Privacy Policy

1. Who we are

The Services are provided by Story Gliders Inc. (“we”, “us”, or “our”). For users in the EU/EEA and UK, we act as a data controller for personal information processed via the parent portal. Contact details are provided at the end of this policy.

2. What information we collect

• Parent account information: name, email address, authentication identifiers, preferences, and settings.
• Child profile information: nickname or first name, avatar/character choices, reading preferences, and progress indicators. We encourage parents to avoid entering full legal names. Names are encrypted at rest using AES-256-GCM with a per-row random initialisation vector and authentication tag. Real names are decrypted server-side only when they need to be returned to the authenticated parent for display, and a separate per-child privacy alias is used in their place for any AI prompts (see Section 9 for details).
• Usage and activity: interactions with stories, reading sessions, quiz results, comprehension, and word practice history.
• Audio/voice data: when your child uses speech features (such as read-aloud practice or pronunciation feedback), their voice is captured by the device microphone and streamed to our speech-processing provider (Microsoft Azure Speech Services) for real-time analysis. We do not store, save, or retain any audio recordings of your child’s voice. Audio is processed transiently — once the service returns results (such as word accuracy scores or recognised text), the audio data is discarded immediately. Only derived, non-audio results are kept (for example, pronunciation accuracy scores and word-level error classifications). See Section 12 for full details on how our speech provider handles data.
• AI-generated content: to create personalised stories, illustrations, and reading activities, we send limited child profile information (such as approximate age, interests, and character/place descriptions) to our AI content-generation providers (Anthropic and OpenAI). Real names are never sent to Anthropic or OpenAI. Before any prompt reaches the AI content generator, all names are replaced with privacy aliases (fictional stand-in names). The AI-generated story text is then re-tokenised so that the stored version contains only opaque entity tokens, and real names are inserted back only at display time on your device. For text-to-speech and pronunciation assessment, the child’s first name may appear in text sent to Microsoft Azure Speech Services so that stories are read aloud naturally and reading accuracy can be assessed correctly. Microsoft does not store this data after processing (see Section 12a). See Sections 9 and 12 for full details.
• Technical data: device and browser type, OS, language, and time zone for core functionality. We do not use analytics trackers or collect IP addresses for profiling.
• Support communications: messages and contact details when you reach out to us.

3. How we use information

• Provide, maintain, and improve the Services and personalise content for your child’s learning.
• Enable speech features (e.g., recognition, pronunciation feedback, and text-to-speech), using transient audio processing only.
• Generate personalised stories, characters, illustrations, and reading activities through AI services.
• Monitor service reliability and prevent abuse; we do not build behavioural profiles.
• Communicate with parents about features, updates, and support (you can manage preferences).
• Comply with legal obligations and enforce our terms and policies.

4. Legal bases (GDPR/UK GDPR)

Where GDPR/UK GDPR applies, we rely on the following legal bases:

• Performance of a contract: to provide the Services you request.
• Legitimate interests: to improve and secure the Services in a manner that respects privacy.
• Consent: for optional features where required.
• Legal obligation: to meet compliance and regulatory requirements.

5. Children’s privacy

Story Gliders is designed for families with parental oversight. A parent or legal guardian must create and manage every child profile. Children do not create accounts or provide information directly to us without parental involvement.

