Privacy Policy — Kid Storytime

1. Overview

This Privacy Policy explains how Kid Storytime ("we", "us", "our") collects, uses, stores, and protects information in connection with the Kid Storytime iOS application ("App") and website at kidstorytime.app (the "Site").

We designed the App with privacy at the core, especially because it may be used by or on behalf of children. We do not build advertising profiles. We do not sell data. We minimise collection to what is genuinely necessary. Please read this policy carefully.

This policy applies to all users of the App and Site. By using the App you accept the practices described here. If you do not agree, please do not use the App.

2. Who We Are

Kid Storytime is the data controller for information processed in connection with your use of the App and Site.

Kid Storytime
Email: privacy@kidstorytime.app
Website: kidstorytime.app

For privacy-specific queries including data subject requests, contact us at privacy@kidstorytime.app.

3. Data We Collect

3.1 Information you provide directly

When you use the App, you may provide:

Child's first name — used to personalise the story. This is a short text string (e.g. "Zoli").
Child's age or age range — used to calibrate story complexity and vocabulary.
Story preferences — chosen lesson or theme (e.g. "Kindness"), story length, language.
Ritual names — if you create and name a Premium bedtime ritual preset.

We emphasise: you should only use a first name for your child. Do not input surnames, full legal names, or any information that could identify your child beyond the context of the App.

3.2 Technical & usage data

Our backend infrastructure may log, for security and service reliability purposes:

Device type and operating system version (iOS version)
App version
Request timestamps and response times
Error logs and crash reports (anonymised)
IP address (processed transiently to route requests; not stored linked to story content)

We do not log the story content generated for you or the name inputs alongside technical metadata.

3.3 Purchase & subscription data

Subscription purchases are managed entirely by Apple through the App Store. We receive from Apple only a validated receipt confirming active subscription status — we never receive your payment card details, Apple ID, or billing address. Apple's processing of payment data is governed by Apple's Privacy Policy.

3.4 Data we do NOT collect

Email addresses (unless you contact us or request launch updates)
Phone numbers
Location data
Child's photograph or biometric data
Social media profiles
Contacts or calendar data
Microphone or camera data (we do not use these)
Cross-app tracking identifiers (we do not use advertising networks or IDFA)

4. How We Use Your Data

Purpose	Data used	Legal basis (UK/EU GDPR)
Generate personalised bedtime stories	Child name, age, lesson preference, language, length	Performance of contract / Legitimate interests
Deliver narration audio	Generated story text	Performance of contract
Save stories to your local library	Story content (stored on-device only)	Performance of contract
Manage Premium subscription status	Apple receipt validation token	Performance of contract
Monitor service reliability and security	Anonymised technical logs	Legitimate interests
Improve story quality and app functionality	Aggregated, anonymised usage patterns (no names, no story text)	Legitimate interests
Respond to support enquiries	Email address, enquiry content (only if you contact us)	Legitimate interests
Launch update notifications	Email address (only if you opt in on the Site)	Consent

We do not use your data for advertising, profiling, or any purpose not listed above. We do not combine the data you provide in the App with data from any external sources.

5. AI & Story Generation

Stories are generated using large language model (LLM) AI services. When you request a story, a prompt is constructed from your inputs (child name, age, lesson, language, length) and sent to an AI service provider for processing. The resulting story text is returned to the App.

5.1 Transient processing

Story inputs and outputs are processed to complete your request. Kid Storytime is designed not to store child names or generated story text in our application database after delivery, although operational records may be retained for security, quota enforcement, subscription validation, reliability, support, and legal obligations. Saved stories are stored locally on your device.

5.2 AI service providers

We use third-party AI and text-to-speech providers to generate story content and narration. These providers process the prompts or story text we send as processors or service providers on our behalf, subject to their applicable data processing terms.

Our backend currently uses OpenAI for story generation and OpenAI or ElevenLabs for narration, depending on the configured text-to-speech provider. Their privacy practices are described in the OpenAI Privacy Policy and ElevenLabs Privacy Policy.

5.3 Content safety

All story generation prompts include age-appropriate content guidelines and safety constraints. We employ both prompt-level controls and post-processing checks to prevent generation of inappropriate content. If you encounter a story that seems inappropriate, please report it immediately to support@kidstorytime.app.

6. Children's Privacy (COPPA & GDPR-K)

6.1 App designed for parents, not children

The App is designed to be used by adults — parents and guardians — on behalf of children. Children themselves are not expected to operate the App, create accounts, or enter their own data. The App is rated 4+ on the App Store and does not contain third-party advertising, social features, or links to external websites that children could access.

6.2 What data relates to children

The only data that relates to a child is the first name and age range entered by a parent or guardian. This data is:

Used only for story generation at the moment of the request
Not stored as a child profile in our application database after generation
Not linked to any persistent identifier for the child
Shared only with service providers needed to generate the story, create narration, validate subscriptions, enforce quotas, operate the backend, or comply with law
Not used for advertising, profiling, or any commercial purpose

6.3 COPPA (United States)

We comply with the Children's Online Privacy Protection Act (COPPA). The App is not directed at children under 13 as users. Parents provide a child's name and age on the child's behalf; we treat this data as belonging to the parent account for COPPA purposes. We do not knowingly collect persistent personal information from children under 13.

If you believe a child under 13 has independently submitted personal information through the App, please contact us at privacy@kidstorytime.app and we will act immediately.

6.4 GDPR-K (United Kingdom & European Union)

Under UK GDPR and EU GDPR, the processing of personal data of children requires particular care. We minimise child-related data to first name, age, and the story preferences chosen by a parent or guardian. We use that data to generate and narrate stories and to operate the service. We do not use automated decision-making or profiling with respect to children's data.

