1. Introduction
Welcome to story4today ("we", "our", "us"). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service, in compliance with the General Data Protection Regulation (GDPR) and other applicable EU data protection laws.
Data Controller: story4today
Contact: privacy@story4today.com
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, name, password (encrypted)
- Profile Information: Child profiles including name, age, reading preferences, interests, and optional avatar
- Profile Photos: Optional photos you upload for personalized story illustrations (see Section 4.1 for details)
- Payment Information: Processed securely through Stripe (we do not store full card details)
- User-Generated Content: Reading progress, story preferences, comprehension results
2.2 Automatically Collected Information
- Usage Data: Pages visited, features used, time spent, reading sessions
- Device Information: IP address, browser type, device type, operating system
- Cookies: Essential cookies for authentication and preferences (see Cookie Policy)
3. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Contractual Necessity: To provide our services and fulfill our agreement with you
- Consent: For optional features like marketing communications (you may withdraw at any time)
- Legitimate Interests: To improve our service, prevent fraud, and ensure security
- Legal Obligation: To comply with applicable laws and regulations
4. How We Use Your Information
- Generate personalized AI stories based on reading level and preferences
- Track reading progress and provide comprehension assessments
- Process payments and manage subscriptions
- Send service-related notifications (account updates, subscription status)
- Improve our service through analytics and user feedback
- Ensure security and prevent fraud
- Comply with legal obligations
4.1 Profile Photo Processing
When you choose to upload profile photos, we use them to create personalized story illustrations. This process involves:
- Third-Party AI Services: We use external AI services (including Google Imagen API) to generate custom illustrations that may incorporate uploaded photos
- Purpose Limitation: Photos are used solely for generating personalized story illustrations for your profiles
- Explicit Consent: Before you upload any photos, we require your explicit consent, which you provide by checking the consent box
- Your Control: You can delete uploaded photos at any time through your profile settings
- Data Minimization: Only photos of profiles included in specific stories are sent to AI services for illustration generation
- No Public Sharing: Uploaded photos are never shared publicly or used for purposes other than your personalized stories
Important: By uploading photos, you acknowledge that they will be processed by third-party AI services as described above. These services operate under their own privacy policies and data protection agreements with us. We ensure all third-party processors comply with GDPR and implement appropriate technical and organizational measures to protect your data.
5. Data Sharing and Disclosure
We do not sell your personal data. We may share data with:
- AI Service Providers: OpenAI (story generation), Google Cloud (Imagen API for illustration generation with uploaded photos)
- Payment Processors: Stripe (payments)
- Infrastructure Providers: Hosting providers, database services
- Legal Requirements: When required by law or to protect our rights
- Business Transfers: In the event of a merger, acquisition, or sale of assets
All third-party processors are GDPR-compliant and bound by data processing agreements that include appropriate technical and organizational measures to protect your data.
6. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for countries with equivalent data protection
- Privacy Shield certification (where applicable)
7. Your Rights Under GDPR
You have the following rights:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data
- Right to Restriction: Limit how we use your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for optional processing
To exercise these rights, contact us at privacy@story4today.com. We will respond within 30 days.
8. Children's Privacy
Our service is intended for use by parents/guardians to create reading profiles for children. We do not knowingly collect personal data directly from children under 16 without parental consent. Parents/guardians control all child profile information and can delete it at any time.
Child profiles may include: name, age, reading level, interests, and reading progress. This information is used solely to personalize stories and track reading development.
9. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy:
- Active Accounts: Data retained while your account is active
- Inactive Accounts: Deleted after 24 months of inactivity (with prior notice)
- Legal Requirements: Some data may be retained longer to comply with legal obligations
- Deleted Accounts: Data permanently deleted within 30 days of account deletion request
10. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure password hashing (bcrypt)
- Regular security audits and updates
- Access controls and authentication
- Secure cloud infrastructure (EU-based servers where possible)
11. Cookies and Tracking
We use essential cookies for authentication and user preferences. For detailed information, please see our Cookie Policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through a prominent notice on our service. Your continued use after changes indicates acceptance of the updated policy.
13. Supervisory Authority
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority in the EU.
14. Contact Us
For any questions about this Privacy Policy or to exercise your rights, contact us:
Email: privacy@story4today.com
Subject: GDPR Rights Request / Privacy Inquiry