Privacy Policy

TaleTykes is a reading, writing, and educational technology service operated by SpaltX Industries. This Privacy Policy applies to the TaleTykes website, applications, dashboards, APIs, communications, and related support interactions that link to or reference this policy.

This policy applies differently depending on how the service is used. When a family creates and manages an account directly, TaleTykes generally controls the information described here. When a school, district, teacher, or other educational institution deploys TaleTykes for classroom or school use, the institution may direct how certain student information is collected, accessed, corrected, exported, and deleted, subject to applicable law and contract terms.

We collect information that is reasonably necessary to operate, secure, personalize, and support TaleTykes. Depending on the account type and enabled features, that information may include:

• Account data: name, email address, account role, school affiliation, parent-child links, teacher-student links, login credentials, single sign-on identifiers, and profile images or avatars.
• Learner profile data: date of birth for age verification, age or grade-band information, reading level, phonics level, preferences, goals, interests, support strategies, learning context, parent notes, teacher-entered observations, and similar profile settings used to personalize the reading experience.
• Education and usage records: books read, pages viewed, reading session duration, quiz and comprehension results, assignment activity, vocabulary encounters, progress indicators, streaks, achievements, classroom participation, and analytics generated from in-product activity.
• Content and submissions: prompts, stories, writing drafts, feedback, messages, support plan materials, reports, moderation submissions, and contact form messages.
• Transaction and subscription data: plan type, subscription status, Stripe customer or checkout references, billing events, and credits usage. Full payment card details are handled by our payment processor rather than stored by TaleTykes.
• Technical and security data: log data, approximate network and device information, session identifiers, browser data, security events, rate-limiting signals, audit trails, and diagnostics reasonably necessary to operate and defend the service.

We may collect information from the following sources:

• Directly from parents, guardians, teachers, school staff, and other adult users.
• From children or students when they use reading, writing, or classroom features.
• From schools and districts through roster uploads, class assignments, or administrative setup.
• From authentication and single sign-on providers such as Google, Clever, or ClassLink, when enabled.
• From payment and communications vendors when transactions or support workflows occur.
• From automated system activity, analytics, moderation, and security monitoring generated during service use.

We use personal information to:

• Provide access to TaleTykes and authenticate users.
• Personalize reading content, writing tools, accessibility settings, and learning pathways.
• Support school, family, and classroom workflows, including dashboards, assignments, and progress reporting.
• Process subscriptions, payments, credits, renewals, and account administration.
• Send service communications, security alerts, consent notices, and support responses.
• Detect abuse, fraud, unsafe content, technical failures, or violations of our terms.
• Maintain compliance with COPPA, FERPA, contractual obligations, legal process, and recordkeeping requirements.
• Improve, troubleshoot, and measure the performance of the service using aggregated or de-identified insights where appropriate.

TaleTykes is designed for child and student use, but children do not independently receive unrestricted access to the service. Where required, we seek verifiable parental consent before collecting personal information from a child under 13, and we restrict access until the required authorization is in place.

For direct family accounts, we may collect a child's date of birth to verify exact age, apply COPPA rules, and support family linking workflows that require both a one-time child code and the child's date of birth.

In a school-authorized context, a school or district may authorize the collection and use of a student's information for a school purpose consistent with applicable law. In those cases, the school or district remains responsible for its institutional notices, consents, and determinations regarding lawful disclosure of student information.

Consistent with FTC guidance for educational technology, school authorization is limited to a school-authorized educational purpose. TaleTykes does not rely on a school to authorize child-data uses for advertising, unrelated commercial profiling, or other non-educational commercial purposes.

We may disclose information in the following circumstances:

• Within the service: to authorized parents or guardians, linked teachers, school administrators, and other users who have a legitimate need to access the information through the product.
• Service providers and subprocessors: to companies that provide infrastructure, hosting, storage, authentication, email delivery, payment processing, moderation, analytics support, queueing, and AI functionality on our behalf and under contractual restrictions.
• School-directed disclosures: when a school or district instructs us to import, export, disclose, or delete student data in connection with school operations.
• User-directed sharing: when a user or account administrator chooses to publish content, share a book, or otherwise disclose material through available sharing tools.
• Legal and safety reasons: when reasonably necessary to comply with law, protect safety, prevent fraud, respond to lawful requests, or enforce our agreements.
• Corporate transactions: in connection with a merger, acquisition, financing, restructuring, or asset sale, subject to customary confidentiality and transition protections.

TaleTykes may use automated systems and third-party model providers to generate stories, generate illustrations, adapt prompts, assist with writing, help with moderation, recommend content, and support reading analytics. In our current implementation, text-generation workflows may use Anthropic and image-generation workflows may use OpenAI, along with related internal orchestration, logging, and storage systems.

