Privacy Policy
Last updated: March 2026
This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the Story Gliders parent portal and related services (the “Services”). We are committed to privacy by design and to complying with applicable privacy laws, including the EU/EEA General Data Protection Regulation (GDPR), UK GDPR and Data Protection Act 2018, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), Australia’s Privacy Act 1988 and Australian Privacy Principles (APPs), and U.S. children’s privacy rules (including COPPA, where applicable).
1. Who we are
The Services are provided by Story Gliders Inc. (“we”, “us”, or “our”). For users in the EU/EEA and UK, we act as a data controller for personal information processed via the parent portal. Contact details are provided at the end of this policy.
2. What information we collect
- Parent account information: name, email address, authentication identifiers, preferences, and settings.
- Child profile information: nickname or first name, avatar/character choices, reading preferences, and progress indicators. We encourage parents to avoid entering full legal names. Names are pseudonymised at rest: the main database stores only a non-identifying pseudonym, while the real display name is kept in a separate, AES-256-GCM encrypted mapping that is decrypted only when it needs to be shown to you (see Section 9 for details).
- Usage and activity: interactions with stories, reading sessions, quiz results, comprehension, and word practice history.
- Audio/voice data: when your child uses speech features (such as read-aloud practice or pronunciation feedback), their voice is captured by the device microphone and streamed to our speech-processing provider (Microsoft Azure Speech Services) for real-time analysis. We do not store, save, or retain any audio recordings of your child’s voice. Audio is processed transiently — once the service returns results (such as word accuracy scores or recognised text), the audio data is discarded immediately. Only derived, non-audio results are kept (for example, pronunciation accuracy scores and word-level error classifications). See Section 12 for full details on how our speech provider handles data.
- AI-generated content: to create personalised stories, illustrations, and reading activities, we send limited child profile information (such as approximate age, interests, and character/place descriptions) to our AI content-generation providers (Anthropic and OpenAI). Real names are never sent to Anthropic or OpenAI. Before any prompt reaches the AI content generator, all names are replaced with privacy aliases (fictional stand-in names). The AI-generated story text is then re-tokenised so that the stored version contains only opaque entity tokens, and real names are inserted back only at display time on your device. For text-to-speech and pronunciation assessment, the child’s first name may appear in text sent to Microsoft Azure Speech Services so that stories are read aloud naturally and reading accuracy can be assessed correctly. Microsoft does not store this data after processing (see Section 12a). See Sections 9 and 12 for full details.
- Technical data: device and browser type, OS, language, and time zone for core functionality. We do not use analytics trackers or collect IP addresses for profiling.
- Support communications: messages and contact details when you reach out to us.
3. How we use information
- Provide, maintain, and improve the Services and personalise content for your child’s learning.
- Enable speech features (e.g., recognition, pronunciation feedback, and text-to-speech), using transient audio processing only.
- Generate personalised stories, characters, illustrations, and reading activities through AI services.
- Monitor service reliability and prevent abuse; we do not build behavioural profiles.
- Communicate with parents about features, updates, and support (you can manage preferences).
- Comply with legal obligations and enforce our terms and policies.
4. Legal bases (GDPR/UK GDPR)
Where GDPR/UK GDPR applies, we rely on the following legal bases:
- Performance of a contract: to provide the Services you request.
- Legitimate interests: to improve and secure the Services in a manner that respects privacy.
- Consent: for optional features where required.
- Legal obligation: to meet compliance and regulatory requirements.
5. Children’s privacy
Story Gliders is designed for families with parental oversight. A parent or legal guardian must create and manage every child profile. Children do not create accounts or provide information directly to us without parental involvement.
- Data minimisation: we collect only what is needed to deliver the reading experience. We encourage nicknames rather than full legal names and do not require a child’s date of birth (age is optional and approximate). Names are pseudonymised and encrypted at rest (see Section 9).
- No voice storage: audio from a child’s microphone is streamed for real-time processing and never recorded, saved, or persisted by Story Gliders. Only non-audio derivatives (e.g. pronunciation accuracy scores) are retained.
- No advertising or tracking: we do not serve ads, use analytics trackers, or build behavioural profiles of children.
- Name isolation from AI content generation: when generating stories, illustrations, quizzes, and other AI content, your child’s real name and character names are replaced with temporary privacy aliases before any data reaches our AI providers. Neither Anthropic nor OpenAI ever sees or processes real names. After generation, aliases are converted to opaque entity tokens for storage, and real names are re-inserted only at display time on your device.
- Story content and place names: story place names entered by parents are fictional story settings created for entertainment purposes. We recommend using invented, imaginative names (such as “Crystal Caves” or “Moonberry Island”) rather than real addresses, cities, or locations. Story content is stored with character names replaced by anonymous tokens — real child names and character names are never stored in plain text within story content.
- Names in speech services: for text-to-speech (reading stories aloud) and pronunciation assessment (evaluating how a child reads), your child’s first name may appear in text sent to Microsoft Azure Speech Services. This is necessary so the story is read aloud with the child’s name and so pronunciation scoring can match against the actual text being read. Microsoft does not store this data after processing and does not use it for model training (see Section 12a).
- No model training: child data is not used to train AI models. Our AI providers process requests under API terms that prohibit using customer data for model training.
- Parental controls: parents can view, edit, and delete a child’s profile and all associated data (stories, characters, places, reading history, and assessment results) at any time through the parent portal.
- COPPA (U.S.): for children under 13 in the United States, we obtain verifiable parental consent before collecting personal information, in compliance with the Children’s Online Privacy Protection Act.
- Age-appropriate design (UK): we apply data protection by design principles consistent with the UK Age Appropriate Design Code (Children’s Code).
6. Sharing and disclosure
- Service providers: we use trusted processors to enable core features. These are limited to the providers named in Section 12. They process data only under our instructions and appropriate safeguards.
- Legal and safety: we may disclose information to comply with law, protect users, or respond to lawful requests.
- Business transfers: if we undergo a merger, acquisition, or asset sale, your information may transfer as part of that transaction, subject to this policy.
- No sales of personal information: we do not sell or “share” personal information for cross-context behavioural advertising as defined by CCPA/CPRA.
7. International transfers
We may process data in countries other than your own. Where required, we use appropriate safeguards for transfers, such as Standard Contractual Clauses (SCCs) for GDPR/UK GDPR. We implement technical and organisational measures to protect data irrespective of location.
8. Data retention
We retain personal information only as long as necessary to provide the Services. Specific retention practices:
- Voice/audio: never stored. Audio is processed in real time and discarded immediately. No recordings exist on our servers or in the app after processing.
- Pronunciation scores: word-level and phoneme-level accuracy results are stored on the device (in the browser’s local storage) to show parents their child’s progress. These are automatically pruned to a rolling window.
- Child profiles and content: stories, characters, places, and reading history are retained while the profile exists. When a parent deletes a child profile, all associated data is permanently removed.
- AI-generated content: stories and images generated by AI services are stored as part of the child’s profile. Story text is stored with opaque entity tokens instead of real names (see Section 9b), so the stored content is not directly identifiable. The prompts sent to AI providers are not stored by us after generation.
Parents may request deletion of child profiles and associated data at any time through the parent portal or by contacting us.
9. Security
We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, access controls, environment isolation, and least-privilege practices. No method of transmission or storage is 100% secure, but we continuously improve our controls. For a comprehensive overview of our security programme, including infrastructure, secure development, incident response, and responsible disclosure, see our Security page.
9a. Pseudonymisation and encryption of names
To protect the identities of children, characters, and other entities, we apply a layered approach:
- Pseudonymisation: the primary database records for children, characters, and places store only a non-identifying pseudonym (e.g. “Profile_a7f2b3c1”). The real display name is never stored in the main entity tables.
- Encryption at rest: real display names are stored in a separate encrypted mapping using AES-256-GCM (authenticated encryption with a 256-bit key). Each name entry has its own random initialisation vector and authentication tag, ensuring that an attacker with database access cannot read names without the encryption key, which is held separately.
- Hashed lookups: for operations such as deduplication and name-based searches, we use a one-way SHA-256 hash of the normalised name. This allows matching without ever decrypting or exposing the plaintext name in query parameters.
- Decryption only on demand: real names are decrypted server-side only when they need to be returned to the authenticated parent for display in the app. Names appear only as pseudonyms in log output, are never cached in plaintext on-device, and are never included in error reports.
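The name-storage scheme described in this section, sketched as an added example (not Story Gliders' own code). Function names, the in-memory key, and the choice to bind each ciphertext to its pseudonym as GCM associated data are assumptions made for the illustration.

```javascript
// Added illustration of Section 9a; every identifier here is hypothetical.
const crypto = require('node:crypto');

// Assumption: in production the key lives outside the database (KMS or secret
// store). A random key is constructed here so the example runs offline.
const NAME_KEY = crypto.randomBytes(32); // 256-bit key

// Normalise before hashing so "Maya", " maya " and "MAYA" deduplicate together.
const normalise = (name) => name.normalize('NFKC').trim().toLowerCase();

// One-way SHA-256 of the normalised name, used as the lookup column.
const nameHash = (name) =>
  crypto.createHash('sha256').update(normalise(name), 'utf8').digest('hex');

// Pseudonym for the main entity table: random, never derived from the name.
const newPseudonym = () => 'Profile_' + crypto.randomBytes(4).toString('hex');

// Build one row of the separate encrypted mapping.
function encryptName(name, pseudonym, key = NAME_KEY) {
  const iv = crypto.randomBytes(12); // fresh 96-bit IV for every entry
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  // Assumption: the pseudonym is authenticated as associated data, so a
  // ciphertext copied onto another profile's row fails to decrypt.
  cipher.setAAD(Buffer.from(pseudonym, 'utf8'));
  const ct = Buffer.concat([cipher.update(name, 'utf8'), cipher.final()]);
  return { pseudonym, iv, ct, tag: cipher.getAuthTag(), lookup: nameHash(name) };
}

// Decrypt on demand; throws if the ciphertext, tag or pseudonym was altered.
function decryptName(row, key = NAME_KEY) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, row.iv);
  decipher.setAAD(Buffer.from(row.pseudonym, 'utf8'));
  decipher.setAuthTag(row.tag);
  return Buffer.concat([decipher.update(row.ct), decipher.final()]).toString('utf8');
}
```

Names are short and guessable, so a plain SHA-256 lookup value can be matched by hashing candidate names; a keyed HMAC-SHA-256 is a common hardening, which this policy does not state is used.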
9b. AI name isolation (three-stage tokenisation)
When generating stories, illustrations, quizzes, and other content through our AI content-generation providers (Anthropic and OpenAI), we use a three-stage privacy pipeline to ensure real names are never shared with any AI provider:
- Aliasing: before any prompt is sent to the AI, all real names are replaced with temporary privacy aliases — natural-sounding fictional names (e.g. “Bramble”, “Pippin”) that allow the AI to generate coherent prose without knowing the child’s identity.
- Tokenisation: after the AI returns the generated text, privacy aliases are replaced with opaque entity tokens (e.g. “{{child:abc123}}”). These tokens carry no personal information and are what we store in the database.
- Resolution: at display time on your device, entity tokens are resolved back to the real display names using data already available to the authenticated session. This means the stored story text itself contains no real names.
Exception — speech services: for text-to-speech and pronunciation assessment, the resolved story text (including the child’s first name) is sent to Microsoft Azure Speech Services. This is functionally necessary so the story can be read aloud with the correct name and so pronunciation scoring works against the actual text the child is reading. Azure processes this data transiently and does not store it (see Section 12a).
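The three-stage pipeline described in this section, sketched as an added example (not Story Gliders' own code). The entity records, aliases, function names, the fail-closed leak check and the "[name removed]" fallback are assumptions; the sample prompt and AI output are constructed.

```javascript
// Added illustration of Section 9b; all identifiers and data are hypothetical.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Replace whole-word occurrences of each key in `map` with its value.
// Longest keys go first so "Captain Finn" wins over a shorter overlapping key.
function swapWords(text, map) {
  const keys = Object.keys(map).sort((a, b) => b.length - a.length);
  if (keys.length === 0) return text;
  const alt = keys.map(escapeRe).join('|');
  const re = new RegExp(`(?<![\\p{L}\\p{N}])(?:${alt})(?![\\p{L}\\p{N}])`, 'gu');
  return text.replace(re, (m) => map[m]);
}

// Stage 1, aliasing: real names -> fictional aliases before the prompt leaves.
function toAliases(prompt, entities) {
  const out = swapWords(prompt, Object.fromEntries(entities.map((e) => [e.name, e.alias])));
  // Fail closed: a deliberately strict, case-insensitive substring check that
  // catches variants the exact match missed (e.g. "MAYA"). The error carries
  // entity ids only, so the name does not end up in logs or error reports.
  const lower = out.toLowerCase();
  const leaked = entities.filter((e) => lower.includes(e.name.toLowerCase()));
  if (leaked.length > 0) {
    throw new Error('aliasing incomplete for: ' + leaked.map((e) => e.id).join(', '));
  }
  return out;
}

// Stage 2, tokenisation: aliases in the AI output -> opaque tokens for storage.
const tokenFor = (e) => `{{${e.kind}:${e.id}}}`;
function toTokens(aiText, entities) {
  return swapWords(aiText, Object.fromEntries(entities.map((e) => [e.alias, tokenFor(e)])));
}

// Stage 3, resolution: tokens -> display names held by the authenticated
// session. A token with no mapping (e.g. after erasure) stays anonymous.
function resolveTokens(stored, namesByToken) {
  return stored.replace(/\{\{(\w+):(\w+)\}\}/g, (m) => namesByToken.get(m) ?? '[name removed]');
}

// Constructed sample data.
const ENTITIES = [
  { kind: 'child', id: 'abc123', name: 'Maya', alias: 'Bramble' },
  { kind: 'character', id: 'd4e5f6', name: 'Captain Finn', alias: 'Pippin' },
];
const SAMPLE_PROMPT = "Write a story where Maya and Captain Finn explore Crystal Caves. Maya's lantern is blue.";
const SAMPLE_AI_TEXT = "Bramble followed Pippin into the cave. Bramble's lantern flickered.";

function demo() {
  const outbound = toAliases(SAMPLE_PROMPT, ENTITIES);
  const stored = toTokens(SAMPLE_AI_TEXT, ENTITIES);
  const names = new Map(ENTITIES.map((e) => [tokenFor(e), e.name]));
  return { outbound, stored, shown: resolveTokens(stored, names) };
}
```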
9c. Right to erasure
When a parent deletes a child profile or requests account erasure, we permanently delete all associated encrypted name mappings, pseudonyms, and entity tokens. Because story text contains only opaque tokens (not real names), deletion of the name mappings renders any residual tokens unresolvable.
10. Your rights
- EU/EEA & UK: rights to access, rectification, erasure, restriction, portability, and objection; right to withdraw consent without affecting prior processing; right to lodge a complaint with a supervisory authority.
- California (CCPA/CPRA): rights to know/access, correct, delete, and opt out of certain data uses; right to limit use of sensitive personal information where applicable; non-discrimination for exercising rights.
- Canada (PIPEDA): rights to access and challenge accuracy, and to withdraw consent subject to legal/contractual restrictions and reasonable notice.
- Australia (APPs): rights to access and correction; complaints may be submitted to us and, if unresolved, to the Office of the Australian Information Commissioner.
To exercise rights, see “Contact us” below. We may need to verify your identity and relationship to any child profile before responding. Authorised agent requests (e.g., under CCPA/CPRA) are supported where applicable.
11. Cookies and local device storage
We use essential cookies for core functionality (such as identifying your family session). We do not use non-essential cookies, advertising cookies, or third-party tracking cookies.
Some data is stored locally on your device using browser storage (localStorage) to provide a faster experience and keep progress data available offline. This includes reading preferences, pronunciation scores, and practice word history. This data never leaves your device unless you explicitly use a backup or sync feature. You can clear this data at any time through your browser settings.
12. Third-party services
We use a small number of third-party providers to power core features. Below is a transparent summary of each provider, what data is shared, and how it is handled.
12a. Microsoft Azure Speech Services
Purpose: speech-to-text (real-time word tracking while a child reads aloud), pronunciation assessment (accuracy, fluency, completeness, and prosody scoring), and text-to-speech (reading stories aloud to the child).
- Data sent: audio from the device microphone (streamed in real time), and reference text for pronunciation comparison and speech synthesis. Reference text is the story content being read or spoken, which may include the child’s first name.
- Data returned: recognised words, accuracy scores, phoneme-level feedback, and synthesised speech audio.
- Storage by Microsoft: under Microsoft’s Azure Cognitive Services terms, audio submitted through the Speech API is not stored by Microsoft after processing is complete, and is not used to improve Microsoft models, unless the customer explicitly opts in to human review (which we have not enabled). See Microsoft’s Speech Service data privacy documentation for full details.
- Our retention: we discard audio immediately after receiving results. Only numerical scores and text are kept.
12b. Anthropic (Claude)
Purpose: primary AI provider for generating personalised stories and narrative content.
- Data sent: approximate age, interests, character descriptions, place descriptions, reading level, and story context. Real names are never included in prompts sent to Anthropic. All names are replaced with temporary privacy aliases before any data reaches Anthropic (see Section 9b). No audio, no identifiable names, and no sensitive personal data are sent.
- Data returned: generated story text and related narrative content.
- Storage by Anthropic: under Anthropic’s API terms, data submitted through the API is not used to train Anthropic models. Anthropic may retain API inputs and outputs for up to 30 days for trust and safety purposes, after which they are deleted. See Anthropic’s privacy policy for full details.
- Our retention: generated stories are saved as part of the child’s profile. The prompts used to generate them are not stored by us after the request completes.
12c. OpenAI
Purpose: generating illustrations, reading comprehension quizzes, content moderation, and fallback story generation.
- Data sent: approximate age, interests, character descriptions, place descriptions, reading level, and story context. Real names are never included in prompts sent to OpenAI. All names are replaced with temporary privacy aliases before any data reaches OpenAI (see Section 9b). No audio, no identifiable names, and no sensitive personal data are sent.
- Data returned: generated images, quiz questions, and related content.
- Storage by OpenAI: under OpenAI’s API data usage policy, data submitted through the API is not used to train OpenAI models. API inputs and outputs may be retained for up to 30 days for trust and safety monitoring, after which they are deleted. See OpenAI’s enterprise privacy page for full details.
- Our retention: generated images and content are saved as part of the child’s profile. The prompts used to generate them are not stored by us after the request completes.
12d. Voice transcription and spoken responses
When your child uses voice features (such as reading aloud or spoken comprehension answers), their speech is converted to text. These transcripts are used for pronunciation scoring (via Microsoft Azure) and comprehension evaluation (via Anthropic or OpenAI). Please be aware:
- Transcripts may contain names: if your child speaks their own name, a friend’s name, or other personal information while answering a question or reading aloud, that information will appear in the transcript. Transcripts sent to our AI providers for comprehension evaluation do not include any child profile data (such as the child’s name or age), but the transcript itself may contain whatever the child says.
- Speech assessment reference text: for pronunciation assessment, the story text being read (including the child’s first name if it appears in the story) is sent to Microsoft Azure Speech Services as reference text. This is necessary for accurate phoneme-level scoring. Azure processes this data transiently and does not store it after the assessment is complete.
- No audio retention: neither Story Gliders nor our providers store any audio recordings. Only derived text transcripts and numerical scores are retained.
12e. Sub-processor agreements
All sub-processors are bound by formal data processing agreements:
- Anthropic: we use the Anthropic API under their commercial terms and privacy policy, which prohibit Anthropic from using API inputs/outputs for model training.
- OpenAI: we use the OpenAI API under their Data Processing Addendum (DPA), which includes Standard Contractual Clauses for international transfers and prohibits OpenAI from using API inputs/outputs for model training.
- Microsoft Azure: we use Azure Cognitive Services under the Microsoft Products and Services Data Protection Addendum (DPA), which covers GDPR, UK GDPR, and includes Standard Contractual Clauses. Microsoft’s HIPAA Business Associate Agreement (BAA) is also available for health-adjacent data if applicable.
We bind all processors to confidentiality and security obligations, and we review their data-handling practices regularly. We do not share child data with any other third parties beyond those listed above.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version and revise the “Last updated” date. For material changes, we will provide additional notice (e.g., via the parent portal).
14. Contact us
If you have questions, concerns, or requests about this Privacy Policy or our data practices, please contact our privacy team at privacy@storygliders.com. EU/EEA/UK users may also contact their local data protection authority.
15. Cookies
We use strictly necessary cookies to operate this service. These include:
- Session cookies — used to keep you securely logged in. These are set by our authentication provider (Supabase) and are required for the app to function.
- Family identifier cookies — used to associate your session with your family account. Required for access control.
We do not use advertising cookies, tracking cookies, or any third-party analytics cookies.
Because all cookies we set are strictly necessary for the service to function, they do not require your prior consent under GDPR or PIPEDA. If we add optional cookies in the future (such as analytics), we will update this policy and implement a consent mechanism before doing so.