For parents, teachers, and anyone who asks
How we protect kids on The Whiteboard.
Privacy is not a feature here. It is the substrate. Each of these is implementable, auditable, and demonstrable to any parent who asks.
Voice
- Raw audio never leaves the device. When a child speaks to the tutor, the audio is captured in volatile memory, run through on-device speech-to-text, and immediately discarded. Only the transcribed text is sent to the server.
- No raw-audio fallback. If on-device STT is unavailable, the voice feature is disabled. There is no degraded path that ships audio.
- Singing exception is narrow. Structured singing exercises use on-device pitch/timing encoding so the tutor can give feedback without storing a voiceprint.
- Local practice channel is sandbox-only. A separate explicit record button writes audio only to the device. Parent unlock is required for any external share.
Identity and image
- Photos of student work are not stored. They are processed for tutor feedback and then deleted — unless the learner explicitly opts in to portfolio storage. EXIF and GPS are stripped on capture either way.
- Children's accounts are not discoverable. Not searchable. Cannot receive contact from unknown users.
- The only kid-to-kid channel is parent-gated. Performing-arts practice rooms require parent-device unlock per session, and are recorded for parent review.
Content and conduct
- The tutor is kind. Always. It never shames a wrong answer, never sighs at a slow learner, never punishes curiosity by ignoring an off-topic question.
- The tutor refuses topics outside the configured curriculum, by age tier. The refusal is kind and redirects to the curriculum — never shaming.
- Ethics is woven into every lesson as a cross-cutting layer, not a separate class.
- The mentor pipeline is background-checked, credentialed, and supervised. Connections to a child require explicit per-event parent consent.
- No captive geometry. The child never has to be alone in a closed room with an adult to get extra help.
What this prototype actually does
This is the text-only, privacy-honest MVP. There is no microphone path in the server code. When voice is added, the contract does not change — the server still only accepts text. The privacy strip at the bottom of the lesson screen is load-bearing UX, not decoration.
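One way a server could enforce the text-only contract described above, as an added example (not The Whiteboard's own code). The JSON request shape, the field names `session_id` and `text`, the 2000-character limit and the encoded-payload heuristic are all assumptions.

```python
import json
import re

# Assumptions (not from the page): requests are JSON objects carrying exactly
# these fields, and one transcript turn never exceeds MAX_TEXT_CHARS.
ALLOWED_FIELDS = {"session_id", "text"}
MAX_TEXT_CHARS = 2000
# Heuristic: spoken-language transcripts contain spaces, so a data: URI or a
# long unbroken run of base64 characters suggests an encoded binary payload.
ENCODED_BLOB = re.compile(r"data:[\w.+-]+/[\w.+-]+|[A-Za-z0-9+/=_-]{200,}")


class ContractViolation(ValueError):
    """Raised when a request falls outside the text-only contract."""


def accept_turn(content_type: str, body: bytes) -> dict:
    """Return the validated turn, or raise ContractViolation."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        # Rejects audio/*, multipart/form-data, application/octet-stream, ...
        raise ContractViolation(f"unsupported media type: {media_type!r}")
    try:
        turn = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ContractViolation("body is not UTF-8 JSON") from exc
    if not isinstance(turn, dict) or set(turn) != ALLOWED_FIELDS:
        # Exact match: no room for an extra "audio" or "attachment" field.
        raise ContractViolation("unexpected request shape")
    text = turn["text"]
    if not isinstance(text, str) or not isinstance(turn["session_id"], str):
        raise ContractViolation("fields must be strings")
    if not text.strip() or len(text) > MAX_TEXT_CHARS:
        raise ContractViolation("text empty or too long")
    if ENCODED_BLOB.search(text):
        raise ContractViolation("text looks like an encoded binary payload")
    return {"session_id": turn["session_id"], "text": text}
```

Because the check is an allow-list on media type, fields and size, adding a voice feature on the client changes nothing here: anything that is not a short text turn is refused.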