API Privacy Policy
Last Updated: February 10th, 2026
This policy covers children's data only — voice recordings, first names, language preferences, and session data processed through the UG Labs API.
We do not use children's data for advertising, marketing, or sell it to third parties.
Developer data (account info, usage, billing) is covered in our Terms of Service.
This API Privacy Policy ("Policy") describes how Universal Grammar Ltd. ("UG Labs," "we," "us," or "our") collects, uses, stores, and protects data processed through the UG Labs API (the "API"). This Policy applies to all data processed by UG Labs in connection with applications that integrate the UG Labs API, including data relating to children.
This Policy is supplemental to and forms part of our Terms of Service. For information about data practices on the UG Labs website, please refer to our Website Privacy Policy. For information about data collected from developers and studios, please refer to the Data Processing Agreement in our Terms of Service.
1. Data Collection & Processing
The UG Labs API may collect and process the following categories of data in connection with applications developed by our partners ("Developers"):
Voice Recordings
The API captures voice recordings when end users interact with voice-enabled features within a Developer's application. Voice recordings are used for speech recognition, natural language understanding, and to power conversational AI experiences. Voice data is processed in real time and may be temporarily stored for the duration of a session.
Child's First Name
When provided by the Developer's application, the child's first name may be used to personalize the AI experience. First names are not used to identify individual children across different applications or sessions unless explicitly configured by the Developer.
Languages
Language preferences and spoken language data are collected to optimize speech recognition accuracy, select appropriate language models, and deliver content in the child's preferred language.
Usage and Session Data
The API collects technical usage data, including session identifiers, interaction timestamps, feature usage patterns, device type, operating system version, and SDK version. This data is used for service operation, performance monitoring, and debugging.
2. Data Uses
UG Labs uses the data collected through the API for the following purposes:
API Performance
Data is used to operate, maintain, and improve the performance of the API, including optimizing speech recognition accuracy, reducing latency, improving natural language understanding, and ensuring reliable service delivery.
Model Improvement
Anonymized and aggregated data may be used to train and improve UG Labs' machine learning models. Individual voice recordings are not used for model training without explicit Developer consent and are always anonymized before any such use.
Anonymization
UG Labs applies anonymization and de-identification techniques to personal data before using it for research, analytics, or model improvement purposes. Anonymized data cannot be used to re-identify individual users. UG Labs maintains technical and organizational safeguards to prevent re-identification.
3. Data Location
Data processed through the UG Labs API may be stored and processed in the following locations:
- Israel: UG Labs' primary offices and certain infrastructure components are located in Israel.
- United States (USA): Cloud hosting, voice transcription, PII detection, audio generation, and LLM inference services are operated through sub-processors located in the USA.
- European Union (EU): Certain cloud hosting and processing services are available in EU data centers to support compliance with EU data protection requirements.
UG Labs ensures that all international data transfers comply with applicable data protection laws, including the use of Standard Contractual Clauses (SCCs) and other approved transfer mechanisms where required.
4. Data Retention
UG Labs retains personal data processed through the API for the minimum period necessary to fulfill the purposes described in this Policy:
- Voice recordings: Processed in real time and deleted promptly after session completion, unless retention is required for legitimate service purposes (e.g., debugging). In no event retained longer than 4 years.
- Session and usage data: Retained for up to 4 years for analytics, service improvement, and compliance purposes.
- Anonymized data: May be retained indefinitely for research and improvement purposes — cannot be used to identify individuals.
Maximum retention: 4 years from the date of collection for any personal data, unless a shorter period is required by applicable law or requested by the Developer.
5. Data Disclosure
UG Labs may disclose data processed through the API in the following circumstances:
Service Providers (Sub-Processors)
UG Labs engages trusted third-party service providers to assist in delivering the API. These sub-processors are contractually obligated to process data only as instructed by UG Labs and to maintain appropriate security measures. The current list of sub-processors is provided in Section 10 (COPPA Notice) of this Policy.
Legal Compliance
UG Labs may disclose data when required by applicable law, regulation, legal process, or governmental request, including in response to lawful requests by public authorities for national security or law enforcement purposes.
Rights Protection
UG Labs may disclose data when UG Labs believes in good faith that disclosure is necessary to protect the rights, property, or safety of UG Labs, its users, or the public, including to enforce our Terms of Service or prevent fraud or other illegal activities.
6. Data Security
UG Labs implements comprehensive technical and organizational measures to protect data processed through the API:
- TLS Encryption: All data transmitted between client applications and UG Labs' servers is encrypted using Transport Layer Security (TLS) protocols.
- Encrypted Storage: Personal data stored at rest is encrypted using AES-256 or equivalent encryption standards.
- Access Controls: UG Labs employs role-based access controls, multi-factor authentication, and least-privilege principles to restrict access to personal data to authorized personnel only.
- Security Monitoring: UG Labs maintains continuous security monitoring, intrusion detection systems, and regular vulnerability assessments.
- Incident Response: UG Labs maintains documented incident response procedures and will notify affected Developers of any personal data breach within 72 hours of becoming aware of the breach.
