When we use the term “personal information” we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual. It does not include aggregated or de-identified information that is maintained in a form that is not reasonably capable of being associated with or linked to an individual.

We collect the following categories of personal information from children:

• Voice recordings of the child, which we then transcribe into written text (transcripts) and shortly thereafter convert to de-identified voice and text that is anonymized and free of information that identifies, or could be used to identify, a child. With your consent, we will also retain the raw voice recordings of your child.

• A child’s first name or nickname.

• Languages spoken.

We use personal data for the following purposes:

• Voice Recordings and Transcripts: When using the Services, children talk to our SDK, which uses their voice recordings to generate transcripts. We use voice recordings and transcripts as follows:

  • For the performance and provision of our SDK. In order for our SDK to work and communicate with your child, it must use the voice recordings to generate transcripts, which are then processed to generate output responses. We do not store the voice recordings for this purpose and remove them once transcripts are generated. This is crucial for our SDK to function, and without the collection and processing of your child’s voice recordings and transcripts for this purpose, your child will not be able to engage with our SDK when using the Services. To the extent required by law, for example, where the EU or UK General Data Protection Regulation (GDPR) applies, we will obtain your consent prior to collecting the voice recordings for this purpose.

  • To improve and enhance our natural language understanding models. Subject to your consent, we will use voice recordings and transcripts to improve our understanding of how children interact with our SDK experiences, helping us make them more inclusive, safer, and better for everyone. This is done by running this data through our AI models and research servers, only if you specifically consent to the use of your child’s personal data for this purpose. If you consent, prior to storing the voice recordings, we will apply the following measures to ensure your child’s confidentiality:

    • We remove recordings that contain any personal information shared by the child.

    • We apply measures that prevent us from tracing them back to your child.

    • We only keep separate fragments.

  • If you choose not to consent, your child will still be able to use the Services and enjoy our SDK’s functionalities.

• Child’s First Name or Nickname. We use this data only to interact with the child in the context of the conversation.

• Language Spoken. We use this data to help our SDK communicate with children in the language they speak. This information is crucial for our SDK to be able to work properly and communicate with the child.

We do not sell personal information to third parties for marketing purposes, nor do we sell or sharepersonal information (as defined under the CCPA).

We and our authorized Service Providers (defined in Section 5 below) maintain, store and process personal data in Israel, the United States of America and the EU, depending on the location from which the Services and our SDK are used. We may transfer personal data to additional locations if required by law or subject to your explicit consent.

While privacy laws may vary between jurisdictions, UG is committed to protecting personal data in accordance with this privacy policy and customary industry standards, and such appropriate lawful mechanisms and contractual terms requiring adequate data protection, regardless of any lesser legal requirements that may apply in the jurisdiction to which such data is transferred.

Universal Grammar Ltd. is headquartered in Israel, a jurisdiction which is considered by the European Commission, the Swiss Federal Council, and the UK Secretary of State to be offering an adequate level of protection for the personal data of residents of the European Economic Area (“EEA”), Switzerland and the UK, respectively. We transfer personal data from the EEA, Switzerland and the UK to Israel on this basis

For data transfers from the EEA, Switzerland or the UK to countries which are not considered to be offering an adequate level of data protection, we and the relevant data exporters and importers have entered into Standard Contractual Clauses as approved by the European Commission, the Swiss Federal Data Protection and Information Commissioner (FDPIC) and UK Information Commissioner’s Office (ICO). You can obtain a copy of these clauses by contacting us as indicated in Section 11 below.

Subject to your consent, we will retain your child’s voice recordings for as long as we deem it necessary in order to provide our services and to fulfil the purposes for which your consent has been obtained. We will not retain your child's personal data indefinitely; in any case, we will not retain it for more than four years. If you do not consent to the further retention of your child’s voice recordings for the purpose of improvement and enhancement of our natural language understanding models, as described in Section 2 above, we will delete the voice recordings promptly after we transcribe them, solely to provide the service. We also implement an additional precautionary measure to ensure the original recordings are not retained, if, for some reason, the recordings were not properly deleted after they were cleaned of identifiers.

Additionally, we may also retain personal data for as long as we deem it necessary in order to maintain our relationship with you and provide our services; in order to comply with our legal and contractual obligations; or to protect ourselves from any potential disputes (i.e., as required by laws applicable to log-keeping, records and bookkeeping, and in order to have proof and evidence concerning our relationship, should any legal issues arise following your discontinuance of use), all in accordance with our data retention policy.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and the applicable legal requirements.