7. Data Sharing & Third Parties

7.1 We do not sell your data

We do not sell, rent, or broker your personal information to any third party, ever.

7.2 Data processors

We share data with the following categories of service provider, who process data on our behalf under data processing agreements:

AI generation (OpenAI) — receives story prompts (name, age, lesson, language) to generate story text.
Cloud infrastructure — our backend runs on cloud infrastructure. Server logs (anonymised, no story content) may be stored by our infrastructure provider.
Text-to-speech (TTS) providers — story text may be sent to OpenAI or ElevenLabs to produce narration audio.
Apple — subscription validation and App Store purchase processing. Apple's Privacy Policy applies.
Crash reporting — anonymised crash data may be collected by Apple's built-in crash reporting (if you have shared diagnostics with Apple).

7.3 Legal disclosures

We may disclose personal data if required to do so by law, regulation, legal process, or governmental request — for example, in response to a court order or a request from a law enforcement authority. We will, where lawfully possible, notify you of such disclosure.

7.4 Business transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

8. Data Retention

Data type	Where stored	Retention period
Story generation inputs (name, age, lesson)	Transmitted through our backend to AI/TTS providers	Not stored in the Kid Storytime application database after delivery; provider and infrastructure retention follows their applicable terms
Generated story text & audio	On-device (your iPhone/iPad)	Until you delete the story or uninstall the App
Ritual presets	On-device (UserDefaults)	Until you delete the ritual or uninstall the App
Anonymised server logs	Our cloud infrastructure	Up to 90 days, then automatically deleted
Support email correspondence	Our email provider	Up to 3 years after resolution, then deleted
Launch update email addresses	Our email list provider	Until you unsubscribe or request deletion

9. Security

We take reasonable technical and organisational measures to protect your information against unauthorised access, loss, alteration, or disclosure. These include:

All data in transit is encrypted using TLS 1.2 or higher
Backend API access is authenticated using Apple App Attest, which verifies requests come from genuine, unmodified Kid Storytime app instances
Story inputs are not persisted in server logs alongside identifiable metadata
On-device data is stored using Apple's iOS data protection APIs, encrypted by the device passcode
We conduct periodic security reviews of our infrastructure

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If you believe your data has been compromised, contact us immediately at security@kidstorytime.app.

10. Your Privacy Rights

10.1 Rights under UK & EU GDPR

If you are located in the United Kingdom or European Economic Area, you have the following rights:

Right of access — You may request a copy of the personal data we hold about you.
Right to rectification — You may ask us to correct inaccurate or incomplete data.
Right to erasure — You may ask us to delete your personal data where we have no legitimate reason to continue processing it.
Right to restrict processing — You may ask us to pause processing your data in certain circumstances.
Right to data portability — You may request your data in a structured, commonly used, machine-readable format.
Right to object — You may object to processing based on legitimate interests.
Rights related to automated decision-making — We do not make solely automated decisions with significant effects on you.
Right to withdraw consent — Where processing is based on consent (e.g. launch updates), you may withdraw consent at any time.

10.2 Rights under CCPA (California residents)

If you are a California resident, you have rights under the California Consumer Privacy Act including the right to know what personal information we collect, the right to delete personal information, and the right to opt out of the "sale" of personal information (we do not sell personal information). To exercise these rights, contact us at privacy@kidstorytime.app.

10.3 Exercising your rights

To exercise any of these rights, email privacy@kidstorytime.app with the subject line "Privacy Request". We will respond within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before fulfilling the request.

Note that because we store most data on-device only, the most effective way to delete your data is to delete stories from your library within the App and uninstall the App. Uninstalling removes all locally stored data.

10.4 Right to complain

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with your local supervisory authority:

United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
European Union: Your national data protection authority — edpb.europa.eu

11. International Data Transfers

Our servers and some of our data processors may be located outside the United Kingdom or European Economic Area. Where we transfer personal data internationally, we ensure appropriate safeguards are in place, which may include:

Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO
Adequacy decisions by the UK Government or European Commission
Other legally recognised transfer mechanisms

For more information about the safeguards we use for international transfers, contact us at privacy@kidstorytime.app.

12. Apple Platform Data

As an iOS app distributed through the App Store, certain data interactions occur through Apple's platforms and are governed by Apple's Privacy Policy rather than ours:

App Store downloads & updates — processed by Apple
In-App Purchase receipts & subscription management — processed by Apple
Crash reports — if you have opted into sharing diagnostics with Apple, crash data may be shared with us through App Store Connect
Device permissions — microphone, camera, and location are not requested by Kid Storytime; notifications are optional and requested only in-app

Apple's Privacy Policy is available at apple.com/legal/privacy.

13. Cookies & Tracking (Website)

The Kid Storytime website at kidstorytime.app is a static informational site. We use only essential cookies necessary for the website to function (e.g. security cookies). We do not use advertising cookies, tracking pixels, or analytics services that identify individual visitors.

The App itself does not use cookies. App data is stored using Apple's local storage APIs (UserDefaults, file system) on your device.

If we introduce analytics or additional cookies in the future, we will update this policy and request consent where required by applicable law.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes — particularly those that affect how we process children's data or that reduce your privacy rights — we will notify you within the App and, if we hold your email, by email, with at least 14 days' notice before the changes take effect.

If you disagree with a material change to this policy, your remedy is to stop using the App, delete your data, and cancel any active subscription before the new policy takes effect.

15. Contact & Data Protection Enquiries

For any privacy-related questions, data subject requests, or concerns, please contact us:

Kid Storytime — Privacy Team
Email: privacy@kidstorytime.app
Security: security@kidstorytime.app
Support: support@kidstorytime.app
Website: kidstorytime.app

We will respond to all privacy requests within 30 days. For urgent matters involving children's data, we aim to respond within 72 hours.