Privacy Policy

1. Introduction

Veloris, LLC, a Delaware limited liability company doing business as SpellingJoy ("SpellingJoy," "we," "us," or "our"), operates the SpellingJoy.com website and related services (collectively, the "Service"). SpellingJoy provides a spelling practice platform designed for use by teachers, schools, parents, and students.

This Privacy Policy describes the types of information we collect, how we use and protect that information, the choices available to you regarding your information, and how you can contact us about our privacy practices.

When the Service is used by a school or school district ("School") in an educational setting, the collection and use of student data is governed by our agreements with the School, including any applicable Data Privacy Agreement ("DPA"), in addition to this Privacy Policy. In the event of a conflict between a DPA and this Privacy Policy, the DPA controls with respect to student data covered by that agreement.

When you use the Service directly (not through a School), your use is governed by this Privacy Policy.

2. Quick Summary

3. Information We Collect

3a. Student Information

SpellingJoy is designed to collect the minimum amount of student information necessary to provide the Service. We collect the following from students:

• First name (required, entered by the teacher or the student when joining a class)
• Last initial (optional, configurable by the teacher at the class level)
• Avatar selection (shape and color chosen by the student)
• Session token (a system-generated UUID stored in an httpOnly cookie for authentication; the student does not create or enter a password)
• Class membership (which class or classes the student belongs to)
• Practice data: words attempted, correct and incorrect responses, typed answers, and time spent per word
• Scores and achievements: stars earned, accuracy percentages, streaks, and badges
• Lifetime statistics: total number of practices completed and total words practiced
• Practice calendar: which dates the student completed practice sessions
• Student tags: teacher-assigned labels (for example, "ELL" or "Extra practice") used for organizational purposes
• Timestamps: last active date and last practice date

We do NOT collect the following from students: email address, phone number, home address, date of birth, gender, ethnicity, Social Security number, password, photographs, biometric data, or any other sensitive personal information.

3b. Teacher and Educator Information

When a teacher or educator creates an account, we collect the following:

• Account information: email address, name, and display name
• School information: school name, city, state, and country
• Professional information: grade levels taught and years of teaching experience
• Onboarding survey responses: role, goals for using SpellingJoy, class size, and how the teacher heard about us
• Marketing attribution: UTM parameters, referral source, referrer URL, and landing page
• Communication preferences: marketing email opt-out preference
• Optional profile information: username, bio, and avatar URL

Authentication: Teachers sign in using one-time password (OTP) email codes or Google OAuth. SpellingJoy does not store passwords for any user.

3c. Information Collected Automatically

• Cookies: We use essential session cookies for authentication and site functionality. See Section 11 (Cookies and Tracking) for details.
• Analytics: We use Google Analytics on teacher-facing and marketing pages only, with IP anonymization enabled. Google Analytics is completely excluded from all student-facing pages (including /play, /join, /student, and /c/ paths). See Section 11 for details.
• Device and browser information: We may automatically collect general device information such as browser type, operating system, and screen resolution for the purpose of ensuring the Service functions correctly.
• Server logs: Our hosting provider (Vercel) may automatically collect standard server log information, including IP addresses, request timestamps, and page URLs, for security and operational purposes.

4. How We Use Information

We use the information we collect for the following purposes:

• Providing the Service: To operate SpellingJoy, including creating and managing accounts, delivering spelling practice activities, tracking student progress, generating reports for teachers, and producing printable worksheets.
• Product improvement: To understand how the Service is used and to develop new features, fix bugs, and improve performance. Student data is used only in aggregate or de-identified form for this purpose.
• Teacher communications: To send teachers product updates, new feature announcements, and educational content (with the ability to opt out at any time). We never send marketing communications to students.
• Security and integrity: To protect the Service and our users from fraud, abuse, and unauthorized access.
• Legal compliance: To comply with applicable laws, regulations, and legal processes.

We do not use student personal information for any purpose other than providing and improving the educational Service. We do not use student data for advertising, marketing, or building profiles unrelated to the educational purpose.

5. AI-Powered Features (Joy Teaching Assistant)

SpellingJoy includes an AI-powered teaching assistant called "Joy," which helps teachers manage their classes, create assignments, and review student progress. Joy is powered by Anthropic's Claude language model.

