Curriculum Associates logo.
i-Readyi-Ready Teacher Login

Soapbox API Privacy Policy

Last Updated: April 16, 2026

Table of Contents

  1. Who we are and scope of this Privacy Policy
  2. Definitions
  3. Information we collect from Children
  4. How we use the information and our role
  5. With whom we share information
  6. Third-party service providers
  7. Children’s privacy and parental consent
  8. Privacy certifications
  9. Parental rights and other user rights
  10. Data retention
  11. Data storage
  12. Security
  13. Updates to this Privacy Policy
  14. Contact information

1. Who we are and scope of this Privacy Policy

This Soapbox API Privacy Policy describes how SoapBox Labs Limited, an Irish company (“SoapBox”, “we”, “us”, or “our”), collects, uses, stores, and protects data processed through its speech recognition application programming interface (the “API” or “SoapBox API”).

This Privacy Policy applies to all data processed by SoapBox in connection with applications and services developed and operated by third-party Customers that purchase and integrate the API to provide voice‑enabled functionality. SoapBox provides the API as a technical service provider and does not operate or control the Customer applications in which the API is embedded.

The Soapbox API is designed for use in educational and child‑directed contexts, including applications intended for students and children under the age of 13.

We take privacy seriously and apply data protection by design and by default, including strict data minimization and purpose limitation principles. We process Personal Information only to the extent necessary to provide and operate the API in accordance with our Customers’ instructions and applicable data protection and privacy laws.

2. Definitions

Child means an individual under the age of 16. For clarity, this Privacy Policy applies the same privacy protections and safeguards to all Children, including those under the age of 13 and those aged 13 to 15. 

Customer means a company or other legal entity that has entered into a contract with SoapBox to integrate the API into its own application or service.

User means the end user of an application or service that integrates the API. The majority of Users are Children using educational or child‑directed applications.

Personal Data means any information relating to an identified or identifiable natural person, as defined under the GDPR and the UK GDPR. 

Personal Information means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, as defined under the U.S. Children’s Online Privacy Protection Act and other applicable U.S. privacy laws. 

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. 

UK GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. 

COPPA means the U.S. Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501–6506, and the Children’s Online Privacy Protection Rule, 16 C.F.R. Part 312. 

Data controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. 

Data processor means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller.

3. Information we collect from Children

When Users access applications or services that integrate our API, SoapBox collects voice recordings submitted through the application or service for the purpose of providing speech recognition functionality. SoapBox processes these voice recordings solely on behalf of, and in accordance with the instructions of, the Customer operating the application or service.

With each API request, we also collect a unique identifier (UUID). The UUID is used to associate the request with a specific audio file and to enable deletion of that audio file in accordance with our data retention policy or earlier upon request.

In addition, we collect the IP address from which the API request originates. This is typically the IP address of the Customer’s cloud service provider rather than that of the individual User. IP addresses are collected for security, operational, and abuse‑prevention purposes only.

4. How we use the information and our role

Children’s Personal Data and Personal Information are used solely to provide and operate the API. This includes processing voice recordings to deliver speech recognition functionality, maintaining and securing the API, troubleshooting and error resolution, and ensuring reliable service performance. 

We do not use Children’s information for advertising, marketing, profiling, or behavioral tracking purposes.

For most integrations of the API, SoapBox acts as a Data Processor under the GDPR and UK GDPR and as a service provider under COPPA and other applicable U.S. privacy laws. We process Personal Data and Personal Information only on behalf of, and in accordance with the instructions of, the Customer that integrates the API, and only for the limited purposes of providing the API services.

SoapBox does not use Personal Data or Personal Information, including voice recordings or audio files, to train generative or non‑generative artificial intelligence or machine learning models. 

Where necessary to provide the API, voice recordings may be accessed or listened to by authorized personnel under strict confidentiality obligations for the limited purposes of generating transcriptions, validating transcription quality, or labeling data to support the operation and accuracy of the speech recognition service. Such access is limited, tightly controlled, and conducted solely in accordance with applicable law and Customer instructions.

5. With whom we share information

SoapBox does not sell, rent, or share Children’s Personal Data or Personal Information for advertising, marketing, profiling, or behavioral tracking purposes.

We may disclose Personal Data or Personal Information where required to do so to comply with applicable laws, regulations, legal processes, or binding governmental or regulatory requests, or where necessary to enforce our contractual terms or to protect the rights, property, or safety of SoapBox, our Customers, Users, or others.

SoapBox may disclose information to trusted third‑party service providers that support the delivery and operation of the API, such as infrastructure and hosting providers. These third‑party service providers act as sub‑processors and are contractually required to process data solely on our behalf and in accordance with our instructions, to apply appropriate technical and organizational security measures, and to comply with applicable data protection and privacy laws.

