Privacy Policy

Last updated: April 2026

This policy describes our current practices. Little Story Bear is designed to meet the standards set by COPPA (US) and GDPR (EU/UK). A full legal compliance audit is in progress; this document will be updated as we complete that review.

At Little Story Bear, we take your family's privacy seriously. This policy explains what information we collect, how we use it, where it is stored, who else processes it on our behalf, and the choices and rights you have.

1. Who We Are

Little Story Bear ("we", "us") is an AI-powered children's literacy service. The data controller for purposes of GDPR is Little Story Bear. You can contact our privacy team at supportlittlestorybear@gmail.com.

2. Information We Collect

  • Parent account information: name, email address, hashed password, and (if you subscribe) billing details handled by our payment processor.
  • Child profile information you provide: first name or nickname, age or age-group, preferred language, reading level, and interests you enter.
  • Story content: prompts your child speaks or types, drawings they upload, generated story text, generated illustrations, and narration audio.
  • Reading-assessment data: voice recordings made during the oral reading check-in, our accuracy and fluency (WCPM) measurements, and the resulting reading-level assignment.
  • Usage data: pages visited, features used, approximate region, and device/browser type for service reliability and security.
  • We do NOT collect: facial images, biometric identifiers, exact location, contact lists, health data, financial identifiers beyond what Stripe handles, or any other sensitive personal data not listed above.

3. Legal Basis for Processing (GDPR)

For users in the EU/UK, we rely on the following legal bases:

  • Contract: to provide the service you signed up for (generating and storing stories, running reading assessments, delivering subscriptions).
  • Parental consent: for all processing involving a child under 13 (16 in some EU countries). Parents provide consent during account creation and can withdraw it at any time by deleting the account.
  • Legitimate interests: service security, fraud prevention, and limited product improvement analytics (aggregated and de-identified).

4. How We Use Your Information

  • To generate, illustrate, narrate, and save storybooks for your family.
  • To run the optional reading-level assessment and track progress over time.
  • To personalise story content to your child's reading level and interests.
  • To process subscription payments and send essential service emails.
  • To prevent abuse, protect the service, and meet legal obligations.
  • We do NOT use your data to train public AI models. Story prompts and content are sent to our AI providers (see §6) solely to generate your story; they are not retained by those providers for training purposes under our agreements.
  • We do NOT sell your personal information and we do not share it with third parties for their own marketing purposes.

5. Children's Privacy & COPPA

Little Story Bear is designed for families. We follow the United States Children's Online Privacy Protection Act (COPPA) and do not knowingly collect personal information from children under 13 without parental consent.

  • Accounts must be created by a parent or legal guardian aged 18+.
  • Children should use Little Story Bear under parental supervision.
  • All content a child creates is stored under the parent's account and controlled by the parent.
  • Parents can review, export, or permanently delete their child's data at any time from the account settings page, or by emailing us.
  • If you believe a child has used the service without a parent's involvement, contact us at supportlittlestorybear@gmail.com and we will delete the data within 30 days.

6. Sub-Processors

We use the following third-party service providers to operate Little Story Bear. Each acts as a data processor under our instruction and has its own privacy and security commitments. We do not share your data with any other parties.

Provider | Purpose | Location
Vercel | Web hosting and serverless compute | US
Neon | PostgreSQL database (accounts, stories, assessments) | US (AWS)
OpenAI | Story text generation (GPT-4o) and speech transcription (Whisper) | US
Replicate | AI illustration generation (Flux Kontext) | US
Fish Audio | AI narration / text-to-speech | US
Stripe | Subscription payment processing | US / EU
Google | Optional sign-in (OAuth) | US
Resend | Transactional service emails | US

For users in the EU/UK, data transferred to the US is protected by Standard Contractual Clauses (SCCs) and each provider's own safeguards.

7. AI-Generated Content & Voice Recordings

Stories and illustrations are generated on demand using AI. When your child records a story prompt or reads a passage aloud:

  • Audio is uploaded over HTTPS and transcribed by OpenAI Whisper.
  • The transcript is saved alongside the story or assessment result. The raw audio file is used transiently for transcription and is not kept in our own storage after processing completes.
  • Our AI providers do not retain your prompts or audio for training purposes under the terms we have contracted with them.

8. Data Retention

  • Story content and child profiles: kept for as long as the parent account is active, so you and your child can revisit the library.
  • Voice recordings from assessments: kept for the life of the account so progress reports remain verifiable; can be deleted on request.
  • Usage/analytics logs: kept for up to 12 months for security and reliability.
  • After account deletion: personal data is deleted within 30 days. Backups are purged within 90 days. Anonymised aggregates may be retained.

9. Your Rights

Parents and account holders have the following rights, regardless of jurisdiction:

  • Access — see what personal data we hold about you and your child.
  • Rectification — correct anything inaccurate.
  • Erasure — delete your account and all associated child data.
  • Portability — export your stories and account data in a machine-readable format.
  • Restrict or object to certain processing.
  • Withdraw consent at any time (which may mean closing the account).
  • Complain to your local data protection authority (e.g. the UK ICO or your EU DPA).

You can exercise access, export, and deletion directly from your account settings, or email supportlittlestorybear@gmail.com and we will respond within 30 days.

10. Cookies & Similar Technologies

We use a small number of cookies and local-storage items:

  • Essential: session cookies for sign-in (required).
  • Preferences: language and theme, stored in your browser only.
  • Analytics (if enabled): aggregated, privacy-preserving page counts.

EU/UK visitors are asked for consent before any non-essential cookies are set.

11. Security

We use industry-standard measures: HTTPS everywhere, bcrypt-hashed passwords, encrypted database connections, least-privilege access, and regular security reviews. No system is completely secure; if we learn of a breach that affects you, we will notify you and the relevant authorities within 72 hours as required.

12. Content Moderation & Safety

All generated story content passes through multiple layers of automated content moderation before it is shown to a child, designed to prevent violence, adult content, graphic depictions, and unsafe material. Parents should still read along with young children — AI moderation is not perfect.

13. International Users & Cross-Border Transfers

Little Story Bear is operated from the United States. If you use the service from outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses and provider-level safeguards for transfers out of the EU/UK.

14. Changes to This Policy

We will update this policy from time to time. Material changes will be announced by email to active account holders and by a notice in the app at least 14 days before they take effect. The "Last updated" date at the top will always reflect the current version.

15. Contact Us

Privacy questions, data requests, or concerns about your child's data: supportlittlestorybear@gmail.com.
General support: supportlittlestorybear@gmail.com.