Privacy Policy

1. Who We Are

KidStories ("we", "us", "our") operates the website kidstories.io and the related service that generates personalized AI-powered storybooks for children. References to "you" or "your" mean the adult account holder using our service.

For the purposes of the EU General Data Protection Regulation (GDPR), we are the data controller of personal information we hold about you.

If you have questions about this Privacy Policy, contact us at: privacy@kidstories.io

2. Information We Collect

2.1 Account Information

When you sign in with Google, we receive and store:

• Your email address
• Your display name
• Your Google profile picture URL
• A Google-issued identifier (used only to recognize your account)

We do not receive or store your Google password.

2.2 Child Profile Information

To personalize stories, you may provide:

• A child's first name (or any name you choose — it does not have to be a real name)
• An age range (e.g., "4–5 years")
• A list of interests (e.g., "dinosaurs, space, drawing")

You are never required to provide a child's real name. We encourage you to use nicknames or fictional names for additional privacy.

2.3 Story Requests & Generated Content

When you create a story, we store:

• The story request parameters (name, age, interests, genre, language)
• The generated story text, illustrations, and audio files
• Story status and metadata (creation date, language, format)

2.4 Payment Information

We do not store credit card numbers or full payment details. All payment processing is handled by Paddle (our payment processor). We receive confirmation of subscription status and a customer identifier from Paddle.

2.5 Usage Data

We automatically collect:

• Number of stories generated per month (for plan limit enforcement)
• Subscription plan and status
• Timestamps of account creation and story creation

2.6 Technical Data

Our web server and infrastructure providers collect standard server logs, which may include IP addresses, browser type, and pages visited. We use this data only for security monitoring and debugging. We do not use this data to track or profile individual users.

3. How We Use Your Information

We use the information we collect to:

• Provide the service: authenticate your account, generate personalized stories, deliver them to your dashboard and by email
• Enforce plan limits: track monthly story usage against your subscription tier
• Process payments: manage subscriptions through Paddle
• Send transactional emails: story-ready notifications, payment receipts, and service alerts — no marketing emails without your explicit opt-in
• Improve reliability: monitor for errors and fix technical issues
• Comply with legal obligations: retain records as required by applicable law

We do not use your data or your children's data to:

• Show you advertisements
• Build advertising profiles
• Sell or rent your data to third parties
• Train AI models on your personal story content

4. Third-Party Services

To deliver the service, we share certain data with trusted third-party providers. Each provider is bound by contractual data processing agreements.

4.1 AI Story Generation

Anthropic (claude.ai API) and/or OpenAI (GPT-4o API) receive the story prompt — including the child's name, age range, interests, and genre — to generate story text. These providers process this data under their API terms. Story prompts are not used to train their public models under current enterprise API agreements.

4.2 Image Generation

OpenAI (DALL-E 3 API) receives illustration descriptions (in English, regardless of story language) to generate images. These descriptions do not contain personal information about your child.

4.3 Audio Narration

ElevenLabs receives story page text to generate audio narration files. This text may contain the child's name as used in the story. ElevenLabs processes this under their API terms and does not retain audio generation content beyond the API response.

4.4 Authentication

Google provides authentication via Google Sign-In. Your Google account data is governed by Google's Privacy Policy. We receive only your basic profile information (name, email, profile picture) from Google.

4.5 Payments

Paddle processes all subscription payments. Paddle is the Merchant of Record for our service and handles billing, taxes, and payment data under their own Privacy Policy. We do not see or store your full payment card details.

4.6 Email Delivery

Resend delivers transactional emails (story delivery, receipts). Your email address is shared with Resend for this purpose.

4.7 Infrastructure & Storage

Story files (PDFs, images, audio) are stored on cloud storage services (Google Cloud Storage, AWS S3, or local storage on our Hetzner server, depending on configuration). Our API server runs on Hetzner cloud infrastructure in Germany (EU), which means your data may be stored within the European Economic Area.

5. Children's Privacy (COPPA)

Children do not create accounts on KidStories. Only adult account holders create child profiles. The child profile information (name/nickname, age range, interests) is provided by the adult account holder and used solely to personalize stories.

We comply with the Children's Online Privacy Protection Act (COPPA). If you believe a child under 13 has somehow submitted personal information to us directly without parental consent, please contact us at privacy@kidstories.io and we will promptly delete it.

We recommend using nicknames rather than real names for child profiles to minimize the personal data involved in story generation.

6. Data Retention

We retain your data for as long as your account remains active and for a reasonable period thereafter:

• Account data: retained while your account is active, and deleted within 90 days of account deletion
• Child profiles: deleted immediately upon your request or within 90 days of account deletion
• Stories: retained while your account is active; you may delete individual stories at any time from your dashboard
• Payment records: retained for 7 years as required for accounting and tax compliance
• Server logs: retained for 30 days for security purposes, then deleted

You can request deletion of all your data at any time by emailing privacy@kidstories.io with the subject "Data Deletion Request".

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Rights under GDPR (EU/EEA residents)

• Right of access: request a copy of all personal data we hold about you
• Right to rectification: request correction of inaccurate data
• Right to erasure ("right to be forgotten"): request deletion of your personal data
• Right to restriction: request that we limit how we use your data
• Right to data portability: request your data in a machine-readable format
• Right to object: object to certain types of processing

Rights under CCPA (California residents)

• Right to know what personal information we collect and how we use it
• Right to delete personal information (with certain exceptions)
• Right to opt out of the sale of personal information — we do not sell personal information
• Right to non-discrimination for exercising your CCPA rights

To exercise any of these rights, email privacy@kidstories.io. We will respond within 30 days. We may need to verify your identity before processing requests.

8. Security

We take reasonable technical and organizational measures to protect your personal data:

• All data in transit is encrypted via TLS 1.2/1.3 (HTTPS)
• Passwords are never stored — authentication is delegated to Google OAuth
• API access is controlled by short-lived signed JWT tokens
• Our database and file storage are not publicly accessible
• Admin access to user data requires a separate credential with rate limiting

No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at security@kidstories.io.

9. Cookies & Local Storage

KidStories does not use advertising or tracking cookies. We use browser localStorage (not cookies) to store:

• Your authentication token (to keep you logged in between sessions)
• Your preferred UI language
• Your selected subscription plan (temporarily, during the checkout flow)

This data never leaves your browser except as part of authenticated API requests to our own servers. You can clear this data at any time by clearing your browser's local storage or logging out.

We do not use Google Analytics, Facebook Pixel, or any other third-party tracking scripts.

10. International Data Transfers

Our primary server infrastructure is located in Germany (EU) via Hetzner. However, some of our third-party processors (Anthropic, OpenAI, ElevenLabs, Paddle) are based in the United States.

When data is transferred outside the European Economic Area, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) as approved by the European Commission. By using KidStories, you acknowledge that your data may be processed in countries outside your own, including the United States and Germany.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or via a notice on our website.

Your continued use of KidStories after changes are posted constitutes your acceptance of the updated policy. If you disagree with the changes, you may delete your account and stop using the service.

12. Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or our handling of your personal data, please contact us:

• Email: privacy@kidstories.io
• Website: kidstories.io

We aim to respond to all privacy-related inquiries within 5 business days, and to all data subject requests within 30 days.

If you are located in the EU and believe we have not resolved your complaint satisfactorily, you have the right to lodge a complaint with your local data protection authority.