Privacy Policy

Helperbird's complete privacy policy covering data handling, security, compliance, and your rights.

Last updated: June 2026

COPPA Compliant | FERPA Compliant | GDPR Aligned | HIPAA BAA Stack | ZDR Active | No Training | No Selling

See our Compliance page for the full list of standards Helperbird is aligned and compliant with.

Our Commitment

At Helperbird, privacy is built into everything we do. We designed our product so that your data stays on your device. We do not track you, profile you, or sell your information. This policy explains exactly what data we handle, how we handle it, and what rights you have.


In plain English

Helperbird doesn't collect, store, train AI on, or sell your data.

The free version runs almost entirely on your device. Visual tools (fonts, colours, screen masking, the reading ruler) and built‑in text‑to‑speech voices all work offline with no network requests.
Voices and voice typing come in two flavours. Built‑in voices read aloud on your device. Built‑in voice typing uses your browser's own speech service (Google on Chrome, Apple on Safari, Microsoft on Edge) — not Helperbird's subprocessors. Pro adds online "natural" voices and online dictation via Microsoft Azure, only when you choose them.
Pro AI features are opt‑in and online. They only run when you trigger them, and only the text or image you choose is sent. AI features include summarising, simplifying, translating, grammar, OCR, maths, comprehension questions, and image alt‑text.
Personal details are removed first. Helperbird strips personal information (PII) from your text on your device before any AI feature sees it.
Our subprocessors don't keep your data. Zero Data Retention (ZDR) is Active on our OpenAI organisation; Microsoft Azure Speech and Immersive Reader are non‑retaining by default.
Nothing is ever used to train AI. We have disabled API logging on our OpenAI organisation, and contractually prohibited training across every subprocessor that could touch user content.
You can turn AI features off any time. Individual users in their Helperbird settings. Administrators across whole schools or organisations via Google Admin Console (JSON policy), Microsoft Intune, or the equivalent Firefox enterprise policy.
No advertising. No profiling. No selling. Ever. This is a property of how we built the product, not a policy we could quietly reverse.

The rest of this policy explains exactly how each of these statements is true, what data we do collect for billing, and what rights you have.


What Data We Collect

For Free Users

We collect nothing. No email, no name, no browsing data, no usage data. The free version of Helperbird works without any login or account.

For Pro Users (Individual)

We collect your email address through Stripe, our payment processor, solely to verify your subscription status. We do not store your email on our own servers. Stripe holds your payment information under their PCI DSS Level 1 certification.

Alternatively, you can use a subscription key instead of your email. This method requires no personal information at all.

For Schools and Organizations (Pro Unlimited)

We require only the domain of the organization's email addresses (for example, @school.edu) or a subscription key to activate the service. We do not collect or store individual user email addresses for school or organization accounts.

Settings and Preferences

Your Helperbird settings (font choices, color preferences, reading options, notes, highlights) are stored locally in your browser using the browser's built-in storage. If you enable browser sync in Chrome or Edge, your settings may sync across your devices through Google's or Microsoft's sync services. This sync is managed entirely by your browser, not by Helperbird.

What We Never Collect

We do not collect browsing history, page content, keystrokes, location data, device identifiers, IP addresses (beyond what is incidentally logged by our infrastructure providers), or any other personal information. We do not use cookies, analytics tools, or third-party tracking scripts in the extension.


How Data Is Processed

Local Processing

The vast majority of Helperbird features run entirely in your browser. Font changes, color overlays, spacing adjustments, reading rulers, screen masking, highlighters, and other visual modifications happen locally without any network requests.

Subscription Verification

When you activate Helperbird Pro, the extension sends a request to our API (api.helperbird.com) to check whether your email or subscription key has a valid subscription. This is the only routine network request the extension makes. The API runs on AWS Lambda (serverless) in the United States (us-east-1 region). No user data is stored during this process. The request is authenticated, a response is returned, and no data is written to any database or log.