Key facts about Joy:

• Teacher-facing only. Joy is available exclusively to teachers. Students do not interact with Joy.
• Data shared with Anthropic. When a teacher uses Joy, the conversation context may include student first names and last initials if the teacher asks about specific students or views class data through the assistant. No other student personal information (such as email, date of birth, or address) is shared because SpellingJoy does not collect such information.
• No model training. Anthropic does not use data sent through its API to train its models. This is specified in Anthropic's API terms of service and their data processing agreement.
• Data retention by Anthropic. Anthropic retains API inputs and outputs for up to 7 days for safety and abuse monitoring purposes, after which the data is automatically deleted. API data is never used for model training.
• Purpose limitation. Data sent to Anthropic is used solely to generate responses within the Joy assistant. It is not used for advertising or any purpose unrelated to providing the assistant functionality.

For more information about Anthropic's data practices, please refer to Anthropic's privacy policy at anthropic.com/privacy.

6. How We Share Information

SpellingJoy does not sell, rent, or trade personal information to any third party for any purpose, including advertising or marketing.

We share information only with the following categories of service providers ("subprocessors") that help us operate the Service:

• Supabase — Database hosting and authentication. Stores all Service data. Hosted on AWS us-east-1 (Virginia, USA). Data Processing Agreement signed.
• Vercel — Application hosting and content delivery network (CDN). US-primary infrastructure. Data Processing Agreement available.
• Anthropic — Powers the Joy AI teaching assistant (Claude). Teacher-facing only. Student first names and last initials may be included in conversation context when teachers discuss student progress. Anthropic does not train models on API data. Data processing terms included in API agreement.
• Resend — Email delivery for teacher communications only. No student data is shared with Resend.
• Google Cloud (Text-to-Speech) — Provides pronunciation audio for spelling words. Only the spelling words themselves are sent; no student identity or personal information is included.
• Google Analytics — Page view analytics on teacher-facing and marketing pages only. Completely excluded from all student-facing pages. IP anonymization is enabled.

A current list of our subprocessors is maintained at /subprocessors.

We require all subprocessors to maintain appropriate security measures and to process personal information only as instructed by us for the purposes of providing the Service.

Law enforcement and legal requests: We may disclose personal information if required to do so by law, regulation, subpoena, court order, or other governmental request. If we receive a law enforcement request for student data associated with a School, we will direct the requesting party to the School and notify the School of the request (unless legally prohibited from doing so), so the School can decide how to respond.

Business transfers: In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred as part of the transaction. We will notify affected Schools and users before personal information is transferred and becomes subject to a different privacy policy.

7. Student Data Privacy

SpellingJoy is committed to protecting student data. We operate in compliance with the Family Educational Rights and Privacy Act (FERPA) and applicable state student privacy laws.

• School Official designation. When SpellingJoy is used by a School, we operate as a "School Official" under FERPA, with a legitimate educational interest in the student data we process. Our access to student education records is limited to the educational purposes specified in our agreements with Schools.
• School controls data. Student education records obtained by SpellingJoy from a School remain the property of and under the control of the School. Teachers control student accounts within their classes, including the ability to view, modify, and delete student data.
• Educational purpose only. Student data is used exclusively for the educational purposes for which it was collected: providing spelling practice, tracking progress, and supporting instruction. Student data is never used for advertising, marketing, or any non-educational commercial purpose.
• No student profiles. Student information is not made visible to the public, to other students, or to anyone outside the student's class and teacher. There are no public student profiles.
• Data Privacy Agreements. We enter into Data Privacy Agreements (DPAs) with school districts upon request. We have a signed 16-state Student Data Privacy Agreement through the Student Data Privacy Consortium (SDPC). Contact info@spellingjoy.com to request a DPA.

8. Children's Privacy (COPPA)

SpellingJoy complies with the Children's Online Privacy Protection Act (COPPA). We do not permit children under the age of 13 ("Children") to create accounts or use the Service without the involvement of a teacher, school, or parent.

School consent mechanism. When the Service is used in a school setting, we rely on the school to provide consent for the collection of limited student information on behalf of parents, as permitted under COPPA (16 CFR § 312.5(c)(1)). Schools agree to obtain necessary parental consent, or provide consent on behalf of parents, before allowing Children to use the Service.

