FERPA Notice

This page describes how TaleTykes, a service provided by SpaltX Industries, supports compliance with the Family Educational Rights and Privacy Act ("FERPA") when TaleTykes is used by schools, districts, teachers, or other educational institutions.

FERPA applies to educational agencies and institutions that receive applicable federal funding, and it governs certain education records maintained by or for those institutions. Whether a specific record in TaleTykes is an "education record" under FERPA depends on the context in which the service is used, the nature of the record, and the role of the institution using the service.

When TaleTykes is used in a school context, information processed through the service may include records that are directly related to a student and maintained by the school or by TaleTykes for the school. Depending on deployment and feature usage, that may include:

• Student roster information, school identifiers, class enrollment data, and account role information.
• Reading sessions, time spent, pages viewed, comprehension activity, vocabulary progress, assignments, and other academic usage records.
• Teacher or school-entered notes, support plans, accommodations, intervention data, alerts, and classroom observations.
• Books, writing drafts, prompts, and other educational content created or submitted by students in connection with school use.
• Parent-teacher communications, progress summaries, reports, and administrative audit trails tied to a student.

In many school implementations, TaleTykes operates as a service provider under the school or district's direct control and for a school-authorized educational purpose. In that role, the school or district may disclose student information to TaleTykes without separate parent consent where FERPA allows disclosure to a school official with a legitimate educational interest.

Schools and districts remain responsible for determining whether they may rely on the applicable FERPA exception, for including any required school-official criteria in annual notices, and for ensuring that TaleTykes is used only for authorized educational purposes.

When AI-assisted features are used in a school deployment, TaleTykes may process student prompts, reading targets, curriculum instructions, writing text, and related educational context to generate school-authorized outputs. That processing is intended to support the educational purpose for which the information was disclosed, not unrelated commercial profiling or advertising.

TaleTykes is designed to limit access to student information based on role and educational need. Access may be restricted so that:

• Teachers view only students assigned to their classes or otherwise linked to them through authorized workflows.
• School administrators view information for their institution and can manage exports or school-level operations where permitted.
• Parents or guardians view only the records of linked children or students associated with their account.
• Operational personnel access records only on a need-to-know basis for support, security, maintenance, compliance, or other authorized internal functions.

We maintain system controls and audit trails intended to help schools demonstrate that student records are accessed only by authorized users for legitimate educational interests.

FERPA generally provides parents, and later eligible students once rights transfer under law, with the right to:

• Inspect and review the student's education records.
• Request amendment of records believed to be inaccurate, misleading, or otherwise in violation of privacy rights.
• Provide written consent before certain disclosures of personally identifiable information, unless an exception applies.
• File a complaint with the U.S. Department of Education concerning alleged FERPA violations.

FERPA rights generally transfer from the parent to the student when the student turns 18 or attends a postsecondary institution, subject to applicable law.

Requests relating to school-managed student records should generally be directed first to the applicable school or district, because the institution is typically the party responsible for FERPA compliance, record inspection decisions, amendment determinations, and any response timelines.

Where appropriate and authorized, TaleTykes may assist schools and districts with exports, corrections, suppression, or deletion of student records processed through the platform. Where family-managed tools are available, parents may also have access to certain export or account management workflows in-product.

Depending on the feature set in use, those records may include AI prompts, generated stories, generated illustrations, writing-assist outputs, moderation records, and usage logs associated with the student's educational activity.

TaleTykes does not disclose FERPA-protected student information except as directed by the school or district, as permitted by applicable law, or as otherwise authorized by contract or valid consent. When TaleTykes receives student information under a FERPA exception, we use that information only for the authorized purpose for which it was provided.

We expect subprocessors and downstream service providers used on our behalf to be contractually bound to confidentiality, security, and use limitations consistent with our role in delivering the service.

FERPA compliance in a school deployment is a shared operational model. TaleTykes supports compliance, but schools and districts remain responsible for:

• Determining whether disclosure of student information to TaleTykes is authorized under FERPA.
• Providing any required annual FERPA notices and school-official criteria.
• Configuring classes, administrators, permissions, and linked users correctly.
• Determining whether AI-assisted features may be enabled for student use under the institution's own policies, notices, and contracts.
• Avoiding submission of unnecessary sensitive personal information into prompts or free-text fields, including Social Security numbers, government IDs, full medical records, or financial account details unless clearly necessary and lawfully authorized.
• Reviewing and responding to parent or eligible student requests under applicable legal timelines.
• Directing TaleTykes regarding contract-specific retention, return, or deletion obligations.

TaleTykes uses administrative, technical, and organizational controls designed to protect student information against unauthorized access, loss, misuse, alteration, or disclosure. These controls may include authentication safeguards, role-based access restrictions, logging, rate limiting, security monitoring, and contractual controls for subprocessors.

In our current application implementation, protected APIs emit request IDs and `private, no-store` cache directives, sessions are short-lived and revocable, and learner photos are encrypted before storage and served back only through authenticated routes.

If we become aware of an incident affecting school-managed student information, we will respond consistent with applicable law, our contractual commitments, and the facts of the event, including working with the affected institution as appropriate.

Student information processed on behalf of a school or district is retained for the period reasonably necessary to provide the service, comply with law, maintain security and backup integrity, and satisfy applicable customer instructions or contractual obligations.

Upon valid school instruction, account closure, or contract termination, TaleTykes may return, delete, or de-identify applicable student information in accordance with the governing agreement, documented retention practices, and backup or archival limitations.

TaleTykes does not sell student personal information and does not use student personal information for behaviorally targeted advertising. We use student data to deliver reading, writing, classroom, accessibility, and related educational features authorized by the customer or family context in which the service is deployed.

We do not intentionally use school-authorized student data to train our own general-purpose AI models.

For TaleTykes FERPA questions, school privacy reviews, or student record support requests, contact privacy@taletykes.com.

Complaints alleging a FERPA violation may also be submitted to the U.S. Department of Education's Student Privacy Policy Office through the Department's official FERPA complaint process.

For general support, contact contact@taletykes.com. For legal notices, contact legal@taletykes.com.