Security
Last updated: July 1, 2026
SpeechStep handles children’s voice recordings, so we engineer for their protection. This page describes the controls we have in place today and how we’re continuing to strengthen them. We describe only what we actually do — no certifications we don’t hold.
Encryption
- In transit: all traffic is served over HTTPS/TLS.
- At rest: our database and file storage encrypt data at rest. Our planned machine-learning storage uses server-side encryption with managed keys.
Access control
- Per-account isolation. Every record is protected by database row-level security scoped to the signed-in account, so one family can never read another’s data. Default is deny.
- Private recordings store. Voice recordings live in a private bucket that is not publicly accessible. Uploads happen only through our server; a parent can access only their own child’s recordings.
Authentication
Sign-in is passwordless — a one-time code sent to your email. We do not store passwords, so there is no password database to breach.
Consent-gated audio
Practice runs on-device by default. A child’s audio is only sent to our AI scoring service, or stored, when a parent has granted recording consent, and we verify that consent on our servers before a recording is stored. A separate, optional consent is required before any recording may be used to improve our models.
Data minimization
- Recordings are stored under a random identifier, never a child’s name.
- We use no third-party advertising or analytics trackers.
- We collect age in months only — never a full date of birth — and never require a child’s real name.
Our service providers
We rely on a small set of vetted providers — Supabase (database, auth, storage), Hugging Face (AI scoring), Vercel (hosting), and, planned, AWS (ML infrastructure). Each processes data only to provide its service to us. See the Privacy Policy for the full list and purposes.
Data deletion
You can delete recordings at any time in your account, and you can ask us to delete your account and associated data by emailing privacy@webmobi.com.
How we keep improving
Security is ongoing. We maintain an internal security and privacy review and are actively working on additional hardening — including tighter rate limiting on public endpoints, credential rotation, automatic retention limits on recordings, and moving production data onto dedicated infrastructure.
Reporting a vulnerability
If you believe you’ve found a security issue, please email security@webmobi.com with details. We appreciate responsible disclosure and will work with you to resolve valid reports. Please do not access or modify other users’ data, and give us reasonable time to fix issues before disclosing them publicly.
Questions, or want to review or delete your child’s data? Email us at security@webmobi.com and we’ll respond promptly. You can also manage recordings and consent anytime in your account.