Text-to-Speech

Helperbird offers two text-to-speech options. The default option uses your browser's built-in speech synthesis, which processes text entirely on your device with no network requests. Pro subscribers who choose to use the natural voice option use Microsoft Azure Cognitive Services for higher-quality speech. In that case, only the text you choose to read aloud is sent to Microsoft for speech synthesis. No personal identifiers are included. Microsoft processes the text and returns audio. The text is not stored by Microsoft after processing.

Translation

The translation feature opens Google Translate in a new browser tab. No data passes through Helperbird's servers for translation.

AI Features (Pro Only)

Helperbird includes optional AI-powered features (summarizing, simplifying, translating, grammar, OCR text extraction, maths recognition, comprehension questions, and image alt-text) available only to Pro subscribers. These features are powered by OpenAI's API.

When you use an AI feature, only the specific text you select is sent to OpenAI for processing. No personal identifiers, browsing history, or metadata about you is included. OpenAI does not use API data to train its models, we have disabled API logging on our organisation, and Zero Data Retention (ZDR) is Active on our OpenAI organisation. Your text is not retained after processing. We also strip personal details from the text on your device before it is sent. (OpenAI data controls and ZDR)

School administrators can fully disable all AI features across their organization using JSON policy configuration through Google Admin Console or Microsoft Intune. Individual users can also disable AI features in their Helperbird settings at any time.


Third-Party Services

We believe in full transparency about what services are involved in delivering Helperbird.

OpenAI powers our AI features (summarization, simplification, translation, grammar, OCR, maths, comprehension questions, and image alt-text). Pro only. Can be disabled by administrators or individual users. Data sent: only the text or image selected by the user, with personal details stripped on-device first. No personal identifiers. Storage: not retained. API logging is disabled on our organisation and Zero Data Retention (ZDR) is Active. No training on API data.

Microsoft Azure powers natural voice text-to-speech (Pro only) and Immersive Reader. Only used when a Pro subscriber selects a natural voice. Data sent: text content for speech synthesis. No personal identifiers. Storage: processed and discarded. Free users and those using browser-built-in voices do not send any data to Microsoft.

Stripe handles payment processing for Pro subscriptions. Data sent: email and payment details (administrator only for school licenses). Storage: PCI DSS Level 1 certified. Helperbird does not see or store credit card numbers.

Google Translate powers the translation feature. It opens translate.google.com in a new tab. No data passes through Helperbird servers.

Crisp powers live chat on the helperbird.com website only. It is not used in the extension. Data sent: name and email only if voluntarily provided during a chat session.

No other third-party services receive user data from the Helperbird extension.


Data Handling by Service: Verified Detail and Sources

This section is the deep‑dive on the summary at the top of this policy, feature by feature, with sources and references. If the "In plain English" summary above answered your questions, you don't need to read further unless you want the underlying detail.

Examples

You summarise a paragraph (Pro). You select a paragraph and choose Summarise. Helperbird removes any names, emails, or other personal details from it on your device, sends only that de‑identified text to OpenAI, shows you the summary, and then the text is gone. It is not stored and not used to train anything.
You read a page aloud with the free voice. Your browser or device reads it aloud locally. Nothing is sent to Helperbird, OpenAI, or Microsoft, and it works offline.
You read aloud with a natural (Pro) voice. Only the text being read is sent to Microsoft Azure to generate the audio, then discarded. It is not stored and not used for training.
A student dictates with built‑in voice typing. The audio goes to their browser's own speech service (Google on Chrome, Apple on Safari, Microsoft on Edge) to turn speech into text. It never goes to Helperbird or our providers.
You open a document in Immersive Reader. The text is sent to Microsoft to power read‑aloud, syllables, and translation, with personal details stripped first. Immersive Reader doesn't store it.
A free user changes fonts, colours, or uses the reading ruler. Everything happens on your device. No network request, no data sent, works offline.

