Important Notice for Parents: Our Service is designed for parents to use with their children. We comply with the Children's Online Privacy Protection Act (COPPA) and the EU General Data Protection Regulation (GDPR), obtaining verifiable parental consent before collecting personal information from children under 13 (or under 16 in some EU countries).
1. Information We Collect
1.1 Information You Provide to Us
Account Information (Parents/Guardians):
- Email address
- Password (stored in encrypted form)
- Name (optional)
- Payment information (processed by Paddle, our merchant of record; not stored by us)
Child Profile Information:
- First name or nickname
- Age range (e.g., "3-5," "6-8," "9-12")
- Personality description (optional)
- Interests and preferences (optional)
- Imaginary companion or pet name (optional)
1.2 Information Collected Automatically
- Device type and operating system
- App version
- IP address (anonymized after 30 days)
- Usage patterns (features used, session duration)
- Crash reports and error logs
1.3 Information We Do NOT Collect from Children
We do NOT collect the following from children under 13:
- Last name or full name
- Physical address
- Phone number
- Social Security number or government ID
- Photos, videos, or audio recordings of the child
- Precise geolocation
- Persistent identifiers for behavioral advertising
2. Children's Privacy (COPPA)
COPPA Compliance: We are committed to complying with the Children's Online Privacy Protection Act (COPPA) and other applicable laws protecting children's privacy.
2.1 Parental Consent
Before collecting any personal information from or about a child under 13, we require verifiable parental consent:
- A parent or guardian must create the account
- We send a consent email explaining what data is collected
- The parent must click a verification link within 48 hours
- We record the date, time, and method of consent
2.2 What We Collect from Children
| Data Type | Purpose | Required? |
|---|---|---|
| First name or nickname | Story personalization | Yes |
| Age range | Age-appropriate content | Yes |
| Personality description | Story themes | No |
| Interests/likes | Story topics | No |
| Companion name | Story characters | No |
2.3 Parental Rights
Parents and guardians have the right to:
- Review: Access all personal information we have collected about their child
- Delete: Request deletion of their child's personal information at any time
- Refuse Further Collection: Revoke consent at any time
3. How We Use Your Information
- Generate personalized bedtime stories
- Process voice synthesis for narration
- Store and retrieve story history
- Process subscription payments
- Analyze usage patterns (in aggregate)
- Fix bugs and improve performance
4. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Child profiles | Until deleted by parent |
| Generated stories | Until deleted or 2 years of inactivity |
| Audio files | Until deleted or 90 days of inactivity |
| Payment records | 7 years (legal requirement) |
| Consent records | 7 years after consent ends |
5. Your Privacy Rights
Regardless of location, you have the right to:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data
- Data Portability: Receive your data in a machine-readable format
To exercise these rights, use the Parent Dashboard in the app, email privacy@yourbedtimestory.com, or write to us.
6. Security
We implement appropriate technical and organizational measures:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Secure password hashing (bcrypt)
- Rate limiting and abuse prevention
- Regular security audits
7. AI-Generated Content and Third-Party Data Sharing
Important: Your Bedtime Story uses artificial intelligence (AI) to create personalized stories. This section explains what data is shared with AI providers.
7.1 What Data We Share with AI Providers
To generate personalized bedtime stories, we send the following limited information to our AI partners:
- Child's first name only (no last name or full name)
- Age range (e.g., "5-7 years old")
- Story preferences and themes selected by the parent
- Personality traits and interests (if provided)
- Companion or pet name (if provided)
We do NOT share email addresses, passwords, payment information, physical addresses, phone numbers, photos, or any other identifying information with AI providers.
7.2 Our AI Service Providers
| Provider | Service | Privacy Policy |
|---|---|---|
| OpenAI | Story text generation, voice narration | OpenAI Privacy Policy |
| Google (Gemini) | Alternative story generation | Google Privacy Policy |
| Groq | Fast story generation | Groq Privacy Policy |
7.3 How AI Providers Use This Data
- Data is used only to generate the requested story
- Data is NOT used to train AI models (we use API tiers that opt out of training)
- Data is NOT stored permanently by AI providers
- Data is transmitted securely via encrypted connections (HTTPS/TLS)
7.4 Your Control Over AI Data Sharing
Since AI story generation is the core function of our app, using the service requires sharing the minimal data described above with AI providers. If you do not wish to share this data, please do not use the story generation feature.
You can request deletion of all data (including requesting removal from AI provider systems where applicable) through the Parent Dashboard or by contacting us at privacy@yourbedtimestory.com.
