Privacy Policy
Last updated: June 23, 2026
Little Story Bear helps parents and children create, read, practise, and revisit personalized storybooks. This policy explains what information we collect, how we use it, which providers process it for us, and how parents can review, export, or delete their family data.
1. Who We Are
Little Story Bear is operated by the Little Story Bear team. The privacy team responsible for family-data requests is reachable at privacy@littlestorybear.com.
Because the company is Canadian-operated and serves families internationally, we design our privacy program around PIPEDA accountability, adult-controlled child data, and the children's privacy laws that apply where families use the service.
2. Information We Collect
- Parent account information: name, email address, hashed password, account type, consent records, and subscription status.
- Child profile information: first name or nickname, age group, language, reading level, interests, and reading-support preferences entered by the parent or teacher.
- Story content: typed or spoken story ideas, generated story text, generated illustrations, saved characters, reading-support metadata, and generated narration audio.
- Reading data: assessment passage text, transcripts where mic mode is used, accuracy estimates, words-correct-per-minute estimates, reading level, word-level results, daily-lesson outcomes, and parent-confirmed read-aloud feedback.
- Voice input: short audio clips used to transcribe story ideas or support a parent-guided reading check. Little Story Bear does not keep the raw audio file after transcription or checking completes.
- Usage and device data: feature usage, approximate region, browser/device type, error logs, security logs, and payment metadata from our payment processor.
- We do not collect: facial images for identification, exact GPS location, contact lists, health records, or payment card numbers. Stripe handles card data directly.
3. Consent and Children's Use
Accounts must be created and managed by an adult parent, legal guardian, or authorized school user. We store the date, policy versions, method, IP address, and user agent for the adult confirmation shown during signup or on the in-app confirmation screen.
- Children should use Little Story Bear with adult involvement, especially for story creation, reading assessment, and read-aloud features.
- Child data is stored under the parent or school account and can be reviewed, exported, or deleted by the account holder.
- Mic-supported reading checks and read-aloud features require a current stored adult confirmation before the app will process or save the result.
- The payment-card verification mechanism for any paid beta will be reviewed with children's privacy counsel before launch.
4. How We Use Information
- To generate, illustrate, narrate, save, print, and replay storybooks.
- To run parent-guided reading checks, daily lessons, and read-aloud practice.
- To personalize stories to a child's reading level, phonics focus, language, and support settings.
- To process subscriptions, purchases, refunds, and essential service emails.
- To prevent abuse, secure the service, debug errors, and understand aggregate feature usage.
- We do not sell personal information or share it with third parties for their own advertising.
- We do not use family data to train public AI models. AI providers process prompts, images, and audio only to provide the requested feature under their service terms and our settings.
5. Voice, AI, and Narration
- Story-idea voice input is transcribed into text so the child can create a story without typing.
- Reading checks and echo/read-aloud mode may analyze the transcript to support parent-confirmed reading results. Raw audio is not stored by Little Story Bear after processing.
- OpenAI Whisper processes audio for transcription. The speech provider may retain API inputs briefly under its own API data policy; we are confirming current retention and zero-data-retention options before paid beta.
- Generated narration audio for saved stories may be stored so favorite stories can replay instantly without regenerating the same audio. Storage/re-serving of third-party TTS output will only be enabled once the relevant provider terms or written permission allow it.
6. Sub-Processors
These providers process data for Little Story Bear under our instruction. The list may change as the product matures.
| Provider | Purpose | Typical location |
|---|---|---|
| Vercel | Hosting, serverless compute, Blob storage | US / global |
| Neon | PostgreSQL database for accounts, stories, reading data | US |
| OpenAI | Story text generation, safety checks, speech transcription | US |
| Replicate | AI illustration generation | US |
| Fish Audio | Generated narration / text-to-speech when enabled | US / global |
| Stripe | Payments, invoices, refunds, fraud prevention | US / EU / global |
| Optional OAuth sign-in | US / global | |
| Resend | Transactional email | US |
| Cloudflare R2 | Print-ready files and generated assets where configured | US / global |
| PostHog | Product analytics on non-child surfaces only, if enabled | US |
| Sentry | Error and crash monitoring | US |
| Print providers | Print-on-demand fulfillment for ordered books | US / EU / global |
7. Retention
- Account, child profile, stories, and generated narration: kept while the account is active so the family can revisit saved books.
- Reading and assessment records: kept while the account is active so progress history remains available.
- Raw voice audio: not retained by Little Story Bear after transcription or scoring completes.
- Security, usage, and error logs: generally kept up to 12 months unless needed longer for security, fraud, or legal reasons.
- Deletion: account deletion removes personal and child data from active systems within 30 days; backups age out within 90 days where technically feasible.
8. Cookies and Analytics
- Essential cookies: sign-in, security, subscription, and service preferences.
- Local storage: interface preferences such as active child, reading-support settings, and story draft state.
- Analytics: if PostHog is enabled, it is configured without session recording or autocapture and is not initialized on child-facing story, dashboard, assessment, school, print, or journey surfaces.
9. Your Rights and Parent Controls
- Review, correct, export, or delete account and child data from account settings.
- Withdraw consent by deleting the account or contacting us; some child-facing features cannot operate without parent consent.
- Ask questions or raise concerns at privacy@littlestorybear.com.
- Residents of some regions may also contact their local privacy regulator, including the Office of the Privacy Commissioner of Canada for PIPEDA concerns.
10. Security and Safety
We use HTTPS, bcrypt password hashing, database access controls, rate limits, content-safety checks, and error monitoring. AI-generated content is reviewed by automated safety filters before it reaches children, but parents should still read with young children because automated systems are not perfect.
11. International Transfers
Little Story Bear is operated from Canada and uses providers that may process data in the United States and other countries. We rely on provider safeguards and contractual commitments for cross-border transfers.
12. Changes
We may update this policy as the product, law, or providers change. Material changes will be announced in the app or by email before they take effect when required.
13. Contact
Privacy requests: privacy@littlestorybear.com.
General support: support@littlestorybear.com.