Privacy Policy — Your Story Kiddo
Your Story Kiddo ("the App") is operated by Alte Limited ("we", "us", "our"), a New Zealand company.
Contact: Get in touch
Summary
Your Story Kiddo is a phonics learning app for children aged 5–7. Parents create and manage all accounts. We collect limited personal information to generate personalised stories and track reading progress. We do not serve ads, do not sell data, and do not allow children to interact with other users.
Key points:
- All data is entered and controlled by parents/guardians
- Child names and interests are sent to AI services to generate stories
- Data is stored and processed in the United States
- You can request deletion of all data at any time
1. Information We Collect
Information provided by parents
| Data | Purpose |
|---|---|
| Email address | Account creation and authentication |
| Password | Account security (stored as a hash, never in plain text) |
| Child's first name | Story personalisation — the child appears as a character |
| Friend first names (up to 3) | Story personalisation — friends appear as characters |
| Important people (family terms only) | Story personalisation — family members appear in stories |
| Child's interests (selected from a predefined list) | Story personalisation — topics are woven into stories |
| Books completed (selected from curriculum list) | Determining the child's current phonics level |
Information generated by the App
| Data | Purpose |
|---|---|
| Reading progress | Tracking which stories have been read and completed |
| Phonics concept mastery | Tracking which phonics concepts have been practised |
| Story history | Avoiding repetition in future story generation |
| Story content | Storing generated stories for re-reading |
Information collected automatically
| Data | Purpose |
|---|---|
| Firebase anonymous user ID | Identifying anonymous accounts |
| Firebase authenticated user ID | Linking data to parent accounts |
| Subscription status | Managing access to paid features |
| App crash data | Diagnosing and fixing technical issues |
We do not collect location data, device contacts, photos, browsing history, advertising identifiers, or any biometric data.
2. How We Use Information
We use the information collected solely for:
- Account management — Creating and authenticating parent accounts
- Story generation — Sending child personalisation data to our AI provider to generate phonics-appropriate stories (see Section 4)
- Progress tracking — Recording which stories have been read and which phonics concepts have been practised
- Subscription management — Processing and verifying subscription purchases
- App improvement — Diagnosing crashes and fixing bugs
We do not use any information for advertising, profiling, behavioural analytics, or any purpose unrelated to the App's educational function.
3. Third-Party Services
We share information with the following third-party services, each for a specific and limited purpose:
Google / Firebase (United States)
- What we share: Parent email, authentication credentials, all child profile data, story content, reading progress
- Why: Firebase provides our authentication, database, and cloud infrastructure
- Their policy: firebase.google.com/support/privacy
OpenRouter (United States)
- What we share: Child's first name, friend first names, interests, current phonics level, and teaching constraints (sounds and sight words)
- Why: OpenRouter routes our story generation requests to AI language models
- Data retention: We have opted out of prompt logging. OpenRouter does not store our prompts beyond the time needed to process each request.
- Their policy: openrouter.ai/privacy
Anthropic (United States)
- What we share: The same data sent to OpenRouter is forwarded to Anthropic's Claude language model for story generation
- Why: Claude generates the personalised phonics stories
- AI training: Anthropic does not train its models on data submitted through its API
- Their policy: anthropic.com/privacy
RevenueCat (United States)
- What we share: Anonymous user identifiers and subscription transaction data
- Why: RevenueCat manages subscription purchases and entitlements
- Note: RevenueCat interacts with the parent's account only, never with child profiles
- Their policy: revenuecat.com/privacy
We do not share data with any advertising networks, data brokers, social media platforms, or analytics services beyond those listed above.
4. AI Story Generation
This section explains how your child's information is used to generate personalised stories.
What happens when you tap "Generate Story"
- The App assembles a prompt containing:
- Your child's first name
- Friend first names (if provided)
- Selected interests
- Current phonics level (sounds, sight words, and patterns to use)
- Instructions to generate an age-appropriate, phonics-constrained story
- This prompt is sent over an encrypted connection (HTTPS) to OpenRouter
- OpenRouter forwards the prompt to Anthropic's Claude language model
- Claude generates a story and returns it to the App
- The story is saved to your account in Firebase for re-reading
Important details
- No prompt logging: We have configured OpenRouter to not log or store prompts
- No AI training: Anthropic does not use API-submitted data to train its models
- Content filtering: Generated stories are checked for age-appropriateness before display
- Phonics constraints: The AI is instructed to use only sounds and words appropriate to your child's current level
- Parent as user: The parent account is the entity interacting with AI services. Children do not directly access AI services.
5. International Data Transfers
Your data is transferred to and processed in the United States by the third-party services listed in Section 3. United States privacy protections may differ from those in New Zealand, the United Kingdom, or the European Union.
We rely on the following safeguards:
- Encrypted data transmission (TLS/HTTPS) for all transfers
- Contractual commitments from our service providers regarding data protection
- Limiting data shared to the minimum necessary for each service's function
By creating an account and using the App, you consent to the transfer of data to the United States as described in this policy. If you do not consent, please do not use the App.
