Privacy Policy

Your Privacy Matters

At Tinytales, we are committed to protecting your privacy and the privacy of children who use our service. This Privacy Policy explains how we collect, use, and safeguard your information.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address
  • Password (stored securely and encrypted)
  • Account preferences and settings
  • Subscription status and billing information (processed by LemonSqueezy)

1.2 Child Information for Story Personalization

To create personalized stories, we collect:

  • Child's first name (for story personalization only)
  • Child's age (to ensure age-appropriate content)
  • Interests and themes for story generation
  • Any specific topics or challenges to address in stories

Important: We do not collect last names, addresses, phone numbers, or any other personally identifiable information about children beyond what is necessary for story creation.

1.3 Generated Content

We store:

  • Stories you create and generate
  • Images and audio files associated with your stories
  • Story ratings and community interactions
  • Usage patterns and preferences to improve our service

2. How We Use Your Information

We use your information exclusively for:

  • Story Creation: Personalizing stories with your child's name, age, and interests
  • Service Delivery: Providing account access, managing subscriptions, and delivering content
  • Content Moderation: Ensuring all generated content is safe and age-appropriate
  • Service Improvement: Analyzing usage patterns to enhance our AI and user experience
  • Communication: Sending important account updates and service notifications
  • Legal Compliance: Meeting our obligations under data protection laws

3. Children's Privacy (COPPA Compliance)

Special Protections for Children

We are committed to complying with the Children's Online Privacy Protection Act (COPPA) and similar laws worldwide that protect children's privacy online.

3.1 Parental Consent

  • Parents/guardians must create accounts and provide consent for children under 13
  • Only parents can input their child's information for story personalization
  • Parents maintain full control over their child's data at all times
  • Children cannot directly create accounts or provide personal information

3.2 Limited Data Collection

  • We collect only the minimum information necessary for story personalization
  • No behavioral tracking or profiling of children
  • No third-party advertising or marketing to children
  • No sharing of children's information with third parties for commercial purposes

3.3 Parental Rights

Parents have the right to:

  • Review all information we have collected about their child
  • Request deletion of their child's information
  • Refuse further collection or use of their child's information
  • Contact us with questions about our children's privacy practices

4. Data Storage and Security

4.1 Security Measures

We implement industry-standard security measures:

  • Encryption of data in transit and at rest
  • Secure authentication and access controls
  • Regular security audits and updates
  • Limited employee access on a need-to-know basis
  • Secure hosting infrastructure with Fly.io

4.2 Data Location

Your data is stored:

  • Application Data: Hosted on Fly.io servers with PostgreSQL database
  • Files (Images/Audio): Stored securely on Tigris object storage
  • Geographic Location: Servers located in data centers with appropriate security certifications

5. Third-Party Services

We work with trusted third-party services to deliver our features:

OpenAI

Processes story prompts to generate personalized content, images, and audio. Subject to OpenAI's privacy policy and data processing terms.

Tigris Storage

Securely stores generated images and audio files. Data is encrypted and access-controlled.

LemonSqueezy

Processes subscription payments and billing. We do not store your payment information - it's handled entirely by LemonSqueezy's secure systems.

LogSnag

Provides analytics and monitoring for service improvement. Only aggregated, non-personal data is shared.

We carefully vet all third-party services and ensure they meet our privacy and security standards. We do not share personal information with third parties for their own marketing purposes.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share information only in these limited circumstances:

  • Community Library: All created stories are automatically shared in our public community library
  • Service Providers: With trusted third parties who help us operate our service (as described above)
  • Legal Requirements: When required by law, court order, or to protect rights and safety
  • Business Transfer: In the event of a merger or acquisition (with continued privacy protections)

7. Community Features

All stories you create are automatically shared in our community library:

  • All generated stories become publicly viewable to other users by default
  • Your child's first name will appear in shared stories
  • Other personal information is never shared publicly

Important: By creating stories on Tinytales, you consent to sharing them in our community library. This helps other families discover wonderful stories and builds our collaborative storytelling community.

8. Your Rights and Choices

8.1 Access and Control

You have the right to:

  • Access all personal information we hold about you and your child
  • Correct or update any inaccurate information
  • Delete your account and all associated data
  • Restrict or object to certain processing activities

8.2 Account Settings

Through your account settings, you can:

  • Update your email address and account preferences
  • Manage your subscription and billing information

8.3 Communication Preferences

You can opt out of non-essential communications at any time. We will always send important service updates and security notifications.

9. Data Retention

We retain your information only as long as necessary:

  • Active Accounts: Data is retained while your account is active
  • Inactive Accounts: We may delete accounts inactive for over 2 years
  • Account Deletion: Most data is deleted immediately upon account deletion
  • Legal Requirements: Some data may be retained longer for legal compliance
  • Backups: Data in backups is deleted according to our backup retention schedule

If you request account deletion, we will delete your personal information within 30 days, except where longer retention is required by law.

10. International Data Transfers

Tinytales operates internationally, and your data may be transferred to and processed in countries other than your own. When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Transfers within the EU/EEA are considered adequate
  • Transfers outside the EU/EEA use appropriate safeguards such as Standard Contractual Clauses
  • All third-party services we use provide appropriate data protection guarantees
  • We regularly review and update our international transfer mechanisms

11. Updates to This Policy

We may update this Privacy Policy from time to time. When we do:

  • We will update the "Last updated" date at the top of this policy
  • We will notify you of significant changes via email or in-app notification
  • We will never reduce your privacy rights without your explicit consent
  • You can review the current policy at any time on our website

Continued use of our service after policy updates constitutes acceptance of the new terms.

12. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on:

  • Contract Performance: Processing necessary to provide our service to you
  • Legitimate Interest: Improving our service and ensuring security
  • Legal Obligation: Complying with applicable laws and regulations
  • Consent: For children's data and certain marketing communications

13. Contact Information

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

Website: https://tinytales.io

Twitter: https://twitter.com/codestirring

For GDPR requests: If you are in the EU and wish to exercise your data protection rights, please contact us via Twitter with "GDPR Request" in your message.

Our Commitment

At Tinytales, protecting your privacy and your child's privacy is fundamental to everything we do. We are committed to transparency, security, and giving you full control over your personal information. Thank you for trusting us with your family's storytelling journey.