Data Processing Agreement
Effective date: April 10, 2026
This Data Processing Agreement (“DPA”) applies to schools, clinics, and educational institutions (“School” or “LEA”) using SpeechTherapyMagic to process student data. By using the Service with student accounts, the School agrees to this DPA.
1. Definitions
For purposes of this DPA, the following terms have the meanings set out below:
- “Student Data” means any personally identifiable information about a student that is collected, generated, or maintained through the use of the Service, including but not limited to student name or nickname, age or grade level, target speech sounds, session scores, and practice history.
- “School” or “LEA” means the educational institution, school district, local education agency, or licensed practitioner that has agreed to this DPA and is using the Service to provide speech therapy practice to students.
- “Provider” means SpeechTherapyMagic, the operator of the Service.
- “Authorized User” means a speech-language pathologist (SLP), teacher, or educator employed by or contracted with the School who holds a verified account and has been granted access to the Service for legitimate educational and therapeutic purposes.
2. School Official Designation (FERPA)
The School hereby designates the Provider as a “School Official” under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, with a legitimate educational interest in Student Data as necessary to perform the services described in this DPA. The Provider will operate under the direct control of the School with respect to the use and maintenance of Student Data.
Provider will use Student Data solely for the educational purposes specified in this DPA and will not use Student Data for any commercial purpose, including behavioral targeting, advertising, or sale to data brokers. Provider will not re-disclose Student Data to third parties except as strictly required to provide the Service (e.g., subprocessors listed at /subprocessors) or as otherwise required by applicable law or court order.
3. Scope of Data Processing
What we collect: Provider collects and processes the following categories of Student Data on behalf of the School: student first name or nickname, age or grade level, target speech sounds, session scores, activity completion history, and pronunciation practice recordings (processed transiently for scoring and not stored beyond the active session unless explicitly saved).
What we do NOT collect: Provider does not collect student last names (unless voluntarily provided), social security numbers or government-issued identifiers, financial information, precise geolocation data, biometric identifiers, health or disability diagnoses, or any data unrelated to speech therapy practice. Provider does not build behavioral advertising profiles on students.
Purpose of processing: Student Data is processed for the sole purpose of delivering speech therapy practice activities, tracking individual progress over time, generating personalized practice content (such as AI-generated stories targeted to a student’s speech sounds), and enabling the School’s Authorized Users to review student performance.
4. COPPA Consent
Schools using the Service with students under the age of 13 provide consent on behalf of parents and guardians acting in loco parentis under FERPA, consistent with the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq., and applicable Federal Trade Commission regulations. By entering into this DPA and enabling student accounts for children under 13, the School represents and warrants that it is authorized under FERPA to provide such consent and has made the necessary disclosures to parents and guardians as required by applicable law.
Private practitioners, sole-practitioner SLPs, and other non-FERPA entities who use the Service with children under 13 must obtain direct, verifiable parental or guardian consent before creating student accounts for those children. Such practitioners may not rely on the School Official designation under this section and are solely responsible for their own COPPA compliance.
Schools warrant that they have obtained or will obtain all legally required parental and guardian consents before adding student profiles to the Service, and that use of the Service for student accounts is consistent with the School’s annual FERPA notification to parents.
5. Data Security
Provider implements and maintains reasonable and appropriate technical and organizational security measures to protect Student Data against unauthorized access, disclosure, alteration, or destruction. These measures include:
- All Student Data is encrypted in transit using TLS (Transport Layer Security) and encrypted at rest.
- Access to Student Data by Provider personnel is restricted to individuals with a legitimate need to know for purposes of operating, maintaining, or improving the Service.
- Provider will notify the School within 72 hours of becoming aware of a confirmed security breach that involves or is reasonably likely to involve unauthorized access to Student Data. Notification will be provided to the primary account holder email address on file for the School.
- Provider conducts regular security assessments of its systems and infrastructure and remedies identified vulnerabilities in a timely manner.
6. Subprocessors
Provider may engage third-party subprocessors to assist in delivering the Service (for example, cloud hosting, pronunciation scoring engines, and AI content generation services). An up-to-date list of subprocessors that may process Student Data is maintained at speechtherapymagic.com/subprocessors.
Each subprocessor is contractually bound by data processing terms that require it to handle Student Data only as directed by Provider and only for the purpose of delivering the Service. Provider remains responsible for ensuring that its subprocessors comply with obligations equivalent to those in this DPA with respect to Student Data.
Provider will provide at least 30 days’ advance notice before adding a new subprocessor that will process Student Data, by updating the subprocessors page and, where feasible, sending an in-app notification to School account holders.
Schools may object to a proposed new subprocessor by notifying Provider in writing within the 30-day notice period. If Provider and the School cannot resolve the objection in good faith, either party may terminate this DPA and the underlying Service subscription without penalty, and Provider will provide a pro-rated refund for any unused prepaid subscription period.
7. Data Subject Rights
Schools, as the responsible party for Student Data, may exercise the following rights on behalf of students at any time by submitting a request via the contact form at speechtherapymagic.com/contact:
- Access: Request a copy of all Student Data held by Provider for a specific student.
- Correction: Request correction of inaccurate Student Data.
- Deletion: Request deletion of all Student Data for a specific student or for all students associated with the School. Provider will fulfill deletion requests within 30 days of receipt.
- Export: Request a machine-readable export of Student Data prior to account closure or deletion.
Upon termination of the School’s Service account, Provider will delete all associated Student Data within 30 days, unless the School has requested a data export first, in which case deletion will occur within 30 days following delivery of the export.
8. School Responsibilities
By entering into this DPA, the School agrees to the following obligations:
- Obtain all required parental and guardian consents before enrolling students under the age of 13 in the Service, and maintain records of such consents as required by applicable law.
- Ensure that all Authorized Users are trained on this DPA and comply with its terms and all applicable student data privacy laws, including FERPA and COPPA.
- Promptly notify Provider — within 24 hours where practicable — of any known or suspected unauthorized access to student accounts or Student Data, so that Provider may investigate and take appropriate remedial action.
- Use the Service only for legitimate educational and therapeutic purposes and refrain from using the Service to collect or share Student Data for any commercial, marketing, or non-educational purpose.
- Ensure that student account credentials are kept confidential and are not shared beyond the student and their assigned Authorized User.
9. Term and Termination
This DPA is effective as of the date the School first uses the Service with student accounts and remains in effect for as long as the School maintains an active Service account or continues to process Student Data through the Service.
Either party may terminate this DPA by providing 30 days’ written notice to the other party. Notice from the School may be submitted via the contact form at speechtherapymagic.com/contact. Notice from Provider will be sent to the School’s primary account email address.
Termination of this DPA requires termination of the School’s underlying Service account. Provider will assist the School with a data export prior to account closure upon request. Following account closure, Student Data will be deleted in accordance with Section 7 above.
10. Governing Law
This DPA is governed by and construed in accordance with the laws of the United States and applicable state law, without regard to conflict-of-law principles. The parties acknowledge that student data privacy laws vary by state and agree to interpret this DPA in a manner consistent with FERPA, COPPA, and applicable state student privacy statutes (including, without limitation, the Student Online Personal Information Protection Act (SOPIPA) and similar state laws where applicable).
For disputes arising out of or relating to this DPA, see the Arbitration clause in the Terms of Service.
11. Contact
Questions about this DPA, requests to exercise data subject rights, breach notifications, and subprocessor objections should all be directed to:
SpeechTherapyMagic Privacy & Compliance Team
Contact us via our contact form at speechtherapymagic.com/contact.