If you have any questions about our data retention policy, please contact us by email via privacy@uglabs.io

We disclose personal data in the following ways:

• Service Providers: We engage selected third-party companies and individuals to perform services on our behalf or complementary to our own. Such service providers include conversational AI agents/providers, hosting and server co-location services, communications and content delivery networks (CDNs), data security services, billing and payment processing services, fraud detection and prevention services, web and product analytics, e-mail distribution and monitoring services, session or activity recording services, remote access services, content transcription and analysis services, and our legal, financial and compliance advisors (collectively, “Service Providers“). Our Service Providers may have access to personal data, depending on each of their specific roles and purposes in facilitating and enhancing our SDK, and may only use the data as determined in our agreements with them.

• Legal Compliance: If we are required to disclose the user’s information by a judicial, governmental, or regulatory authority, we will do so in accordance with our legal obligations. If the user engaged in wrongdoing, we share their information with authorities and third parties (such as legal consultants and advisors), for the purpose of handling the wrongdoing. Such disclosure or access may occur if we believe in good faith that: (a) we are legally compelled to do so; (b) disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing; or (c) such disclosure is required to protect our legitimate business interests, including the security or integrity of our products and services.

• Protecting Rights and Safety: We may share personal data with others if we believe in good faith that this will help protect the rights, property or personal safety of UG, any of our users, or any members of the general public.

• Subsidiaries and Affiliates Companies: If the operation of UG is organized within a different framework, or through another legal structure or entity (such as due to a merger or acquisition), we will share the user’s information with the entities relevant to the reorganization, provided that those entities agree to be bound by this Privacy Policy.

• Other Disclosures: For the avoidance of doubt, UG may share personal data in additional manners, pursuant to your explicit approval or if we are legally obligated to do so.
  ‍
  For the purposes of the CCPA, in the past 12 months, we may have disclosed to our Service Providers/Developers the following categories of Personal Information, as defined in the CCPA: identifiers and audio, electronic and visual information.

We use various security measures to safeguard against unauthorized access and use of data. All data transmitted between the SDK and our servers is encrypted using Transport Layer Security (TLS). We store the personal information encrypted and under strict access controls: our employees do not have direct access to the data.

Individuals have rights concerning their personal data. Please contact us at privacy@uglangs.io to exercise your or your child’s privacy rights under applicable laws, including the EU or UK GDPR, the CCPA, the Swiss Federal Act on Data Protection (FADP), Israel’s Protection of Privacy Law (PPL) or COPPA. Such privacy rights may include – to the extent applicable - the right to know/request access to (specific pieces of personal data collected; categories of personal data collected; categories of sources from whom the personal data was collected; purpose of collecting personal data; categories of third parties with whom we have shared personal data), to request rectification or erasure of personal data held with UG, or to restrict or object to such personal data processing, or to port such personal data, or the right to equal services and prices (e.g., freedom from discrimination) (each to the extent available to you under the laws which apply to you). If your child is a GDPR-protected individual, you also have the right to lodge a complaint with the relevant supervisory authority in the EU or the UK, as applicable.

To exercise any of these rights, please contact us at privacy@uglabs.io.

UG is committed to the highest standard of privacy and data protection and is aware of the sensitivity involved in the processing of personal data relating to children.

UG Labs has been awarded the kidSAFE+ COPPA Seal from the kidSAFE Seal Program. This means that UG Labs' conversational AI speech-recognition platform has been independently reviewed and certified by kidSAFE to meet certain standards of online safety and privacy, including COPPA compliance. Click here to see our official kidSAFE® membership page.

Certain data protection laws and regulations, such as the EU GDPR, UK GDPR, the CCPA, FADP and PPL, typically distinguish between two main roles for parties processing personal data: the “data controller” (or under the CCPA, “business”), who determines the purposes and means of processing; and the “data processor” (or under the CCPA, “service provider”), who processes the data on behalf of the data controller (or business). Below, we explain how these roles apply to our Services, to the extent that such laws and regulations apply.

Certain data protection laws and regulations, such as the EU GDPR, UK GDPR, the CCPA, FADP and PPL, typically distinguish between two main roles for parties processing personal data: the “data controller” (or under the CCPA, “business”), who determines the purposes and means of processing; and the “data processor” (or under the CCPA, “service provider”), who processes the data on behalf of the data controller (or business). Below, we explain how these roles apply to our Services, to the extent that such laws and regulations apply.

If we and the Developer process personal data as joint controllers (i.e., in case we jointly determine the purposes and means of the processing), we will enter into an appropriate data processing agreement allocating the parties’ responsibilities with respect to the personal data processed.