• Data minimisation: we collect only what is needed to deliver the reading experience. We encourage nicknames rather than full legal names and do not require a child’s date of birth (age is optional and approximate). Names are pseudonymised and encrypted at rest (see Section 9).
• No voice storage: audio from a child’s microphone is streamed for real-time processing and never recorded, saved, or persisted by Story Gliders. Only non-audio derivatives (e.g. pronunciation accuracy scores) are retained.
• No advertising or tracking: we do not serve ads, use analytics trackers, or build behavioural profiles of children.
• Name isolation from AI content generation: when generating stories, illustrations, quizzes, and other AI content, your child’s real name and character names are replaced with temporary privacy aliases before any data reaches our AI providers. Neither Anthropic nor OpenAI ever sees or processes real names. After generation, aliases are converted to opaque entity tokens for storage, and real names are re-inserted only at display time on your device.
• Story content and place names: story place names entered by parents are fictional story settings created for entertainment purposes. We recommend using invented, imaginative names (such as “Crystal Caves” or “Moonberry Island”) rather than real addresses, cities, or locations. Story content is stored with character names replaced by anonymous tokens — real child names and character names are never stored in plain text within story content.
• Names in speech services: for text-to-speech (reading stories aloud) and pronunciation assessment (evaluating how a child reads), your child’s first name may appear in text sent to Microsoft Azure Speech Services. This is necessary so the story is read aloud with the child’s name and so pronunciation scoring can match against the actual text being read. Microsoft does not store this data after processing and does not use it for model training (see Section 12a).
• No model training: child data is not used to train AI models. Our AI providers process requests under API terms that prohibit using customer data for model training.
• Parental controls: parents can view, edit, and delete a child’s profile and all associated data (stories, characters, places, reading history, and assessment results) at any time through the parent portal.
• COPPA (U.S.): for children under 13 in the United States, we obtain parental consent before collecting personal information. Consent is captured at signup (the account holder confirms in writing that they are the parent or legal guardian, in combination with an authenticated email address) and is upgraded to a credit-card verification when the parent starts a paid trial or subscription, in compliance with the Children’s Online Privacy Protection Act.
• Age-appropriate design (UK): we apply data protection by design principles consistent with the UK Age Appropriate Design Code (Children’s Code).

6. Sharing and disclosure

• Service providers: we use trusted processors to enable core features. A full list of our sub-processors appears in Section 12 below. They process data only under our instructions and appropriate safeguards.
• Parent-invited educators: you may invite a tutor, teacher, or speech-language pathologist to view your child’s name, reading progress, phonics levels, and practice activities. This sharing is initiated entirely by you and requires your explicit consent at the time of each invitation. The invited educator can only access data for the specific child you authorise. You can revoke access at any time from your account settings.
• Legal and safety: we may disclose information to comply with law, protect users, or respond to lawful requests.
• Business transfers: if we undergo a merger, acquisition, or asset sale, your information may transfer as part of that transaction, subject to this policy.
• No sales of personal information: we do not sell or “share” personal information for cross-context behavioural advertising as defined by CCPA/CPRA.

7. International transfers

We may process data in countries other than your own. Where required, we use appropriate safeguards for transfers, such as Standard Contractual Clauses (SCCs) for GDPR/UK GDPR. We implement technical and organisational measures to protect data irrespective of location.

8. Data retention

We retain personal information only as long as necessary to provide the Services. Specific retention practices:

• Voice/audio: never stored. Audio is processed in real time and discarded immediately. No recordings exist on our servers or in the app after processing.
• Pronunciation scores: word-level and phoneme-level accuracy results are kept in two places. (a) On the device in the browser’s local storage, for fast on-device progress views and offline access. (b) On our servers as part of the child’s profile, so progress is preserved across devices and after a browser cache clear. The server-stored paragraph text and story title used as reference for an assessment are encrypted at rest. We retain server-side assessments for the life of the child’s profile and prune to a rolling window of the most recent attempts per child; the local-storage copy is also pruned to a rolling window.
• Child profiles and content: stories, characters, places, and reading history are retained while the profile exists. When a parent deletes a child profile, all associated data is permanently removed.
• AI-generated content: stories and images generated by AI services are stored as part of the child’s profile. Story text is stored with opaque entity tokens instead of real names (see Section 9b), so the stored content is not directly identifiable. The prompts sent to AI providers are not stored by us after generation.

Parents may request deletion of child profiles and associated data at any time through the parent portal or by contacting us.

9. Security

We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, access controls, environment isolation, and least-privilege practices. No method of transmission or storage is 100% secure, but we continuously improve our controls. For a comprehensive overview of our security programme, including infrastructure, secure development, incident response, and responsible disclosure, see our Security page.

