Privacy Policy

Last updated:

Draft notice: this page was drafted to ship with the marketing site launch and is pending legal review. Substantive changes may follow.

StoryTelly is built by parents, for parents. We collect the minimum data needed to deliver illustrated stories — and we treat your child's name with the care it deserves.

This Privacy Policy explains what we collect and how we use it. For your rights as a data subject — and how to exercise them — see our Privacy Rights page.

1. What we collect

When you create a StoryTelly account, we collect:

  • Email address. For account identification, password recovery, and (with your consent) product updates.
  • Password (hashed). Stored only in salted-bcrypt form. We never see your plaintext password.
  • Stories you generate. Story prompts, narrative text, and illustrations are stored in your account so you can reopen them.
  • Optional account metadata. Display name (if set), subscription tier, two-factor preference.

We do not collect: your child's real name (it stays on your device — see below), your location, your browsing history outside StoryTelly, contacts, or any third-party tracking identifiers.

2. Your child's name

Child names typed during story creation are tokenized client-side before any prompt leaves your device. The server receives only the tokenized form ([CHILD]). The plaintext name is encrypted and stored locally, keyed to your account.

When you read a story, the plaintext name is reinserted client-side. So your child sees their real name on the page; our servers never do.

Logout does not clear locally-stored names (so signing back in on the same device restores them across all your stories). Account deletion does clear them.
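The tokenization round trip described in this section, written out as an added JavaScript example (this is illustrative code, not StoryTelly's own implementation). Only the placeholder token `[CHILD]` comes from the policy; the function names, the whole-word matching rule, and the outbound leak check are assumptions made for the example.

```javascript
// Added example (not StoryTelly's own code): tokenize a child's name on the
// client before a prompt leaves the device, and reinsert it on read.
// The "[CHILD]" token is from the policy; everything else is assumed.

const TOKEN = "[CHILD]";

// Escape a user-supplied name so it is matched literally inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Replace every whole-word, case-insensitive occurrence of `name` in `text`
// with the placeholder. Unicode lookarounds are used instead of \b so that
// names with non-ASCII letters (e.g. "Zoë") still match at word edges.
function tokenize(text, name) {
  const trimmed = name.trim();
  if (!trimmed) return text;
  const re = new RegExp(
    `(?<![\\p{L}\\p{N}])${escapeRegExp(trimmed)}(?![\\p{L}\\p{N}])`,
    "giu"
  );
  return text.replace(re, TOKEN);
}

// Reinsert the plaintext name wherever the token appears. This runs only on
// the client, after the story text has come back from the server.
function detokenize(text, name) {
  return text.split(TOKEN).join(name);
}

// Conservative outbound check: does the payload still contain the name as a
// case-insensitive substring anywhere? (Substring, not whole-word, so that
// a name hidden inside another word is also caught.)
function leaksName(payload, name) {
  const trimmed = name.trim();
  if (!trimmed) return false;
  return new RegExp(escapeRegExp(trimmed), "iu").test(payload);
}

// Build the prompt that may leave the device: tokenize, then refuse to send
// if the plaintext name is still present in any form.
function prepareOutboundPrompt(promptText, name) {
  const tokenized = tokenize(promptText, name);
  if (leaksName(tokenized, name)) {
    throw new Error("refusing to send: plaintext child name still present");
  }
  return tokenized;
}

// Constructed sample input for a stand-alone run.
const samplePrompt = "A bedtime story about Mia and Mia's dog.";
const outbound = prepareOutboundPrompt(samplePrompt, "Mia");
// outbound is now "A bedtime story about [CHILD] and [CHILD]'s dog."
const storyFromServer = "Once upon a time, [CHILD] found a golden key.";
const rendered = detokenize(storyFromServer, "Mia");
// rendered is "Once upon a time, Mia found a golden key."
```

The leak check is deliberately stricter than the tokenizer: it matches substrings, so a name that also occurs inside an ordinary word (for example "Al" inside "always") will block the send rather than let it through. That is the safer failure mode for data that must never reach the server, at the cost of an occasional false positive that the user has to rephrase around.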

3. How we use your data

We use the data above to:

  • Provide the StoryTelly service (generate stories, store them in your account, deliver them across your devices).
  • Send transactional emails (password resets, two-factor codes, email verification).
  • Provide aggregate, anonymous analytics on site traffic via Cloudflare Web Analytics — cookieless and privacy-first; no individual user is identified.
  • Comply with legal obligations and respond to lawful requests for information.

We do not sell your data, share it with advertisers, or use it to train AI models on your private content.

4. How illustrations are created

Illustration prompts are sent to one of several leading AI image providers (OpenAI, Stability AI, Replicate, Google, fal.ai), depending on the style you choose. Every prompt is screened against OpenAI's moderation API before any image is generated.

Generated images are stored in our object storage (Cloudflare R2) and served to your browser via signed URLs with short expiry. Image-provider companies receive only the tokenized prompt — never your child's real name.

5. Data retention

We retain your account data for as long as your account is active. When you delete your account, your stories, illustrations, and personal data are removed within 30 days. Aggregate, anonymized usage statistics may be retained indefinitely.

Backups are retained for 30 days; restoring from backup is reserved for emergency recovery and would never reinstate a deleted account's data beyond that window.

6. Third-party processors

We use a small set of trusted third-party processors to deliver the service. Each processes data only as needed and under contractual confidentiality:

  • Render (US) — application hosting.
  • Neon (Frankfurt, EU) — database hosting for accounts + stories.
  • Cloudflare (US) — DNS, CDN, R2 image storage, and Web Analytics.
  • Resend (US) — transactional email delivery.
  • OpenAI / Anthropic / Stability / Replicate / Google / fal.ai — AI providers for story narrative + illustrations. Receive only tokenized prompts.
  • Stripe (US) — payment processing (when subscriptions launch). Card details are handled exclusively by Stripe; we do not store them.

7. Security

We follow industry-standard practices to protect your account: HTTPS everywhere, bcrypt-hashed passwords, JWT-based sessions with short expiry, two-factor authentication (optional), CSRF protection on every state-mutating endpoint, and a strict Content Security Policy on the marketing site.

No security system is perfect. If you suspect your account has been accessed without authorization, change your password immediately and email [email protected].

8. Cookies and similar technologies

The marketing site (mystorytelly.app) uses no cookies. Cloudflare Web Analytics is cookieless by design.

The application (the desktop app today; the web app when it launches at app.mystorytelly.app) uses a single session cookie to keep you signed in. This cookie contains a JWT and is HttpOnly, Secure, and SameSite=Lax. No third-party cookies, no advertising trackers.
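The session cookie attributes listed above, as an added JavaScript example that is not StoryTelly's code: one function emits a `Set-Cookie` value carrying HttpOnly, Secure and SameSite=Lax, and a second parses any `Set-Cookie` value and reports which of those attributes are missing, so the weak and the corrected configuration can be compared side by side. The cookie name `session`, the `Path=/` and the 15-minute `Max-Age` are assumptions for the example.

```javascript
// Added example (not StoryTelly's own code): emit the session cookie with the
// attributes the policy lists, and check a Set-Cookie header for them.
// Cookie name, Path and Max-Age are assumptions.

const COOKIE_NAME = "session";
const SESSION_MAX_AGE_SECONDS = 15 * 60; // assumed short-lived session

// Attributes the policy says the session cookie carries.
const REQUIRED_ATTRIBUTES = ["HttpOnly", "Secure", "SameSite=Lax"];

// Produce a Set-Cookie header value for a compact JWT (base64url segments
// joined by dots). Reject anything that is not cookie-value safe.
function buildSessionCookie(jwt) {
  if (!/^[A-Za-z0-9_.-]+$/.test(jwt)) {
    throw new Error("JWT contains characters not allowed in a cookie value");
  }
  return [
    `${COOKIE_NAME}=${jwt}`,
    "Path=/",
    `Max-Age=${SESSION_MAX_AGE_SECONDS}`,
    ...REQUIRED_ATTRIBUTES,
  ].join("; ");
}

// Parse a Set-Cookie header value into { name, value, attributes }, where
// attributes is a Map of lower-cased attribute name to value (or true for
// flag attributes such as Secure and HttpOnly).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attributes = new Map();
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    const v = i === -1 ? true : a.slice(i + 1);
    attributes.set(k, v);
  }
  return { name, value, attributes };
}

// Return the required attributes that are missing or set to the wrong value,
// as a comma-joined string ("" means the cookie is configured as described).
function missingSessionAttributes(header) {
  const { attributes } = parseSetCookie(header);
  const missing = [];
  if (!attributes.has("httponly")) missing.push("HttpOnly");
  if (!attributes.has("secure")) missing.push("Secure");
  const sameSite = attributes.get("samesite");
  if (typeof sameSite !== "string" || sameSite.toLowerCase() !== "lax") {
    missing.push("SameSite=Lax");
  }
  return missing.join(",");
}

// Constructed sample values for a stand-alone run.
const weakCookie = "session=abc123; Path=/";              // nothing protected
const goodCookie = buildSessionCookie("hdr.payload.sig"); // placeholder JWT
const weakReport = missingSessionAttributes(weakCookie);  // "HttpOnly,Secure,SameSite=Lax"
const goodReport = missingSessionAttributes(goodCookie);  // ""
```

A check like `missingSessionAttributes` belongs in an integration test against the real login response, so that a regression in the framework's cookie configuration (for instance a `Secure` flag dropped for a local-development profile and never restored) is caught before deployment rather than found in a pentest report.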

9. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email at least 30 days before they take effect. Continued use of the service after the effective date constitutes acceptance of the updated Policy.

10. Contact

Questions about this Policy? Email [email protected]. To exercise your data rights, see /privacy-rights.