Last updated: June 2026
This Data Privacy Agreement (the "DPA") is offered by Coffee & Fun LLC (operating as Helperbird), a Limited Liability Company organised under the laws of the State of Arkansas, USA ("Helperbird", "we", "us").
Helperbird's registered office address is provided to Customer at execution.
It is intended to be executed by any organisation that uses or wishes to use the Helperbird Service in a context where personal data, education records, or other regulated user data may be processed (a "Customer", "you").
Common Customers include school districts, individual schools, businesses, public-sector organisations, charities, libraries, and government agencies.
For healthcare organisations whose use of Helperbird will involve Protected Health Information (PHI) under HIPAA, please use our separate Business Associate Agreement instead of, or in addition to, this DPA.
To execute this DPA, email [email protected] with your organisation's legal name, address, signer details, and the Helperbird account(s) to be covered.
Why this DPA exists, in plain English
When a school district, business, or other organisation deploys Helperbird, that organisation often has legal duties about how its members' or students' personal data is handled.
This DPA is the contract that lets you delegate part of that responsibility to Helperbird in a way that satisfies GDPR (for EU/UK users), FERPA (for US schools), COPPA (for under-13 students), and a growing list of US state student-privacy laws.
It's also a one-page promise about what Helperbird will and won't do with the data we touch on your behalf.
It is backed by everything that's already true about how we built the product.
Helperbird's posture: what backs this DPA
Before the legal text, here is what is true about Helperbird today. Each statement is verifiable from our Privacy Policy and our published subprocessor list.
Zero retention of user content. When you use Helperbird's online AI features, your text or audio is processed only for the moment it takes to return your result and is then discarded. We do not store it, retain it, log its contents, or use it to train AI.
Zero Data Retention (ZDR) is active on our OpenAI organisation. OpenAI confirms in our account dashboard that no API content is persisted or used for training.
The free tier transmits nothing to external AI services. AI features are Pro-only and require an active subscription. Schools that want to deploy only free-tier features incur no third-party data flow at all.
PII is removed on-device before transmission to AI services where technically possible, as described in our Privacy Policy.
Administrators can disable AI features entirely via managed storage policy (Google Admin Console for Chrome / ChromeOS, Microsoft Intune for Edge, equivalent Firefox enterprise policy). A district that wants Helperbird's accessibility features without any external AI calls can disable them with a single policy push. See our admin documentation for the exact policy keys.
Upstream contractual coverage is already in place with every infrastructure and AI subprocessor we use:
- OpenAI. Business Associate Agreement signed; Zero Data Retention active.
- Amazon Web Services (AWS). Business Associate Addendum active in AWS Artifact; standard EU Standard Contractual Clauses (SCCs) auto-incorporated in the AWS Customer Agreement.
- Microsoft Azure. HIPAA BAA incorporated via the Microsoft Customer Agreement and Microsoft Products and Services Data Protection Addendum; SCCs included.
- Stripe. Payment processor; standard DPA + SCCs auto-incorporated.
No advertising, no behavioural profiling, no selling of data. Ever. This is a property of how we built the product, not a policy that could be reversed quietly.
Security-framework readiness. Helperbird is preparing for SOC 2 Type II and ISO/IEC 27001 certification. Our existing technical and organisational controls are designed against the requirements of both frameworks. Until formal certification is complete, we describe ourselves as "audit-aligned" rather than "certified."
See our Privacy Policy for the current security-controls inventory and external scanning programme.
These properties make Helperbird unusually easy to deploy under FERPA, COPPA, and GDPR. The legal contract layer below is mostly documentation of what is already true.
1. Definitions
- "Affiliate" means an entity that controls, is controlled by, or is under common control with a party.
- "Customer Data" means any personal data that Helperbird processes on behalf of Customer in connection with the Helperbird Service.
- "Data Subject" means an identified or identifiable natural person to whom Customer Data relates.
- "Education Records" has the meaning given in 20 U.S.C. § 1232g(a)(4) (FERPA).
