Privacy Policy

Reading Compass is a service of BLEKS Education Technology Solutions, Inc., a Delaware corporation registered as a foreign corporation in Texas.

Reading Compass is submitted to the Apple App Store under the Education category with a 4+ age rating. Reading Compass is an education app sold to parents and educators for use by their children. It is not a Kids Category app, and it is not designed for child-directed browsing or play.

This Privacy Policy applies to Reading Compass, the readingcompass.ai website, the Reading Compass iOS application, and any related services that link to this policy. It does not apply to third-party websites, apps, or services that may be linked from our materials.

Understanding the service architecture helps make the rest of this policy clearer. Reading Compass works as follows.

The parent registers and pays for Reading Compass on our website at readingcompass.ai. During registration, the parent provides their email address, sets a password, adds a payment method through Stripe, and provides verifiable parental consent for their child's participation. The consent the parent provides at signup covers all of the uses of the child's information described in this policy, including the improvement and model-training use described in Section I. The parent then creates a child profile by entering the child's first name and date of birth. No last name, school, address, or phone number is collected for the child. A parent may authorize an educator to administer or review assessments inside the parent's account; the educator operates within the parent's account and does not have a separate identity or separate consent path in the data model.

After the child profile is created, the parent (or the educator the parent has authorized) generates a QR code on the dashboard. The QR code carries a short-lived signed token (typically valid for fifteen minutes) that lets the iOS app start an assessment for that child profile. The token is not a name, an email address, or a durable identifier. It is bound to a single child session.

The child uses the iOS app on an iPhone or iPad. The child scans the QR code, and the assessment begins. During the assessment, the iOS app records audio and short video frames as described in Section D, and captures a single still image of the child for the dashboard. When the assessment finishes, the audio, the still image, and the responses are uploaded to our backend. The iOS app does not keep the parent's name, email address, or payment information. It does not have a durable identity for the child beyond the short-lived session token.

Our backend processes the audio through OpenAI's Whisper service for transcription, then through OpenAI's comparator service for scoring. The transcripts and the scores are stored and made available on the parent's dashboard. The parent (or authorized educator) reviews the results on the website after authenticating with their email and password.

The dashboard a parent sees after each session includes the child's score and per-item results, audio playback of the session, the snapshot still image, and session metadata. The dashboard also surfaces the child's progress over time across multiple assessment sessions, so the parent can see trends in performance as the child uses Reading Compass over weeks, months, and years.

We also maintain a separate internal administrative dashboard that is used by BLEKS staff and our engineering team for product testing, quality assurance, debugging, and product-improvement purposes. Parents and educators have no access to the internal administrative dashboard. Internal access to child information is governed by the role-based access controls described in Section L and is limited to staff with a current need for that access.

This architecture concentrates the sensitive data behind the parent's web account. The iOS app collects only what is needed to administer the assessment. We describe the data flows in detail in the sections that follow.

We use the information described in Section D for the following purposes:

To run the assessment and generate the report. This is the core service. Audio and video go through transcription and scoring; results appear on your dashboard.

To render the longitudinal progress view on your dashboard. We use session data and per-session scoring outputs to show your child's progress over time, so that you can see trends in performance as your child uses Reading Compass over weeks, months, and years.

To communicate with you transactionally. Account confirmations, password resets, billing notifications, support responses, important policy updates.

To send marketing email if you opt in. When you create your account, you can choose whether to receive non-essential marketing email about Reading Compass. You can opt out at any time using the link in any marketing email. Marketing email never contains your child's information.

To support internal operations of the service. Our staff and engineering team review session data and metrics, through our internal administrative dashboard, for the purposes of debugging, quality assurance, accuracy validation, and product improvement. This use is permitted under the internal-operations principles described at 16 C.F.R. § 312.4(d)(7). Access is role-based and limited to staff with a current need for that access; see Section L.

For aggregate, de-identified analytics that supports core operations. Counts of how many parents complete signup, retention rates, drop-off points in the assessment flow. This information cannot be linked back to any individual child.

To improve and train Reading Compass (see Section I). We use retained audio, video, and transcripts to train Reading Compass's own scoring and analysis models, improve the accuracy of the assessment, and inform product research and design. This is a first-party use, disclosed to you before signup, and covered by the consent you provide at signup. We describe it in detail in Section I. We do not sell this data and we do not disclose it to any third party for that third party's own purposes.

