Skip to main content

Privacy Policy

Last updated: April 28, 2026

Introduction

Welcome! At Bedtime Stories, we keep things simple when it comes to your family's privacy. This policy explains exactly what we need to create magical, personalized bedtime stories for your child.

The simple truth:We only need your child's age range (3-4, 5-6, 7-8, or 9-12 years) to create age-appropriate stories. Character names are completely optional. Everything else is just the technical stuff needed to run the service.

Who We Are (Data Controller)

Bedtime Storiesis a sole proprietorship registered with the Dutch Chamber of Commerce. For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), we are the data controller for personal data processed through the Service.

You can reach us about any data-protection matter — including access, correction, deletion, portability, restriction, or objection requests — at [email protected]. We respond to verified requests within 30 days. We are below the GDPR threshold for appointing a Data Protection Officer; the business owner handles all privacy queries directly.

Information We Collect

What We Actually Need

For Your Account:

  • Your email address (for login and account updates)
  • Payment information (securely handled by Stripe, we never see your card details)

For Your Stories:

  • Character names you choose (optional - can be any names, real or fictional)
  • Age range you select (required - 3-4, 5-6, 7-8, or 9-12 years for age-appropriate content)
  • Story preferences and settings you customize (optionally saved with character names and voices)

The Technical Stuff

Like any website, we automatically collect some technical information to keep things running smoothly:

  • Generated story content (text, audio, images) based on your preferences
  • Basic device info (to make sure the site works on your phone/computer)
  • Usage data (to fix bugs and improve the experience)
  • Cookies (to remember you're logged in)

How We Use Your Information

Here's exactly what we do with your information:

Story Creation

  • Create personalized stories with the character names you choose
  • Generate age-appropriate magical adventures based on your selected range
  • Save your favorite stories and access them anytime

Account Management

  • Manage your account and subscription
  • Process payments securely
  • Send important account updates

AI Processing Note: Story text is generated using Anthropic Claude for creating personalized narratives. Story images are created through OpenAI using only story-related prompts. Text-to-speech conversion is handled by ElevenLabs for catalog voices and a specialized AI partner for custom voice cloning. AI content safety is monitored through Helicone (Llama Guard). Our backend services running on Hetzner European servers coordinate these AI services and store the final content in Supabase. We ensure all AI partners maintain strict data protection standards.

Bot Protection: We use Cloudflare for DNS and Turnstile captcha protection to protect against automated abuse and ensure platform security. Turnstile processes technical information (IP address, browser signals, TLS fingerprint) to distinguish humans from bots. This data is processed by Cloudflare Inc. (US) under their privacy policy. Turnstile does not use traditional cookies and collects minimal data solely for security purposes.

Analytics & Cookies: We use PostHog (European data region) for analytics and product improvement. PostHog uses cookies and local storage to track user sessions, feature usage, and platform performance. You can manage your cookie preferences and opt out of analytics tracking at any time. PostHog data is processed under their privacy policy with GDPR-compliant safeguards. For more details, see our Cookie Policy.

Error Monitoring: We use Sentry to detect and fix technical issues. Sentry does not use cookies and we have disabled personal data collection.

Email Communications: Transactional emails (account confirmations, password resets, story-ready notifications) are sent via Resend. If you separately subscribe to our roadmap newsletter, you will also receive occasional product-update emails; every newsletter contains a one-click unsubscribe link.

Lawful Basis for Processing

Under GDPR Article 6 (and Article 9 for special-category data) we rely on the following lawful bases:

  • Performance of a contract (Art. 6(1)(b)): account creation, authentication, story generation and delivery, payment processing, customer support, and story-ready notifications.
  • Legal obligation (Art. 6(1)(c)): retention of invoice and payment records for 7 years under Dutch tax law.
  • Legitimate interests(Art. 6(1)(f)): bot protection (Cloudflare Turnstile), error monitoring (Sentry), prompt-safety logging (to detect abuse and prevent generation of illegal content), and securing our infrastructure. You have a right to object to processing carried out on this basis (see "Your Privacy Rights" below).
  • Consent (Art. 6(1)(a)): optional analytics via PostHog and the product-update newsletter. You can withdraw consent at any time using the Cookie Settings link in the footer or the unsubscribe link in any email.
  • Explicit consent for biometric data (Art. 9(2)(a)): processing your voice recording to generate a custom AI voice. Consent is captured before recording and can be withdrawn at any time by deleting the voice from your dashboard.