- "GDPR" means Regulation (EU) 2016/679, and where applicable the United Kingdom General Data Protection Regulation as it forms part of UK domestic law.
- "Helperbird Service" means the Helperbird browser extension, mobile applications, web apps, and any related online services made available by Helperbird.
- "Personal Data" means information relating to an identified or identifiable natural person, with the meaning given by applicable data protection law (including GDPR and US state privacy laws).
- "Processing" means any operation performed on Personal Data, with the meaning given by GDPR.
- "School Official" has the meaning given in 34 C.F.R. § 99.31(a)(1)(i)(B).
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission under Decision (EU) 2021/914 of 4 June 2021, including the UK Addendum where applicable.
- "Sub-processor" means any third party engaged by Helperbird to process Customer Data.
- "Underlying Agreement" means Helperbird's Terms of Service and the Pro subscription agreement under which Customer uses the Helperbird Service.
Capitalised terms not defined here have the meanings given to them in applicable data protection law.
2. Scope, roles, and nature of processing
2.1 Roles
With respect to Customer Data, Customer is the controller (or, where applicable, the educational agency or institution under FERPA) and Helperbird is the processor (or School Official, where applicable).
2.2 Nature and purpose of processing
Helperbird processes Customer Data solely to provide the Helperbird Service in accordance with the Underlying Agreement: that is, to deliver accessibility and productivity features such as text-to-speech, voice typing, reading mode, translation, summarisation, dictionary lookup, and related functionality, and to verify subscription status.
2.3 Categories of Data Subjects
Data Subjects include Customer's authorised users (such as staff, students, teachers, employees, members) who use the Helperbird Service under accounts associated with Customer.
2.4 Categories of Personal Data
The categories of Personal Data processed are limited to:
- account identifiers (email address, subscription state) processed via Stripe and Helperbird's licence-verification backend;
- user-supplied content that the user actively submits to a feature (for example, text selected for translation, audio dictated for voice typing). This content is processed transiently and never retained, as described in our Privacy Policy;
- user preferences and settings stored locally on the user's device or, where the user enables sync, in encrypted form via their browser vendor's sync infrastructure.
2.5 Duration of processing
Processing continues for the duration of the Underlying Agreement, plus any short period required for return or deletion as described in section 9.
3. Helperbird's obligations as processor
Helperbird will:
(a) process Customer Data only on documented instructions from Customer (the Underlying Agreement, this DPA, and Customer's use of the Helperbird Service in the ordinary course constitute such instructions), unless required to do otherwise by applicable law (in which case Helperbird will inform Customer of that legal requirement before processing, unless prohibited from doing so by that law);
(b) ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory duty of confidentiality;
(c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures described in section 7;
(d) engage Sub-processors only in accordance with section 4;
(e) assist Customer, taking into account the nature of the processing, by appropriate technical and organisational measures, in fulfilling Customer's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law (see section 5);
(f) assist Customer in ensuring compliance with its obligations relating to security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities;
(g) at the choice of Customer, delete or return all Customer Data after the end of the provision of services, and delete existing copies, unless retention is required by law. In practice, Helperbird's no-retention posture means there is typically nothing to delete or return. See section 9;
(h) make available to Customer all information necessary to demonstrate compliance with its obligations under this DPA, and allow for and contribute to audits as described in section 8;
(i) immediately inform Customer if, in Helperbird's opinion, an instruction infringes applicable data protection law.
3.1 What Helperbird will not do with Customer Data
Helperbird will not:
(a) sell Customer Data;
(b) use Customer Data for marketing or advertising;
(c) use Customer Data to train, fine-tune, or improve any artificial intelligence model, whether Helperbird's, a Sub-processor's, or a third party's;
(d) profile, score, or build behavioural inferences from Customer Data;
(e) use Customer Data for any purpose other than providing the Helperbird Service to Customer; or
(f) disclose Customer Data to any Sub-processor that has not agreed in writing to terms at least as protective as this DPA.
