Privacy Policy

Effective April 14, 2026

EnrichPoint (“we,” “us,” or “our”) operates the epSpeak mobile app and the web portal at enrichpoint.com/epspeak. This policy explains what information we collect, how we use it, and your choices. We wrote this in plain language because the people using epSpeak, including caregivers, practitioners, and end users, deserve to understand it without a lawyer.

1. Information we collect

We collect only what's needed to run the service:

  • Account info (Firebase Authentication): your email address and a secure password hash. We do not store your password in readable form. If you sign in with Google, we receive your email and display name from Google; no Google password ever touches our servers.
  • Profile info: display name, role (caregiver, practitioner, end user, admin), and the family or class you belong to. Caregivers and practitioners add profile details for the end users in their care (name, optional avatar).
  • Content you create: categories, items, notes, goals, photos, and any custom vocabulary you add. This is yours. We store it so the app works across your devices.
  • Usage analytics: which items the end user taps and when, how long sessions last, and which features are used. This powers the analytics dashboards caregivers and practitioners rely on. We do not collect audio recordings of speech, keystrokes outside the app, or activity from other apps on the device.
  • Device and log data: app version, device model, operating system, approximate location derived from IP, crash reports, and error logs. Used to keep the app working and fix bugs.
  • Push notification tokens: when enabled, we store the device token so we can send alerts (new notes, category updates, alert pings). Tokens are stored at fcmTokens/{userId} and rotated automatically.

2. Camera and photo library

epSpeak asks for camera and/or photo-library access so caregivers, practitioners, and end users can take or pick photos to use as category items (for example, a photo of a favorite food or toy). These photos are:

  • Captured only when you tap the camera / photo button inside the app.
  • Uploaded to your private Firebase storage bucket, tied to your account.
  • Visible only to you and the caregivers, practitioners, or family members you have authorized.
  • Never used for facial recognition, advertising, or training machine-learning models.

You can revoke camera or photo-library permission at any time in your device settings. Existing photos remain in your account until you delete them or delete your account.

3. How we use your information

  • To provide, maintain, and improve the service.
  • To sync your content across your signed-in devices.
  • To produce the analytics, notes, and alerts caregivers and practitioners use.
  • To send you transactional email (account verification, password reset, subscription receipts, weekly digest if you've opted in).
  • To respond to your support requests.
  • To detect fraud, abuse, or technical problems.

4. We do not sell your data

We do not sell, rent, or trade your personal information to third parties. Ever. We do not show you ads, and we do not share your content with advertisers, data brokers, or social networks.

5. Where your data is stored

epSpeak is built on Google Firebase (Firebase Authentication, Cloud Firestore, Cloud Storage, Cloud Functions, Cloud Messaging). Your data is stored in Google Cloud data centers and is protected by Google's infrastructure security, including encryption at rest and in transit. Google acts as our data sub-processor.

We use a small number of additional sub-processors, each for a narrow purpose:

  • Stripe: processes subscription payments. We never see your full card number.
  • OpenAI: used optionally when you request AI-generated categories or images. Prompts you submit are sent to OpenAI; we configure them not to train on your inputs.
  • SMTP email provider: sends transactional email on our behalf.

6. Who can see your data

  • You. Always.
  • Caregivers in your family can see end-user content, notes, goals, and analytics for the end users in that family.
  • Practitioners you've connected can see the end-user content and analytics for students on their roster. Connection requires your explicit pairing-code approval.
  • EnrichPoint staff access production data only when necessary to provide support or investigate bugs, and under a strict need-to-know policy.
  • Law enforcement only if compelled by a valid legal process, and we will tell you unless legally prohibited.

7. Children

epSpeak is designed for use by children as end users, under the supervision and account ownership of a caregiver or practitioner. A child's account is always created and managed by an adult caregiver in the same family, or by a practitioner with that caregiver's consent. We do not knowingly collect data directly from a child acting as an independent account holder. Caregivers may delete a child's account at any time from the portal.

8. Data retention and deletion

We keep your data for as long as your account is active. You can delete your entire account at enrichpoint.com/epspeak/delete-account, or erase just your personal content while keeping the account active at enrichpoint.com/epspeak/delete-data. Deletion removes your profile, content, analytics, and photos from Firebase within 30 days. Some backup copies may persist for up to 90 days before being purged. Anonymized, aggregated usage statistics that cannot be linked back to you may be retained for service improvement.

9. Your rights

Depending on your jurisdiction (for example, GDPR in the EU/UK, CCPA in California), you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data (most of this you can do yourself from the portal).
  • Delete your data (self-serve at the link above, or email us).
  • Export your data in a machine-readable format. Email us to request a copy.
  • Object to or restrict certain processing.
  • Withdraw consent for optional processing (push notifications, weekly digest) at any time.

To exercise any of these rights, email privacy@enrichpoint.com. We respond within 30 days.

10. Security

We use industry-standard practices: encryption at rest and in transit (TLS), role-based access control enforced by Firebase Security Rules, audit logging on sensitive operations, and regular dependency updates. No online service is 100% secure. If we ever discover a breach affecting your data, we will notify you and the appropriate regulators in accordance with applicable law.

11. HIPAA

epSpeak is not currently certified as HIPAA compliant. Full HIPAA certification (with Business Associate Agreements in place) is planned. If HIPAA compliance is required for your organization, please contact us before using epSpeak with Protected Health Information.

12. Changes to this policy

We may update this policy to reflect changes in the service or the law. If we make material changes, we'll email account holders and post a notice in the app. The “Effective” date at the top of this page always reflects the current version.

13. Contact us

Questions about this policy or your data? Email privacy@enrichpoint.com or write to:

EnrichPoint
Attn: Privacy
(mailing address available on request)