Storyori

Privacy Policy

Last updated: April 2026

Children's Privacy (COPPA)

Storyori is designed to be used by parents and guardians on behalf of their children. We comply with the Children's Online Privacy Protection Act (COPPA) and require verifiable parental consent before collecting any information related to a child under 13.

  • We collect only the minimum information needed to provide the service.
  • A child's first name is only shared with AI services if the parent explicitly opts in to name sharing.
  • We do not use children's personal information to train, develop, or improve artificial intelligence or machine learning models, nor do we permit our third-party service providers to do so.
  • If a parent does not provide consent, we will not collect any personal information from the child and the child will not be able to use the service.
  • Parents can review, modify, or delete their child's data at any time from the Settings page.
  • Parents may refuse to permit any further collection or use of their child's information.
  • Parents can withdraw consent at any time, which will trigger deletion of all associated child data.

What We Collect

  • Account information: Parent's email address for authentication (collected via Clerk, our authentication provider, using Google sign-in).
  • Child profiles: First name, birthday (optional), reading level, and content preferences, entered by the parent.
  • Stories and characters: Story content, character profiles, and associated images created within the app.
  • Payment information: Subscription and billing details are collected and processed by Stripe. We do not store credit card numbers.

How We Collect Information

  • Directly from parents: Account registration, child profile creation, story preferences, and content settings are entered by the parent.
  • Through app usage: Stories, characters, and images are generated as the child uses the app.
  • From authentication providers: Email address and basic profile information via Clerk using Google OAuth.
  • Automatically: Session identifiers and cookies necessary for authentication and app functionality. We do not use tracking cookies or third-party analytics cookies.

How We Use Information

We use collected information solely to provide the Storyori service as described below:

  • To generate personalized stories and characters based on the child's age, reading level, and preferences.
  • To generate illustrations for stories and character portraits.
  • To manage the parent's account and subscription.
  • To enforce content safety settings configured by the parent.

Third-Party Services

Storyori relies on third-party services to function. These services are integral to delivering the core features of the app. Below is a complete list of third-party providers, what data is shared with each, and why.

AI and Content Generation

  • Amazon Web Services (AWS) Bedrock — Mistral AI models: Story text generation and character creation. Receives story prompts containing the child's age range, reading level, and content preferences. If name sharing is enabled by the parent, the child's first name may also be included. Data sent to this service is not used for model training or development.
  • Google Cloud Vertex AI — Gemini models: Story illustration and character image generation. Receives image prompts containing character descriptions, scene descriptions, and reference images. If a parent uploads a photo for character creation, the photo is sent to this service. Character names are anonymized before being sent. Data sent to this service is not used for model training or development.

Infrastructure and Storage

  • Amazon Web Services (AWS) — DynamoDB and S3: All application data (child profiles, stories, characters, and images) is stored on AWS infrastructure. Data is encrypted at rest.

Hosting

  • Railway: Application hosting. Receives and processes HTTP requests, which may include IP addresses and request metadata. Does not receive or store children's personal information beyond what is necessary to route requests.

Authentication and Payments

  • Clerk: Handles parent account authentication and session management. Receives the parent's email address via Google OAuth sign-in.
  • Stripe: Processes subscription payments. Receives the parent's payment details (credit/debit card information). We do not store card numbers on our servers.

All third-party providers listed above are integral to the operation of Storyori. The app cannot function without these services. We do not share children's personal information with any third party for advertising, marketing, or any purpose unrelated to providing the service.

Cookies and Session Identifiers

Storyori uses cookies and session identifiers strictly for authentication and core app functionality. These include:

  • Authentication cookies: Managed by Clerk to maintain your login session.
  • Session identifiers: Used to associate requests with your account while using the app.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Persistent identifiers (authentication cookies and session identifiers) are used solely for the internal operation of maintaining your authenticated session. These identifiers are not used to contact a specific individual, build a profile for behavioral advertising, or track children across websites or services.

Data Retention

We retain data only as long as necessary to provide the service. Below are the specific retention periods for each category of data:

  • Child profiles, stories, characters, and images: Retained for the duration of the active account to allow the child to continue reading their stories and using their characters. Deleted when the parent deletes the child's profile or the account.
  • AI prompts and responses: Not stored beyond the immediate request lifecycle. Prompts are sent to AI providers, a response is received, and neither is persisted on our servers.
  • Authentication data (parent email): Retained for the duration of the active account. Deleted when the account is deleted.
  • Payment information: Managed and retained by Stripe in accordance with their data retention policies. We do not store payment card details.
  • Server logs: Retained for up to 90 days for debugging and security purposes, then automatically deleted.

When a parent requests deletion of their child's data, we delete all associated data from our primary database and storage systems. Data is not retained indefinitely under any circumstances.

Parental Rights

As a parent or guardian, you have the right to:

  • Review all personal information collected about your child, including stories, characters, and images.
  • Toggle name sharing with AI services on or off at any time.
  • Delete individual child profiles and all associated data (stories, characters, and images).
  • Refuse further collection of your child's information.
  • Withdraw consent entirely and delete all account data.

To exercise any of these rights, visit the Settings page within the app.

Data Security

We maintain security measures designed to protect children's personal information from unauthorized access, use, or disclosure. Data stored on AWS is encrypted at rest. All data transmitted between the app and our servers, and between our servers and third-party providers, is encrypted in transit using TLS. No method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

Changes to This Policy

We may update this privacy policy from time to time. If we make material changes to how we collect, use, or share children's personal information, we will provide direct notice to parents before implementing the changes. Where material changes affect how previously collected personal information is used, we will obtain new parental consent before using the information in the materially different manner. We will also update the "Last updated" date at the top of this page.