7. Data Subject Rights
UG Labs supports the exercise of data subject rights under applicable data protection laws. Depending on your jurisdiction, you or the parent/guardian of a child user may have the following rights:
GDPR Rights (European Economic Area)
- Right of Access: Request confirmation of whether personal data is being processed and obtain a copy of such data.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of personal data where there is no compelling reason for continued processing.
- Right to Restriction: Request restriction of processing in certain circumstances.
- Right to Data Portability: Receive personal data in a structured, commonly used, machine-readable format.
- Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
CCPA Rights (California Residents)
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected.
- Right to Delete: Request deletion of personal information collected.
- Right to Opt-Out: Opt out of the sale of personal information. UG Labs does not sell personal information.
- Right to Non-Discrimination: Exercise your rights without receiving discriminatory treatment.
Other Jurisdictions
UG Labs respects the data protection rights of individuals in all jurisdictions where it operates. If you are located in a jurisdiction with specific data protection rights not listed above, please contact us and we will work to accommodate your request in accordance with applicable law.
To exercise any of these rights, please contact us at privacy@uglabs.io. Requests will be processed within the timeframes required by applicable law.
8. Children's Privacy
UG Labs is committed to protecting the privacy and safety of children. Our API is specifically designed and built for applications that serve children:
- We process children's data only as described in this Policy and in accordance with the Developer's documented instructions.
- We do not use children's data for behavioral advertising or targeted marketing.
- We do not sell children's personal information to third parties.
- We apply enhanced security measures and access controls to children's data.
- We require Developers to obtain verifiable parental consent before collecting or processing children's data through the API.
kidSAFE+ COPPA Certification
UG Labs has been certified by the kidSAFE Seal Program, an FTC-approved COPPA Safe Harbor Program. This certification verifies that UG Labs' data practices meet the requirements of the Children's Online Privacy Protection Act (COPPA). For more information about our kidSAFE certification, visit our kidSAFE certification page.
9. Processing Role
UG Labs' role in the processing of personal data depends on the specific implementation and the nature of the Developer's application:
- Data Processor: In most cases, UG Labs acts as a data processor on behalf of the Developer (the data controller), processing personal data solely as instructed by the Developer for the purpose of providing the API.
- Joint Controller: In certain configurations where UG Labs independently determines the purposes and means of processing (e.g., for model improvement with Developer consent), UG Labs and the Developer may act as joint controllers.
The specific processing role is defined in the Data Processing Agreement (DPA) attached to the Terms of Service.
10. COPPA Notice
This section provides notice to parents and guardians regarding UG Labs' data practices as required by the Children's Online Privacy Protection Act (COPPA).
Information We Collect from Children
Through the API integrated into a Developer's application, UG Labs may collect the following information from children under the age of 13:
- Voice recordings for speech recognition and conversational AI;
- First name for personalization;
- Language preferences;
- Session and usage data (non-identifying).
How We Use Children's Information
Children's information is used solely to provide the API services, including powering speech recognition, delivering conversational AI experiences, personalizing interactions, and maintaining service performance. We do not use children's personal information for advertising or marketing purposes.
Parental Consent
The Developer (the "Operator" for COPPA purposes) is responsible for obtaining verifiable parental consent before collecting personal information from children through their application. UG Labs provides tools and documentation to support Developers in meeting this obligation.
Parental Rights
Parents and guardians have the right to:
- Review the personal information collected from their child;
- Request deletion of their child's personal information;
- Refuse further collection or use of their child's information;
- Request that the child's information not be disclosed to third parties.
To exercise these rights, parents should contact the Developer of the application their child uses. Parents may also contact UG Labs directly at privacy@uglabs.io.
Operators (Sub-Processors)
The following third-party operators (sub-processors) may process children's data in connection with the API:
| Operator | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Hosting, storage | USA / EU |
| Google (Gemini) | LLM inference | USA / EU |
| Amazon Web Services | Voice transcription, PII detection | USA / EU |
| Eleven Labs Inc. | Audio generation (TTS) | USA |
| DeepDub | Audio generation (TTS) | USA |
| Bria | Image generation | USA |
| Replicate | Image generation | USA |
All operators are contractually obligated to process children's data only as instructed by UG Labs and to maintain appropriate security and confidentiality measures.
11. Additional Notices & Contact Details
Changes to This Policy
UG Labs may update this API Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. Material changes will be communicated to Developers via email notification or through the UG Labs developer dashboard. The "Last Updated" date at the top of this Policy indicates the most recent revision.
Data Protection Officer
UG Labs has appointed an external Data Protection Officer (DPO) to oversee compliance with applicable data protection laws:
PrivacyTeam Ltd.
Data Protection Officer for Universal Grammar Ltd.
Email: privacy@uglabs.io
Contact Us
If you have any questions, concerns, or requests regarding this API Privacy Policy or UG Labs' data practices, please contact us:
Universal Grammar Ltd.
11 Amos Oz
Hertzliya, Israel 4651641
Email: privacy@uglabs.io
Phone: +1 (646) 736-4500
Supervisory Authority
If you are located in the European Economic Area and believe that UG Labs has not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local supervisory authority. A list of supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en