Version 1.0 · Effective date: June 14, 2026 · Last updated: June 14, 2026
This Privacy Policy explains how Wyla Studios LLC, a California limited liability company (“Wyla,” “we,” “us”), collects, uses, shares, and protects personal information when you use the Wyla website at wyla.app, the Wyla web application, and related services (together, the “Service”). It applies to parents and guardians, adult learners, the children whose profiles a parent creates, and visitors to our marketing site.
We’ve tried to write this in plain language. If anything is unclear, email us at hello@wyla.app.
The rest of this policy is the detail behind those points.
There are two kinds of account, both held by adults:
We also collect limited information from visitors to our marketing site at wyla.app.
When you create an account, we collect your preferred name and email address. Because sign-in is passwordless, we do not collect or store a password in the normal flow. Each time you sign in, we create a session and store your IP address and browser/device information (User-Agent) with that session, along with a session token and expiry, to keep you signed in and to help secure your account. We send a one-time sign-in code to your email; the code is stored briefly and deleted once it is used or expires.
For each child profile, we collect the child’s first name or nickname (whatever the parent enters) and, optionally, the child’s age. The age field is never required and never blocks setting up a profile; if you provide it, we store the age together with the date you gave it, not a date of birth. We ask for age only to help us understand which words learners of a given age typically know, so we can improve our lessons and our research into how children learn to spell. Age is always provided by the parent in the parent’s account — we never ask a child for it during play. Adult learners may provide their own age.
We do not collect a child’s date of birth, email address, photo, voice, or contact details.
As a learner uses Wyla, we collect the information needed to run the adaptive learning engine and to show progress, stored against the profile:
Wyla reads words and example sentences aloud. The audio is generated by us from dictionary words and sentences (text-to-speech) and cached so it can be replayed. We do not record, capture, or process any audio of you or your child. There is no microphone input or voice recording anywhere in the Service.
The Wyla web app uses a session cookie and security tokens to keep you signed in and to operate the Service. These are strictly necessary; without them the Service won’t work. The children’s app uses no advertising cookies and no cross-site tracking cookies. Our marketing site uses limited analytics and, for advertising measurement, the technologies described in Section 8.
If you join our waitlist or contact us through wyla.app, we collect the email address (and any message) you submit. We use privacy-friendly, cookieless analytics on the marketing pages to understand general site usage. See Sections 7 and 8 for detail.
We keep short-lived operational logs (for example, records of requests to our servers and internal learning-event logs used to operate and debug the Service). The internal learning-event logs are keyed only by a profile identifier and contain no names or email addresses. We retain operational logs for a limited period (no more than 30 days) and then delete them, except where we need to keep something longer to investigate a security or technical issue.
We keep a minimal, append-only record that an account accepted these terms (with the version) and that an account or profile was deleted. These records contain no name or email and exist as durable proof of consent and deletion.
We use the information above to:
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:
| What we do | Legal basis |
|---|---|
| Provide the account and deliver lessons (including processing the child’s learning data the parent set up) | Performance of our contract with you (Art. 6(1)(b)) |
| Send sign-in codes and essential service messages | Performance of contract (Art. 6(1)(b)) |
| Keep the Service secure, prevent abuse, debug | Our legitimate interests in a safe, working Service (Art. 6(1)(f)) |
| Improve Wyla using learning data before it is anonymised | Our legitimate interests in improving the Service (Art. 6(1)(f)) |
| Send waitlist / marketing email | Your consent (Art. 6(1)(a)) — withdraw any time |
| Measure and optimize our own advertising on the marketing site (see Section 8) | Your consent (Art. 6(1)(a)) |
| Keep consent and deletion records; meet legal duties | Legal obligation and our legitimate interests (Art. 6(1)(c), (f)) |
Once learning data has been anonymised (Section 9), it is no longer personal data and these bases no longer apply to it.
Wyla is directed to children, and we take children’s privacy seriously. This section explains how we comply with the U.S. Children’s Online Privacy Protection Act (“COPPA”) and how we obtain parental consent.
