Privacy Policy

1. What Data We Collect

We collect the following categories of information when you use NightTale:

• Account information: Your email address and password (stored as a secure hash — we never see your password in plain text).
• Child profile data:Names, ages, and optional physical appearance descriptions (e.g. "brown curly hair, big smile") for each child you add. This is the core personalisation data that makes stories feel real to your family.
• Story content: The story episodes we generate for your family, including text, illustrations, and audio narration.
• Story preferences: Genre selections, tone preferences, episode prompts, and series memory — the creative context your family builds over time.
• Usage data: Features used, pages visited, generation timestamps, and credit usage. Used to improve the product and detect abuse.
• Payment information: Billing is handled by Stripe. We store your Stripe customer ID and subscription status. We do not store your full card number, CVV, or bank details — Stripe holds those under PCI DSS compliance.

2. How We Use Your Data

We use the data we collect to:

• Generate personalised story episodes for your family.
• Maintain series continuity — remembering characters, world details, and story history across episodes.
• Process payments and manage your subscription through Stripe.
• Send transactional emails (account verification, password resets, billing receipts). We do not send marketing emails without your explicit consent.
• Monitor for content safety issues and enforce our Terms of Service.
• Improve generation quality using anonymised, de-identified data (see Section 4).
• Respond to support requests and account queries.

We do not use your data for advertising, do not build behavioural profiles for marketing purposes, and do not sell your data.

3. Children's Data

NightTale is designed for parents. We do not knowingly collect data directly from children, and children should not create accounts or interact with the service independently. All child profile information — names, ages, and appearance — is provided by a parent or guardian on behalf of their child.

Children's data is used solely for the purpose of personalising story content within your family account. We do not share children's names, ages, or appearance data with any third party except as strictly necessary to generate stories (see Section 4). We do not use children's data for AI model training, advertising, analytics, or any purpose beyond story personalisation.

If you believe a child has provided personal information to NightTale without parental consent, please contact us at hello@nighttale.app and we will delete that information promptly.

4. AI Processing

Story generation relies on three third-party AI services. We send them the minimum information needed to produce each story:

• Anthropic (Claude):Receives story prompts including children's first names, ages, genre, tone, and series memory context to generate story text. Anthropic processes this data under its API terms and does not use API inputs to train its models.
• fal.ai (FLUX.2 image generation):Receives image description prompts derived from story text. These prompts describe scenes and characters but are written to avoid including children's real names or directly identifying information. fal.ai processes requests under its API terms.
• ElevenLabs: Receives story text for text-to-speech narration. Audio is generated per episode and stored in your family account. ElevenLabs processes this data under its API terms.

We do not send children's appearance descriptions or any sensitive personal data to image generation services beyond what is required to produce a story scene.

5. Data Storage

Your data is stored in Supabase, a managed database platform hosted on Amazon Web Services (AWS). All data is encrypted at rest and in transit using industry-standard TLS encryption. Generated story images and audio files are stored in Supabase Storage (also on AWS).

NightTale is hosted on Vercel, which processes web requests on its edge network. Vercel may temporarily log request metadata (IP address, browser type) for security and performance purposes, consistent with its privacy policy.

We are based in Hong Kong. By using NightTale, you acknowledge that your data may be processed and stored on servers located in the United States or other jurisdictions where our infrastructure providers operate.

6. Data Sharing

We do not sell your personal data. We do not share your data with advertisers, data brokers, or analytics companies. We share data only with the following service providers, and only to the extent necessary to operate the platform:

• Anthropic — story text generation (API)
• fal.ai — story image generation (API)
• ElevenLabs — story audio narration (API)
• Stripe — payment processing and subscription management
• Supabase — database, authentication, and file storage
• Vercel — web hosting and request routing

We may disclose data if required to do so by law, court order, or to protect the rights, safety, or property of NightTale, our users, or the public.

7. Data Retention

We retain your account data for as long as your account is active. If you request account deletion, we will permanently delete your family profile, child profiles, story series, episodes, and all associated content within 30 days of receiving your request.

Anonymised, aggregated data that cannot be re-associated with your identity may be retained for product improvement purposes. Stripe will retain payment transaction records as required by applicable financial regulations, independently of our deletion process.

8. Cookies

NightTale uses cookies only for authentication session management. When you sign in, a secure, httpOnly session cookie is set to keep you logged in across page loads. This cookie contains no personal information beyond an encrypted session token.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies. We do not use Google Analytics, Meta Pixel, or similar tracking technologies. If you clear your browser cookies, you will be signed out and will need to log in again.

9. Your Rights

You have the right to:

• Access your data: Request a copy of the personal data we hold about you and your family.
• Correct your data: Update or correct inaccurate information directly in your account settings, or by contacting us.
• Delete your data: Request deletion of your account and all associated personal data. We will complete this within 30 days.
• Withdraw consent: Where processing is based on your consent (such as AI-assisted personalisation), you may withdraw consent by deleting your account.
• Data portability: Request an export of your story content in a portable format (PDF).

To exercise any of these rights, contact us at hello@nighttale.app. We will respond within 30 days.

10. COPPA Compliance

NightTale complies with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information directly from children under 13. All information about children is collected from their parent or guardian, who creates and controls the family account.

Parents have full control over their children's data through their account settings. You can review, update, or delete any child profile at any time. If you wish to remove all data related to a child, you may delete that child's profile within the app or submit a full account deletion request.

We do not require children to provide personal information as a condition of using any game, prize, or activity. Children's data is used only for generating their personalised stories and is never shared for commercial or marketing purposes.

If you have questions or concerns about our COPPA practices, contact us at hello@nighttale.app.