Privacy Policy

2.1 Information You Provide Directly

• •Account Information: Email address, password (if not using OAuth), first name, last name
• •Child Profile Information: Child's first name only (no last name), age (2-9 years), gender (optional), interests, favorite values/lessons
• •Pet Information: Pet names and types (optional)
• •Story Preferences: Values to teach, story themes, language preferences
• •Payment Information: Processed securely through Paddle (we do not store credit card numbers)
• •OAuth Profile Data: When using Google or Facebook login, we receive your name, email, and profile ID
• •Parent Quiz Responses: If you complete our optional bedtime-parent quiz, we store your answers and the resulting parenting style archetype

2.2 Information Collected Automatically

• •Usage Data: Stories generated, favorites marked, generation timestamps
• •Device Information: IP address, browser type, device type, operating system
• •Log Data: Access times, pages viewed, errors encountered
• •Session Information: Authentication tokens, session identifiers

2.3 Cookies and Tracking Technologies

We use essential storage required to operate the service, plus first-party analytics cookies for product analytics and session replay so we can understand how the site is used and fix issues. We do not use advertising cookies or cross-site profiling, and we do not sell your data.

• •Essential Cookies: For authentication and session management. Duration: session-only or up to 30 days for "remember me".
• •localStorage: To store authentication tokens and user preferences. Persisted in your browser until you log out or clear browser data.
• •sessionStorage: For temporary data during story creation. Cleared when you close the tab.

If we ever introduce additional tracking or non-essential cookies beyond what is listed here, we will update this policy and obtain your consent before doing so.

3.1 Primary Uses

• •Generate personalized bedtime stories based on child profiles
• •Manage user accounts and subscriptions
• •Process payments and manage billing
• •Send transactional emails (verification, password resets, receipts)
• •Provide customer support
• •Improve our service and develop new features
• •Understand our user base through aggregate analytics

3.2 Legal Basis for Processing (GDPR)

• •Consent: For marketing communications and non-essential features
• •Performance of Contract: To provide our story generation service
• •Legal Obligations: Tax records, fraud prevention
• •Legitimate Interests: Service improvements, security, analytics

4.1 Service Providers

• •Supabase: Database and authentication services
• •Paddle: Payment processing (PCI-compliant)
• •Anthropic: Story text generation via Anthropic's API. We send your child's first name, age, gender, interests, pet name, and sibling first names to generate personalized story content. Anthropic processes this data in the United States and is certified under the EU-US Data Privacy Framework, providing GDPR-compliant transfer protections for EU users. No last names, email addresses, or contact information is ever shared. Anthropic does not retain or use submitted data for model training.
• •OpenAI: We use OpenAI services as part of the story generation, illustration generation, and audio narration. Story content (which contains your child's first name) and minimal child profile data are sent. Illustrations depict environments only, never people. Audio narration is generated using OpenAI's text-to-speech service. OpenAI is US-hosted and certified under the EU-US Data Privacy Framework. Submitted data is not used for model training.
• •Cloudflare R2: Image and audio storage and delivery
• •Resend: Transactional email delivery
• •Vercel: Website hosting, deployment, and cookieless analytics. Vercel Analytics collects aggregate page-view metrics using an anonymized, daily-rotating device hash — no cookies, no persistent identifiers, no cross-site tracking. Vercel is US-hosted and offers GDPR-compliant transfer mechanisms for EU users.
• •Sentry: Error tracking and performance monitoring. When the application encounters an error, technical context (stack traces, browser and device information, anonymized user identifier) is sent to Sentry so we can diagnose issues. Story content, child profile information, and payment data are not sent. Sentry is US-hosted and certified under the EU-US Data Privacy Framework.

4.2 Legal Requirements

We may disclose information if required by law, court order, or government request, or to protect our rights, property, or safety.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred with appropriate privacy protections.

7.1 GDPR Rights (EU Users)

If you are in the EU/EEA, you have the following rights under the GDPR:

• •Access: Request a copy of your personal data
• •Rectification: Correct inaccurate information
• •Erasure: Request deletion ("right to be forgotten")
• •Portability: Receive your data in a portable format
• •Restriction: Limit processing of your data
• •Object: Opt-out of certain processing
• •Withdraw Consent: Where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal

7.2 CCPA Rights (California Users)

• •Know: What personal information we collect and how it's used
• •Delete: Request deletion of your personal information
• •Opt-Out: We do not sell personal information
• •Non-Discrimination: Equal service regardless of privacy choices

7.3 How to Exercise Your Rights

Email us at hello@cozytales.app or use the account settings in your dashboard. We will respond within 30 days.