Children's Privacy & Parental Consent

Important - Parents & Guardians Only

Our service is designed exclusively for parents and guardians. Children under 13 should not create accounts or provide personal information directly. Only parents or legal guardians should sign up and use this service on behalf of their children.

No Direct Collection from Children: We do not knowingly collect personal information directly from children under 13. All child-related information (names, age ranges) is provided by parents through their adult accounts.

Parental Consent & Control:By creating an account and providing your child's information, you (as the parent/guardian) are giving consent for us to use that information to create personalized stories. You maintain complete control and can review, modify, or delete your child's data at any time.

Compliance with Children's Privacy Laws

We comply with children's privacy regulations including:

  • COPPA (US):Children's Online Privacy Protection Act
  • GDPR Article 8 (EU):Special protection for children's data
  • International Standards: Age-appropriate data protection globally

If we discover we have received personal information directly from a child without proper parental consent, we will delete it immediately.

Story Personalization

Here's the simple truth:We only use the character names and age ranges you choose to create personalized stories. That's it!

  • Only you decide what names to use for story characters
  • You choose the age range for appropriate content
  • You control everything and can delete data anytime
  • No advertising, no profiling, no selling of personal data — optional analytics only with your consent, and a separate product-update newsletter you can unsubscribe from at any time

Custom Voice Recording

You can optionally record your own voice to narrate bedtime stories. This feature uses AI voice cloning technology provided by a specialized third-party AI provider. Here is exactly how your voice data is handled:

How It Works

  • You record a short voice sample (5-15 seconds) through your browser's microphone
  • Your recording is temporarily uploaded to our secure servers for processing
  • We send the processed audio to our AI voice partner, who creates a voice clone that can generate speech in your voice
  • Your original recording is deleted immediately after processing - we do not retain raw voice audio on our infrastructure
  • Only the voice clone (hosted by our AI voice partner) is retained for generating story narration

Data Controller & Processor

We (Bedtime Stories) are the Data Controller for your voice data. Our AI voice technology partner acts as our Data Processor, processing your voice data solely on our instructions under a Data Processing Agreement. Our AI partner does not use your voice data for their own purposes.

Lawful Basis & Consent

Voice data is biometric data under GDPR Article 9. We process it based on your explicit consent (GDPR Article 9(2)(a)), which you provide before recording by checking the consent box. You can withdraw consent at any time by deleting your voice from your dashboard or deleting your account.

Training Opt-Out

We have opted out of allowing our AI voice partner to use your voice data for model training. Your voice recordings and clones are used exclusively for generating story narration within our service.

Voice Data Retention & Deletion

  • Raw recordings: Deleted immediately after processing (typically within seconds)
  • Voice clone: Hosted by our AI voice partner for as long as you keep the voice active in your account
  • On voice deletion: We instruct our AI voice partner to delete the voice clone immediately. They may take up to 30 days to fully purge the data from their systems.
  • On account deletion: All voice clones are automatically queued for deletion from our AI voice partner as part of our account cleanup process

Your Voice Data Rights

  • Delete any custom voice at any time from your dashboard
  • You can have a maximum of 6 custom voices at a time
  • Re-recording is quick (5-15 seconds) if you ever need to create a new voice
  • Custom voice stories are currently not shareable publicly

Data Storage & Protection

European Data Residency

Your data is stored primarily on European servers through Supabase's European data region, ensuring GDPR compliance and strong data protection standards. This includes our database, object storage, and authentication systems.

Security & Compliance

We implement enterprise-grade security measures including encryption, access controls, and regular security audits. For detailed technical security information, please see our comprehensive Security Policy.

Service Providers

We work with trusted partners who maintain strict data protection standards:

European Services:
  • Supabase (database, storage)
  • PostHog (analytics)
  • Hetzner (backend hosting)
Global Services:
  • Vercel (frontend hosting)
  • Anthropic Claude (story generation)
  • ElevenLabs (catalog voice generation)
  • Specialized AI partner (custom voice cloning)
  • Google/Apple (optional login)

All partners maintain GDPR-equivalent protection standards through data processing agreements and appropriate safeguards.

