Children's Privacy
Last updated: May 23, 2026
Our commitment
OnceUponMe is a platform operated by and for parents and legal guardians. Children do not create accounts. We take the protection of children's data extremely seriously and comply with COPPA (US), GDPR-K / Article 8 GDPR (EU/UK), PIPEDA (Canada), and equivalent regulations worldwide.
1. Who Uses OnceUponMe
All accounts on OnceUponMe are created and managed by parents and legal guardianswho are at least 18 years old. Children do not register, create accounts, or log in. The Service is designed so that the adult account-holder controls all data about their child.
If we learn that a child under 13 has independently created an account, we will immediately delete it and all associated data.
2. What Child Data We Collect
When a parent creates a story, they may provide their child's:
- First name (or nickname)
- Age range (e.g., toddler, preschool, early reader)
- Interests and personality traits (e.g., “loves dinosaurs”)
- Optionally: a photo to generate an avatar (uploaded by the parent)
This data is provided by the parent under parental consent and is linked exclusively to the parent's account. We do not collect children's email addresses, phone numbers, or location data.
3. How Child Data Is Used
Child data is used solely for story personalization — to tailor the story text, illustrations, and audio narration to that specific child. It is never:
- Shared with third-party advertisers or data brokers.
- Used for behavioral advertising or profiling of the child.
- Used to train AI models on identifiable child data.
- Used for any purpose unrelated to generating and improving the child's stories.
4. No Behavioral Advertising to Children
We do not display behavioral advertising to any user of OnceUponMe, and we never target children with any form of advertising. Any advertising cookies we use (with adult parental consent) are strictly for measuring the effectiveness of our own marketing to adults, not for targeting or profiling children.
We do not track children's online activities across other websites or services. We do not create profiles about children for any marketing purpose.
5. How Child Data Is Stored
Child data (name, age range, interests) is stored in our managed PostgreSQL database, encrypted at rest at the database and storage-provider level (standard managed-Postgres encryption and Cloudflare R2 server-side encryption). All data is transmitted over TLS/HTTPS. Story media files (images and audio) are stored in Cloudflare R2 with server-side encryption.
When generating a story, your child's first name and interests are sent to our AI providers (Anthropic Claude for text, Replicate/Google Vertex for images, ElevenLabs for audio) for processing. Each provider processes this data under a data processing agreement and does not use it for their own commercial purposes.
6. Parental Rights & Controls
As the account holder, parents have full control over their child's data. At any time, you can:
- Review all data stored about your child via your Account settings.
- Export your data (including child profiles and stories) using the “Export my data” feature in Account settings.
- Delete a child profile and all associated stories from Account settings at any time.
- Delete your entire account using the “Delete account” option in Account settings, which removes all data including child profiles within 30 days.
- Refuse further data use by contacting us — we will stop processing and delete the data.
For COPPA requests or to exercise rights under GDPR Art. 17 (erasure) or Art. 20 (portability) on behalf of your child, contact us at [email protected]. We will respond within 30 days (or 45 days for complex CCPA requests).
7. Retention
Child profile data and stories are retained for as long as the parent's account is active. If you delete a child profile, that data is removed within 30 days. If you close your account entirely, all child data is deleted within 30 days, except where retention is required by law (e.g., payment records for tax purposes).
8. Legal Basis (GDPR / GDPR-K)
Under GDPR, the legal basis for processing child data is parental consent(Article 6(1)(a)) provided by the parent when they create the child profile and confirm their parental or guardian status. For users in the EEA and UK, this satisfies Article 8 GDPR (conditions applicable to children's consent to information society services).
Parents may withdraw this consent at any time by deleting the child profile. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
9. Contact Us
For any questions about children's data handling, COPPA compliance, or to exercise your parental rights, please contact our Privacy team:
- Email: [email protected]
For the full picture of how we handle all personal data, please read our Privacy Policy.