Privacy Policy

Last updated: May 21, 2026

This Policy describes how TaleTykes handles information across family learning, child learner accounts, teacher classrooms, school and district administration, AI-assisted learning, reports, exports, moderation, billing, and support.

This policy covers FERPA, COPPA, Ohio student data rules, PPRA where applicable, AI processing, service providers, security, retention, and parent and student rights.

Overview and Who We Are

This Privacy Policy explains how TaleTykes collects, uses, discloses, protects, retains, exports, and deletes information when families, child learners, teachers, schools, districts, administrators, and visitors use the platform.

The platform is operated by Optiarms, Inc. dba TaleTykes, an Ohio-based company. In this Policy, TaleTykes, Optiarms, Inc., we, us, and our refer to the operator and its affiliates, successors, and permitted assigns.

This Policy covers the public website, authenticated learning platform, child learner experience, parent controls, teacher tools, school and district administration tools, superadmin tools, AI generation and feedback features, moderation, reports, exports, notifications, support, and related services that link to this Policy.

For direct family use, we generally act as the operator or controller of the family account data we process.
For school or district use, the school or district generally controls education records and we act as a service provider, contractor, or school official under the applicable contract and law.
If a signed school, district, data privacy, or data processing agreement conflicts with this public Policy, the signed agreement controls for that customer relationship to the extent of the conflict.

Information We Collect

We collect only information that is reasonably connected to providing, securing, supporting, improving, administering, and documenting the platform. The exact categories depend on user role, plan, school contract, enabled features, parent controls, integrations, and how the platform is used.

Account, authentication, and identity data

Name, email address, role, account status, profile image, organization membership, invite status, invite metadata, password hash, reset-token metadata, email verification status, last login time, session cookie data, and Google OAuth identifiers for invited adult users when Google sign-in is enabled.
We do not intentionally require children to create unmanaged accounts or provide payment details. Child learner accounts are managed by authorized adults or schools.

Learner profile and family relationship data

Learner display name, first name, birth year, grade level, reading level, math level, writing level, avatar URL, language preference, interests, sensitivities, learning preferences, guardian links, relationship labels, permissions, parent controls, and consent records.
Parent controls may include story generation, image generation, read-aloud, school publishing, public publishing, approval-before-publish, allowed themes, blocked themes, maximum daily minutes, and data sharing settings.

School, district, class, and assignment data

Organization type, name, slug, hierarchy, settings, usage limits, memberships, classes, teacher assignments, class enrollments, schedule data, assignment instructions, assignment status, due dates, resource links, and assignment progress.
School and district administrators may also access aggregated dashboards, user lists, class data, reports, moderation queues, and organization settings based on role permissions.

Learning activity and educational record data

Skill states, assessments, assessment items, assessment attempts, books, book pages, reading sessions, current pages, minutes read, read-aloud use, clicked words, comprehension answers, comprehension scores, fluency metadata, writing projects, outlines, drafts, word counts, grammar scores, structure scores, creativity scores, clarity scores, writing feedback, math quests, math sessions, math attempts, strategies used, misconception tags, response times, hints used, achievements, and portfolio artifacts.
Reports and exports may include progress rows, reading minutes, books completed, comprehension indicators, math activity, writing activity, and other learner-linked data.

AI, moderation, audit, and operational data

AI prompts, user inputs, generated text, generated image prompts, generated image URLs, task purpose, provider, model, token counts, latency, estimated cost, safety result, moderation status, job status, errors, content flags, reviewer actions, audit log metadata, notification records, report export records, system health information, request metadata, rate-limit metadata, and server logs.
We may store enough AI and moderation metadata to support safety, quality, abuse prevention, billing, troubleshooting, school administration, legal compliance, and auditability.

Payment, support, and communications data

Plan selection, billing interval, subscription metadata, invoices, payment status, tax or billing information, and payment processor identifiers. Full payment card data is handled by the payment processor when payment features are enabled.
Support messages, emails, notification preferences, transactional email metadata, delivery status, attachments you provide to support, and records needed to resolve an issue.

Device, usage, cookie, and technical data

IP-derived security metadata, cookie identifiers, session identifiers, browser type, device type, operating system, referring URL, pages viewed, feature interactions, error logs, performance logs, approximate location inferred from network data, and security signals.
We use signed HTTP-only session cookies for authentication. We do not use child data for behavioral advertising.

How We Use Information

We use information to operate an educational platform, protect children and student data, support authorized users, comply with school instructions, and meet legal and contractual obligations. We do not use child personal information or school-controlled education records for targeted advertising.

