Privacy Policy

Last updated: April 2025 · Version 1.0

🔒 We take children's privacy seriously

Plain-language summary: Hailo collects the minimum data necessary to personalise learning for your child. We never sell your data. We never share it with advertisers. All sensitive child data is accessible only to the parent account holder. You can delete everything at any time.

1. Who We Are

Hailo App ("Hailo", "we", "us", "our") operates the Hailo mobile application, an educational companion app for autistic children. References to "you" or "your" mean the parent or legal guardian who created an account. References to "your child" mean the child whose profile you manage within the App.

Data Controller: Hailo App
Contact: privacy@gethailoapp.com
Website: gethailoapp.com

2. Data We Collect

2a. Parent / Account Holder Data

Data	Purpose	Legal Basis
Email address	Account creation, login, communications	Contract performance
Password (hashed)	Account security	Contract performance
Account creation date	Service management	Legitimate interest

2b. Child Profile Data

COPPA Notice (US): Hailo collects limited personal information about children under the direction and with the consent of the parent/guardian account holder. We do not direct our service to children independently, and children do not create their own accounts.

Data	Purpose	Storage
Child's first name	Personalisation	Firebase / Local
Age range (e.g., "3–5 years")	Content difficulty calibration	Firebase / Local
Diagnosis status (optional)	Feature recommendations	Firebase / Local
Support level (optional)	Content adaptation	Firebase / Local
Communication level	AAC board configuration	Firebase / Local
Learning challenges (optional)	Feature configuration	Firebase / Local
Favourite themes	Personalisation	Firebase / Local
Learning goals (optional)	Progress tracking	Firebase / Local
Sensory preferences	Accessibility configuration	Local device only

2c. Usage & Learning Data

Data	Purpose	Storage
Session logs (feature used, duration)	Progress tracking, Parent Hub	Firebase / Local
Learning milestones	Progress reports, PDF export	Firebase / Local
AAC symbol usage patterns (aggregated)	Adaptive content delivery	Local device only
Activity completion records	Progress tracking	Firebase / Local

2d. Technical & Device Data (via Firebase Analytics)

Data	Purpose
Device type and OS version	App compatibility and bug fixing
App version	Feature management
Crash reports	App stability
Feature usage events (anonymised)	App improvement
Session duration	Performance monitoring

Firebase Analytics data is anonymised and aggregated. We have disabled advertising-related analytics features.

3. How We Use Your Data

We use the data we collect to:

Create and manage your account and your child's profile.
Personalise the App's content, themes, difficulty, and features to your child's needs.
Provide adaptive learning and AAC communication tools.
Generate progress reports accessible to you in the Parent Hub.
Enable offline functionality by caching data on your device.
Improve the App's performance and fix bugs.
Communicate with you about service updates, changes to these policies, or security issues.
Comply with legal obligations.

We do not use your data or your child's data for advertising, profiling for commercial purposes, or to sell to third parties.

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area, United Kingdom, and Switzerland: We process personal data on the following lawful bases under GDPR Article 6 and Article 9 (for special category data relating to health/disability):

Contract performance (Art. 6(1)(b)): Account creation, authentication, service delivery.
Legitimate interests (Art. 6(1)(f)): App improvement, security, fraud prevention.
Consent (Art. 6(1)(a) / Art. 9(2)(a)): Optional profile data including diagnosis status and support level. You may withdraw consent at any time.
Legal obligation (Art. 6(1)(c)): Compliance with applicable laws.

5. Children's Privacy — Special Protections

COPPA Compliance (United States): We comply with the Children's Online Privacy Protection Act. We collect only the minimum personal information from children under 13 that is necessary to provide the service, and only with verified parental consent provided through the parent account.

Children do not directly create accounts or provide personal data to Hailo independently.
All child data is collected indirectly via the parent's account, with the parent's explicit consent.
We collect only information necessary for the service. Diagnosis details, support level, and other sensitive fields are optional.
Parents may review, correct, or delete their child's data at any time through the Parent Hub or by contacting us.
We do not share children's data with third parties for marketing, advertising, or any purpose other than providing the service.
Child profiles are linked exclusively to the parent account and are not accessible to other users.
We do not enable communications between the child and external parties within the App.

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information. We share data only as follows:

Firebase (Google LLC)

We use Firebase services (Firestore database, Authentication, Analytics) operated by Google LLC. Data may be stored on Google's servers globally. Google processes this data as our data processor under a Data Processing Agreement. See Firebase Terms and Google Privacy Policy.