Every feature at a glance

Feature | What is sent | Processed by | Plan
Summarize | The text you select | OpenAI | Pro
Simplify / Reword | The text you select | OpenAI | Pro
Translate | The text you select | OpenAI | Pro
Grammar | The text you select | OpenAI | Pro
Dictionary (AI) | The single word you look up | OpenAI | Pro
Extract text (OCR) | The image you capture | OpenAI | Pro
Maths & Speech-to-Math | The image you capture | OpenAI | Pro
Comprehension questions | The text you select | OpenAI | Pro
Image alt text | The image you capture | OpenAI | Pro
Text-to-speech, local voices (built-in) | Nothing is sent. Read aloud on your device. | Your device (browser / OS) | Free
Text-to-speech, online voices (natural) | The text you choose to read aloud | Microsoft Azure | Pro
Voice typing, built-in (your browser) | Your microphone audio | Your browser's own speech service (Google / Apple / Microsoft) | Free
Voice typing, online (Azure) | Your microphone audio while dictating | Microsoft Azure | Pro

The detail, with sources

This section documents exactly how each cloud service handles your content, with links to each provider's own published documentation.

Free Helperbird sends nothing to any of these services. Every cloud feature below is part of Helperbird Pro, and the free tier runs entirely on your device and your browser's own services. In every case, only the specific content you actively select is sent, with no personal identifiers, and it is processed transiently to return a result.

OpenAI: text and image AI features (Pro)

Powers. Summarize, simplify/reword, translate, grammar, dictionary, text extraction (OCR), maths recognition, comprehension questions, and image alt-text.

Endpoint. Chat Completions.

Personal information removed first. Before selected text is sent, Helperbird strips PII from it on your device. Those identifiers never leave your device. This also applies to Immersive Reader.

Used for training? No. OpenAI does not use data submitted through the API to train its models. (OpenAI data controls, OpenAI business data)

Retained? No. We have disabled API call logging on our organisation, and Zero Data Retention (ZDR) is Active on our OpenAI organisation. Prompts and responses are not retained at all, not even the short abuse-monitoring window. (OpenAI data controls and Zero Data Retention)

Healthcare (HIPAA). A Business Associate Agreement (BAA) is available for the API and does not require an enterprise agreement. (OpenAI guide to getting a BAA)

Microsoft Azure AI Speech: online (natural) voices and online voice typing (Pro)

Powers. Natural (neural) text-to-speech and voice typing, via the Microsoft Azure Cognitive Services Speech SDK.

Sent. The text you read aloud, or your microphone audio while dictating.

Retained? No. This is Azure's equivalent of zero data retention. For real-time speech, "Microsoft does not retain or store the data provided by customers". Audio is processed in server memory with nothing stored at rest. (Azure Speech-to-text data, privacy and security, Azure Text-to-speech)

Used for training? No. Customer data is not used to train, retrain, or improve Azure Speech. This is a contractual commitment. (Microsoft protecting customer data in the AI era)

Note. Optional audio/transcription logging is off by default, and we keep it off.

Microsoft Azure AI Immersive Reader (Pro)

Powers. Immersive Reader's read-aloud, syllables, line focus, translation, and picture dictionary.

Sent. The text you open in Immersive Reader.

Retained? No. Azure Immersive Reader "doesn't store any customer data." (Azure Immersive Reader overview)

Used for training? Covered by Microsoft's universal Azure AI commitment that customer data is not used to train models without permission. (Microsoft AI data FAQ)

Local and built-in options (Free)

Built-in text-to-speech. Your browser or operating system reads the text aloud on your device. Nothing is sent anywhere.