Provide reading, writing, math, adaptive practice, spaced review, stories, writing feedback, math hints, assessments, dashboards, assignments, approval queues, parent controls, reports, exports, portfolio artifacts, and content libraries.
Authenticate users, maintain signed sessions, enforce role-based access, protect accounts, process invites, reset passwords, and route users to the correct role surface.
Generate AI-assisted content and feedback, moderate prompts and outputs, validate child-facing content, estimate AI usage costs, and support provider routing.
Create and maintain learner progress, mastery signals, skill states, class activity, completion status, reading records, writing records, math records, and school or family reports.
Send transactional communications such as invites, password reset links, account notices, approval notifications, support responses, billing notices, policy notices, and security alerts.
Detect, investigate, prevent, and respond to abuse, unauthorized access, safety concerns, content-policy issues, security incidents, fraud, billing disputes, and platform misuse.
Maintain audit logs, consent records, data export records, deletion request records, moderation records, and operational records needed for compliance and accountability.
Improve, maintain, develop, support, diagnose, secure, and debug the platform, including using deidentified or aggregate information where appropriate.

FERPA and Education Records

When the platform is used by a school or district that is subject to the Family Educational Rights and Privacy Act, student information maintained through the platform may be an education record. The school or district controls those education records. We process them under the applicable school or district contract and only for authorized educational, administrative, security, support, compliance, and service-delivery purposes.

Where permitted, we may be designated as a school official with legitimate educational interests because we perform institutional services or functions that the school or district would otherwise use employees to perform, we are under the school's or district's direct control with respect to the use and maintenance of education records, and we are subject to restrictions on use and redisclosure.

We do not sell education records.
We do not use education records for targeted advertising or unrelated commercial profiling.
We restrict access to education records to personnel, contractors, and subprocessors who need access to perform authorized duties.
We support school and district requests related to parent or eligible student access, amendment, export, transfer, correction, and deletion workflows.
Parents and eligible students should normally direct FERPA access or amendment requests to the school or district that controls the education records.
We may disclose education records as directed by the school or district, with appropriate consent, under a FERPA-permitted exception, to service providers bound to appropriate restrictions, or as otherwise required by law.

COPPA and Children Under 13

The platform is designed to be used by children under adult, parent, guardian, school, or district management. For children under 13, we collect, use, and disclose personal information only with verifiable parent consent, school-authorized consent where legally permitted, or another legally recognized basis.

When a school authorizes use for an educational purpose, the school may provide consent on behalf of parents where permitted by the Children's Online Privacy Protection Act and related guidance. In that context, we use the child's personal information only to provide the school-requested educational service and related support, security, safety, and compliance functions.

We do not condition participation in a child educational activity on collecting more child personal information than is reasonably necessary for that activity.
We do not sell children's personal information.
We do not use child personal information for targeted advertising.
We do not knowingly allow third-party targeted advertising networks to collect child personal information through the authenticated child experience.
Parents may request review, correction, export, or deletion of their child's personal information through available parent tools, support, or the relevant school, depending on who controls the account.
If we later use age-verification or age-estimation tools, we will use information collected for age verification only for that purpose, retain it only as long as needed, use reasonable safeguards, provide notice, and require appropriate written assurances from any age-verification provider.

Ohio Student Data and Technology Provider Commitments

For Ohio school and district customers, we structure the platform to support obligations under Ohio student data and technology provider laws, including Ohio Revised Code sections 3319.325, 3319.326, and 3319.327 where applicable. This public Policy is not a substitute for a district-specific contract, but it states our baseline commitments.

Education records created, received, maintained, or disseminated by us pursuant or incidental to a school district contract are treated as the property of the school district for that relationship.
We do not sell, share, or disseminate education records except as permitted by the school contract, law, valid delegation, authorized service provider relationship, or written instructions.
We do not use education records for commercial purposes, including marketing or advertising to students or parents. Using aggregate information with personally identifiable information removed for service improvement, maintenance, development, support, or diagnostics is permitted where allowed by law and contract.
We maintain security safeguards for education records and restrict employee and contractor access to those who need access to perform official duties.
If education records we maintain for an Ohio school district are subject to a qualifying breach, we will disclose to the district the information reasonably necessary for the district to fulfill its legal obligations.
Unless contract renewal is reasonably anticipated or a contract states otherwise, we will return or destroy school district education records within the legally required period after contract expiration, subject to lawful retention needs and backup deletion cycles.
We do not electronically access or monitor school-issued device location-tracking, audio, visual, recording, keystroke, or web-browsing features except if a separate written school contract and applicable law expressly authorize a permitted educational, technical support, exam proctoring, missing-device, safety, legal compliance, funding, warrant, subpoena, or emergency purpose.

PPRA-Aware Commitments

The current platform is not designed to administer Protection of Pupil Rights Amendment protected-information surveys, marketing surveys, or non-emergency invasive physical examinations. The platform's learning activities focus on reading, writing, math, assignments, progress, content generation, feedback, and educational reports.