We have configured Firebase to: (a) disable advertising identifiers; (b) anonymise analytics where possible; (c) not enable cross-app tracking.

ARASAAC

The App queries the ARASAAC API (operated by the Government of Aragón, Spain) to retrieve pictogram images. Only the search keyword (a plain word, e.g. "happy") is sent. No personal data is transmitted. See ARASAAC Terms.

Legal Requirements

We may disclose your information if required by law, court order, or government authority, or to protect the rights, property, or safety of Hailo, our users, or the public.

Business Transfers

In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify affected users and provide options in accordance with applicable law.

7. Data Retention

Data Type	Retention Period
Account and profile data	Until account deletion, then 30 days
Session logs and milestones	2 years from creation, or until deletion
Analytics data (Firebase)	14 months (Firebase default, configurable)
Locally cached data (Hive)	Until app uninstall or manual data clear
Deleted account data	Fully purged within 30 days of deletion request

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

Encryption in transit: All data transmitted to/from Firebase uses HTTPS/TLS.
Encryption at rest: Firebase Firestore encrypts data at rest.
Access controls: Firebase Security Rules ensure each parent account can only access their own family's data.
Local storage: On-device data is stored in Hive (a key-value store), isolated to the app's sandbox.
Authentication: Secure email/password authentication via Firebase Auth.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

🔍 Right to Access

Request a copy of data we hold about you and your child.

✏️ Right to Rectification

Correct inaccurate or incomplete data through the app or by contacting us.

🗑️ Right to Erasure

Request deletion of your account and all associated data.

⏸️ Right to Restriction

Restrict processing of your data in certain circumstances.

📦 Right to Portability

Request your data in a machine-readable format (GDPR).

🚫 Right to Object

Object to processing based on legitimate interests.

🔄 Right to Withdraw Consent

Withdraw optional consent at any time without affecting prior processing.

👶 Parental Rights (COPPA)

Review, correct, or delete your child's data at any time.

To exercise any of these rights, contact us at privacy@gethailoapp.com. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

10. Regional Privacy Rights

European Economic Area, UK & Switzerland (GDPR / UK GDPR)

You have the rights listed in Section 9. You also have the right to lodge a complaint with your national data protection authority. Our primary supervisory authority will be determined based on our establishment. For a list of EEA authorities, visit edpb.europa.eu.

California, United States (CCPA / CPRA)

California residents have additional rights under the California Consumer Privacy Act:

Right to Know: The categories and specific pieces of personal information we collect about you.
Right to Delete: Request deletion of personal information we have collected.
Right to Opt-Out of Sale: We do not sell personal information. No opt-out is required.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
Sensitive Personal Information: We collect limited sensitive data (child's disability status). We use this only to provide the service.

Canada (PIPEDA / Provincial Laws)

We obtain meaningful consent before collecting personal information. You may withdraw consent at any time. You have rights to access, correct, and have your data deleted. Contact our privacy officer at privacy@gethailoapp.com.

Australia (Privacy Act / APPs)

We comply with the Australian Privacy Principles. You have rights to access and correct personal information we hold. You may also complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Brazil (LGPD)

Brazilian users have rights under the Lei Geral de Proteção de Dados, including access, correction, portability, deletion, and objection rights. Contact our Data Protection Officer at privacy@gethailoapp.com.

Other Jurisdictions

Users in other countries are protected by locally applicable data protection laws. We comply with applicable requirements and will respond to all legitimate privacy requests regardless of jurisdiction.

11. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States (where Google/Firebase infrastructure operates). These transfers are made:

Under Standard Contractual Clauses (SCCs) with Google where applicable for EEA/UK users.
Subject to appropriate safeguards as required by applicable law.

12. Cookies & Tracking

The Hailo mobile App does not use browser cookies. We use Firebase Analytics, which collects anonymised usage data as described in Section 2d. You can opt out of analytics collection by contacting us or adjusting Firebase-related settings on your device.

13. Links to Third-Party Sites

The App may contain links to third-party websites or resources. We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via the App or by email at least 14 days before they take effect. If you disagree with the changes, you may delete your account before they take effect.

The current version is always available at gethailoapp.com/privacy and within the App.

15. Contact & Data Protection Officer

For any privacy questions, data requests, or concerns, please contact:

Privacy & DPO: privacy@gethailoapp.com
General enquiries: hello@gethailoapp.com
Website: gethailoapp.com

We are committed to resolving privacy concerns promptly and will respond to all requests within 30 days.