Boba · Privacy

Privacy Policy

Effective: April 26, 2026 · Last updated: April 26, 2026

The short version

We don't sell your data. Ever. We don't run advertising. We don't track your child across other apps.

To make Boba work, we use trusted AI providers (OpenAI for language, ElevenLabs for voice) and standard infrastructure (Supabase, Vercel, Resend). They process data on our behalf under strict contracts and are never permitted to use your child's data for their own training or advertising.

You can delete your account and all associated data at any time, in two taps inside the app or by emailing us.

1. Who we are

"Boba" is a voice-first AI friend and teacher for children, designed for ages 2 to 18. This policy describes how Boba ("we", "us", "our") collects and handles personal information when you visit our website (boba.app), join our waitlist, or use the Boba mobile and tablet app.

If you have a question about this policy, email us at privacy@boba.app.

2. Information we collect

From parents (or legal guardians)

Account information. Email address, name, password (stored as a one-way hash), and the parental consent record.
Communication. Messages you send to us by email or in-app feedback.
Billing information. If you subscribe, payment is handled by Apple (in-app purchase). We never see your card details.

From the child profile (provided by the parent)

Profile. The child's first name (or nickname), age, and the learning topics the parent selects.
Voice and conversation data. When your child speaks to Boba, the audio is sent to our speech-to-text provider for transcription. The resulting text and Boba's responses are stored only to give Boba memory of past sessions and to improve the experience for that specific child.
Session activity. Topics covered, visuals shown, mini-games played. Used to power the parent dashboard and Boba's continuity.

Automatically (limited)

Device basics. Operating system, app version, language, and crash logs needed to keep Boba working.
Website analytics. Aggregated, privacy-respecting page-view counts (no fingerprinting, no third-party advertising cookies).

What we do not collect. We do not collect your contacts, your photo library, your calendar, your precise location, your social-media profiles, or your browsing on other apps and websites.

3. How we use information

To run Boba: power the voice conversation, generate visuals, remember your child between sessions, and surface progress in the parent dashboard.
To send transactional emails you asked for: waitlist confirmation, account verification, important changes to the service.
To respond to your messages and provide support.
To detect and prevent abuse, fraud, or harm to the service.
To meet our legal obligations.

We do not use any information you provide to train any third-party large language model, and we contractually require our AI providers not to do so either.

4. Third-party providers we use

Boba is built on top of established AI and infrastructure providers, listed in full below. Each one is a "data processor" acting on our instructions under a written agreement (a Data Processing Addendum or equivalent). We do not "sell" your data to any of them. They handle data only for the limited purpose described.

Provider	Purpose	What it sees
OpenAI	Language model + speech-to-text transcription	The transcript of what your child said, the system prompt, Boba's reply. We use OpenAI's API with the "no training on customer data" setting enabled.
ElevenLabs	Text-to-speech (Boba's voice)	Boba's reply text, returned to the device as audio.
Supabase	Authentication, database, file storage	Your account email, hashed password, child profile, conversation memory. Hosted on encrypted Postgres.
Resend	Transactional email (waitlist confirmation, account email)	Email address and the body of the email we send you.
Vercel	Website hosting and serverless API	Standard server logs (IP, request path, timestamp), retained briefly for security and debugging.
Apple	App distribution, in-app purchase billing	Standard purchase metadata governed by Apple's privacy policy.

If we add or change a critical provider, we will update this list and notify active users by email at least 14 days in advance.

We may also disclose information when required by law (a valid subpoena or court order), to enforce our Terms, or to protect the rights, safety, or property of users and the public. We will challenge overbroad requests where we can.

5. Children's privacy (COPPA, GDPR-K, and similar)

Boba is designed for children, including children under 13. We follow the U.S. Children's Online Privacy Protection Act (COPPA) and applicable equivalents (GDPR Article 8, the UK Children's Code).

No child mode without parental consent. Before a child can use Boba in child mode, a parent must complete the parental consent flow inside the app.
No advertising. Boba contains no third-party advertising, no behavioral targeting, and no cross-app tracking.
No social features. Boba contains no chat with other users, no public profiles, no comments, and no link-sharing surfaces.
Minimal data. We collect only what is needed to make Boba work and to remember your child between sessions.
Parental controls. A parent can review, export, or delete the child's data at any time from the parent area in the app, or by emailing privacy@boba.app.

If we learn we have collected personal information from a child without verified parental consent, we will delete it as soon as we become aware.

6. Data retention

Voice audio is processed for transcription and is not retained after the response is generated.
Conversation transcripts and memory are kept while your account is active so Boba can remember your child between sessions. You can clear them at any time from the parent area.
Account information is retained while your account is active. Once you delete your account, we permanently delete it (and all associated child profiles, transcripts, and memory) within 30 days, except where law requires us to keep limited records (for example, to detect fraud).
Waitlist and email-list entries are kept until you unsubscribe or ask us to remove them.
Backups roll over within 30 days, after which deleted records are no longer recoverable.

7. Your rights

Wherever you live, you can:

Access a copy of the personal information we hold about you and your child.
Correct anything that is inaccurate.
Delete your account and all associated data. Inside the app: Settings → Delete account. By email: privacy@boba.app.
Object to or restrict certain processing (where applicable under law).
Port your data to another service in a portable format on request.
Withdraw consent at any time. Withdrawing consent does not affect lawful processing already done.

If you are in the European Economic Area, the United Kingdom, or Switzerland, you also have the right to lodge a complaint with your local data-protection authority.

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you specific rights, including the right to know, the right to delete, and the right to opt out of "sales" or "sharing" of personal information. We do not sell or share personal information.

8. Security

We protect your information with industry-standard measures: encryption in transit (TLS), encryption at rest for stored data, hashed passwords, scoped access controls, and least-privilege permissions for our team. No system is perfectly secure; we will tell you promptly if we ever experience a breach that affects you, in line with applicable law.

9. International transfers

Our providers operate primarily in the United States. If you are outside the U.S., your information will be transferred to and processed in the U.S. We rely on Standard Contractual Clauses or equivalent legal mechanisms where required.

10. Cookies and similar technologies

The Boba website uses a small number of strictly-necessary cookies (for example, to remember if you've already joined the waitlist on this device). We also use privacy-respecting, aggregate analytics that do not fingerprint your browser. The app stores authentication tokens and child profile data on the device using the operating system's secure storage.

We do not use third-party advertising cookies, retargeting pixels, or cross-site trackers.

11. Do Not Track

We do not track users across third-party sites, so we treat all visitors as if they had Do Not Track enabled.

12. Changes to this policy

We will update this page when our practices change. If a change is material (for example, adding a new processor or a new category of data), we will email active users at least 14 days before it takes effect. The "Last updated" date at the top of this page always reflects the current version.

13. Contact

For privacy questions, data requests, or anything else covered by this policy, email privacy@boba.app. We try to reply within five business days.