Minimal data collection. We collect only the minimum information necessary to provide the educational Service to Children: first name, optional last initial, avatar selection, and spelling practice data. We do not collect email addresses, phone numbers, addresses, dates of birth, photographs, or any other sensitive information from Children.

No direct marketing to students. We never send marketing communications, push notifications, or promotional content to students.

No behavioral advertising. We do not serve behavioral or targeted advertising to any user, including Children. No analytics tracking is active on student-facing pages.

Parental Rights

Parents and legal guardians of Children who use SpellingJoy through a School have the following rights:

• Review: Request to review the personal information collected about their child.
• Delete: Request deletion of their child's personal information.
• Refuse: Refuse to permit further collection or use of their child's personal information.

To exercise these rights, parents may contact their child's school or teacher directly, or contact SpellingJoy at info@spellingjoy.com. If we receive a request directly from a parent regarding a student account associated with a School, we will work with the School to verify the parent's identity and fulfill the request. We will respond to verifiable parental requests within 30 days.

9. Data Security

SpellingJoy implements administrative, technical, and physical safeguards designed to protect personal information. These measures include:

• Encryption at rest: All data stored in our database is encrypted at rest using AES-256 encryption.
• Encryption in transit: All data transmitted between users and the Service is encrypted using TLS 1.2 or higher.
• Row Level Security (RLS): Database-level access controls ensure that users can only access data they are authorized to view.
• No student passwords: Students authenticate using system-generated UUID session tokens stored in httpOnly cookies. There are no student passwords to be compromised.
• Teacher authentication: Teachers authenticate using one-time password (OTP) email codes or Google OAuth. No passwords are stored.
• Access controls: Internal access to personal information is limited to personnel with a legitimate need to access such data for purposes of operating, developing, or improving the Service.
• Subprocessor security: We require our subprocessors to maintain security measures appropriate to the sensitivity of the data they process.

For additional details about our security practices, please visit our Data Security & Privacy Plan page.

10. Data Retention and Deletion

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

• Active accounts: Student and teacher data is retained for as long as the associated account or class remains active.
• Student data deletion (class or teacher deletion): When a teacher deletes a class, or when a teacher account is deleted, all associated student data is deleted through cascading deletion.
• Teacher account deletion: Upon request, teacher accounts and all associated data (including classes and student data) are deleted within 30 days.
• School/district deletion requests: Upon receiving a verified deletion request from a school district, we will export and/or delete the requested data within 30 to 60 days, depending on the scope of the request.
• Backups: Our database provider (Supabase) maintains point-in-time recovery (PITR) backups for up to 7 days. After deletion, personal information may persist in backups for up to 7 days before being permanently removed.
• De-identified and aggregated data: We may retain de-identified or aggregated data that can no longer be associated with an individual for product improvement purposes.

11. Cookies and Tracking

SpellingJoy uses the following categories of cookies and tracking technologies:

Essential Cookies (All Pages)

• Session cookies: Used for authentication and maintaining your session while using the Service. These cookies are necessary for the Service to function and cannot be disabled.
• Student session token: An httpOnly cookie containing a UUID that identifies the student's session. This cookie does not contain any personal information and is used solely for authentication.

Analytics Cookies (Teacher and Marketing Pages Only)

• Google Analytics: Used on teacher-facing and marketing pages to understand how the Service is used and to improve the user experience. IP anonymization is enabled, meaning full IP addresses are not stored by Google Analytics.

Pages Where Analytics Are NOT Present

Google Analytics and all non-essential tracking are completely excluded from the following student-facing pages:

• /play (student practice pages)
• /join (student login page)
• /student (student dashboard)
• /c/ (class join pages)

Cookies We Do NOT Use

• No advertising or targeting cookies
• No social media tracking pixels
• No third-party behavioral tracking on any page

Do Not Track: SpellingJoy does not track users across third-party websites and does not serve targeted advertising. Because we do not engage in cross-site tracking, our practices are consistent with Do Not Track (DNT) signals regardless of browser settings.

12. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request that we correct inaccurate or incomplete personal information.
• Deletion: Request that we delete your personal information, subject to certain exceptions (such as legal retention requirements).
• Data portability: Request a copy of your personal information in a structured, commonly used, machine-readable format (JSON or CSV).
• Objection: Object to processing of your personal information in certain circumstances.
• Restriction: Request that we restrict the processing of your personal information in certain circumstances.

To exercise any of these rights, please contact us at info@spellingjoy.com. We will respond to verifiable requests within 30 days (or within the timeframe required by applicable law, if shorter). There is no fee to exercise your rights unless a request is manifestly unfounded or excessive.

13. US State Privacy Rights

This section provides additional disclosures required by state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), and similar state laws. These disclosures supplement the rest of this Privacy Policy.

Categories of Personal Information Collected

Your Rights Under State Privacy Laws

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or another state with an applicable consumer privacy law, you have the following rights:

• Right to know / access: You may request that we disclose the categories and specific pieces of personal information we have collected about you.
• Right to delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to correct: You may request that we correct inaccurate personal information.
• Right to opt out of sale or sharing: SpellingJoy does not sell or share personal information for cross-context behavioral advertising. There is no sale or sharing to opt out of.
• Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
• Right to data portability: You may request your personal information in a portable format.

Exercising Your Rights

• Submit a request by emailing info@spellingjoy.com.
• We will verify your identity before processing your request by confirming your email address and, where necessary, additional identifying information.
• You may designate an authorized agent to submit a request on your behalf. The authorized agent must provide proof of written authorization and we may still verify your identity directly.
• Response timeframe: We will respond to verifiable requests within 45 days of receipt. If additional time is needed (up to an additional 45 days), we will notify you of the extension and the reason.

Appeal Process

If we decline to take action on a request, we will inform you of the reason and provide instructions for how to appeal the decision. To appeal, email info@spellingjoy.com with the subject line "Privacy Rights Appeal." We will respond to appeals within 60 days (or within the timeframe required by applicable state law). If your appeal is denied, you may contact your state's attorney general to file a complaint.

Colorado-Specific Disclosures

Colorado residents may opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. SpellingJoy does not engage in any of these activities. We will recognize universal opt-out signals (such as the Global Privacy Control) as valid opt-out requests under the Colorado Privacy Act.

14. California Student Data (AB 1584)

In compliance with California AB 1584 (Buchanan) regarding the privacy of pupil records:

• Student records obtained by SpellingJoy from an educational institution continue to be the property of and under the control of the educational institution.
• SpellingJoy users may retain possession and control of their own generated content.
• SpellingJoy will not use any information in a student record for any purpose other than those required or specifically permitted by the contract with the School.
• Parents, legal guardians, or eligible students may review personally identifiable information in the student's records and correct erroneous information by contacting the School or by contacting SpellingJoy at info@spellingjoy.com.
• SpellingJoy is committed to maintaining the security and confidentiality of student records through the measures described in Section 9 (Data Security) of this Policy.
• In the event of an unauthorized disclosure of a student's records, SpellingJoy will promptly notify the educational agency or institution in accordance with the timelines described in Section 19 (Data Breach Notification).
• SpellingJoy will delete or de-identify personal information when it is no longer needed, when requested by the School, or as described in Section 10 (Data Retention and Deletion).
• SpellingJoy will not use personally identifiable information in student records to engage in targeted advertising.

15. New York Education Law § 2-D

In compliance with New York Education Law § 2-D and its implementing regulations (8 NYCRR Part 121), SpellingJoy shall:

• Limit internal access to education records to those individuals that are determined to have legitimate educational interests.
• Not use the education records for any purposes other than those explicitly authorized in the contract with the educational agency.
• Not disclose any personally identifiable information to any other party without prior written consent of the parent or eligible student, except as permitted by law.
• Maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of personally identifiable student information in its custody.
• Use encryption technology to protect data while in motion or in its custody from unauthorized disclosure, using industry-standard encryption (AES-256 at rest, TLS 1.2+ in transit).
• Not sell personally identifiable information nor use or disclose it for any marketing or commercial purpose.
• Notify the educational agency in the most expedient way possible and without unreasonable delay of any breach of security resulting in an unauthorized release of personally identifiable information, in accordance with applicable breach notification requirements.
• Implement an Incident Response Plan that includes procedures for notification, investigation, and remediation of security incidents.