8. Data Processors and Third-Party Services
We use the following third-party service providers (data processors) to operate our Service. Each processor only receives the minimum data necessary for its purpose.
| Processor | Purpose | Data Shared | Location | Privacy Policy |
|---|---|---|---|---|
| Vercel | Hosting, serverless functions, PostgreSQL database, blob storage | All service data (hosting provider) | US (AWS regions) | Vercel Privacy |
| WorkOS | Authentication and user management | Email, name, session tokens | US | WorkOS Privacy |
| Paddle | Payment processing (merchant of record) | Email, payment details, subscription status | UK / US | Paddle Privacy |
| OpenAI | Story text generation, voice narration (TTS) | Child first name, age range, story preferences, personality traits | US | OpenAI Privacy |
| Google (Gemini) | Alternative story generation | Child first name, age range, story preferences, personality traits | US | Google Privacy |
| Groq | Fast story generation | Child first name, age range, story preferences, personality traits | US | Groq Privacy |
| PostHog | Product analytics (opt-in) | Anonymized usage data, page views, feature usage | US (EU hosting available) | PostHog Privacy |
| Sentry | Error tracking and crash reporting | Error logs, device info, app state at time of error | US | Sentry Privacy |
| Upstash | Rate limiting and caching (Redis) | IP addresses, request counts (no PII stored) | US / EU | Upstash Privacy |
| Meta (Facebook) | Advertising conversion measurement (opt-in via cookie consent) | Hashed user ID, page views, conversion events (no PII) | US | Meta Privacy |
| Google Ads | Advertising conversion measurement (opt-in via cookie consent) | Conversion events, page views (no PII) | US | Google Privacy |
8.1 Cross-Border Data Transfers
Most of our processors are based in the United States. For EU/EEA users, we ensure appropriate safeguards for international data transfers through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements (DPAs) with each processor
- Where available, EU-US Data Privacy Framework certification of the processor
8.2 Marketing and Advertising Processors
Important: Meta Pixel and Google Ads tracking are only activated if you consent to marketing/analytics cookies. They are disabled by default. You can manage this in Settings > Privacy or via our cookie banner.
These services are used solely to measure the effectiveness of our advertising campaigns. We do not use them to build profiles of children or to serve targeted advertising within the app.
9. California Privacy Rights (CCPA)
For California Residents: This section provides additional disclosures required under the California Consumer Privacy Act (CCPA).
9.1 Your CCPA Rights
If you are a California resident, you have the following rights:
- Right to Know: You can request information about the personal data we collect, use, and disclose about you
- Right to Delete: You can request deletion of your personal data
- Right to Opt-Out: You can opt out of the "sale" of your personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
9.2 Categories of Personal Information
In the past 12 months, we have collected the following categories of personal information:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Email address, name, IP address | Yes |
| Commercial Information | Subscription status, payment history | Yes |
| Internet Activity | App usage, features used | Yes |
| Geolocation | Approximate location (country/region) | Yes (from IP) |
| Inferences | Story preferences | Yes |
9.3 "Do Not Sell My Personal Information"
Your Bedtime Story does NOT sell personal information.
We do not sell, rent, or trade your personal information or your children's personal information to third parties for monetary or other valuable consideration.
While we share limited data with service providers (AI providers for story generation, Paddle for payment processing, PostHog for analytics, Meta and Google for advertising measurement), these are not considered "sales" under the CCPA because:
- The sharing is for business purposes only
- We have contracts requiring providers to use data only for specified purposes
- Providers are prohibited from further selling or using the data for their own purposes
9.4 Exercising Your CCPA Rights
To exercise your CCPA rights, you may:
- Use the Parent Dashboard in the app to access, download, or delete your data
- Email us at privacy@yourbedtimestory.com
- Write to us at the address provided in the Contact section
We will verify your identity before processing your request. For requests related to children's data, we will verify that you are the parent or guardian.
10. European Privacy Rights (GDPR)
For EU/EEA Residents: This section provides additional disclosures required under the General Data Protection Regulation (GDPR).
10.1 Legal Basis for Processing
We process your personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Story generation and personalization | Contract performance (Art. 6(1)(b)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Analytics and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Children's data processing | Parental consent (Art. 6(1)(a) + Art. 8) |
| Marketing/advertising measurement (Meta Pixel, Google Ads) | Consent (Art. 6(1)(a)) |
| Error tracking and crash reporting | Legitimate interest (Art. 6(1)(f)) |
10.2 Your GDPR Rights
If you are located in the EU/EEA, you have the following rights:
- Right of Access (Art. 15): Request a copy of all personal data we hold about you
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restriction (Art. 18): Request limitation of processing in certain circumstances
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests
- Right to Withdraw Consent (Art. 7): Withdraw previously given consent at any time
10.3 International Data Transfers
Your data may be transferred to and processed in the United States, where our servers and service providers are located. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all service providers
- Encryption in transit and at rest
10.4 Data Protection Officer
For GDPR-related inquiries, you may contact us at: privacy@yourbedtimestory.com
10.5 Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in your country of residence. A list of EU data protection authorities can be found at: https://edpb.europa.eu
10.6 Children's Data Under GDPR
In compliance with Article 8 of the GDPR regarding children's consent in relation to information society services:
- We require parental consent for processing any child's personal data
- Parents can review, modify, or delete their child's data at any time
- We collect only the minimum data necessary for story personalization
- Child data is never shared for marketing or profiling purposes
11. Contact Us
Privacy Questions: privacy@yourbedtimestory.com
General Support: support@yourbedtimestory.com