Last updated: June 2026
At Helperbird, we take privacy and security seriously. It's not just a policy. It's a promise to all our users.
Our dedication is especially deep when it comes to protecting the rights and safety of students, children, and anyone who relies on us for accessibility.
We are aligned and compliant with the rules and standards set out in the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR), every major US state student‑privacy law, and the HIPAA Business Associate model for our subprocessor chain.
And we make it easy for schools, districts, and healthcare‑adjacent organisations to verify exactly how.
Standards we are aligned and compliant with
Here's the full list of frameworks and laws Helperbird is built to meet, with status for each. If you're a school IT director, a district procurement team, or an enterprise compliance reviewer, this is the snapshot you'll want first.
| Standard | Status | What it covers |
|---|---|---|
| COPPA (Children's Online Privacy Protection Act) | ✅ Compliant | No collection from children under 13; subscription-key activation requires no personal information |
| FERPA (Family Educational Rights and Privacy Act) | ✅ Compliant | No access to education records; designed to operate under the School Official Exception |
| GDPR (EU General Data Protection Regulation) | ✅ Aligned | Article 28 processor terms + SCCs included in our DPA; EU/UK Article 27 representative being appointed |
| UK GDPR + Brexit standards | ✅ Aligned | Same as GDPR with UK Addendum |
| HIPAA Business Associate model | ✅ Active BAA stack | Signed BAAs with OpenAI, AWS, and Microsoft Azure |
| OpenAI Zero Data Retention (ZDR) | ✅ Active | Confirmed Active on Helperbird's OpenAI organisation |
| NY Education Law § 2-d + Part 121 | ✅ Compliant | Bill of Rights for Data Privacy and Security |
| California SOPIPA (Student Online Personal Information Protection Act) | ✅ Compliant | Cal. Bus. & Prof. Code § 22584 |
| Texas Student Privacy Act | ✅ Compliant | Tex. Educ. Code § 32.1518 |
| Utah Student Data Protection Act | ✅ Compliant | Utah Code § 53E-9-301 |
| Illinois Student Online Personal Protection Act (SOPPA) | ✅ Compliant | 105 ILCS 85 |
| Connecticut Student Data Privacy Act | ✅ Compliant | Conn. Gen. Stat. § 10-234aa |
| Maryland Online Data Privacy Act (MODPA) + Maryland Student Privacy Act | ✅ Compliant | Md. Code Ann. § 14-4601 et seq. |
| SDPC National Data Privacy Agreement | ✅ Accepted | Multi-state model DPA accepted in our standard template |
| CASA Tier 2 (Cloud Application Security Assessment) | ✅ Self-attested | Google-recognised security assessment for Workspace apps |
| OWASP ASVS Level 2 | ✅ Self-attested | Application Security Verification Standard v4.0.3 |
| NIST Cybersecurity Framework 2.0 | ✅ Profile published | Tier 2 (Risk Informed) |
| SOC 2 Type II | 🟡 Preparing | Audit targeted 2027 |
| ISO/IEC 27001 | 🟡 Preparing | Certification targeted 2027 |
Family Educational Rights and Privacy Act (FERPA)
For the full deep‑dive, see our dedicated FERPA Compliance page.
Helperbird is built so that student privacy is respected and protected at every level. The simplest way to say it is this:
We do not access, use, or disclose any education records.
Helperbird does not access, collect, store, or disclose any education records. Ever.
Pro features are activated using a subscription key that requires no email, no name, no student data, and no personal information of any kind. Student data and education records simply never touch Helperbird's systems.
We operate under the FERPA School Official Exception.
When a district designates Helperbird as a "School Official" with legitimate educational interests under 34 C.F.R. § 99.31(a)(1)(i)(B), we operate under the school's direct control, never redisclose, and use any information solely to deliver the service the district has chosen to offer.
Online features are transient. Never stored, never trained on.
When you use an online feature (our AI tools, online natural voices, or online voice typing), only the specific text or image you choose is processed transiently by our subprocessors, solely to return your result. It is not stored, not used for advertising, and not used to train AI models.
Helperbird operates under Zero Data Retention (ZDR) on our OpenAI organisation, and Microsoft Azure Speech is non‑retaining by default.
Schools stay in full control of deployment.
Individual features can be disabled organisation‑wide via Google Admin Console (JSON policy), Microsoft Intune, or the equivalent Firefox enterprise policy at any time. Many districts choose to enable only the on‑device features for younger grades and add online features for older students.
We make signing a DPA easy.
We publish a standard Data Privacy Agreement that includes a FERPA "School Official" schedule, GDPR Article 28 + SCCs, COPPA "school as agent" terms, and state-specific exhibits (NY Ed‑Law § 2‑d, CA SOPIPA, TX Student Privacy Act, Utah, Illinois SOPPA, Connecticut, Maryland).
We also accept the SDPC National Data Privacy Agreement, and we'll happily counter‑sign a district's own template. Whatever's easiest for your team.
Children's Online Privacy Protection Act (COPPA)
For the full deep‑dive, see our dedicated COPPA Compliance page.
We take child safety seriously, and we've built Helperbird so that protecting children's privacy isn't a thing we have to remember to do. It's the default. The simplest way to say it:
We do not collect personal information from any user, child or adult.
Helperbird does not collect personal information from any user, child or adult.
