UK Children’s Code
Safeguarding
Spellito is built for primary-school children, so the default is simple: collect as little as possible, keep practice private, and avoid adverts, tracking, profiling, or pressure mechanics.
Last reviewed: 2 June 2026

What this means for kids
No strangers
There is no chat, no friend requests, and no public profile.
No tracking
Spellito does not follow you round the web or sell anything about you.
No recordings
You hear Spellito. Spellito never records your voice or asks for your photo.
For parents and carers
This page is the public summary of Spellito’s safeguarding posture. The internal DPIA, or Data Protection Impact Assessment, is maintained separately and re-audited whenever the app adds a new data flow or third-party processor.
Anonymous by design
Guest practice does not require sign-up, email, birthday, address, photo, or voice recording. If a child asks Spellito to remember a first name, it stays on the device for local greetings only.
Device-first practice
The optional first name, year band, practice attempts, and input-mode preferences live in the browser. Clearing site data wipes them from the device.
Minimal server data
Parent-submitted spelling lists are stored against an unguessable job ID, not against a user account. The generated audio is content-hashed and reused when the same script appears again.
AI with controls
Runtime sentence and audio generation uses Google Vertex AI under enterprise terms that prohibit training on Spellito prompts. Public curriculum audio generation uses public-domain vocabulary only.
Children’s Code checks
Spellito’s internal self-assessment maps the Information Commissioner’s Office (ICO) Children’s Code standards against the current app. The current build records pass positions for data minimisation, transparency, no profiling, no geolocation, no detrimental use of data, and no privacy-affecting default settings.
- No adverts or behavioural marketing.
- No public child profiles or child-to-child messaging.
- No geolocation, device fingerprinting, or third-party analytics.
- No voice recordings, photos, or child email addresses.
- Plain-English privacy and terms pages.
- A 90-day purge process for runtime-generated server content.