International Data Transfers

Most of your personal data stays in the European Economic Area (Supabase Frankfurt, Hetzner Germany, PostHog EU). However, some processors are based outside the EEA — primarily in the United States — including:

  • Anthropic (story text generation) — United States
  • OpenAI (story illustrations) — United States
  • ElevenLabs (catalog voice synthesis) — United States
  • Custom voice partner (custom voice cloning) — United States
  • Vercel (frontend edge hosting) — United States, with global edge caching
  • Cloudflare (DNS, DDoS, Turnstile) — United States, with global edge presence
  • Stripe (payment processing) — Stripe Payments Europe (Ireland) with onward transfers to Stripe Inc. (United States)

Where personal data leaves the EEA, we rely on one or more of the following safeguards under Chapter V of the GDPR:

  • The EU-US Data Privacy Framework for certified US recipients (Article 45 adequacy decision).
  • Standard Contractual Clauses (2021/914/EU) with supplementary technical and organisational measures (Article 46(2)(c)).
  • Your explicit consent for specific transfers where we cannot rely on the safeguards above (Article 49(1)(a)).

A copy of the relevant transfer mechanism for any specific processor is available on request at [email protected].

Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share limited data only in these circumstances:

  • Service Providers: Trusted partners who help operate our service (hosting, payment processing, AI services) under strict data protection agreements
  • Legal Requirements: When required by law, court order, or to protect rights and safety
  • Business Transfers: In the event of a merger or acquisition, with equivalent privacy protection guarantees
  • Parental Consent: When explicitly authorized by parents and guardians

Your Privacy Rights & Data Control

You're in Complete Control

You can delete your stories or entire account anytime directly from your account settings. When you delete data, it's removed from our systems within 30 days. No need to contact us - you're in complete control!

Your Rights Under GDPR

  • Access (Art. 15): request a copy of the personal data we hold about you.
  • Rectification (Art. 16): correct inaccurate or incomplete data.
  • Erasure / "Right to be forgotten" (Art. 17): delete your account and the personal data tied to it. Available directly from your dashboard.
  • Restriction of processing (Art. 18): ask us to pause processing while we resolve a dispute about accuracy or lawful basis.
  • Data portability (Art. 20): export your stories and account data in a machine-readable format.
  • Objection (Art. 21): object to any processing we carry out on the basis of legitimate interests, including bot-protection and prompt-safety logging.
  • Withdraw consent (Art. 7(3)): turn off optional analytics, unsubscribe from the newsletter, or delete your custom voice — without affecting the lawfulness of processing carried out before you withdrew.
  • Lodge a complaint (Art. 77): if you believe we are mishandling your data, you have the right to complain to a supervisory authority. Our lead authority is the Dutch Autoriteit Persoonsgegevens.

To exercise any of these rights, email [email protected]. We may ask for proof of identity to prevent unauthorised disclosure. We respond within 30 days.

Data Retention

  • Account profile and stories: until you delete them. Account deletion removes them within 30 days, excluding encrypted backups which roll off within a further 30 days.
  • Custom voice clones: until you delete the voice or your account; our voice partner takes up to 30 days to fully purge their copy.
  • Payment and invoice records: 7 years (Dutch tax law).
  • Analytics events: aggregated and anonymised after 2 years.
  • Prompt-safety and abuse logs: 90 days, longer if linked to an active investigation.
  • Security and audit logs: 365 days.

Policy Changes

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service features. When we make material changes:

  • We'll notify you via email at least 30 days before changes take effect
  • We'll update the "Last updated" date at the top of this policy
  • For changes affecting story content or personalization, we'll provide clear notification
  • You can review the current version at bedtime-stories.fun/privacy

Get in Touch

Have privacy questions or concerns? I'm here to help!

Related: Security Policy | Cookie Policy

This policy is effective as of the date listed above and applies to all users of Bedtime Stories.

Privacy Policy for Bedtime Stories, the leading AI-powered personalized children's story platform. Key privacy highlights: COPPA and GDPR compliant, European data residency (Frankfurt, Germany), only child's first name collected for personalization (optional), no tracking of children. Parents maintain complete control over all data and can delete anytime. Payment handled securely by Stripe (we never see card details). AI processing: Anthropic Claude for stories, ElevenLabs for voices, OpenAI for images. All AI partners maintain strict data protection standards. No selling of personal information. Analytics opt-in only (PostHog EU).