4. Sub-processors
4.1 Authorisation
Customer authorises Helperbird to engage the Sub-processors listed in our Privacy Policy for the processing of Customer Data. The current list includes:
| Sub-processor | Purpose | Contractual cover |
|---|---|---|
| OpenAI, L.L.C. | Pro AI features (summarise, simplify, translate, dictionary, image alt text, etc.) | OpenAI BAA signed; Zero Data Retention active; SCCs auto-incorporated |
| Microsoft Corporation (Azure AI Speech, Immersive Reader) | Pro online voices, Pro online voice typing, Pro Immersive Reader | Microsoft DPA + Product Terms (BAA auto-incorporated for HIPAA contexts); SCCs included |
| Amazon Web Services, Inc. | Backend infrastructure; processes account/subscription metadata only, never user content | AWS BAA active; SCCs auto-incorporated |
| Stripe, Inc. | Payment processing for Pro subscriptions; processes account email and payment details only | Stripe DPA; SCCs included |
4.2 Change of Sub-processors
Helperbird will notify Customer of intended additions or replacements of Sub-processors by updating the subprocessor list in our Privacy Policy. Where the change materially affects the processing of Customer Data, we will notify by email or in-product notice with at least thirty (30) days' advance notice where reasonably practicable.
Customer may object to a new Sub-processor on reasonable data-protection grounds. If the parties cannot resolve the objection, Customer may terminate this DPA without penalty.
4.3 Liability for Sub-processors
Helperbird remains liable for any failure by a Sub-processor to comply with its data-protection obligations, to the same extent as if Helperbird had performed the relevant act itself.
5. Data Subject rights
Helperbird will assist Customer in responding to requests from Data Subjects to exercise their rights under applicable law. This includes access, rectification, erasure, restriction, portability, and objection.
Where a Data Subject contacts Helperbird directly, Helperbird will, without undue delay, refer the Data Subject to Customer.
Given Helperbird's no-retention posture, Helperbird typically holds no Customer Data that would respond to an access or erasure request beyond the account-level metadata (email, subscription state) processed via Stripe and Helperbird's licence backend.
6. International data transfers
Helperbird is established in the United States.
Customer Data may be processed in the United States and in other jurisdictions where Helperbird's Sub-processors operate.
For transfers of Personal Data subject to GDPR from the European Economic Area, the United Kingdom, or Switzerland to Helperbird in the United States, the parties incorporate by reference the Standard Contractual Clauses as follows:
- Module Two (Controller-to-Processor) applies to transfers from Customer (as controller) to Helperbird (as processor).
- Where applicable, Module Three (Processor-to-Processor) applies where Customer is itself a processor for the data of upstream controllers.
The UK Addendum issued by the UK Information Commissioner's Office applies to transfers governed by UK GDPR.
The Swiss Federal Data Protection and Information Commissioner's recognition of the EU SCCs applies to transfers governed by Swiss data protection law.
The SCCs are deemed populated as follows:
- The data exporter is Customer; the data importer is Helperbird.
- The competent supervisory authority is determined by the location of the data exporter.
- Annex I.B (categories of data, Data Subjects, processing operations) is populated by sections 2.2–2.5 of this DPA.
- Annex II (technical and organisational measures) is populated by section 7 of this DPA and the security section of the Privacy Policy.
- Annex III (Sub-processors) is populated by section 4 of this DPA.
7. Security measures
Helperbird implements the following technical and organisational measures to protect Customer Data:
- Encryption in transit for all communication between the Helperbird Service and Helperbird's backend, and between Helperbird's backend and Sub-processors (TLS 1.2 or higher).
- Encryption at rest for all data persisted in Helperbird's AWS infrastructure.
- Least-privilege access controls with IAM-based authorisation, multi-factor authentication required for administrative access, and no shared credentials.
- Audit logging of administrative actions via AWS CloudTrail; application logs are scoped to metadata and never contain Customer-supplied content.
- AWS Web Application Firewall in front of the Helperbird API, with managed rule sets for common attack patterns and rate limiting.
