Trust
Privacy
What Articarry stores, who can see it, how long it is kept, and how a family can take it back.
Internal beta: synthetic and explicitly-consented test data only.
Articarry is in a private beta. The text below describes how the product is engineered and how it intends to handle data. Use with real patient audio requires BAA-covered infrastructure and a legal review of this text; both are gates between this beta and any wider use.
What Articarry stores
- Account details for the clinician and the guardian who sign in: email address, a display name, and a hashed password. The clinician's self-attested licensing line is stored as plain text on the clinician profile.
- A child's first name and the practice a clinician has assigned them. A child is never a user; a child has no login, no password, no session of their own.
- Short audio recordings a child makes while practicing. Each recording is paired with the scoring provider's response and a derived per-word score block. The audio blob and the score are kept together while the audio is retained; the score block is preserved after the audio is removed (see How long things are kept).
- An audit log of sensitive reads + writes: which clinician opened a recording's diagnostic, which clinician streamed a recording's audio, when a guardian granted or revoked consent, when an account or child was deleted. The audit log carries identifiers, never transcripts or names; a future compliance team can read it without that read being a privacy event.
Who can see it
A child's recordings are reachable by that child's clinician (the one whose caseload the child is enrolled on) and by their guardian (through the guardian's signed-in session). They are not shared with anyone else and they are not sold.
We do not use third-party analytics. We do not place advertising cookies. We do not send marketing email.
Engineers may listen to a recording while debugging.
Articarry's engineering team may read a recording and its surrounding metadata when they need to: debug an upload failure, calibrate the scoring path, investigate a report a clinician or guardian sent us. This is the only non-clinical, non-guardian reason a recording is ever opened, the consent a guardian reads at signup says so plainly before any audio is recorded, and every such read writes a row to the audit log so the read is visible to a future review. We do not train any model on recordings; we do not share recordings with any third party; we do not resell anything.
How long things are kept
Audio recordings are kept for 180 days; a removed child or account is kept for 30 days and then permanently deleted.
- Audio recordings: the audio blob is kept for 180 days. After that, the audio is removed from storage. The Recording row + the scoring provider's response + the derived per-word score block are preserved so the clinician's history of what happened stays truthful. Only the bytes are gone.
- A removed child or account: kept for 30 days, then permanently deleted. Within the 30-day window a guardian can restore from their account page.
- The audit log: kept for the lifetime of the deployment. Audit rows are identifiers; removing them would defeat their purpose.
- Account details + the assignments a clinician has authored: kept while the account is active. Deletion of the account removes them along with everything else above.
The control a family keeps
Consent for recording is given by the guardian before practice starts, and it can be withdrawn at any time. A guardian can ask for a child's recordings to be deleted whenever they like, and they do not have to give a reason. The deletion path is on the account page.
A clinician can remove a child from their caseload. That ends the clinician's access; the family's account and recordings remain. Deleting a family's data is the family's call, not the clinician's.
Cookies and tracking
We use only essential cookies: the Django session cookie that keeps you signed in, and the CSRF cookie that protects every form. We do not use analytics cookies, advertising cookies, or third-party tracking pixels of any kind. A "cookie consent banner" would be cargo-cult here: there is nothing to consent to beyond the session that signs you in.
How to reach us
Privacy questions during the beta: privacy@articarry.com. Security disclosures: security@articarry.com. We acknowledge in writing.
How this applies to a child specifically is set out on the children's privacy page.
Last updated: 2026-05-25.