To comply with legal obligations. We respond to lawful requests, comply with applicable laws, and cooperate with regulatory and law enforcement inquiries when required.

To detect fraud and protect the service. We monitor for unusual activity, abuse, and security incidents.

We do not use any of the information described in Section D to create a profile of your child for advertising. We do not engage in behavioral advertising of any kind.

We work with a small number of named service providers to run Reading Compass. Each is bound by a written agreement that limits its use of information to the services it provides to us and prohibits secondary use. We describe each one below.

We do not share your child's information with third parties for marketing, advertising, or research purposes outside Reading Compass. We do not sell your child's information.

We do not use HeyGen, Inc. as a runtime sub-processor at this time. Our avatar instruction videos were produced by HeyGen prior to deployment and are now served as static animated content from our content delivery network; no child data is transmitted to HeyGen's infrastructure during any assessment session. If we activate a feature that transmits child data to HeyGen in the future, we will execute a Data Processing Addendum with HeyGen and update this policy before the feature is enabled.

We are migrating our hosting from Render, Inc. to Amazon Web Services. Until the migration completes, some workloads may run on Render, Inc. infrastructure under Render's service-provider terms.

We may also disclose information in the following limited situations: (a) to comply with a lawful request from a government authority, (b) to protect the rights, safety, or property of BLEKS, our users, or others, and (c) in connection with a corporate transaction such as a merger, acquisition, or sale of assets. If a corporate transaction would result in your child's information being treated under different practices, we will notify you and give you a meaningful opportunity to delete your child's data first.

We retain information only as long as we need it for the purposes described in this policy. Federal law prohibits indefinite retention of children's personal information.

A core feature of Reading Compass is the parent dashboard's longitudinal view of your child's progress over time. To support that feature, and to improve and train the Reading Compass models as described in Section I, we retain your child's per-session audio, video segments, snapshot still, transcripts, scoring outputs, and session metadata for the life of your child's profile. You can delete your child's data at any time using the mechanisms described in Section K, and we will complete deletion within thirty days of your request.

The table below describes our default retention by data class. The full per-element retention windows are specified in our Data Retention and Deletion Policy, which is available on request and which this policy incorporates by reference.

The iOS Identifier for Vendor (IDFV) is a string Apple provides to apps from the same developer. We use it for the following internal-operations purposes and only these purposes:

Crash reporting. When the iOS app crashes, we use the IDFV to correlate the crash report with the session in our logs so we can diagnose and fix the issue.

Anti-fraud on session tokens. We use the IDFV alongside the short-lived session token to detect attempts to reuse or share tokens across devices.

Engineering debugging. When you contact support about an issue with a specific assessment, we use the IDFV to find the related session in our logs.

We do not use the IDFV for behavioral advertising. We do not use it to track your child across other apps. We do not use it to build a profile of your child. We do not share it with advertising networks or analytics providers outside Reading Compass.

This describes the internal-operations purposes referenced in 16 C.F.R. § 312.4(d)(7) and the safeguards required by 16 C.F.R. § 312.7.

This section describes how we use your child's retained audio, video, and transcripts to improve and train Reading Compass. This is a first-party use that is part of how the service works. It is disclosed to you in plain terms before you complete signup, and the verifiable parental consent you provide at signup (Section J) covers it. There is no separate optional toggle for this use, because it is integral to operating and improving the assessment you are signing up for. You retain the right at any time to delete your child's data and to refuse further collection, as described in Section K.

Federal law (16 C.F.R. § 312.5) requires us to obtain verifiable parental consent before we collect personal information from a child under thirteen. We use the following method:

Primary method: monetary transaction through Stripe. When you subscribe to Reading Compass, you provide a payment method through Stripe. Stripe processes a transaction that notifies the primary card account holder. This satisfies the monetary-transaction method described in 16 C.F.R. § 312.5(b)(2)(ii). The transaction also serves to confirm that you, as the parent or legal guardian, have the authority to provide consent for your child's participation.

If you are participating in a free beta or trial period, your card is not charged during that period. The card capture still serves to verify parental consent. You receive at least fourteen days' notice before any charge is made, and you can cancel before any charge.

Fallback methods for edge cases. If the monetary-transaction method is not available in your circumstances (for example, a declined card or a gift subscription), we will offer one of the alternative methods described in 16 C.F.R. § 312.5. The specific fallback we offer will be determined at the time of the edge case and disclosed to you.