- No raw user content stored by Helperbird. AI feature payloads pass through transiently and are discarded immediately on completion.
- On-device processing as the default for the free tier, and as the preferred path for all features where it is technically feasible.
- Subprocessor selection restricted to vendors with documented HIPAA, GDPR, and SOC-equivalent compliance posture and signed BAAs/DPAs.
- Framework readiness. Helperbird is preparing for SOC 2 Type II and ISO/IEC 27001 certification; existing controls are designed against the requirements of those frameworks pending formal third-party audit.
A current detailed description of Helperbird's security measures is available on request to [email protected].
8. Audit rights
On reasonable written notice (not less than thirty (30) days) and no more than once per twelve-month period, Helperbird will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. This may take the form of:
(a) responses to a reasonable data-security questionnaire;
(b) summary documentation of Helperbird's technical and organisational measures and Sub-processor BAAs/DPAs; or
(c) where (a) and (b) are not sufficient and Customer has a documented regulatory requirement for further verification, an on-site or remote audit, at Customer's cost, conducted by an independent third party reasonably acceptable to Helperbird, under appropriate confidentiality terms, and scoped to materials directly relevant to Customer's use of the Helperbird Service.
More frequent audits may be conducted where required by Customer's supervisory authority.
9. Security incidents and breach notification
Helperbird will notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach as defined in GDPR Article 4(12), or within the timeframe required by applicable law if shorter.
For PHI subject to HIPAA, the Business Associate Agreement breach-notification timeframes (sixty (60) calendar days) apply.
The notification will include, to the extent known and required:
- the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
- the likely consequences;
- the measures taken or proposed to address the Personal Data Breach and mitigate its possible adverse effects; and
- the name and contact details of Helperbird's point of contact.
10. Termination and return / deletion of data
10.1 Term
This DPA is effective on the date both parties sign and continues for the duration of the Underlying Agreement.
10.2 Termination
Either party may terminate this DPA on thirty (30) days' written notice. Termination of this DPA terminates Customer's permission to use the Helperbird Service in a way that involves processing Customer Data covered by this DPA.
10.3 Return or deletion
On termination of the Underlying Agreement, Helperbird will, at Customer's election, return or delete all Customer Data in its possession, including any held by Sub-processors.
Because Helperbird does not retain user content, in practice this means deletion of account-level metadata (email, subscription state) on the schedule described in our Privacy Policy.
Where return or deletion is infeasible (for example, data retained in immutable backup), Helperbird will extend the protections of this DPA to that data and limit further uses to those purposes that make return or deletion infeasible.
11. FERPA: schools deploying Helperbird
This section 11 applies where Customer is an "educational agency or institution" subject to the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g.
11.1 School Official designation
Customer designates Helperbird as a School Official with legitimate educational interests under 34 C.F.R. § 99.31(a)(1)(i)(B), for the purpose of providing the Helperbird Service to Customer's authorised users.
11.2 Direct control
Helperbird agrees to perform the Helperbird Service under Customer's direct control as it relates to the use and maintenance of Education Records, as required by 34 C.F.R. § 99.31(a)(1)(i)(B)(2).
11.3 Use and re-disclosure limitations
Helperbird will use Education Records only for the purpose of providing the Helperbird Service to Customer.
Helperbird will not re-disclose Education Records to third parties except as permitted by FERPA and this DPA.
Sub-processors that may incidentally process Education Records are bound by terms at least as protective as this DPA, as set out in section 4.
11.4 Helperbird's posture supporting FERPA compliance
Helperbird's no-retention, no-training, no-advertising, no-profiling posture (described above and in our Privacy Policy) is designed to minimise Helperbird's contact with Education Records to the maximum extent compatible with providing the Service.
11.5 Administrative controls
Customer may, at its discretion, disable individual Helperbird features for its users via managed storage policy (see admin documentation), including features that would otherwise transmit content to third-party AI services.
12. COPPA: under-13 student use
This section 12 applies where Customer is an educational agency or institution permitting users under thirteen (13) years of age to use the Helperbird Service.
