How StoryRetriever handles data
A plain-language summary for families, professionals, and institutional buyers. If you need additional documentation for a procurement or compliance review, email us at support@storyretriever.com.
How we handle child data
StoryRetriever does not collect data directly from children. All accounts belong to a parent or guardian (family accounts) or a Speech-Language Pathologist or other licensed professional (professional accounts). Children interact only with content their parent or professional has created and shared. We are designed with COPPA requirements for educational and family-facing platforms in mind.
Encryption
- Data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted in our cloud infrastructure, including backups.
Where data is stored
Customer data is stored in cloud infrastructure operated by reputable providers in the United States.
Specific provider, region, and sub-processor details available on request.
Incident response
If we identify a security incident affecting customer data, we notify affected accounts within 72 hours of confirming the issue. We are working toward a third-party security audit and will publish a summary here when complete.
Data Privacy Agreements (DPAs)
We provide a Data Privacy Agreement to any school, clinic, or institutional buyer on request. Most are returned within three business days.
Request a DPAAccount deletion
Any user can delete their account and data at our delete account page. When a parent or professional deletes their account, all stories, communication boards, and child profiles tied to it are removed within 30 days.