9a. Encryption of names and the AI privacy alias

To protect the identities of children, characters, and other entities, we apply a layered approach:

• Encryption at rest: child names, family or household names, interests, and gender are stored AES-256-GCM-encrypted (authenticated encryption with a 256-bit key) in the same row that holds the rest of the profile. Each value carries its own random initialisation vector and authentication tag, so an attacker with database access cannot read the values without the encryption key, which is held separately in the application environment.
• Privacy alias for AI: a separate per-child privacy alias (a natural-sounding fictional name, e.g. “Bramble”) is generated once at profile creation and stored in its own column. The alias is the only name string that ever leaves our servers for AI content generation; the real encrypted name is never sent to AI providers.
• Hashed lookups: for operations such as deduplication and name-based searches, we use a one-way SHA-256 hash of the normalised name. This allows matching without ever decrypting or exposing the plaintext name in query parameters.
• Decryption only on demand: real names are decrypted server-side only when they need to be returned to the authenticated parent for display in the app. Names appear only as encrypted ciphertext in log output, are never cached in plaintext on-device, and are never included in error reports.

9b. AI name isolation (three-stage tokenisation)

When generating stories, illustrations, quizzes, and other content through our AI content-generation providers (Anthropic and OpenAI), we use a three-stage privacy pipeline to ensure real names are never shared with any AI provider:

1. Aliasing: before any prompt is sent to the AI, all real names are replaced with temporary privacy aliases — natural-sounding fictional names (e.g. “Bramble”, “Pippin”) that allow the AI to generate coherent prose without knowing the child’s identity.
2. Tokenisation: after the AI returns the generated text, privacy aliases are replaced with opaque entity tokens (e.g. “{{child:abc123}}”). These tokens carry no personal information and are what we store in the database.
3. Resolution: at display time on your device, entity tokens are resolved back to the real display names using data already available to the authenticated session. This means the stored story text itself contains no real names.

Exception — speech services: for text-to-speech and pronunciation assessment, the resolved story text (including the child’s first name) is sent to Microsoft Azure Speech Services. This is functionally necessary so the story can be read aloud with the correct name and so pronunciation scoring works against the actual text the child is reading. Azure processes this data transiently and does not store it (see Section 12a).

9c. Right to erasure

When a parent deletes a child profile or requests account erasure, we permanently delete the encrypted profile rows (including the encrypted real name and the privacy alias) along with any associated entity tokens. Because story text contains only opaque tokens (not real names), deletion of the profile renders any residual tokens unresolvable.

10. Your rights

• EU/EEA & UK: rights to access, rectification, erasure, restriction, portability, and objection; right to withdraw consent without affecting prior processing; right to lodge a complaint with a supervisory authority.
• California (CCPA/CPRA): rights to know/access, correct, delete, and opt out of certain data uses; right to limit use of sensitive personal information where applicable; non-discrimination for exercising rights.
• Canada (PIPEDA): rights to access and challenge accuracy, and to withdraw consent subject to legal/contractual restrictions and reasonable notice.
• Australia (APPs): rights to access and correction; complaints may be submitted to us and, if unresolved, to the Office of the Australian Information Commissioner.

To exercise rights, see “Contact us” below. We may need to verify your identity and relationship to any child profile before responding. Authorised agent requests (e.g., under CCPA/CPRA) are supported where applicable.

11. Cookies and local device storage

We use essential cookies for core functionality (such as identifying your family session). We do not use non-essential cookies, advertising cookies, or third-party tracking cookies.

Some data is stored locally on your device using browser storage (localStorage) to provide a faster experience and keep progress data available offline. This includes reading preferences, pronunciation scores, and practice word history. Some of this data — in particular pronunciation and paragraph-level reading assessments— is also synchronised to our servers so that progress is preserved across devices and survives a browser cache clear. See Section 8 for retention details. You can clear the on-device copy at any time through your browser settings, and you can request deletion of the server-side copy from your account.

12. Third-party services

We use a small number of third-party providers to power core features. Below is a transparent summary of each provider, what data is shared, and how it is handled.

