Back to home

UK Children’s Code

Safeguarding

Spellito is built for primary-school children, so the default is simple: collect as little as possible, keep practice private, and avoid adverts, tracking, profiling, or pressure mechanics.

Last reviewed: 2 June 2026

What this means for kids

No strangers

There is no chat, no friend requests, and no public profile.

No tracking

Spellito does not follow you round the web or sell anything about you.

No recordings

You hear Spellito. Spellito never records your voice or asks for your photo.

For parents and carers

This page is the public summary of Spellito’s safeguarding posture. The internal DPIA, or Data Protection Impact Assessment, is maintained separately and re-audited whenever the app adds a new data flow or third-party processor.

Anonymous by design

Guest practice does not require sign-up, email, birthday, address, photo, or voice recording. If a child asks Spellito to remember a first name, it stays on the device for local greetings only.

Device-first practice

The optional first name, year band, practice attempts, and input-mode preferences live in the browser. Clearing site data wipes them from the device.

Minimal server data

Parent-submitted spelling lists are stored against an unguessable job ID, not against a user account. The generated audio is content-hashed and reused when the same script appears again.

AI with controls

Runtime sentence and audio generation uses Google Vertex AI under enterprise terms that prohibit training on Spellito prompts. Public curriculum audio generation uses public-domain vocabulary only.

Children’s Code checks

Spellito’s internal self-assessment maps the Information Commissioner’s Office (ICO) Children’s Code standards against the current app. The current build records pass positions for data minimisation, transparency, no profiling, no geolocation, no detrimental use of data, and no privacy-affecting default settings.

  • No adverts or behavioural marketing.
  • No public child profiles or child-to-child messaging.
  • No geolocation, device fingerprinting, or third-party analytics.
  • No voice recordings, photos, or child email addresses.
  • Plain-English privacy and terms pages.
  • A 90-day purge process for runtime-generated server content.