Direct parental notice. Before we collect any personal information from your child, we send you a direct parental notice that:

• States that the consent process collected your contact information
• Describes the information we will collect from your child, how it will be used, and who it is disclosed to
• Links to this policy
• Explains that we do not disclose your child's information to any third party for that third party's own purposes, so there is no separate non-integral disclosure for you to consent to, and that all uses, including the improvement and model-training use in Section I, are covered by the consent you provide
• States how you can provide and revoke consent

The notice is sent automatically as part of the signup flow. You can request a copy of the notice at any time at privacy@readingcompass.ai.

No non-integral third-party disclosures. Federal law lets a parent consent to collection and use of a child's information without being required to consent to disclosing it to third parties for purposes that are not integral to the service. Reading Compass has no such disclosures: we do not sell your child's information and we do not give it to any third party for that third party's own purposes. The service providers in Section F act only on our behalf. The improvement and model-training use in Section I is a first-party use, disclosed to you before consent, and is part of the service you are consenting to. There is therefore no separate disclosure consent to present.

You can exercise the following rights over your child's information at any time:

Review. You can review your child's data on your account dashboard at readingcompass.ai. The dashboard shows the assessments your child has completed, the scores, the snapshot still images, the progress trend over time, and (subject to retention) playback of the recorded audio. We can also send you a copy of your child's data on request.

Correction. You can correct your child's first name, date of birth, or pseudonym in your dashboard. If you need help correcting other information, contact us at privacy@readingcompass.ai.

Deletion. You can delete your child's data at any time. We complete deletion within thirty days of your request.

Refuse further collection. You can refuse further collection of your child's information by deleting the child profile, by canceling the subscription, or by contacting us. After you refuse further collection, we will not collect new information about your child.

Revoke consent. You can revoke the parental consent you have given at any time. Because the uses described in this policy, including the improvement and model-training use in Section I, are integral to the service, revoking consent ends your child's access to Reading Compass and is treated as a deletion request. We complete deletion within thirty days. You do not have to revoke consent to stop a specific use; deleting your child's data or canceling the subscription stops further collection while leaving prior results on your dashboard until you delete them.

You can exercise these rights through the following mechanisms:

• Email: privacy@readingcompass.ai (we respond within two business days; deletion is completed within thirty days)
• Web: sign in at readingcompass.ai, go to your dashboard, choose Privacy

An in-app privacy controls screen is planned for a future update of the Reading Compass iOS application. Until that update ships, the email and web mechanisms above are the supported paths.

We use reasonable, scaled, and proportionate safeguards to protect your child's information. Specifically:

Encryption. Object storage of audio, snapshot stills, and any retained video uses AWS KMS-managed encryption (AES-256) with a bucket policy that denies any upload not using KMS. Transport between your device, our backend, and our sub-processors uses TLS 1.2 or higher. Database storage is encrypted at rest in our cloud provider's managed-database service.

Access controls. Role-based access control. Employees, contractors, and vendors who do not need access to your child's data do not have it. Internal access to child information by BLEKS staff and our engineering team occurs through our internal administrative dashboard, is bound by the role-based controls described in this section, and is limited to staff with a current need for that access for the internal operational purposes described in Section E.

Storage-key minimization. Object-storage keys for child audio, the snapshot still, and any retained video use pseudonymous numeric identifiers only. No child names, dates of birth, email addresses, or other personal information appear in object-storage keys.

Vendor oversight. Each service provider is bound by a written agreement that requires it to use information only to provide its services to us, prohibits secondary use, and requires deletion on termination. We review our service providers' security practices.

Designated security coordinator. Our Chief Operating Officer serves as the designated coordinator for our information-security program for children's information, as required by 16 C.F.R. § 312.8.

Incident response. We maintain a written incident-response procedure. If we discover a security incident affecting your child's information, we will notify you and take appropriate corrective action consistent with applicable law.

Written program. The full Children's Information Security Program is a separate document available to regulators, auditors, and counsel on request. This policy summarizes the program's key elements; the program is the controlling document for our internal practices.

Reading Compass is intended for children ages three to eleven, taking the assessment under their parent's supervision. We do not knowingly collect personal information from children under thirteen except through the parent-led consent flow described in Section J. If we learn that we have collected information about a child under thirteen without verifiable parental consent, we will delete that information promptly.

If you believe we have collected information about your child without your consent, please contact us at privacy@readingcompass.ai. We will investigate and delete the information if we cannot verify consent.