12a. Microsoft Azure Speech Services

Purpose: speech-to-text (real-time word tracking while a child reads aloud), pronunciation assessment (accuracy, fluency, completeness, and prosody scoring), and text-to-speech (reading stories aloud to the child).

• Data sent: audio from the device microphone (streamed in real time), and reference text for pronunciation comparison and speech synthesis. Reference text is the story content being read or spoken, which may include the child’s first name.
• Data returned: recognised words, accuracy scores, phoneme-level feedback, and synthesised speech audio.
• Storage by Microsoft: under Microsoft’s Azure Cognitive Services terms, audio submitted through the Speech API is not stored by Microsoft after processing is complete, and is not used to improve Microsoft models, unless the customer explicitly opts in to human review (which we have not enabled). See Microsoft’s Speech Service data privacy documentation for full details.
• Our retention: we discard audio immediately after receiving results. Only numerical scores and text are kept.

12b. Anthropic (Claude)

Purpose: primary AI provider for generating personalised stories and narrative content.

• Data sent: approximate age, interests, character descriptions, place descriptions, reading level, and story context. Real names are never included in prompts sent to Anthropic. All names are replaced with temporary privacy aliases before any data reaches Anthropic (see Section 9b). No audio, no identifiable names, and no sensitive personal data are sent.
• Data returned: generated story text and related narrative content.
• Storage by Anthropic: under Anthropic’s API terms, data submitted through the API is not used to train Anthropic models. Anthropic may retain API inputs and outputs for up to 30 days for trust and safety purposes, after which they are deleted. See Anthropic’s privacy policy for full details.
• Our retention: generated stories are saved as part of the child’s profile. The prompts used to generate them are not stored by us after the request completes.

12c. OpenAI

Purpose: generating illustrations, reading comprehension quizzes, content moderation, and fallback story generation.

• Data sent: approximate age, interests, character descriptions, place descriptions, reading level, and story context. Real names are never included in prompts sent to OpenAI. All names are replaced with temporary privacy aliases before any data reaches OpenAI (see Section 9b). No audio, no identifiable names, and no sensitive personal data are sent.
• Data returned: generated images, quiz questions, and related content.
• Storage by OpenAI: under OpenAI’s API data usage policy, data submitted through the API is not used to train OpenAI models. API inputs and outputs may be retained for up to 30 days for trust and safety monitoring, after which they are deleted. See OpenAI’s enterprise privacy page for full details.
• Our retention: generated images and content are saved as part of the child’s profile. The prompts used to generate them are not stored by us after the request completes.

12d. Voice transcription and spoken responses

When your child uses voice features (such as reading aloud or spoken comprehension answers), their speech is converted to text. These transcripts are used for pronunciation scoring (via Microsoft Azure) and comprehension evaluation (via Anthropic or OpenAI). Please be aware:

• Transcripts may contain names: if your child speaks their own name, a friend’s name, or other personal information while answering a question or reading aloud, that information will appear in the transcript. Transcripts sent to our AI providers for comprehension evaluation do not include any child profile data (such as the child’s name or age), but the transcript itself may contain whatever the child says.
• Speech assessment reference text: for pronunciation assessment, the story text being read (including the child’s first name if it appears in the story) is sent to Microsoft Azure Speech Services as reference text. This is necessary for accurate phoneme-level scoring. Azure processes this data transiently and does not store it after the assessment is complete.
• No audio retention: neither Story Gliders nor our providers store any audio recordings. Only derived text transcripts and numerical scores are retained.

12e. Supabase (authentication and database hosting)

Purpose: identity and authentication for parent accounts, and managed PostgreSQL hosting for our application database.

• Data sent: parent email, hashed password, session tokens, and the encrypted profile, story, and progress rows that make up the application database. Child PII (names, interests, etc.) is encrypted server-side with AES-256-GCM before it ever reaches Supabase.
• Data returned: authentication results, session cookies, and database query results.
• Storage by Supabase: data is stored in the region we configure for the project under Supabase’s standard data processing terms. See Supabase’s Data Processing Addendum.
• Our retention: account and profile data are retained while the parent account exists; deletion of a child profile or account removes the corresponding rows.