12.1 School-as-agent for parental consent
Where Customer permits under-13 users to use Helperbird in an educational context, Customer represents that it acts as the agent of the parent for the purpose of providing consent under the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq., consistent with U.S. Federal Trade Commission guidance permitting schools to consent on behalf of parents for educational online services.
12.2 Limited use
Helperbird will use any Personal Data of under-13 users solely for the educational purposes for which Customer engaged the Helperbird Service.
Helperbird will not use such data for marketing, advertising, behavioural profiling, or any commercial purpose not directly related to the educational use authorised by Customer.
12.3 Free-tier default
For under-13 users in particular, Helperbird recommends (and Customer may enforce via managed storage policy) the use of only the free tier and on-device features, which transmit nothing to external AI services.
13. US state student-privacy law schedules
This DPA is designed to satisfy the substantive requirements of major US state student-privacy statutes, including but not limited to:
- New York Education Law § 2-d and Part 121 of the Regulations of the Commissioner of Education ("Bill of Rights for Data Privacy and Security").
- California Student Online Personal Information Protection Act (SOPIPA), Cal. Bus. & Prof. Code § 22584.
- Texas Student Privacy Act, Tex. Educ. Code § 32.1518.
- Utah Student Data Protection Act, Utah Code § 53E-9-301 et seq.
- Illinois Student Online Personal Protection Act (SOPPA), 105 ILCS 85.
- Connecticut Student Data Privacy Act, Conn. Gen. Stat. § 10-234aa et seq.
Where a state-specific exhibit is required (for example, the New York Parents' Bill of Rights signature, or a California SOPIPA-specific certification), Customer may attach or request the relevant exhibit and Helperbird will execute it as a schedule to this DPA.
The SDPC National Data Privacy Agreement is also accepted. Please reference it in your request to [email protected].
14. Miscellaneous
14.1 Conflict
If there is a conflict between this DPA and the Underlying Agreement, this DPA controls with respect to Customer Data.
If there is a conflict between this DPA and a separately executed schedule (such as a state-specific student-privacy exhibit or the SCCs), the more protective provision controls.
14.2 Amendment
The parties may amend this DPA only by written agreement.
The parties will negotiate in good faith to amend this DPA as needed to comply with changes in applicable data-protection law.
14.3 Governing law
Except where applicable data-protection law requires otherwise (for example, the GDPR for EU/UK transfers under the SCCs), this DPA is governed by the laws of the State of Arkansas and the federal laws of the United States, without regard to conflict-of-laws rules.
14.4 Notices
Notices under this DPA must be sent to [email protected] (for Helperbird) and to the email address provided by Customer at execution.
Notices are deemed given when sent.
14.5 Entire agreement
This DPA, together with the Underlying Agreement, the Privacy Policy, the Terms of Service, and any Business Associate Agreement executed separately between the parties, is the entire agreement between the parties with respect to data protection and supersedes any prior agreement on that subject.
How to execute this DPA
Email [email protected] with:
- Customer's legal name, registered address, and the name and title of the authorised signer.
- A list of the Helperbird account(s) to be covered.
- Confirmation that Customer has reviewed Helperbird's Privacy Policy, Terms of Service, and this DPA.
- Any state-specific exhibits or alternative DPA templates (such as the SDPC National DPA) you would prefer to use.
Helperbird will then send a counter-signature-ready version (DocuSign or PDF) for execution.
We aim to turn around DPA execution within five (5) business days of a complete request.
Have Questions or Concerns?
Your trust and safety are paramount to us. We genuinely love hearing from districts, teachers, parents, and compliance teams. Even (especially) when the questions are tough.
- DPA execution, FERPA / COPPA / GDPR questions, compliance attestations: [email protected]
- Privacy or data‑subject requests: [email protected]
- Security disclosures: [email protected]
- Legal and DMCA: [email protected]
- General questions: [email protected]
For broader privacy details, see our Privacy Policy, Compliance page, FERPA Compliance page, and COPPA Compliance page.