Built-in voice typing. Uses your browser's own speech-recognition service (Google on Chrome, Apple on Safari, Microsoft on Edge), under that provider's privacy terms. It is not sent to Helperbird or our subprocessors. Where the browser supports it, on-device recognition keeps it fully local. (MDN Web Speech API)

Summary

Service | Plan | Retained? | Used for training?
OpenAI (text/image) | Pro | No (Zero Data Retention) | No
Azure Speech (voices, voice typing) | Pro | No (real-time, in-memory) | No (contractual)
Azure Immersive Reader | Pro | No (does not store data) | No (Microsoft commitment)
Built-in TTS / voice typing | Free | n/a (on-device / browser's own service) | n/a

Sources and references

These are the providers' own published policies that back the statements above:

OpenAI

Microsoft Azure

Browser standards


Data Storage and Security

Where Data Is Stored

User settings are stored locally in your browser on your device. They are not transmitted to or stored on our servers.

Subscription verification requests are processed through our API, which runs on AWS Lambda in the United States (us-east-1 region). Our API is serverless, meaning there are no persistent servers. Each request runs in an isolated container with no shared state between requests. No user data is stored as part of this process. The API authenticates the subscription key or email, returns a response, and the request ends. Nothing is written to a database or log file.

Payment information is stored by Stripe on their PCI DSS Level 1 certified infrastructure in the United States.

Encryption

All traffic between the Helperbird extension and our services is encrypted using TLS 1.2 or TLS 1.3. Older protocols (SSL 2, SSL 3, TLS 1.0, TLS 1.1) are fully disabled. Our SSL configuration is rated Grade A by Qualys SSL Labs.

Infrastructure Security

Our backend runs on AWS with a serverless architecture (AWS Lambda). Content is delivered through AWS CloudFront CDN, which provides DDoS protection and edge caching. All API keys and credentials are stored in environment variables, never hardcoded in the codebase.

Security Scanning and Audits

We run multiple layers of automated security scanning on every release.

npm audit. Every dependency is checked for known vulnerabilities across our API, extension, and website codebases.
ESLint security analysis. We run eslint-plugin-security across all JavaScript and Node.js code to catch common security anti-patterns.
OWASP / njsscan. We use njsscan (powered by semgrep) for OWASP‑aligned static analysis, scanning for injection vulnerabilities, insecure cryptography, hardcoded secrets, and other OWASP Top 10 issues.
OWASP ZAP. We use OWASP ZAP for automated vulnerability scanning of our web properties, including injection testing and cross‑site scripting detection.
Snyk Open Source. We use Snyk to scan our dependency tree for known vulnerabilities, license compliance issues, and outdated packages.
External scanning. Our website is regularly scanned by Qualys SSL Labs (Grade A), Mozilla Observatory (B+), and Google Lighthouse.
Browser store reviews. Every version of the Helperbird extension is reviewed by Google (Chrome Web Store), Microsoft (Edge Add‑ons), Mozilla (Firefox Add‑ons), and Apple (App Store for Safari) before publication.
CASA Tier 2. We have completed a Cloud Application Security Assessment (CASA) Tier 2 self‑assessment, the level required by Google for apps accessing user data.
SOC 2 Type II (preparing). We are preparing for a formal SOC 2 Type II audit conducted by an independent third‑party auditor, covering security, availability, and confidentiality controls. Expected to be completed in 2027.
ISO/IEC 27001 (preparing). We are also preparing our information security management programme against the ISO/IEC 27001 control framework, with the intent to pursue formal certification once our SOC 2 Type II audit is complete. Our existing controls are designed against the requirements of ISO/IEC 27001. Until certification is complete, we describe ourselves as "audit‑aligned" rather than "certified."

Development Practices

All team members use two-factor authentication on every account with access to code, infrastructure, or user-facing services. All code changes are reviewed before they ship. Security-sensitive changes receive additional scrutiny. Dependencies are kept up to date, and we monitor for new vulnerabilities and patch quickly when discovered.


Data Retention and Deletion

Extension Data

All settings, notes, and highlights are stored locally in your browser. When you uninstall Helperbird, that data is removed with the extension. We do not retain any user data on our servers after uninstallation.

Subscription Data

Upon cancellation of a Pro subscription, we delete all payment information from Stripe within 48 hours.

