Privacy Policy
Last Updated: April 2026
1. What We Collect
When you sign in with Google, we receive your email address, name, and Google account ID. When you run an assessment, we collect a child label (which you control via the nickname field), an age band, and the behavioural observations you choose to share. We also keep audit metadata for every API call (timestamp, method, trace ID) for security review.
2. How We Use It
Your observations are forwarded to Google Gemini in redacted form — the child's name is replaced with [CHILD] before the request leaves our backend. Gemini returns a strength-based profile and strategies, which we store on your account so you can come back to them later.
We do not sell your data, share it with advertisers, or use your observations to train any AI model.
3. Sub-processors
The following service providers process data on our behalf:
- Google Cloud (GCP) — hosting in northamerica-northeast2.
- Google Identity — authentication via Google OAuth.
- Google Generative Language (Gemini) — strategy generation, redacted inputs only.
- Stripe — payment processing for premium subscriptions.
- New Relic — APM (no payload contents forwarded).
- GitLab — feedback issue tracking when you submit feedback.
4. Security
Data is encrypted at rest using customer-managed keys (Cloud KMS) and in transit (TLS 1.2+). The database is reachable only over a private VPC peering link — it has no public IP. Audit logs are append-only at the database level. PHI candidate fields are redacted before reaching our request-body audit capture.
5. Retention
Assessments and child profiles are retained for as long as your account exists, plus a 30-day grace period after deletion. Audit logs are retained for one year for SOC2 evidence. AI usage logs (token counts and costs only, no payload text) are retained for two years.
6. Your Rights
- Export your data via Account Settings → Export.
- Permanently delete your account via Account Settings → Delete Account.
- Request a copy of any audit log row that mentions you (PIPEDA / HIPAA right of access) by reaching out on our Support & Contact Page.
- Withdraw consent for AI processing — your prior assessments remain accessible read-only.
7. Children's Data
Spectrum Assist is intended for use by parents and legal guardians. We require explicit parental confirmation at onboarding. We do not knowingly collect data directly from children under 13. The child labels stored on your account are the labels you choose to enter — we encourage using a nickname or initials.
8. Contact
For privacy questions or data-subject requests, reach our Data Protection lead on our Support & Contact Page.