Except as described in this Privacy Policy, SoapBox does not disclose Children’s Personal Data or Personal Information to any other third parties. A current list of our sub‑processors is provided in Section 6 of this Privacy Policy.

6. Third-party service providers

The API is hosted exclusively on Microsoft Azure. All Customer data is stored and processed within the Azure cloud environment and remains subject to Microsoft’s security and compliance controls.

We do not transfer, disclose, or otherwise make Customer data available to third-party analytics, debugging, customer support, marketing, or customer relationship management (CRM) providers. Customer data is not shared with any third parties except as necessary for the provision and operation of the service through Azure, or as required by applicable law.

7. Children’s privacy and parental consent

All Customers that integrate the API are required to enter into contractual agreements with SoapBox. For purposes of the U.S. Children’s Online Privacy Protection Act (COPPA), these Customers act as the “operators” or “companies operating the service” that is directed to Children.

SoapBox acts as a service provider and processes Children’s Personal Data and Personal Information solely on behalf of its Customers. We require our Customers to obtain verifiable parental consent, where required by applicable law, before collecting or processing Children’s data through the API.

SoapBox does not use Children’s data for behavioral advertising, profiling, or retargeting, and does not sell Children’s Personal Data or Personal Information to third parties.

8. Privacy certifications

SoapBox Labs Limited is a member of the PRIVO Kids Privacy Assured Program (“the Program”) for COPPA Safe Harbor Certification and GDPRkids™. PRIVO is an independent, third-party organization committed to safeguarding children’s personal information collected online.

COPPA Safe Harbor Certification

The Program certification applies to the digital properties listed on the validation page that is viewable by clicking on the PRIVO COPPA certification Seal. The certification Seal posted on this page indicates SoapBox Labs Limited has established COPPA compliant privacy practices and has agreed to submit to PRIVO’s oversight and consumer dispute resolution process. If you have questions or concerns about our privacy practices, please contact us at privacy@cainc.com. If you have further concerns after you have contacted us, you can contact PRIVO directly at privacy@privo.com.

GDPRkids Privacy Assured

The Program applies to the digital properties listed on the validation page that is viewable by clicking on the PRIVO GDPRkids™ Verified Shield. The PRIVO GDPRkids™ Privacy Assured Program supports child directed services known as Information Society Services under the General Data Protection Regulation (GDPR), to comply with the requirements of this legislation. It impacts any child directed service in an EU Member State and any service globally that collects and or processes the personal data of children and minors. There is no safe harbour for the GDPR to date, but to ensure this company’s services meet the program requirements, we conduct regular monitoring and consulting.

9. Parental rights and other user rights

Depending on the User’s location and the applicable law, Users, or their parents or legal guardians, may have certain rights in relation to Personal Data or Personal Information processed through the API.

Parental rights (United States)

Under the U.S. Children’s Online Privacy Protection Act (COPPA), parents and legal guardians of Children have the right to:

  • review the Personal Information collected from their Child;
  • request the deletion of their child’s Personal Information;
  • refuse further collection or use of their Child’s information; and
  • request that their Child’s Personal Information not be disclosed to third parties, except as permitted by law.

Because SoapBox acts as a service provider and does not operate the applications and services that integrate the API, parents are encouraged to exercise these rights by contacting the Customer that operates the application or service their Child is using. Customers are responsible for verifying parental identity and responding to parental access requests.

Parents may also contact SoapBox directly at privacy@cainc.com. In some cases, we may be unable to independently verify a parent or legal guardian’s identity. Where this occurs, we will forward the request to the relevant Customer and provide reasonable assistance as appropriate.

User rights (European Economic Area or the United Kingdom)

Users located in the European Economic Area or the United Kingdom have the rights provided under the GDPR and UK GDPR, including the right to:

  • obtain confirmation as to whether Personal Data is being processed and access such data (right of access);
  • request correction of inaccurate or incomplete Personal Data (right to rectification);
  • request deletion of Personal Data where there is no compelling lawful reason for continued processing (right to erasure);
  • request restriction of processing in certain circumstances (right to restriction);
  • receive Personal Data in a structured, commonly used, and machine‑readable format (right to data portability); and
  • object to processing based on legitimate interests, where applicable (right to object).

As SoapBox generally acts as a Data Processor, requests to exercise these rights should be directed primarily to the relevant Customer acting as Data Controller. SoapBox will assist Customers in responding to such requests where required by law.

