Privacy Policy

Last Updated: June 11, 2026

HIPAA-Ready Controls

Production PHI use requires verified safeguards, vendor evidence, and compliance signoff.

COPPA Safeguards

Designed for parent- and clinician-mediated use with consent checks before child-related data is collected.

Data Ownership

You own your data. We do not sell your personal information to third parties.

Kapps Systems LLC ("WhisperWise", "we", "us", or "our") operates the WhisperWise website and the WhisperWise Guide caregiver mobile application (collectively, the "Service"). This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.

1. Information Collection and Use

We collect several different types of information for various purposes to provide and improve our Service to you.

Types of Data Collected

  • Personal Data: Email address, First name and Last name, Cookies and Usage Data.
  • Child Data: Name, age or birth date, developmental profile, sensory preferences, and DIR/Floortime practice context.
  • Therapy and Session Data: Session logs, Activity circles, care-plan inputs, guided session notes, and audio transcripts (transiently processed, not stored as raw audio unless explicitly authorized for clinical review).

2. Use of Data

WhisperWise uses the collected data for various purposes:

  • To provide and maintain the Service
  • To notify you about changes to our Service
  • To provide customer care and support
  • To provide analysis or valuable information so that we can improve the Service
  • To monitor the usage of the Service
  • To detect, prevent and address technical issues
  • To preserve clear reporting between Studio planning activity, caregiver-led Guide activity, and clinician-supported workflows

3. Data Security (HIPAA & COPPA)

The security of your data is important to us.

  • Encryption: Sensitive production services are expected to use encryption in transit and platform-managed encryption at rest, with additional controls documented before PHI release.
  • Audio Privacy: Our "Audio-First" AI processing is designed to be transient. Raw audio from the Guide app is processed for affect and intent and then immediately discarded from memory, unless you explicitly choose to save a "Moment" or share a clip with a clinician.
  • Access Controls: Strict role-based access controls ensure that only authorized personnel (and your designated clinicians) can access your data.
  • Role-Based Controls: Parent, caregiver, therapist, and administrator access paths are separated so each user sees only the information they are authorized to use.
  • Infrastructure Hardening: Production rollout requires documented BAA status where applicable, High Compliance controls, Point in Time Recovery, SSL enforcement, and network restrictions in the shared Supabase environment.

4. Introduction to AI Processing

AI-assisted features may be used to analyze bounded, authorized session context and provide guidance suggestions only when the configured provider path has required compliance evidence.

  • Anonymization: Data sent to third-party AI providers is stripped of direct personal identifiers where possible.
  • Provider Gate: AI features are disabled unless required provider configuration, budget controls, and compliance evidence are present.
  • AI Boundaries: AI output is designed to support caregiver and clinician decision-making. It is not a diagnosis, emergency service, or replacement for professional judgment.

5. Service Providers

We may employ third party companies and individuals to facilitate our Service ("Service Providers"), to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used. Third parties may access data only for authorized service purposes, and production PHI use requires documented Business Associate Agreement and configuration evidence where applicable.

6. Children's Privacy

Our Service does not address anyone under the age of 18 ("Children") directly. We do not knowingly collect personally identifiable information from anyone under the age of 18 without parental consent. If you are a parent or guardian and you are aware that your Children has provided us with Personal Data, please contact us.

7. Data Rights, Export, and Deletion

Account owners can request export or deletion coverage for profile records, care-plan inputs, caregiver-led Guide records, session logs, support records, and related summaries. Deletion requests are reviewed against legal, clinical, safety, and backup-retention obligations before records are removed.

8. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective.

9. Contact Us

If you have any questions about this Privacy Policy, please contact us at privacy@whisperwise.org.