is processed on-device
  • No contact lists from the device
  • No persistent identifiers for behavioral advertising or cross-service tracking

If we ever need to collect additional types of data to support new features, we will update this list and obtain parental consent first. You will never be surprised by what we collect.

4. Parental Consent

4.1 How We Obtain Consent

Because nanoGOAT AAC accounts are created exclusively by parents or guardians (who must be at least 18 years old), the act of creating an account, setting up a child's profile, and enabling optional cloud features constitutes verifiable parental consent for the data collection described in this policy.

We provide direct notice of our data practices by presenting this COPPA policy during account creation. Parents must affirmatively acknowledge that they:

  • Are the parent or legal guardian of the child who will use the Service
  • Consent to the collection and use of information as described in this policy
  • Understand their rights to review, modify, and delete their child's information

We retain timestamped records of parental acknowledgments for compliance purposes.

4.2 Withdrawing Consent

Parents may withdraw consent at any time by:

  • Deleting their child's profile within the app
  • Deleting their account entirely
  • Contacting us at [email protected] to request data deletion

Withdrawing consent will result in the deletion of the child's data from our servers (if cloud sync was enabled). Local data on the device remains under the parent's control.

5. Parental Rights

Under COPPA, parents and guardians have the right to:

1

Review Their Child's Information

Parents can view all data associated with their child's profile directly within the app. You can also request a complete data export by contacting us.

2

Modify Their Child's Information

Parents can edit their child's profile name, communication boards, and all settings directly within the app at any time.

3

Delete Their Child's Information

Parents can delete their child's profile and all associated data from within the app. To delete cloud-synced data, parents can disable cloud sync or delete their account. We process deletion requests within 30 days.

4

Refuse Further Collection

Parents can withdraw consent and refuse further data collection at any time without losing access to the core local features of the app. Cloud-dependent features may become unavailable if consent for cloud data storage is withdrawn.

6. Data Sharing and Third Parties

We apply the strictest standards to how children's data is shared:

  • We do not sell children's data to any third party, for any reason, ever
  • We do not share children's data with advertisers or ad networks
  • We do not share children's data with data brokers or analytics companies that profile users
  • Service providers (Supabase for authentication and storage) may process children's data solely on our behalf, under strict contractual obligations that prohibit them from using the data for any other purpose
  • Board sharing is parent-initiated — if a parent chooses to share a board set via QR code, the board content (not the child's profile information) is shared with the recipient

7. Data Security

We implement security measures appropriate for the sensitivity of children's data:

  • All data in transit is encrypted using TLS 1.2 or higher
  • Data at rest on our servers is encrypted
  • Access to children's data is limited to personnel who require it to provide the Service
  • We use secure authentication mechanisms and do not store plaintext passwords
  • We review our security practices regularly
  • Local data on the device is protected by the device's own security features (device lock, encryption)

8. Data Retention and Deletion

We retain children's data only for as long as necessary to provide the Service:

  • Active accounts: Data is retained while the account is active and the child's profile exists
  • Profile deletion: When a parent deletes a child's profile, the associated data is deleted from our servers within 30 days
  • Account deletion: When a parent deletes their account, all associated children's data is deleted from our servers within 30 days
  • Inactive accounts: If an account is inactive for more than 24 months, we will notify the parent via email and provide 60 days to reactivate before deleting the account and all associated data

9. Age Verification and Safeguards

We employ the following safeguards to ensure children's privacy:

  • Account creation requires an email address and is designed for adults (parents/guardians)
  • There is no mechanism for a child to independently create an account
  • The app's Editor Mode (where boards are configured) is designed for parent/therapist use
  • Communication Mode (the child-facing interface) does not collect or transmit data
  • Sharing features are accessible only through the parent-controlled Editor Mode

10. Safe Harbor

While nanoGOAT LLC is not currently a member of an FTC-approved COPPA Safe Harbor program, we voluntarily comply with all COPPA requirements and regularly review our practices against FTC guidance. We are committed to maintaining compliance and may seek Safe Harbor certification in the future as our organization grows.

This policy addresses US COPPA requirements. Users outside the United States may have additional rights under local laws (e.g., GDPR for the European Economic Area). Please see our Privacy Policy for details on international data protection rights.

11. Changes to This Policy

If we make material changes to how we collect, use, or share children's personal information, we will:

  • Update this policy with a new effective date
  • Notify parents via the email address associated with their account
  • Obtain new verifiable parental consent before using previously collected children's data in any materially different way

We will never retroactively apply less-protective practices to children's data that was collected under a more protective version of this policy without obtaining new consent.

12. Contact Us

If you are a parent or guardian and have questions about this COPPA Compliance Policy, want to exercise your parental rights, or have any concerns about your child's privacy, please contact us:

nanoGOAT LLC

Colorado, United States

Email: [email protected]

Subject line: "COPPA Request — [Your Name]"

We will respond to all parental requests within the timeframes required by applicable law (typically 30–45 days). For urgent privacy concerns involving a child's safety, please include "URGENT" in the subject line and we will prioritize your request.

13. FTC Information

For more information about COPPA and children's online privacy, you can visit the Federal Trade Commission's website: