Privacy Policy
Last updated: April 4, 2026
1. Who We Are
OnceUponMe (“we,” “us,” or “our”) operates the personalized children's story platform available at onceuponme.com (the “Service”). We create AI-powered illustrated stories and audio narration tailored to your child's name, age, and interests.
This Privacy Policy explains what information we collect, how we use and protect it, and the choices you have regarding your data. We are committed to protecting the privacy of both parents and children who use our Service.
2. Scope of This Policy
This Privacy Policy applies to all information collected through our website at onceuponme.com, any related mobile applications, APIs, and any other services we offer that link to this policy (collectively, the “Service”).
This policy does not apply to information collected by third parties, including through any application or content that may link to or be accessible from the Service. We encourage you to read the privacy policies of every website and service you visit or use.
3. Children's Privacy & COPPA Compliance
Because our Service creates stories for children, we take children's privacy extremely seriously. We comply fully with the Children's Online Privacy Protection Act (COPPA) and related regulations.
3.1 No Direct Collection from Children
Our Service is designed for use by parents and legal guardians. We do not knowingly collect personal information directly from children under 13 years of age. All accounts must be created and managed by a parent or legal guardian who is at least 18 years old.
3.2 Information About Children
When a parent creates a story, they may provide their child's first name, age range, and interests (e.g., “loves dinosaurs” or “enjoys painting”). This information is:
- Used solely to personalize the story content for that specific child.
- Never shared with third-party advertisers or data brokers.
- Never used for behavioral advertising or profiling of the child.
- Stored securely and associated only with the parent's account.
- Deletable at any time by the parent through their account settings or by contacting us.
3.3 Verifiable Parental Consent
By creating an account and providing information about a child, the parent or guardian provides verifiable parental consent for the limited collection and use of that information as described in this policy. Parents may at any time:
- Review the personal information we have collected about their child.
- Request deletion of their child's personal information.
- Refuse further collection or use of their child's information.
- Revoke consent previously given, which may result in deletion of associated stories.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
3.4 No Behavioral Advertising
We do not display behavioral advertising to any users. We do not track children's online activities across websites or services. We do not create profiles about children for marketing purposes.
3.5 COPPA Safe Harbor
We are committed to maintaining our compliance with COPPA and regularly review our practices to ensure they meet or exceed the requirements. If you believe we have inadvertently collected information from a child under 13 without proper parental consent, please contact us immediately and we will promptly delete such information.
4. Information We Collect
4.1 Information You Provide Directly
- Account information: Your name, email address, and password (or OAuth credentials) when you create an account.
- Profile information: Any additional details you add to your account, such as a profile picture or display name.
- Story details: Your child's first name, age range, interests, personality traits, and story preferences you provide when creating stories.
- Payment information: Billing name, address, and payment card details when you subscribe. Payment card information is processed directly by Stripe and is never stored on our servers.
- Communications: Information you provide when you contact us for support, submit feedback, or respond to surveys.
- Gift story information: Recipient child's name and details provided when purchasing a gift story.
4.2 Information Collected Automatically
- Device information: Browser type and version, operating system, device type, screen resolution, and language preferences.
- Log data: IP address, access times, pages viewed, referring URL, and the actions you take on our Service.
- Usage data: Features used, stories created, time spent on pages, and interaction patterns (collected only with your consent via analytics cookies).
- Cookies and similar technologies: As described in Section 9 below.
4.3 Information from Third Parties
- OAuth providers: If you sign in via Google, we receive your name, email address, and profile picture from Google.
- Payment processor: Stripe may provide us with limited transaction information such as payment status and subscription details (but never your full card number).
5. How We Use Your Information
We use the information we collect for the following purposes:
5.1 Providing and Improving the Service
- Generate personalized stories with illustrations and audio narration tailored to your child.
- Maintain and operate your account, including authentication and authorization.
- Process your subscriptions, payments, and any one-time purchases (story packs, gift stories).
- Provide customer support and respond to your inquiries.
- Analyze usage patterns (in aggregate) to improve our Service, fix bugs, and develop new features.
5.2 Safety and Security
- Moderate generated content to ensure child safety and appropriateness.
- Detect, prevent, and address fraud, abuse, and security issues.
- Enforce our Terms of Service and other policies.
- Protect the rights, property, and safety of our users and the public.
5.3 Communications
- Send you transactional emails (account verification, password resets, payment receipts, subscription updates).
- Send you service-related announcements (e.g., maintenance notices, security alerts).
- With your opt-in consent, send marketing communications about new features or promotions. You may opt out at any time.
5.4 Legal Compliance
- Comply with applicable laws, regulations, and legal processes.
- Respond to lawful requests from public and governmental authorities.
6. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data under the following lawful bases:
- Performance of a contract: Processing necessary to provide you with the Service you requested, including account management, story generation, and subscription processing.
- Consent: Where you have given explicit consent, such as for analytics cookies, marketing communications, and the collection of your child's information for story personalization. You may withdraw consent at any time.
- Legitimate interests: For fraud prevention, service security, debugging, improving our Service, and enforcing our terms, where these interests are not overridden by your data protection rights.
- Legal obligation: Where processing is necessary to comply with a legal obligation, such as tax reporting or responding to lawful government requests.
7. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties. We share your information only in the following circumstances:
7.1 Service Providers
We share information with trusted third-party service providers who assist us in operating our Service, as described in Section 8. These providers are contractually obligated to use your information only for the purposes of providing their services to us and to maintain appropriate security measures.
7.2 Legal Requirements
We may disclose your information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.
7.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service of any change in ownership or use of your personal information, as well as any choices you may have regarding your information.
7.4 Aggregated and De-identified Data
We may share aggregated or de-identified information that cannot reasonably be used to identify you. For example, we may share statistics about the number of stories created on our platform.
7.5 With Your Consent
We may share your information in other circumstances with your explicit consent.
8. Third-Party Services
We use the following third-party services to operate our platform:
- Google (OAuth): Provides authentication services. When you sign in with Google, we receive your name, email address, and profile picture. Google's use of your information is governed by Google's Privacy Policy.
- Stripe: Processes all payments and subscription billing. Stripe collects and processes your payment card information directly; we never see or store your full card number.
- Google Cloud Platform (Vertex AI): Powers our AI story generation, image illustration, and text-to-speech audio narration. Story prompts containing your child's first name and interests are sent to Google Cloud for processing. Google Cloud processes this data under our data processing agreement and does not use it for its own purposes.
- Cloudflare: Provides content delivery network (CDN) services, DDoS protection, and media storage (R2). Cloudflare may process your IP address and request metadata.
- Sentry: Provides error monitoring and performance tracking. Sentry may receive technical error data, but we configure it to exclude personally identifiable information.
- Resend: Handles transactional email delivery (e.g., account verification, password resets). Your email address is shared with Resend for the sole purpose of delivering emails on our behalf.
Each third-party service provider is selected for its strong privacy and security practices. We maintain data processing agreements with providers that handle personal information on our behalf.
10. Data Retention
10.1 Account and Story Data
We retain your account information and generated stories for as long as your account is active or as needed to provide you with the Service. If you cancel your subscription, your account and stories remain accessible in a read-only state unless you request deletion.
10.2 Account Deletion
You may request deletion of your account and all associated data at any time by contacting us at [email protected]. Upon receiving a verified deletion request, we will delete your personal information within 30 days, except where we are required to retain certain information for legal or legitimate business purposes (e.g., tax records, fraud prevention).
10.3 Log Data
Server logs containing IP addresses and request metadata are automatically purged after 90 days. Error logs in Sentry are retained for 90 days. Analytics data (if consent was given) is retained in aggregated form.
10.4 Payment Records
Transaction records are retained for a minimum of 7 years as required by applicable tax and financial regulations, even after account deletion. These records are stored securely and accessed only for compliance purposes.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS/SSL (HTTPS) on all connections.
- Encryption of sensitive data at rest in our databases.
- Regular security assessments and vulnerability scanning.
- Access controls limiting employee and contractor access to personal data on a need-to-know basis.
- Secure password hashing using industry-standard algorithms (bcrypt).
- DDoS protection and web application firewall through Cloudflare.
While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents. If we become aware of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law.
12. International Data Transfers
Our Service is operated from the United States. If you are accessing our Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.
For users in the EEA, UK, and Switzerland, we ensure that international transfers of personal data are protected by appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data processing agreements with all service providers that handle personal data.
- Adequacy decisions where applicable (e.g., transfers to countries deemed adequate by the European Commission).
You may request a copy of the safeguards we use for international transfers by contacting us.
13. Your Rights Under GDPR
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights regarding your personal data:
- Right of access: You have the right to request a copy of the personal data we hold about you.
- Right to rectification: You have the right to request correction of inaccurate personal data.
- Right to erasure (“right to be forgotten”): You have the right to request deletion of your personal data, subject to certain legal exceptions.
- Right to restrict processing: You have the right to request that we limit the processing of your personal data in certain circumstances.
- Right to data portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request. If you are exercising rights on behalf of your child, we may require verification of your parental relationship.
14. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You have the right to request details about the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to correct: You have the right to request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell or share your personal information as defined by the CCPA/CPRA. Therefore, there is no need to opt out.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Right to limit use of sensitive personal information: To the extent we process sensitive personal information (such as your child's name and characteristics), we use it only for the purposes of providing the Service as described in this policy.
To exercise your California privacy rights, contact us at [email protected] or write to us at the address in Section 17. We will verify your identity before processing your request and respond within 45 days.
15. Do Not Track Signals
Our Service responds to Do Not Track (DNT) browser signals. When we detect a DNT signal, we do not set analytics or non-essential cookies, and we do not track your activity across other websites or services. Note that since we do not engage in cross-site tracking, your experience on our Service is largely the same regardless of your DNT setting.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last updated” date at the top of this page.
- Notify you via email (using the email address associated with your account) at least 30 days before the changes take effect.
- Display a prominent notice on our Service.
Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you should stop using the Service and request deletion of your account.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, your personal data, or our privacy practices, please contact us:
- Email: [email protected]
- General support: [email protected]
We aim to respond to all privacy-related inquiries within 30 days. For COPPA-related concerns involving children's data, we will prioritize your request and respond as quickly as possible.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (for EEA/UK residents) or the Federal Trade Commission (for U.S. residents).