We do not market directly to children. The Reading Compass website, the iOS app, and our marketing materials are addressed to parents and educators.

This policy applies to users in the United States. The following state laws apply in addition to federal law where relevant.

Texas. We comply with the Texas Education Code §§ 32.151–32.157 (the Student Online Privacy Protection Act, or SOPIPA). We do not engage in targeted advertising directed to your child or use your child's covered information to amass a profile for non-educational purposes. We comply with the Texas App Store Accountability Act: any age-verification information passed to us by Apple's App Store after age verification is completed is used only for that purpose and deleted promptly thereafter.

Delaware. We comply with the Delaware Online Privacy and Protection Act (Del. Code tit. 6, § 1204C). We do not engage in targeted advertising to children, do not use the personal information of children for the purpose of marketing or advertising specific products or services, and do not knowingly compile, use, or share personal information of children for purposes other than those described in this policy.

California. Although Reading Compass does not currently operate as a California-resident-focused service, we voluntarily align with the California Consumer Privacy Act in providing the access, deletion, and minimization rights described in Sections K and Section D. California residents may contact us at privacy@readingcompass.ai to exercise CCPA-equivalent rights.

If you are subject to a state children's privacy law not listed here, please contact us. We are committed to compliance with applicable laws.

The Reading Compass iOS app is distributed through the Apple App Store. In addition to this policy, Apple maintains an "App Privacy Details" entry on Reading Compass's App Store listing. The App Privacy Details entry mirrors the data collection and use practices described in this policy and provides Apple's standardized format for users browsing the App Store.

If the App Privacy Details and this policy ever appear to differ, this policy is the controlling document. We will update the App Privacy Details to match this policy as soon as practical.

We have completed or will complete Apple's 2025 age-rating questionnaire to receive the 4+ age rating in the Education category. The questionnaire response on file with Apple discloses the AI features used in Reading Compass — OpenAI Whisper for transcription and OpenAI's Responses API as the comparator/evaluator that scores the transcribed responses. When we activate any feature that materially changes that disclosure (for example, the future side-by-side-comparison feature in Section I, the activation of the HeyGen avatar deferred from the first release, or the activation of Sentry crash reporting), we will update the questionnaire response and this policy.

We may update this policy from time to time. The "Last Updated" date at the top of the policy reflects the most recent revision.

Notice for material changes. When we make a material change — for example, adding a new sub-processor that processes child information, activating any of the future uses described in Section I, or changing a retention window in a way that reduces your privacy protections — we will notify you by email, by a banner on readingcompass.ai, and by an in-app notification before the change takes effect.

Notice for non-material changes. For non-material changes (such as clarifying language or correcting typos), we update the policy and the "Last Updated" date without separate notice.

Reasonable notice period. Material changes that reduce privacy protections will not take effect for at least thirty days after notice, giving you time to review and, if you choose, delete your child's data and cancel the subscription before the change applies.

Version history. We retain prior versions of this policy and can provide them on request at privacy@readingcompass.ai.

If you have questions, concerns, or requests about this policy or about your child's information, please contact us:

If you have a complaint about our privacy practices that we have not resolved, you may also contact the Federal Trade Commission at https://reportfraud.ftc.gov, the Texas Attorney General's Office (for Texas residents), or your state attorney general's office.

This version (v0.4): 2026-05-15 — substantive revision. Adopts a single-consent architecture: audio and video are recorded and retained, and used to operate and to improve and train Reading Compass, disclosed as a primary purpose covered by the verifiable parental consent obtained at signup. Removes the separate optional default-off future-use consent toggle that appeared in v0.1 through v0.3. Parental rights to delete data and refuse further collection are unchanged.

Previous version (v0.3): 2026-05-14 — publication-ready cleanup of v0.2 (placeholder fill-in, internal drafting notes removed, contact addresses corrected). No substantive policy change at v0.3.

v0.2 supersedes v0.1 (dated 2026-05-04). The v0.2 revision incorporates the results of the CloudEva pre-publication legal-and-technical audit dated 2026-05-12 and the two-dashboard product clarification (parent-facing dashboard with longitudinal progress tracking + internal administrative dashboard for BLEKS staff and engineering use).

This policy supersedes the prior internal Reading Compass / BLEKS privacy policy drafts dated July 11, 2025, July 16, 2025, and August 10, 2025, none of which were published.

The policy is effective as of the Effective Date listed at the top of this document.