California privacy rights

California residents may have additional rights under applicable California privacy laws, including the right to:

  • request disclosure of the categories and specific pieces of Personal Information collected (right to know);
  • request deletion of Personal Information (right to delete);
  • opt out of the sale of Personal Information, where applicable;
  • And exercise their rights without discriminatory treatment (right to non‑discrimination).

SoapBox does not sell Personal Information and processes Personal Information solely as a service provider on behalf of its Customers.

10. Data retention

SoapBox retains Children’s Personal Data and Personal Information only for the minimum period necessary to provide the speech recognition services requested by our Customers and in accordance with our contractual obligations and applicable law.

In most cases, voice recordings containing a Child’s voice are processed in real time and deleted immediately after the processing session is completed.

Where explicitly agreed with a Customer, voice recordings may be retained after initial processing for a limited period for specific operational purposes, such as service reliability, troubleshooting, quality assurance, or fulfillment of deletion requests. In such cases, retention is limited to the duration of the applicable academic or school year plus an additional six months. This retention occurs only where authorized by the Customer and, where required by applicable law, subject to appropriate verifiable parental consent.

SoapBox does not use voice recordings or audio files to train generative or non‑generative artificial intelligence or machine learning models.

Voice recordings are never retained beyond the termination or expiration of the applicable Customer contract, plus a maximum of ninety days, after which they are securely deleted.

SoapBox may retain anonymized or aggregated data for an indefinite period for research and product improvement purposes. Such data is anonymized using industry‑standard techniques, does not contain voice recordings, cannot reasonably be used to identify an individual, and is not subject to re‑identification attempts.

11. Data storage

Data is stored in accordance with the geographic region applicable to the Customer’s deployment. 

All Personal Data processed for U.S. Customers is stored in Microsoft Azure data centers located in the United States.

Where a Customer or User is located in the European Economic Area (“EEA”) or the United Kingdom, Personal Data may be transferred to and stored in countries outside of the EEA or the UK, including the United States of America, where our Azure hosting environment or sub‑processors are located.

Where such international transfers occur, SoapBox ensures that appropriate safeguards are in place to protect Personal Data in accordance with applicable data protection laws. These safeguards typically include the use of European Commission‑approved Standard Contractual Clauses (“SCCs”) and, where applicable, supplementary technical and organizational measures designed to ensure an essentially equivalent level of data protection.

SoapBox does not rely on user or parental consent as the legal basis for international data transfers. Transfers are carried out solely for the purpose of providing the API services and in compliance with our contractual obligations and applicable law.

12. Security

We maintain a comprehensive information security program designed to protect the confidentiality, integrity, and availability of audio files, transcripts, and other Personal Data or Personal Information processed through our speech recognition API.

For Children data, SoapBox complies with the U.S. Children’s Online Privacy Protection Act (COPPA) by limiting the collection of Personal Information to what is reasonably necessary to provide the speech recognition service and by maintaining reasonable procedures to protect the confidentiality, security, and integrity of Children’s Personal Information.

Our infrastructure is hosted on Microsoft Azure, which provides robust physical, environmental, and operational security safeguards. All audio and text data are encrypted in transit and at rest using industry‑standard encryption technologies. Our API endpoints are protected by industry‑standard firewalls and secure communication protocols.

Access to Personal Data and Personal Information is restricted through role‑based access controls and the principle of least privilege. Strong authentication measures are enforced, including multi‑factor authentication for all administrative access. We conduct regular vulnerability assessments, automated code scanning, and patch management to maintain application security.

SoapBox trains its employees on information security and data protection and privacy practices and enforces strict access control and device security requirements. We maintain incident response and business continuity procedures designed to promptly detect, contain, investigate, and remediate security incidents.

If unauthorized access to Student Data or other Personal Data or Personal Information is confirmed, SoapBox will notify affected Customers without unreasonable delay and will provide timely updates regarding mitigation and remediation efforts, in accordance with applicable law and contractual obligations.

13. Updates to this Privacy Policy

We may modify this Privacy Policy at any time to reflect changes in our API or legal requirements. We will post the updated version and revise the "Last Updated" date at the top of this page. For material changes that substantively affect the collection, use, or disclosure of Children’s Personal Information, we will work with our Customers to provide prior notice, a prominent notification within their applications and services integrating our API, and, where required by law, obtain any legally required consents.

14. Contact information

SoapBox Labs 
3-8 Hume Street, Stephen’s Green
Dublin 2, Ireland D02 C624
privacy@cainc.com
(800) 225-0248

If you are in the EEA, please note that our Data Protection Officer (DPO) can be contacted at privacy@cainc.com. If you are in the EEA and have further concerns after you have contacted us, you can lodge a complaint with the Irish Data Protection Commission directly at info@dataprotection.ie.