If a school or district uses the platform in the future for a survey, analysis, evaluation, curriculum material, marketing-related collection, or other activity subject to PPRA, the school or district remains responsible for required notices, consents, opt-outs, policy adoption, inspection rights, and local compliance decisions unless a written contract expressly assigns a support obligation to us.

AI Processing, Model Providers, and Safety Logs

AI features may process prompts, learner context, instructional goals, reading level, writing drafts, answers, safety signals, and related metadata. AI requests may be routed to configured providers such as Anthropic, xAI, deterministic development providers, or future providers selected by us or by the customer contract.

We design child-facing AI features with layered safety controls, including input moderation, prompt sanitization, schema validation, output moderation, image prompt review, logging, rate limiting, and human review workflows where appropriate. These controls reduce risk but cannot guarantee that every output will be correct or appropriate.

We may send the minimum reasonably necessary prompt and context to AI providers to perform the requested feature.
We may log provider, model, purpose, token count, cost estimate, latency, status, and safety result for audit, safety, billing, and operations.
We do not use school-controlled education records to train our own general-purpose AI models unless a school contract expressly permits that use.
We do not authorize AI providers to use school-controlled education records or child personal information for targeted advertising.
Adults must review AI-generated materials before using them for instruction, publication, reports, or important learner decisions.

Subprocessors and Third-Party Services

We use third-party services to operate the platform. The specific providers may change over time and may vary by environment, customer, plan, and feature. We require service providers to process information only for authorized purposes and to maintain appropriate confidentiality, security, and privacy commitments.

Hosting and deployment providers may process application traffic, server logs, build artifacts, and operational telemetry.
Database and storage providers may store account data, learner data, education records, exports, portfolio artifacts, media, logs, backups, and related records.
Email providers such as SendGrid may process recipient email addresses, message content, delivery metadata, and suppression metadata for transactional email.
Authentication providers such as Google OAuth may process adult sign-in information when the user chooses or the organization enables that login method.
Payment processors such as Stripe may process payment method, billing, subscription, invoice, tax, fraud, and transaction data under their own terms.
AI providers such as Anthropic or xAI may process prompts, context, generated outputs, and technical metadata needed to perform AI features.
Rate limiting, caching, logging, and security providers may process identifiers, IP-derived security metadata, request metadata, and abuse-prevention signals.

Cookies, Sessions, and Analytics

We use cookies and similar technologies to keep users signed in, protect sessions, remember limited preferences, prevent abuse, understand service performance, and operate authenticated features. The primary platform session cookie is designed to be signed and HTTP-only so client-side scripts cannot read it.

We do not use child learner data or school-controlled education records for behavioral advertising. We may use privacy-preserving, aggregate, or deidentified analytics to understand usage, diagnose errors, improve reliability, evaluate feature adoption, and support customers.

Blocking cookies may prevent sign-in or authenticated platform features from working.
We may use logs and aggregate metrics to detect errors, abuse, suspicious sign-ins, generation spikes, failed requests, and system health issues.
If we later add optional marketing analytics to public pages, authenticated child and student surfaces will remain separated from behavioral advertising uses.

Security Safeguards

We use administrative, technical, and organizational safeguards designed to protect information from unauthorized access, use, disclosure, alteration, and destruction. These safeguards include role-based access controls, signed sessions, password hashing, multi-factor authentication for privileged accounts, suspicious-login monitoring with privacy-preserving IP fingerprints (not full IP retention in security logs by default), invite and reset-token hashing, audit logging, authorization checks, input sanitization, moderation, rate limits, provider gating, and environment-based configuration. Security telemetry is used only for fraud prevention and incident response, not for learning analytics or marketing.

No system is perfectly secure. Schools, districts, parents, and adult users must protect credentials, use appropriate devices, limit exports, remove accounts when access is no longer needed, and report suspected incidents promptly.

Production deployments should use a strong authentication secret, configured database, secure email provider, appropriate content security policy, provider keys, and production-ready rate limiting.
We recommend that customers limit administrator access, use unique accounts, avoid shared credentials, and download exports only when needed.
Security reports may be sent to security@taletykes.com.

Retention, Return, Deletion, and Backups

We retain information for as long as reasonably necessary to provide the platform, fulfill the purpose for which it was collected, comply with school or district instructions, satisfy legal and contractual obligations, maintain security and auditability, resolve disputes, collect payments, enforce agreements, and support backups and disaster recovery.

Retention periods vary by data type. Learner profile data, education records, learning activity, reports, AI logs, audit logs, payment metadata, support records, and backups may have different retention rules. School and district data return and deletion are governed by the applicable contract and law.

