Privacy Policy

Last updated: February 2025

Your Privacy Matters

At StoryMagic, we take your privacy seriously. This policy explains how we collect, use, and protect your personal information and your child's information.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Your name and email address
  • Password (encrypted)
  • Billing address (for printed book delivery)
  • Payment information (processed securely by Stripe; we don't store card details)

1.2 Child Profile Information

To create personalized stories, we collect:

  • Child's first name
  • Age
  • Gender
  • Physical characteristics (hair color, eye color)
  • Interests and hobbies
  • Names of friends and family members (optional)
  • Special notes and preferences

1.3 Usage Information

We automatically collect:

  • Device information (browser type, operating system)
  • IP address
  • Pages visited and features used
  • Story downloads and reading activity
  • Subscription and payment history

2. How We Use Your Information

2.1 Story Generation

We use your child's profile information to generate personalized stories using Claude AI by Anthropic. The information is sent securely to Anthropic's API for story creation and is not stored by Anthropic beyond the generation process.

2.2 Service Delivery

We use your information to:

  • Process your subscription and payments
  • Generate and deliver personalized stories
  • Ship printed books (for Printed and Ultimate plans)
  • Send service notifications and updates
  • Provide customer support

2.3 Communication

We may send you:

  • Welcome emails
  • Story-ready notifications
  • Payment receipts and billing updates
  • Important service announcements
  • Marketing emails (you can opt out anytime)

2.4 Service Improvement

We analyze usage data to improve our service, including story quality, user experience, and feature development.

3. Data Sharing and Disclosure

3.1 Third-Party Services

We share data with trusted third-party services:

  • Anthropic (Claude AI): Story generation (does not store child data)
  • Stripe: Payment processing (PCI-compliant)
  • Supabase: Database hosting (encrypted at rest)
  • Resend: Email delivery
  • Vercel: Website hosting

3.2 We Never Sell Your Data

We never sell, rent, or trade your personal information or your child's information to third parties for marketing purposes.

3.3 Legal Requirements

We may disclose information if required by law, court order, or to protect our rights and the safety of our users.

4. Children's Privacy (COPPA Compliance)

StoryMagic is designed for parents and guardians to use on behalf of children. We do not knowingly collect information directly from children under 13. Parents provide all information about their children.

If you believe we have inadvertently collected information from a child under 13, please contact us immediately at hello@storymagic.design.

5. Data Security

We implement industry-standard security measures:

  • SSL/TLS encryption for data transmission
  • Encrypted database storage
  • Secure password hashing
  • Regular security audits
  • Access controls and authentication
  • Secure API communications

While we strive to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide services. If you cancel your subscription, we retain your data for 90 days in case you wish to reactivate. After 90 days, you may request permanent deletion.

7. Your Rights and Choices

7.1 Access and Update

You can access and update your account information and child profile at any time through your account settings.

7.2 Data Deletion

You may request deletion of your account and all associated data by contacting us at hello@storymagic.design. Note that some data may be retained for legal or accounting purposes.

7.3 Marketing Opt-Out

You can unsubscribe from marketing emails by clicking the "unsubscribe" link in any marketing email or by updating your preferences in account settings.

7.4 Export Your Data

You have the right to request a copy of your data in a portable format. Contact us to request a data export.

8. Cookies and Tracking

We use cookies and similar technologies to enhance your experience. See our Cookie Policy for detailed information.

9. International Data Transfers

Your data may be processed in countries outside the UK, including the United States (where our hosting providers are located). We ensure appropriate safeguards are in place for international transfers.

10. GDPR Rights (UK/EU Residents)

If you are located in the UK or EU, you have additional rights under GDPR:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent

To exercise these rights, contact us at hello@storymagic.design.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Material changes will be communicated via email.

12. Sub-processors and Data Transfers

12.1 Sub-processors

We use the following sub-processors to help deliver our Service:

  • Anthropic (Claude AI): Story generation using Claude AI - child information is transmitted but not retained by Anthropic beyond the generation process
  • Stripe: Payment processing - PCI-DSS Level 1 compliant, does not receive child data
  • Supabase: Database hosting - encrypted at rest and in transit, hosted in the UK/EU
  • Resend: Email service provider - transactional emails only, does not retain child data
  • Vercel: Website hosting - geographical distribution, encrypted connections

All sub-processors have signed Data Processing Agreements (DPAs) ensuring GDPR compliance.

12.2 Data Processing Agreements

All third-party service providers who process personal data on our behalf have entered into Data Processing Agreements that comply with GDPR requirements. You may request a copy of these agreements by contacting us.

13. Sensitive Data Handling for Child Information

13.1 Enhanced Protections

We recognize that information about children is particularly sensitive. We implement enhanced security measures specifically for child profile data:

  • Encryption at rest using AES-256
  • Encryption in transit using TLS 1.2+
  • Restricted access controls - only necessary staff can access child data
  • Regular security audits focused on child data protection
  • No sharing of child profile information with any third party except for story generation
  • Parental verification for all access and modification requests

13.2 What We Never Do

We are committed to protecting children's privacy. We will NEVER:

  • Sell or share child data with advertisers or marketers
  • Use child information for behavioral targeting or profiling
  • Share child photos, physical characteristics, or identifying information publicly
  • Use child data for any purpose other than generating personalized stories
  • Profile children or build persistent tracking identifiers
  • Share data with third parties for marketing purposes

14. Parental Rights and Responsibilities

14.1 Parental Access and Control

Parents and guardians have the right to:

  • Access all child profile information we collect
  • Modify or update their child's information at any time
  • Delete their child's information from our systems
  • Withdraw consent for data collection and story generation
  • Request a copy of all their child's data
  • Request deletion of all stored stories

14.2 Verification of Parental Authority

Before processing requests to access, modify, or delete child data, we will verify that the requesting individual is the legal parent or guardian of the child. This may include requesting:

  • Government-issued photo identification
  • Proof of guardianship or custody documents
  • Verification via phone or video call

15. Breach Notification

15.1 Security Incident Response

In the unlikely event of a data breach affecting personal or child information, we will:

  • Immediately investigate the breach and contain the incident
  • Notify affected individuals within 72 hours of discovery (as required by GDPR)
  • Provide clear information about what data was affected
  • Offer appropriate remedies and protective measures
  • Notify relevant supervisory authorities as required
  • Conduct a thorough security audit to prevent recurrence

For child data breaches, notifications will be sent to the registered parent or guardian email address on file.

16. Legitimate Interests

Where we rely on legitimate interests as a legal basis for processing data, these include:

  • Delivering and improving our service
  • Preventing fraud and ensuring account security
  • Responding to legal obligations and enforcing our terms
  • Analyzing service usage to improve user experience
  • Marketing to existing customers about service improvements

We do not use legitimate interests as a basis for processing child data beyond what is necessary to deliver personalized stories.

17. Your Data Protection Officer and Contact

StoryMagic is committed to GDPR compliance. For data protection inquiries or to exercise your rights under GDPR, please contact us:

StoryMagic - Data Protection Officer

Email: hello@storymagic.design

Website: storymagic.design

We aim to respond to all data protection requests within 15 business days (GDPR requires 30 days maximum).

18. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us:

StoryMagic - Privacy Inquiries

Email: hello@storymagic.design

Website: storymagic.design

Your Trust is Important to Us

We understand that you're trusting us with information about your child. We take this responsibility seriously and are committed to protecting your family's privacy.