Privacy & student data

Built privacy-first.

Voca is used by students, many of them minors, so we collect as little as possible and are clear about how it's handled. This page explains what we do and don't do with data.

The principles

What every
school can count on.

No recordings stored

Speech is processed live during a session to give feedback. Audio is not stored afterwards — there's nothing to review or leak later.

No personal email

Students sign in with a school code and roll number. No personal email address is required to use Voca.

Minimal by default

We collect the least we need to run the service and show progress — nothing more.

Never sold

Student data is never sold or used for advertising.

What we collect

To create an account and run sessions, Voca collects the following:

Account information

  • The student's name, class, and section as provided by the school
  • A school-assigned roll number
  • A PIN chosen by the student (stored in hashed form — Voca itself cannot read the PIN)
  • An optional email address, only if the school provides one for the student
  • The student's preferred interface language
  • The date the student joined

Practice information

  • The activity being practiced (Foundations, Conversation, Mock Interview, or Public Speaking)
  • Text transcripts of what the student said during each session
  • AI-generated scores across eleven speaking-skill dimensions
  • Short feedback notes generated for each session
  • Session date, time, and duration
  • Daily streak and progress information
  • A "weakest skill" indicator used to choose what to practice next
  • Baseline assessment results from when the student first joined

Technical information

  • Browser type and basic device information, for product reliability
  • The country selected by the school in admin settings, for content adaptation
Voca deliberately does not collect:
  • Home addresses
  • Phone numbers from students
  • Parent contact details, unless a school chooses to add them for parent reports
  • Photos, video, or any visual data
  • Biometric data
  • Government identification numbers
  • Browsing history or activity from outside Voca
  • Social connections or friend networks
  • Location data beyond the country selected by the school (no GPS, no IP-based fine location)
  • Raw audio recordings — speech is processed live during a session and not retained afterwards

How speech is handled

When a student speaks during a session, the browser captures the audio and streams it to a specialized speech-to-text service that converts it into a text transcript in real time. The text transcript is what's saved in the session record — the raw audio itself is not stored in Voca's database.

The transcript, along with the activity context, is then sent to Voca's AI scoring system, which generates the dimension scores and feedback that the student sees at the end of the session.

For modes where the AI responds with a voice (Conversation and Mock Interview), Voca sends the AI's text response to a text-to-speech service which generates the spoken reply. That generated audio is played to the student but not stored.

Voca uses a small set of third-party services to handle speech-to-text, AI scoring, and text-to-speech. Each operates under a contract that restricts use of student data to providing the service to Voca — student data is not used to train these providers' models. A full sub-processor list, with each provider named and the data they handle, is available to schools on request as part of due diligence.

Where data is stored & who can access it

Voca's student data is stored in a managed cloud database with industry-standard security:

  • Encryption at rest by default
  • Encryption in transit — all data moves between browser and Voca over encrypted HTTPS / TLS connections
  • Role-based access — no anonymous access is permitted; every database request is authenticated and checked against role permissions

The specific cloud region is configurable and can be discussed with schools that have data-residency requirements (for example, schools in the EU or the UAE that prefer in-region storage).

Access to student data is restricted by role:

  • A student sees only their own sessions, scores, and progress
  • A parent sees only their own child's sessions, scores, and progress
  • A teacher sees only their assigned class students' data
  • A school administrator sees only their own school's data
  • The Voca team accesses individual student data only when explicitly authorized by the school — for support, troubleshooting, or at the school's request

Each school's data is isolated from every other school's. No cross-school visibility, ever.

A student's data is retained while the student is actively enrolled with a Voca-licensed school. When a school's license ends, or when a student is removed from the school's roster, the student's data is deleted within 90 days, unless the school requests earlier deletion or a different retention period.

Schools can request immediate deletion of any individual student's data at any time. Aggregated, de-identified usage statistics (with no information that could identify an individual student) may be retained for product improvement.

Compliance & rights

Voca is designed in alignment with the principles of major data protection frameworks across the markets it serves:

  • The General Data Protection Regulation (GDPR) for the EU and UK
  • The Children's Online Privacy Protection Act (COPPA) and the Family Educational Rights and Privacy Act (FERPA) for the United States
  • India's Digital Personal Data Protection Act 2023 (DPDP)
  • Equivalent frameworks in the UAE, Singapore, Australia, and Canada

Voca does not at this stage claim formal third-party certifications under these frameworks. We work with each school to meet the specific data-protection requirements of their jurisdiction, and we provide detailed responses to data-protection questionnaires and execute Data Processing Agreements (DPAs) as part of school onboarding.

If a school, parent, or student wants to access, correct, or delete a student's data:

  • A school administrator can submit the request directly to Voca
  • A parent can submit the request through their child's school administrator
  • A student of the appropriate legal age (which varies by country) can submit the request through their school administrator or directly to Voca

Voca will respond to verified requests within 30 days.

Contact

For any question about data or privacy, contact contact@myvoca.us. Privacy and data-protection inquiries from schools, parents, and DPOs are handled directly by the Voca team.

Last updated: 2 February 2026.

Questions about data?

Ask us
anything.

We're glad to walk your team or legal department through exactly how Voca handles student data.

Contact us →