School and Organization Data

For school and organization accounts, the only data we hold is the subscription record (domain name or subscription key, subscription dates, and payment information in Stripe). Upon contract termination, we will delete all associated records within 30 days of written request.

Right to Deletion

You can request deletion of any data we hold at any time by contacting us at support@helperbird.com. We will process deletion requests within 30 days.


Data Breach Response

We maintain a documented data breach response plan. In the event of a data security incident affecting user data:

Within 24 hours of discovering the breach, we will notify affected organizations and begin containment.

Within 48 hours, we will provide a detailed report covering the categories of data impacted, the number of affected users, the versions of our product or service involved, containment actions taken, and recommended mitigation steps.

We will cooperate fully with affected organizations in investigating and remediating the breach, including providing the results of a third-party security assessment confirming the breach has been remediated.

We will notify users and organizations of data security breaches that affect their data. We maintain the contact details of our primary points of contact at each organization for this purpose.


AI Governance

No Training on User Data

Helperbird does not use any user data, including student work, communications, or personally identifiable information, to train, refine, or improve AI models. Our API agreement with OpenAI explicitly prohibits the use of API data for model training.

Transparency

AI features in Helperbird are clearly labeled in the interface. Users always know when they are using an AI-powered feature. AI features only process text that the user explicitly selects. No background AI processing occurs.

Administrator Controls

School and organization administrators can fully disable all AI features for their users through JSON policy configuration via Google Admin Console or Microsoft Intune. When disabled, AI features are completely removed from the extension interface.

Human Control

AI features in Helperbird are assistive tools. They do not make decisions about students, do not generate assessments or grades, and do not influence educational placements. All AI outputs are presented to the user for their own review and use.


Children's Privacy (COPPA)

For our full COPPA statement, see the dedicated COPPA Compliance page.

Helperbird does not collect personal information from any user, child or adult.

Pro features are activated using a subscription key that requires no email, no name, no personal information of any kind. This is how the vast majority of our school customers deploy Helperbird, and it is the method we recommend for any deployment involving students under 13. Children and adults use the same subscription-key activation method, so there is no separate data path for under-13 users to begin with.

For organisations that prefer email-based activation, an optional path is available. Where that path is chosen for a student under 13, we require the school or teacher to obtain verifiable parental consent on the parent's behalf under the FTC-recognised "school as agent" doctrine. The email is used solely to check subscription status, never for marketing, profiling, or advertising.

Helperbird does not use anyone's data for advertising, profiling, or behavioural inference. Ever. By architecture.


Student Privacy (FERPA)

For our full FERPA statement, see the dedicated FERPA Compliance page.

Helperbird does not access, collect, store, or disclose any education records. Ever.

Pro features are activated using a subscription key that requires no email, no name, no student data, and no personal information of any kind. Student data and education records simply never touch Helperbird's systems. Schools remain in full control of deployment: individual features can be disabled organisation-wide via Google Admin Console (JSON policy), Microsoft Intune, or the equivalent Firefox enterprise policy at any time.

Where a district designates Helperbird as a "School Official" with legitimate educational interests under 34 C.F.R. § 99.31(a)(1)(i)(B), we operate under the school's direct control, do not redisclose, and use any information solely to deliver the service the district has chosen to offer.

We publish a standard Data Privacy Agreement that includes a FERPA School Official schedule, COPPA "school as agent" terms, GDPR Article 28 + SCCs, and state-specific exhibits (NY Ed-Law § 2-d, CA SOPIPA, TX Student Privacy Act, Utah, Illinois SOPPA, Connecticut, Maryland). We also accept the SDPC National Data Privacy Agreement and can counter-sign a district's own template.

We do not use student data for advertising, marketing, or building user profiles. We do not share student data with any third parties for purposes unrelated to delivering the Helperbird service.