For direct family use, parents may request deletion or export through available tools or by contacting privacy@taletykes.com.
For school or district use, deletion and export requests should normally go through the school or district unless the contract allows direct requests.
We may anonymize learner identifiers while preserving aggregate learning evidence where permitted by law and contract.
Hard deletion may be delayed by backups, security logs, legal holds, dispute records, payment records, fraud prevention, and audit obligations.
When a school contract ends, we will return or destroy education records according to the contract and applicable law, including Ohio-specific timing where applicable.

Privacy Rights and Choices

Depending on your role, location, relationship to a learner, school contract, and applicable law, you may have rights to access, correct, delete, export, restrict, object to, or receive information about the personal information we process. We will honor requests as required by law and contract after verifying identity and authority.

Parents and guardians may request review, correction, export, or deletion of direct family learner information.
For school-controlled education records, parents and eligible students should contact the school or district first for FERPA access, amendment, disclosure, and complaint processes.
Adult users may request access, correction, or deletion of their own account information, subject to legal, security, school, billing, and operational limits.
Organizations may request exports, deletion, or account administration under their written contract and role permissions.
Residents of states with consumer privacy laws may have additional rights where those laws apply, including rights related to access, correction, deletion, portability, opt-out, appeal, and sensitive data. Student data and employment-style data may be exempt or handled under separate education laws.
We do not sell personal information as the term is commonly used in state privacy laws, and we do not share child or student data for cross-context behavioral advertising.

Publishing, Public Content, and Directory-Style Information

The platform may support private, class, school, district, family, or public publication of learner work, generated stories, books, writing projects, library resources, or portfolio artifacts, depending on the feature and controls. Publication may require parent, teacher, school, administrator, or platform approval.

We do not treat learner work as public simply because it exists in the platform. School or public sharing should occur only under the applicable parent controls, school settings, consent records, publication workflow, and law. Schools remain responsible for directory-information decisions and FERPA notices where those apply.

Parents can restrict school or public publishing where parent controls are available and applicable.
Schools may impose additional publishing approvals and takedown rules.
We may remove public or shared content for safety, privacy, copyright, policy, legal, or contract reasons.
Takedown requests may be sent to legal@taletykes.com.

Security Incidents and Breach Notice

If we discover a security incident involving information processed by the platform, we will investigate, take steps designed to contain and remediate the issue, and notify affected customers, users, regulators, or others as required by law and contract.

For Ohio residents, Ohio private breach notification law generally requires notice in the most expedient time possible and no later than forty-five days after discovery or notification of a qualifying breach, subject to law enforcement needs and investigation requirements. For Ohio school district data, we will cooperate with the district and disclose information necessary for the district to fulfill its obligations where required.

Not every security incident is a legally reportable breach.
We may delay notification if permitted by law enforcement or if delay is necessary to determine scope, restore integrity, or comply with legal requirements.
Users and organizations must promptly notify us if they suspect unauthorized access, exposed exports, compromised credentials, lost devices, or improper disclosure.

Aggregate, Deidentified, and Anonymized Data

We may create and use aggregate, deidentified, or anonymized information for platform improvement, diagnostics, reliability, security, cost management, product planning, research, benchmarking, and public or customer-facing summaries, provided the information does not reasonably identify an individual learner, child, family, school user, or other person.

Where school or district contracts restrict deidentified data use, those contract terms control. We do not attempt to reidentify deidentified data except as needed to test deidentification, investigate misuse, comply with law, or enforce contractual restrictions.

Location of Processing and Accessibility

The platform is intended for use in the United States unless we agree otherwise in writing. Information may be processed in the United States and in other locations where our service providers operate. If international privacy laws apply, we will address them through appropriate contracts, notices, transfer mechanisms, and customer-specific terms.

We aim to provide privacy information in a clear and accessible manner. If you need this Policy in an alternative format, contact privacy@taletykes.com.

Changes to This Policy

We may update this Privacy Policy from time to time. If changes are material, we will provide notice by posting the updated Policy, changing the last updated date, sending email, displaying in-app notice, notifying organization administrators, or using another reasonable method. Continued use after an updated Policy becomes effective means information will be handled under the updated Policy to the extent permitted by law and contract.

For school and district customers, changes that materially affect student data processing may also be governed by the notice, amendment, or approval terms in the applicable contract.

Contact, Requests, and Complaints

Privacy questions, access requests, deletion requests, consent questions, school contract questions, and student data questions may be sent to privacy@taletykes.com. Legal notices may be sent to legal@taletykes.com. Support requests may be sent to support@taletykes.com. Security reports may be sent to security@taletykes.com.

If your account or learner profile is managed by a school or district, we may direct your request to that school or district or ask for confirmation from the school or district before acting. We may need to verify identity, authority, guardian relationship, organizational role, or legal right before fulfilling a request.