What we collect from children. As set out in Section 3, for a child we collect a first name or nickname, an optional age, and the child’s learning activity (including the text typed during lessons and coarse typing measures), tied to a profile identifier. We do not collect a child’s date of birth, email, photo, or voice.
A parent sets everything up. A child cannot create an account or a profile. A parent or guardian creates the account using their own email, and creates each child’s profile. This parent-gatekeeper design is central to how we obtain consent.
How we obtain verifiable parental consent. Because we do not disclose children’s personal information to any third party for the third party’s own purposes (see Section 8), we use the “email-plus” method permitted by COPPA:
The notice also tells you that you may consent to our collection and use of your child’s information without consenting to any disclosure to third parties — which is straightforward here, because we make no such disclosure.
No child voice or audio. Wyla’s audio is text-to-speech that we generate; we never collect a child’s voice or any audio recording.
Your choices as a parent. At any time you can review the information in your child’s profile, delete the child’s profile from Settings, or email hello@wyla.app to have your child’s information erased (see Section 9). You can also stop further collection by deleting the profile or account. If you have questions about your child’s information, contact us at hello@wyla.app.
If we ever change children’s data practices. If we want to collect new types of information from children, use children’s data in a materially new way, or share it with new categories of third parties, we will provide a fresh notice and obtain new verifiable parental consent before the change takes effect.
Children in the EEA / UK. Because only adults hold accounts and every consent is given by the parent or guardian — who holds parental responsibility — Wyla never relies on a child’s own consent. This resolves the differences between countries in the minimum age at which a child can consent: that question never arises here.
On our marketing pages at wyla.app (which are directed to adults), we use Plausible Analytics, a privacy-friendly, cookieless analytics tool, to understand general traffic and usage. Plausible does not set cookies or build cross-site profiles. We do not use Plausible inside the children’s app.
We never sell personal information, and we never share a child’s information for advertising. The only advertising-related “sharing” we do (in the sense California law gives that word) involves limited data about the purchasing adult, described in Section 8.2. Here is every way information leaves Wyla:
We use a small set of vendors to run the Service. They act as our processors — they handle data only to provide services to us, under contract, and not for their own purposes:
| Provider | What it does | What it receives |
|---|---|---|
| Render | Hosts our application and database | Hosting of all Service data, including the database |
| Cloudflare | Serves audio and images/video, and content delivery | Cached audio of dictionary words; media delivered to the browser (so the browser’s IP reaches Cloudflare) |
| ElevenLabs | Generates text-to-speech audio | The words and sentences to be spoken — no child-authored text and no personal information |
| Postmark | Sends the sign-in email | The recipient email address and the one-time code |
| Customer.io | Manages our waitlist (marketing site only) | The email address of waitlist sign-ups |
| Formspree | Powers our contact form (marketing site only) | The email and message a visitor submits |
These providers are not “third parties” we disclose children’s data to for their own use; they are infrastructure that helps us operate. None of them receives children’s data for advertising.
We advertise Wyla, and we measure whether our ads work. This involves sharing a limited amount of data about the purchasing or signing-up adult — specifically a hashed (obscured) version of the adult’s email and the fact that a conversion (such as a sign-up) happened — with Meta Platforms Ireland Ltd (“Meta”) and Google, so they can tell us which ads led to sign-ups and help us optimize our advertising.
Two things matter here:
Meta and Google act as independent controllers of the data we share with them for this purpose (not as our processors). Their own privacy policies govern what they do with it.
EEA / UK / Switzerland visitors. On our marketing site, advertising and analytics tags are blocked until you give consent through our consent banner, and we only share the advertising data described above if you have consented. If you don’t consent, we don’t share it. (Visitors elsewhere can exercise the opt-out described in Section 10.)
We may disclose information if required by law, to respond to lawful requests, to enforce our Terms, or to protect the rights, safety, and security of our users, the public, or Wyla. If Wyla is involved in a merger, acquisition, or sale of assets, information may transfer as part of that transaction, subject to this policy.
