Privacy Policy

Stridesy ("we," "us," or "our") operates the Stridesy application, a parent coaching and child development tracking platform. This Privacy Policy applies to all personal information collected through our website and application. Questions or data requests can be directed to legal@stridesy.app.

This policy is designed to comply with the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the California Online Privacy Protection Act (CalOPPA), the Children's Online Privacy Protection Act (COPPA), and other applicable U.S. privacy laws.

We collect the following categories of personal information:

Identifiers: Email address, account ID. We do not collect your legal name, phone number, or government-issued ID.

Child profile information: Your child's first name, age (in months), general gender category, and an optional general diagnosis category (e.g., "autism spectrum disorder"). We do not collect your child's last name, date of birth, school, insurance ID, Medicaid number, or any other government-issued identifier.

Sensitive personal information: Under the CPRA, health-related and developmental information is classified as sensitive personal information. The child diagnosis category and assessment responses you provide fall into this category. We collect this information solely to personalize the Service for your child. We do not use it for advertising, profiling, or any purpose beyond operating and improving the Service. You may request that we limit our use of this information at any time (see Section 11).

Assessment and intake responses: Your answers to developmental and behavioral questions about your child during the intake process. These inform goal recommendations and are stored associated with your account.

Session and progress data: Practice session records you create, including trial outcomes, session dates, duration, notes, and linked routine data.

Usage and technical data: Standard server logs including IP address, browser type, device type, and pages accessed. This information is used for security monitoring, abuse prevention, and system performance. It is stored separately from child records and is not used to profile you for advertising.

Do Not Track: California's CalOPPA requires us to disclose how we respond to Do Not Track (DNT) signals. We do not use cross-site tracking and do not alter our data collection practices in response to DNT signals, because we do not engage in the tracking behaviors DNT is designed to restrict.

We use the information you provide only for the following purposes:

• Creating and maintaining your account and providing the Service
• Generating goal and activity recommendations personalized to your child
• Displaying your child's progress and session history to you
• Sending transactional communications (password resets, billing receipts, product updates)
• Responding to support and data rights requests
• Detecting and preventing fraud, abuse, and security incidents
• Complying with applicable legal obligations
• De-identified research as described in Section 5

We do not:

• Sell your personal information (as defined under the CCPA/CPRA)
• Share your personal information for cross-context behavioral advertising
• Use your child's sensitive information for advertising, profiling, or automated decision-making that produces legal or similarly significant effects
• Share identifiable information with insurers, employers, marketers, or government agencies except as required by law
• Use social media tracking pixels or third-party behavioral analytics tools that share data externally

Under the California Privacy Rights Act (CPRA), you have the right to direct us to limit our use of sensitive personal information (including health and diagnostic data) to only what is necessary to provide the Service. We already operate this way by default — we do not use sensitive information for any secondary purpose such as advertising, profiling, or sale. If you wish to formally invoke this right, contact us at legal@stridesy.app.

We may use de-identified, aggregated data — data stripped of all information that could identify you or your child — for internal research, product improvement, and potentially for sharing with academic researchers or publication. De-identification means we remove or irreversibly transform: names, email addresses, exact ages (replaced with age brackets), geographic information below the state level, diagnosis labels (replaced with broad category codes), and any other field that could directly or indirectly re-identify a specific family.

De-identified data is not personal information under the CCPA/CPRA and is not subject to the same rights. However, we are committed to using it responsibly. We never sell it. Research partners who receive it must contractually maintain its de-identified status.

You may opt out of having your data included in any research use (even de-identified) by contacting legal@stridesy.app. This will not affect your access to or use of the Service.

We use a limited number of vetted third-party service providers to operate the Service, including database hosting, transactional email delivery, and payment processing. These providers act as our service providers (not independent data controllers) and are contractually prohibited from using your data for their own purposes, from selling it, and from sharing it with additional parties except as necessary to deliver their service to us.

We do not use third-party advertising networks, data brokers, social media platforms, or analytics tools that would constitute "sharing" of personal information under the CPRA.

Shine the Light (California Civil Code § 1798.83): California residents may request information about disclosure of their personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

Your data is stored in encrypted databases hosted on infrastructure within the United States. We implement industry-standard safeguards including TLS encryption in transit, AES-256 encryption at rest, role-based access controls, and audit logging of access to records containing sensitive child information.

Data breach notification: In the event of a security breach involving unencrypted personal information, we will notify affected California residents and, where required, the California Attorney General, consistent with California Civil Code § 1798.82. We will also notify users in other states as required by applicable law. Notification will occur without unreasonable delay.

Stridesy is intended for use exclusively by adults (parents and legal guardians). We do not knowingly allow anyone under 18 to create an account. Child information entered by a parent is treated as part of the parent's account and is subject to the parent's privacy rights and controls described in this policy.

We do not build advertising profiles of children, display advertising to children, or use children's data for any purpose other than providing the Service to the parent who entered it. Consistent with California's Minor Online Privacy Protection Act (MOPPA) and COPPA, we take additional care to ensure child-related data is not used for marketing or advertising of any kind.

We retain your personal information for as long as your account is active. We also retain data for a reasonable period after account closure to comply with legal obligations, resolve disputes, and enforce agreements. If you delete your account, we will delete or irreversibly anonymize your personal data within 30 days, except:

• Where retention is required by law (e.g., financial records)
• Where data has already been incorporated into a de-identified aggregate dataset (such records contain no personal information and cannot be reversed)

If you are a California resident, you have the following rights under the CCPA and CPRA:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale or Sharing: We do not sell personal information and do not share it for cross-context behavioral advertising. No opt-out is required, but you may confirm this in writing by contacting us.
• Right to Limit Use of Sensitive Personal Information: Request that we limit our use of sensitive personal information (including health/diagnostic data) to what is necessary to provide the Service. We already do this by default.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
• Right to Use an Authorized Agent: You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authority.

How to submit a request: Contact us at legal@stridesy.app with "California Privacy Request" in the subject line. We will respond within 45 days. If we need an extension (up to 90 days total), we will notify you within the initial 45-day period.

We will verify your identity before processing any request that involves access to, deletion of, or correction of personal information.

• Access and correction: You can view and update most of your information directly within the App. For requests beyond what the App allows, contact us.
• Account deletion: Delete your account via the Account settings page. We will process the deletion within 30 days.
• Data portability: Contact us to request an export of your data in a machine-readable format.
• Opt out of research use: Email us at any time to exclude your data from de-identified research datasets.
• Limit sensitive data use: Contact us to formally invoke your right to limit how we use sensitive personal information.

To exercise any right, contact legal@stridesy.app. We will respond within 30 days (45 days for California residents).

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where required, notify you via your registered email address or a prominent in-app notice at least 30 days before the changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

CalOPPA requires us to state how we notify users of changes: we do so via the email address associated with your account for material changes, and by updating the "Last updated" date for minor changes.

For privacy questions, data requests, or to report a concern, contact us at legal@stridesy.app. For California privacy rights requests, include "California Privacy Request" in your subject line.