GDPR and International Privacy

Helperbird complies with the General Data Protection Regulation (GDPR) and post-Brexit UK data protection standards. Because we collect minimal data, our compliance position is strong.

Lawful basis for processing: Where we process personal data (email for subscription verification), the lawful basis is the performance of a contract (your subscription).

Data minimization: We collect only what is strictly necessary to verify your subscription.

Your rights: You have the right to access, rectify, or delete any personal data we hold. You also have the right to data portability and the right to object to processing. Contact us at support@helperbird.com to exercise any of these rights.

Data transfers: Subscription verification data is processed in the United States. Payment data is processed by Stripe in the United States. For EU/UK users, these transfers are covered by Stripe's Standard Contractual Clauses and our own commitment to GDPR-level protections regardless of location.


U.S. State Privacy Laws

Maryland Online Data Privacy Act (MODPA)

Helperbird complies with the Maryland Online Data Privacy Act of 2024. We do not sell personal data, do not engage in targeted advertising based on personal data, and do not profile users. We process only the minimum data necessary to provide our service.

Maryland Student Privacy Act

Helperbird complies with the Maryland Student Privacy Act of 2015. We do not use student data for non-educational purposes, do not sell student data, and do not engage in targeted advertising to students.

Other State Laws

Helperbird's minimal data collection approach means we comply with student privacy laws across all U.S. states, including California (SOPIPA, CalOPPA), New York (Education Law 2-d), Texas, Illinois, and others. We are happy to work with districts to complete state-specific data privacy agreements.


Cookies and Tracking

In the Extension

Helperbird does not use cookies, local storage for tracking, third-party scripts, analytics, or any form of user tracking in the extension.

On Our Website

Our website (helperbird.com) does not use Google Analytics or any third-party analytics tools. We use Crisp for live chat functionality on the website only, which operates under its own privacy policy. All YouTube videos embedded on our site are in privacy-enhanced mode to prevent tracking of viewing behavior.


Browser Permissions

The Helperbird extension requests only the permissions it needs:

activeTab. Allows the extension to interact with the webpage you are currently viewing.

storage. Enables the extension to save settings locally in your browser.

contextMenus. Allows the extension to add options to the right-click menu.

alarms. Permits scheduling of internal extension tasks.

sidePanel. Lets the extension use a side panel for additional tools.

scripting. Allows the extension to modify page content for accessibility features.

identity.email (optional). If you choose email-based verification, this allows the extension to access the email associated with your browser profile. This is optional. The subscription key method does not require this permission.

Google Workspace Integration

Helperbird's integration with Google Docs and Slides uses /auth/documents.currentonly and /auth/presentations.currentonly authorizations. Our Google Drive integration uses /auth/drive.file, which grants access only to the specific file you choose to open, not your entire Drive. We comply with the Google API Services User Data Policy.


Domain Whitelisting

For organizations with strict network policies, the following domains are used by Helperbird:

engine.helperbird.app. Core extension services.

api.helperbird.com. Subscription verification API.

A full list is available at helperbird.com/help/domains-to-whitelist-for-helperbird/.


Clean Slate Policy

When a user leaves your organization or uninstalls Helperbird, all extension settings are cleared from their browser. No data persists on our servers because we do not store user data on our servers.


Changes to This Policy

We will communicate changes to this privacy policy through notices on our website. We may also notify organizations directly if changes affect how we handle data under their accounts. We recommend reviewing this policy periodically.


Contact Us

For any questions about this privacy policy, our data practices, or to exercise your privacy rights:

General: support@helperbird.com

Privacy / data‑subject requests: privacy@helperbird.com

Security disclosures: security@helperbird.com

Compliance, BAA & DPA inquiries: compliance@helperbird.com

Legal / DMCA: legal@helperbird.com

Mailing address: Available upon request. Please email compliance@helperbird.com and we will provide our registered office address.

For our full security practices, visit helperbird.com/security/.

For our FERPA and COPPA compliance statement, visit helperbird.com/compliance/.