12f. Stripe (payment processing)

Purpose: processing the $0.50 trial verification charge and any subscription payments.

• Data sent: parent email and an internal family identifier. Card details are entered by the parent directly into Stripe’s hosted checkout and never pass through our servers. No child profile data is sent to Stripe.
• Data returned: customer and subscription identifiers, payment status, and webhook events confirming charges.
• Storage by Stripe: handled under Stripe’s standard data processing terms. See Stripe’s Data Processing Agreement.
• Our retention: we retain Stripe customer and subscription identifiers as long as the account is active so that billing and cancellations work; we do not store full card numbers.

12g. Brevo (transactional email)

Purpose: sending transactional emails such as welcome messages, weekly progress summaries, password resets, and account notifications.

• Data sent: parent email address, parent name, and template parameters needed to render the message (for example, a child’s first name in a weekly progress email).
• Data returned: delivery status and message identifiers.
• Storage by Brevo: handled under Brevo’s standard data processing terms. See Brevo’s Data Processing Agreement.
• Our retention: we do not store the email body once it has been sent; only the sent/delivered status is logged.

12h. Vercel (hosting and serverless compute)

Purpose: hosting the parent portal, running our serverless API functions, scheduled jobs, and platform logs.

• Data sent: any data processed by our application as part of normal request handling (e.g., parent session cookies, encrypted profile data on its way to or from the database). Application logs are scrubbed of plaintext PII before they are written.
• Data returned: hosting infrastructure does not return data to us beyond the standard request/response cycle.
• Storage by Vercel: handled under Vercel’s standard data processing terms. See Vercel’s Data Processing Addendum.
• Our retention: platform logs are retained on a short rolling window per Vercel’s defaults; we do not write child PII into logs.

12i. Sub-processor agreements

All sub-processors are bound by formal data processing agreements:

• Anthropic: we use the Anthropic API under their commercial terms and privacy policy, which prohibit Anthropic from using API inputs/outputs for model training.
• OpenAI: we use the OpenAI API under their Data Processing Addendum (DPA), which includes Standard Contractual Clauses for international transfers and prohibits OpenAI from using API inputs/outputs for model training.
• Microsoft Azure: we use Azure Cognitive Services under the Microsoft Products and Services Data Protection Addendum (DPA), which covers GDPR, UK GDPR, and includes Standard Contractual Clauses. Microsoft’s HIPAA Business Associate Agreement (BAA) is also available for health-adjacent data if applicable.
• Supabase: we use Supabase under their Data Processing Addendum, which includes Standard Contractual Clauses for international transfers.
• Stripe: we use Stripe under their Data Processing Agreement, which includes Standard Contractual Clauses for international transfers.
• Brevo: we use Brevo under their Data Processing Agreement, which includes Standard Contractual Clauses for international transfers.
• Vercel: we use Vercel under their Data Processing Addendum, which includes Standard Contractual Clauses for international transfers.

We bind all processors to confidentiality and security obligations, and we review their data-handling practices regularly. Other than parent-initiated educator sharing described in Section 6, we do not share child data with any third parties beyond the sub-processors listed in this section.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version and revise the “Last updated” date. For material changes, we will provide additional notice (e.g., via the parent portal).

14. Contact us

If you have questions, concerns, or requests about this Privacy Policy or our data practices, please contact our privacy team at contact@storygliders.com. EU/EEA/UK users may also contact their local data protection authority.

15. Cookies

We use strictly necessary cookies to operate this service. These include:

• Session cookies — used to keep you securely logged in. These are set by our authentication provider (Supabase) and are required for the app to function.
• Family identifier cookies — used to associate your session with your family account. Required for access control.

We do not use advertising cookies, tracking cookies, or any third-party analytics cookies.

Because all cookies we set are strictly necessary for the service to function, they do not require your prior consent under GDPR or PIPEDA. If we add optional cookies in the future (such as analytics), we will update this policy and implement a consent mechanism before doing so.