SpellingJoy's data security practices are aligned with the NIST Cybersecurity Framework (NIST CSF) as referenced in the NY Ed. Law § 2-D regulations. For details, see our Data Security & Privacy Plan.

16. School District Data Privacy Agreements

SpellingJoy supports the use of Data Privacy Agreements (DPAs) with school districts and educational agencies. We currently have a signed 16-state Student Data Privacy Agreement through the Student Data Privacy Consortium (SDPC).

• School districts that wish to execute a DPA with SpellingJoy may contact us at info@spellingjoy.com.
• We are prepared to sign the SDPC National DPA, state-specific DPA addenda, or district-specific DPAs as needed.
• In the event of a conflict between a DPA and this Privacy Policy, the terms of the DPA control with respect to the student data covered by that agreement.

17. Marketing Communications

Teacher communications only. We may send product updates, new feature announcements, and educational content to teachers who have created an account. All marketing communications are sent to teacher email addresses only.

• Opt-out: Every marketing email includes a one-click unsubscribe link. Teachers can also manage their communication preferences in their account settings.
• CAN-SPAM compliance: All marketing emails identify SpellingJoy as the sender, include our physical mailing address, and honor unsubscribe requests within 10 business days.
• Never to students: We never send marketing communications, promotional emails, push notifications, or any non-educational communications to students.

18. International Users

SpellingJoy is a US-based service. All data is stored and processed in the United States (AWS us-east-1, Virginia). If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

European Economic Area (EEA), United Kingdom, and Switzerland: If you are located in the EEA, UK, or Switzerland and use the Service, the transfer of your personal data to the United States is necessary for the performance of the Service. We process personal data on the following legal bases:

• Contractual necessity: To provide the Service as described in our terms.
• Legitimate interests: To improve the Service, ensure security, and communicate with teachers about the Service, where those interests are not overridden by your rights.
• Consent: Where required by applicable law, such as for marketing communications.

EU/EEA users have the right to access, rectify, erase, restrict processing, object to processing, and data portability as described in Section 12. You may also have the right to lodge a complaint with your local data protection authority.

Under Article 8 of the GDPR, where the Service is used in a school setting within the EU, the school is responsible for ensuring appropriate legal basis and parental consent for children under 16 to use the Service.

19. Data Breach Notification

Despite our security measures, no system is completely secure. In the event of a security breach resulting in the unauthorized access, disclosure, or loss of personal information, SpellingJoy will:

• Investigate promptly: Initiate an investigation to determine the scope, nature, and impact of the breach.
• Notify affected Schools: Notify affected educational agencies and school districts as expeditiously as possible and in compliance with applicable law. Where state law requires specific timelines:
  • Virginia: Notification within 24 hours of discovery, as required by Virginia law for student data breaches.
  • Standard timeline: Notification within 72 hours of discovery for all other applicable jurisdictions.
  • We will comply with all applicable state breach notification statutes, which may specify different timelines.
• Notify affected individuals: Where required by applicable law, notify affected individuals of the breach, including a description of the information involved and steps they can take to protect themselves.
• Remediate: Take reasonable steps to contain and remediate the breach, including securing affected systems and preventing further unauthorized access.
• Document: Maintain a record of the breach, our response, and any corrective actions taken.

SpellingJoy maintains an Incident Response Plan that governs our response to security incidents. For details about our security practices, see our Data Security & Privacy Plan.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

• We will update the "Last Updated" date at the top of this page.
• For material changes, we will notify affected users by email or through a prominent notice on the Service.
• For school districts with active Data Privacy Agreements, we will provide at least 15 days' advance notice before material changes take effect, as required by the Colorado Privacy Act and as a matter of best practice.
• If required by your applicable DPA, we will obtain consent before making material changes that affect the handling of student data.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acknowledgment of the updated Privacy Policy.

21. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

If you believe SpellingJoy has not complied with this Privacy Policy or applicable data protection laws, you may file a complaint by emailing info@spellingjoy.com with the subject line "Privacy Complaint." We will investigate and respond to all complaints within 30 days.

You also have the right to lodge a complaint with your applicable data protection authority or state attorney general.