In some cases, we may process personal data as a data processor on behalf of the Developer. In such a case, the Developer will be solely responsible for determining whether and how they wish to use our SDK, and for ensuring that all individuals using the SDK whose personal data processed through it, have been provided with adequate notice and given informed consent to the processing of their personal data, where such consent is necessary or advised, and that all legal requirements applicable to the collection, recording, use or other processing of data through our SDK and the Services are fully met by the Developer. In addition, if we act as the Developer’s processor, the respective Developer is also responsible for handling data subject rights requests under applicable law by their users and other individuals whose data they process through the Services.

Under the requirements of the U.S. federal Children’s Online Privacy Protection Act and its regulations (COPPA), UG is required to provide certain information to parents of children whose personal information is collected by the SDK. If the processing of your child’s personal information is subject to COPPA, please read this COPPA Notice carefully and make sure you understand it and fully agree to it.

Contact Details. Universal Grammar Ltd. is a company incorporated under the laws of the State of Israel. Our postal address is 8 Ha’Arbaa Street, Tel Aviv-Yafo, Israel. If you have any questions, please write to us by email via privacy@uglabs.io or by phone at +1(646)7364500.

Collection and Use of Personal Information. As a part of the SDK, we collect the following types of personal information from children: Voice recordings and transcripts thereof; A child’s first name or nickname; Age (but not a precise date of birth); Languages spoken; Contact details of parents/legal guardians; and Support information. To learn more about the personal information we collect, please see Section 1 of this policy.

We use personal information for the following purposes:

• To provide our SDK, operate and maintain it;

• To personalize the manner in which our SDK engages with the child;

• To enhance our SDK and improve it, including through the use of algorithms, model training and research servers (subject to your consent);

Note that the SDK does not enable the child to make their personal information publicly available.

We do not sell personal information to third parties for marketing purposes.

To learn more about the purposes for which we use personal information, see Section 2 of this privacy policy.

Our Operators. To maintain, operate and provide our SDK, we use the services of the following operators:

• Google Cloud Platform: Running our servers, including gamekeeping. Storing the game’s data and analytics. Providing real-time LLM answers that run our games.

• Amazon Web Services: Running our servers, including voice transcription. Detecting PII on user input.

• Eleven Labs Inc.: Generating audio for our virtual characters.

• Deep Infra: Providing real-time LLM answers that run our games.

If you have any inquiries concerning the operators’ data practices, please contact us at privacy@uglabs.io.

Retention of Personal Information. As described in Section 4 above, we will only retain the voice recordings of your child if we have your consent, and only for the purpose of enhancing and improving our SDK as described above. Unless parental consent is obtained, we will not retain voice recordings, and we will only use them in order to generate transcripts and delete them immediately afterwards. The transcripts will then be used to provide the service to your child.

Disclosure of Personal Information. We will only disclose the personal information in the following instances:

• To the Developer of the Services your child uses;

• To our authorized operators listed above;

• As required by a judicial, governmental, or regulatory authority;

• If the user engaged in wrongdoing, we will share their information for the purpose of handling the wrongdoing; or

• If the operation of UG is organized within a different framework, or through another legal structure or entity.

For more information on how we disclose personal information, see Section 5 of this privacy policy.

Your COPPA Privacy Rights. As a parent, you may review the personal information we collected from your child or ask for a description of the specific types or categories of personal information we collected from your child.

You may also request to have that personal information deleted or refuse to permit further collection of the child’s information.

To exercise any of these rights, please contact us at privacy@uglabs.io.

Means For Verifiable Parental Consent. Our SDK is a third-party plug-in that is incorporated into the Services of the Developer your child uses. As such, we are not in a position that enables us to obtain verifiable parental consent without the help of the respective Developer or other service providers used for this specific purpose. The means for obtaining verifiable parental consent may vary dependingon the Services that incorporate our SDK. To learn more about how such consent is obtained, please refer to the privacy policy or relevant consent forms or pages of the specific Services your child uses.

Updates and Amendments. If we make significant changes to this privacy policy, we will make an effort to proactively notify you about it with the help of the Developer who has your contact information.

Data Protection Officer. UG has appointed PrivacyTeam Ltd. as its Data Protection Officer (DPO) for monitoring and advising on UG’s ongoing privacy compliance and service as a point of contact on privacy matters for data subjects and supervisory or competent authorities. If you have any comments or questions regarding our privacy policy, if you have any concerns regarding your privacy, or if you wish to make a complaint about how your child’s personal data is being processed by UG, you can contact privacy@uglabs.io.