6. Data Retention
| Data | Retention Period |
|---|---|
| Parent account data | Until account deletion is requested |
| Child profile data | Until the child profile or parent account is deleted |
| Generated stories | Until the child profile or parent account is deleted |
| Reading progress | Until the child profile or parent account is deleted |
| Anonymous account data | May be deleted after extended periods of inactivity |
| AI prompts (at OpenRouter) | Not retained (prompt logging disabled) |
| Subscription records | As required by Apple's and RevenueCat's retention policies |
When you delete a child profile, all associated stories, reading progress, and personalisation data for that child are permanently deleted from our systems. When you delete your parent account, all child profiles and associated data are permanently deleted.
7. Parental Rights and Controls
As a parent or guardian, you have the right to:
- Access all personal information we hold about you and your children
- Review the data used in story generation for each child profile
- Correct any inaccurate information by editing child profiles within the App
- Delete individual child profiles (and all associated data) from within the App
- Delete your account (and all associated child and story data) from within the App
- Withdraw consent for data collection at any time by deleting your account
- Refuse further collection by discontinuing use of the App
- Request a copy of your data by contacting us at the email address below
To exercise any of these rights, you may use the in-app settings or contact us. We will respond within 20 working days (as required by the NZ Privacy Act 2020).
8. Parental Consent
All child data in the App is entered by a parent or guardian. By creating a child profile, you confirm that:
- You are the parent or legal guardian of the child
- You consent to the collection and use of the child's information as described in this policy
- You consent to the child's personalisation data (name, friend names, interests) being sent to the AI services described in Section 4 for the purpose of generating stories
- You understand that data is transferred to the United States (Section 5)
You may withdraw consent at any time by deleting the child's profile or your account.
9. Data Security
We implement the following security measures:
- Encryption in transit: All data is transmitted over HTTPS/TLS
- Firebase Security Rules: Database access is restricted so parents can only access their own data and their children's data
- Authentication: Accounts are protected by Firebase Authentication
- No plain-text passwords: Passwords are hashed and managed by Firebase Authentication
- Access controls: Child data is isolated per parent account
No system is 100% secure. While we take reasonable measures to protect your information, we cannot guarantee absolute security. If we become aware of a data breach affecting your information, we will notify you as required by applicable law.
10. Anonymous Accounts
The App allows you to try it without creating a full account ("Guest Mode").
- Anonymous accounts are identified by a Firebase-generated anonymous user ID
- Anonymous accounts can create one child profile and generate up to 5 stories
- If you convert to a full account, all data from your anonymous session is preserved
- Anonymous account data may be deleted after extended periods of inactivity
- The same privacy protections apply to anonymous accounts as to full accounts
11. Children's Privacy Protections
Your Story Kiddo is designed for use by children aged 5–7 under parental supervision.
- Children do not create accounts. Only parents/guardians create and manage accounts.
- Children do not input data. All personal information (names, interests, books) is entered by the parent.
- No direct contact with children. We do not send emails, notifications, or messages to children.
- No child-to-child interaction. There are no social features, chat, or multiplayer elements.
- No behavioural tracking. We do not track, profile, or analyse children's behaviour for any purpose beyond recording reading progress.
- Content safety. AI-generated stories are filtered for age-appropriateness.
12. What We Do NOT Do
- We do not sell personal information — ever
- We do not serve advertisements of any kind
- We do not share data with advertising networks or data brokers
- We do not track location
- We do not use nudge techniques or dark patterns
- We do not allow children to make information publicly available
- We do not use children's data for profiling or behavioural advertising
- We do not permit our AI providers to train models on data submitted through our App
- We do not collect more data than is necessary for the App's educational function
13. Changes to This Policy
If we make material changes to this privacy policy, we will:
- Update the "Last Updated" date at the top of this page
- Notify you via the email address associated with your account
- Display a notice within the App upon your next use
Material changes will not be applied retroactively. If changes affect how we handle children's data, we will seek renewed parental consent before implementing the changes.
14. Jurisdiction-Specific Rights
New Zealand
Under the Privacy Act 2020, you have the right to access and correct your personal information, and to complain to the Office of the Privacy Commissioner (privacy.org.nz) if you believe your privacy has been breached.
United States (COPPA)
We comply with the Children's Online Privacy Protection Act (COPPA). Parents may review, delete, or refuse further collection of their child's personal information at any time. Contact us to exercise these rights.
United Kingdom and European Union (GDPR)
If you are located in the UK or EU, you have additional rights including the right to data portability, the right to restrict processing, and the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK). Our lawful basis for processing children's data is parental consent (GDPR Article 6(1)(a) and Article 8).
Australia
Under the Australian Privacy Act 1988 and the Privacy (Australian Government Agencies — Governance) APP Code 2017, you have the right to access and correct your personal information, and to complain to the Office of the Australian Information Commissioner (oaic.gov.au).
15. Contact Us
If you have questions about this privacy policy, wish to exercise your rights, or have concerns about how we handle personal information:
We aim to respond to all enquiries within 20 working days.