While your account is active, we keep your learning data (attempts, typed answers, the coarse typing measures, scheduling state, and so on) because it is necessary to run the adaptive learning engine and show your progress.
When you delete an account or a child’s profile, we immediately remove identifying details — the name and email — and delete your sign-in sessions. We then keep the learning data only in de-identified form.
Our de-identification standard. We de-identify learning data to the anonymisation standard under the GDPR: we sever the link between the data and any identifying information and do not retain data that could reasonably be used, by us or anyone else, to re-identify a person — and we commit never to attempt to re-identify it. Once de-identified to this standard, the data is no longer personal information. We retain this de-identified learning data indefinitely to produce aggregate statistics and to improve our product and algorithms; this can include a learner’s age (with no name, email, or other identifier), which on its own does not identify anyone.
Full erasure on request. If you would rather we erase everything — including the learning state and the internal learning-event logs — email hello@wyla.app and we will purge your (or your child’s) data.
Inactivity. If an account has no sign-in for three years, we automatically process it as a deletion using the same de-identify-and-retain steps above.
Operational logs are kept for a short period and then deleted, as described in Section 3.7.
We extend the following rights to all users, wherever you live, and will not discriminate against you for exercising them.
You can ask us to: access the personal information we hold about you (or your child); correct it; delete it; restrict or object to certain processing; receive a copy in a portable format; and, where we rely on consent, withdraw that consent at any time (withdrawing consent does not affect processing already carried out).
Advertising opt-out. You can opt out of the advertising “sharing” described in Section 8.2. EEA/UK/Switzerland visitors control this through our consent banner. Anyone else can opt out by emailing hello@wyla.app; we honor these requests. (We do not currently offer an automated “Do Not Sell or Share” web control or Global Privacy Control signal, because we fall below the thresholds that would require it; we will add one if that changes.)
Marketing email. You can unsubscribe from waitlist or marketing email at any time using the link in those emails, or by emailing us.
How to exercise your rights. Email hello@wyla.app. We may need to verify your request — for example, by confirming control of the relevant email address. For a child’s information, the parent or guardian who manages the account exercises these rights on the child’s behalf.
If you are in the EEA or UK and believe we have not handled your data properly, you have the right to complain to your local data protection authority, though we’d appreciate the chance to address your concern first.
We are based in the United States, and we and our providers process data in the United States and potentially other countries. When we transfer personal data out of the EEA or the UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK addendum) with our providers, or another lawful transfer mechanism. Meta and Google (Section 8.2) receive the advertising data in the United States under their own transfer mechanisms, such as Standard Contractual Clauses or the EU–U.S. Data Privacy Framework.
We take reasonable measures to protect personal information, and we maintain a written security program for children’s data. These measures include passwordless sign-in (so there are no stored passwords to steal), encryption of data in transit (HTTPS/TLS), access controls and secrets that gate our administrative and internal tools, and a managed, access-controlled database. We limit what our providers receive and keep operational logs for only a short time.
No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If we become aware of a breach affecting your personal information, we will notify you and the relevant authorities as required by law.
Wyla Studios LLC is the controller of the personal information described in this policy. Our contact for any privacy question or request is hello@wyla.app.
We are a U.S.-based company and do not currently target our Service to the EEA or UK, so we have not appointed an EU or UK representative at this time; if that changes, we will appoint one and add their details here. We are not required to appoint a Data Protection Officer at our current scale; hello@wyla.app is our data-protection contact.
We may update this policy from time to time. Every version carries a version number and effective date, and we archive prior versions. For non-material changes we update the document and its date. For material changes we will provide prominent notice (for example, by email or in the Service). As noted in Section 6, a material change to how we handle children’s information requires fresh parental consent before it takes effect.
Email us at hello@wyla.app with any privacy question or request.
Wyla Studios LLC 2261 Market Street STE 78174 San Francisco, CA 94114 United States