Pro features are activated using a subscription key that requires no email, no name, no personal information of any kind. This is how the vast majority of our school customers deploy Helperbird.
Children and adults alike use the same subscription-key activation method, so there is no separate data path for under‑13 users to begin with.
No personal information is required. Ever.
The free version requires no login or email and works offline on your device. The Pro subscription key requires no personal information at all.
We recommend the subscription-key method for any school deployment involving students under 13. It's the cleanest path, and it's what most of our schools use.
Email-based activation is optional, and protected by school‑as‑agent VPC.
For organisations that prefer email-based activation, an optional path is available. Where this path is used for a student under 13, we ask the school or teacher to obtain verifiable parental consent on the parent's behalf under the FTC-recognised "school as agent" doctrine.
That email is used solely to check subscription status, never for marketing, profiling, or advertising, and we don't retain it beyond the verification request.
No cookies. No tracking. No profiling. No advertising. Ever.
We do not use cookies, third-party tracking, advertising, behavioural profiling, or any technology that could compromise children's privacy. By architecture, not just by policy. And never quietly reversible.
Ensuring Privacy for All Ages
Understanding the importance of accessibility and privacy for users of all ages, Helperbird is committed to the principles set by COPPA and FERPA. We strive to create a safe and accessible online environment for everyone, including the most vulnerable users:
For Basic Features
We offer our services without requiring a login, ensuring that these tools are readily accessible to all users. This approach allows us to not knowingly collect or store any personal information, ensuring ease of access while maintaining strict privacy.
The free version (including reading tools, dyslexia fonts, colour overlays, and local (built-in) text-to-speech) runs entirely on the user's device and works offline, sending nothing to Helperbird or any third party.
Optional online features (natural Pro voices, online voice typing, and AI tools) are Pro-only and can be disabled by administrators at any time.
For Helperbird Pro
Those interested in Helperbird Pro can sign up at Helperbird.com/pricing/. Payment is handled through Stripe (PCI DSS Level 1 certified). Helperbird does not see or store credit card details.
Helperbird Pro is activated in one of two ways. We recommend the subscription-key method for all school and organisation deployments.
Subscription Key Method (recommended)
A subscription key activates Pro features with no email, no name, no student data, no personal information whatsoever. This is how the vast majority of our schools and organisations deploy Helperbird.
It's the cleanest path for FERPA, COPPA, and GDPR posture because there is simply nothing personal to collect. Subscription keys are distributed by administrators to staff and students through whatever channel the organisation prefers (LMS, email, posted materials, etc.).
In-App (Extension) Email Verification (optional alternative)
For organisations that prefer email-based activation, an optional path is available. The user allows Helperbird to read the email associated with their browser profile, solely so we can check subscription status.
We do not track users, store the email beyond the verification request, or share it with anyone.
Where this path is chosen for a student under 13, the school or teacher must obtain verifiable parental consent under the FTC-recognised "school as agent" doctrine.
Continuous Compliance and Improvement
We are continuously working to ensure our services comply with the latest standards, conducting regular reviews and updates to our practices.
This commitment to ongoing improvement helps us stay in line with compliance laws and maintain the highest levels of privacy and security for our users.
Verifiable Parental Consent
The subscription-key method is our recommended path for any school deployment involving under-13 students because it requires no personal information at all. There is nothing for Helperbird to collect, and therefore no parental consent question to resolve.
For organisations that choose to use the optional email-verification path for a student under 13, the school or teacher must obtain verifiable parental consent on the parent's behalf under the FTC-recognised "school as agent" doctrine before the student's email is used.
This is consistent with established Federal Trade Commission guidance for educational online services.
To be crystal clear: even when the email-verification path is used, the email is used solely to check subscription status. It is not used for marketing, profiling, advertising, or any other purpose.
Helperbird does not retain it beyond the verification request.
Have Questions or Concerns?
Your trust and safety are paramount to us. We genuinely love hearing from districts, teachers, parents, and compliance teams. Even (especially) when the questions are tough.
- General questions: [email protected]
- Privacy or data‑subject requests: [email protected]
- HIPAA BAA, DPA, audits, compliance attestations: [email protected]
- Security disclosures: [email protected]
- Legal and DMCA: [email protected]
We're here to make sure your experience with Helperbird is secure, private, and enriching for everyone. Students, staff, parents, and compliance officers alike.
Subprocessor BAA chain
Helperbird uses no third-party tracking or analytics.
We rely on a small set of subprocessors, strictly to deliver features you choose to use, and each subprocessor that could touch user content operates under an active HIPAA Business Associate Agreement (BAA):
- OpenAI. Signed HIPAA BAA; Zero Data Retention (ZDR) Active on Helperbird's organisation.
- Amazon Web Services. Business Associate Addendum Active in AWS Artifact.
- Microsoft Azure (online voices, online voice typing, Immersive Reader). HIPAA BAA auto-incorporated via the Microsoft Customer Agreement and the Microsoft Products and Services Data Protection Addendum.
- Stripe (payments). Standard DPA; PCI DSS Level 1 certified; does not see Helperbird user content.
None of our subprocessors use user content to train AI models or for advertising, and your content is not retained.
See our privacy policy, our standard Data Privacy Agreement, and our HIPAA Business Associate Agreement template for the full, current list and the underlying contractual language.