Depending on the feature used, AI-related inputs may include prompts, story settings, current draft text, reading targets, age or grade-band information, phonics or vocabulary goals, curriculum instructions, themes, accessibility settings, and educational content submitted by a child, parent, teacher, or school user.

• Story generation may process learner reading targets, prompt settings, story structure, and book text to generate personalized reading content.
• Writing assistance may process the text a user submits so the service can return questions, spelling feedback, punctuation feedback, or style suggestions.
• Image generation may process story context and visual prompts to produce illustrations associated with a book.
• Safety and moderation tooling may process submitted content to detect potentially unsafe, abusive, or policy-violating material.
• Prompt, output, token, credit, and trace information may be logged and retained as reasonably necessary for product operation, abuse prevention, billing support, debugging, and auditability.

Automated outputs are probabilistic and may be incomplete or inaccurate. Parents, teachers, and school staff remain responsible for reviewing generated educational content before relying on it for instruction, intervention decisions, disciplinary action, or other high-impact contexts.

Users should avoid entering unnecessary sensitive personal information into prompts or drafts, including Social Security numbers, government identification numbers, full medical records, or financial account information, unless clearly necessary and lawfully authorized for the specific use case.

We use cookies, session tokens, and similar technologies to maintain login state, secure accounts, remember preferences, operate accessibility settings, prevent abuse, and support basic service analytics. Some browser-level controls may allow users to limit or clear these technologies, but doing so may affect core functionality.

We do not use children's personal information for third-party ad targeting. If we ever introduce optional analytics or advertising technologies that materially change our practices, we will update this policy and any required notices before doing so.

We retain personal information for as long as reasonably necessary to provide the service, comply with legal obligations, resolve disputes, enforce our agreements, and maintain appropriate business and security records. Retention periods may differ by account type, feature, and customer relationship.

1. Direct family account information is generally retained while the account remains active and for a limited period afterward to support restoration, compliance, and security needs.
2. School-managed student information is retained in accordance with the school or district relationship, contract terms, customer instructions, and applicable law.
3. AI prompts, outputs, generation traces, and usage logs may be retained for a limited period where reasonably necessary to deliver the feature, investigate misuse, support billing or credits, document authorization, or maintain security and audit records.
4. Consent records, audit logs, billing records, and fraud-prevention data may be retained longer where reasonably required to document authorization, detect misuse, or satisfy legal obligations.
5. Backups and archival copies may persist for a limited period until overwritten in the ordinary course.
6. We may retain de-identified or aggregated information that no longer reasonably identifies a person.

We maintain administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, destruction, loss, alteration, or disclosure. Those safeguards may include encryption in transit, credential protection, access controls, audit logging, role-based permissions, rate limiting, backup controls, and vendor due diligence.

Our current application controls also include short-lived revocable sessions, request correlation IDs, no-store headers on authenticated APIs, and encrypted storage for private learner photos before they are written to blob storage.

No security measure is perfect or impenetrable. Users are responsible for maintaining the confidentiality of their credentials and notifying us promptly if they suspect unauthorized access to an account.

Depending on the context of use and applicable law, the following rights may be available:

• Parents and guardians: may request access to, correction of, or deletion of their child's information, subject to identity verification and any school-managed account structure.
• Schools and districts: may request access, exports, corrections, suppression, or deletion of student records we process on their behalf, subject to contract terms and applicable law.
• Eligible students: may have rights under FERPA once those rights transfer from a parent to the student under applicable law.
• Adult users: may request access to or deletion of their account information, subject to legal exceptions and reasonable verification steps.
• Certain state residents: may have additional privacy rights under applicable U.S. state law.

To exercise privacy rights, contact privacy@taletykes.com. We may need to verify identity, confirm authority over the account, or coordinate with the applicable school or district before acting on a request.

Depending on the context, those requests may include AI-related prompts, generated outputs, stored drafts, story content, and usage records associated with the applicable account or school deployment.

TaleTykes is operated in the United States and may be hosted or processed by service providers that store or process information in the United States or other jurisdictions where they operate. By using the service, users understand that information may be transferred to and processed in jurisdictions that may have different data protection laws than the user's place of residence.

We may update this Privacy Policy from time to time to reflect product changes, legal requirements, or operational needs. Material changes will be posted on this page and, where appropriate, communicated through the service or by direct notice. The updated policy becomes effective on the stated "Last updated" date unless a different date is specified.

For privacy questions, data rights requests, COPPA matters, or school privacy reviews, contact privacy@taletykes.com.

For general support, contact contact@taletykes.com. For legal notices or contract questions, contact legal@taletykes.com.