Privacy Policy - nanoGOAT AAC

nanoGOAT LLC ("nanoGOAT," "we," "us," or "our") is committed to protecting the privacy of all users of the nanoGOAT AAC application and related services (collectively, the "Service"). Because our app is designed for children and families, we take privacy obligations especially seriously.

This Privacy Policy explains what information we collect, how we use it, and the choices you have. If you are a parent or guardian setting up nanoGOAT AAC for a child, this policy applies to both your information and your child's information.

nanoGOAT LLC is based in the State of Colorado, United States.

Health and therapy disclaimer: nanoGOAT AAC is a communication tool, not a medical device. The app does not collect, store, or process any protected health information (PHI) as defined by HIPAA. While the app may be used in therapeutic or educational settings, it is not intended as a HIPAA-covered service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

Email address — used for authentication, account recovery, and service communications
Password — stored in encrypted (hashed) form; we never have access to your plaintext password
Display name (optional) — if you choose to provide one

1.2 Communication Board Data

The core of nanoGOAT AAC is the communication boards you create. This data includes:

Board configurations — button layouts, labels, colors, and settings
Custom images — photos or images you upload for communication buttons
User profiles — communication profiles you create (e.g., different profiles for different users of the same device)
Board sets — collections of boards you organize together

This data is stored locally on your device. If you use our cloud sync or sharing features, this data may also be stored on our servers to enable those features.

1.3 Usage Information

We may collect limited technical information to maintain and improve the Service:

Device type and operating system — to ensure compatibility
App version — to provide appropriate updates and support
Crash reports — to identify and fix bugs (these do not contain communication board content)

1.4 Information We Do NOT Collect

We do not collect contact lists or address books
We do not collect microphone or camera data (except images you intentionally upload)
We do not use advertising trackers or third-party analytics that profile users
We do not collect any biometric data

2. How We Use Your Information

We use the information we collect to:

Provide the Service — authenticate your account, store and sync your boards, and enable sharing features
Improve the Service — fix bugs, improve performance, and develop new features
Personalize your experience — your data may be used within your account to improve the Service for you (e.g., smarter suggestions, better defaults)
Communicate with you — send account-related notifications, respond to support requests, and provide important updates about the Service
Ensure security — detect and prevent fraud, abuse, or unauthorized access

Our Data Commitments

These commitments are fundamental to how nanoGOAT operates and will not change:

No advertising. We will never use your data to serve ads or allow third-party advertising in the app.
No data sales. We will never sell, rent, or trade your personal information or your child's data to anyone.
No user monetization. You are not the product. We will never monetize your data or your child's data.
No hidden tracking. We will never track or collect data about you or your child beyond what is explicitly described in this policy. If we introduce new features that involve additional data collection, we will update this policy and notify you before any new collection begins.
No willful exposure. We will never intentionally expose your data or provide it to third parties beyond what is necessary to operate the Service as described herein.

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share information only in these limited circumstances:

Service providers — We use Supabase for authentication and data storage. These providers process data on our behalf under strict contractual obligations and cannot use your data for their own purposes.
Board sharing — If you choose to share a board set via QR code or link, the board content you share will be accessible to anyone with that code or link. You control what you share.
Legal requirements — We may disclose information if required by law, subpoena, or court order, or if we believe disclosure is necessary to protect the rights, property, or safety of nanoGOAT, our users, or the public.
Business transfers — If nanoGOAT is acquired or merged with another company, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

4. Children's Privacy

nanoGOAT AAC is designed for use by children, including children under the age of 13, with the involvement of a parent or guardian. We comply with the Children's Online Privacy Protection Act (COPPA) and take additional steps to protect children's privacy.

Please see our COPPA Compliance Policy for detailed information about how we protect children's privacy, what data we collect from children, and the rights of parents and guardians.

Key commitment: We do not collect personal information directly from children. All accounts are created by parents or guardians, and we require verifiable parental consent before any child's data is collected through the Service.

5. Data Security

We implement industry-standard security measures to protect your information:

All data transmitted between your device and our servers is encrypted using TLS/SSL
Cloud-synced data is encrypted at rest on our servers (AES-256 via our infrastructure provider)
Passwords are hashed using modern, secure algorithms and are never stored in plaintext
Access to user data is restricted to authorized personnel on a need-to-know basis
We conduct regular security reviews of our infrastructure and practices
Communication board data stored locally on your device is protected by your device's own security features

While no system is perfectly secure, we are committed to protecting your information and will notify you promptly if we become aware of any security breach that affects your data.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Specifically:

Account information is retained until you delete your account
Board data stored on our servers is retained until you delete the data or your account
Local data on your device is under your control and is not affected by account deletion
Crash reports are retained for up to 90 days

When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required by law to retain it.

7. Your Rights

Depending on your location, you may have certain rights regarding your personal information. We honor these rights for all users regardless of location:

All Users

Access — You can request a copy of the personal information we hold about you
Correction — You can update or correct your account information at any time
Deletion — You can delete your account and all associated data
Data portability — You can export your communication boards from the app

Colorado Privacy Act (CPA)

As a Colorado-based company, we comply with the Colorado Privacy Act. Colorado residents have additional rights including:

The right to opt out of the sale of personal data (we do not sell personal data)
The right to opt out of targeted advertising (we do not engage in targeted advertising)
The right to opt out of profiling (we do not profile our users)
The right to appeal a denial of a privacy request

California (CCPA/CPRA)

California residents have the right to know what personal information we collect, the right to delete that information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us using the information below.

International Users (GDPR)

For users in the European Economic Area (EEA) or United Kingdom, we process personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) where relevant. Our legal basis for processing is consent (provided during account creation) and legitimate interest (to provide and improve the Service). If you have questions about international data transfers or wish to exercise your rights under GDPR, please contact us at [email protected].

8. Third-Party Services

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you interact with.

Our current third-party service providers include:

Supabase — Authentication and cloud data storage
Cloudflare — Website hosting and content delivery
Apple App Store / Google Play Store / Amazon Appstore — App distribution (subject to their own privacy policies)

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Effective Date" at the top of this page
Notify you via email or in-app notification for significant changes
Obtain renewed parental consent if changes affect how we handle children's data

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how we handle your information, please contact us:

nanoGOAT LLC

Colorado, United States

Email: [email protected]

We will respond to your request within the timeframes required by applicable law (typically 30–45 days). If you are not satisfied with our response, you may file a complaint with the Colorado Attorney General's office or your local data protection authority.