Privacy Policy
Last updated: June 2026
This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the Story Gliders parent portal and related services (the “Services”). We are committed to privacy by design and to complying with the privacy laws of the regions we serve, including Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec’s Law 25, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), Australia’s Privacy Act 1988 and Australian Privacy Principles (APPs), and U.S. children’s privacy rules (including COPPA).
1. Who we are
The Services are provided by Story Gliders Inc. (“we”, “us”, or “our”). We are responsible for the personal information we process via the parent portal. Our full contact details, including our postal address, are provided at the end of this policy.
2. What information we collect
- Parent account information: name, email address, authentication identifiers, preferences, and settings.
- Child profile information: nickname or first name, avatar/character choices, reading preferences, and progress indicators. We encourage parents to avoid entering full legal names. Names are encrypted at rest using AES-256-GCM with a per-row random initialisation vector and authentication tag. Real names are decrypted server-side only when they need to be returned to the authenticated parent for display, and a separate per-child privacy alias is used in their place for any AI prompts (see Section 9 for details).
- Accessibility reading modes: a parent can turn on optional Dyslexia and ADHD/Focus reading modes for a child. These simply adapt how stories are displayed (for example the OpenDyslexic font, wider spacing, a reading ruler, or a focus overlay). Because turning a mode on can reveal information about a child’s health or learning needs, some privacy laws (including Quebec’s Law 25 and the EU’s GDPR) treat this as sensitive, special-category health-related information. These modes are off by default; we record them only with a parent’s explicit consent, use them solely to adapt the reading display (never for profiling, advertising, or AI training), and a parent can turn them off at any time.
- Usage and activity: interactions with stories, reading sessions, quiz results, comprehension, and word practice history.
- Audio/voice data: when your child uses speech features (such as read-aloud practice or pronunciation feedback), their voice is captured by the device microphone and streamed to our speech-processing provider (Microsoft Azure Speech Services) for real-time analysis. We do not store, save, or retain any audio recordings of your child’s voice. Audio is processed transiently — once the service returns results (such as word accuracy scores or recognised text), the audio data is discarded immediately. Only derived, non-audio results are kept (for example, pronunciation accuracy scores and word-level error classifications). See Section 12 for full details on how our speech provider handles data.
- AI-generated content: to create personalised stories, illustrations, and reading activities, we send limited child profile information (such as approximate age, interests, and character/place descriptions) to our AI content-generation providers (Anthropic and OpenAI). A child’s name and chosen character names are never sent to Anthropic or OpenAI. Before any prompt reaches the AI content generator, those names are replaced with privacy aliases (fictional stand-in names). The AI-generated story text is then re-tokenised so that the stored version contains only opaque entity tokens, and real names are inserted back only within your authenticated session. Free-text you write yourself is sent as entered (see Section 9b). For text-to-speech and pronunciation assessment, the child’s first name may appear in text sent to Microsoft Azure Speech Services so that stories are read aloud naturally and reading accuracy can be assessed correctly. Microsoft does not store this data after processing (see Section 12a). See Sections 9 and 12 for full details.
- Technical data: device and browser type, OS, language, and time zone for core functionality. We do not use analytics trackers. IP addresses are SHA-256 hashed for security audit purposes only and are never stored in plaintext or used for profiling (see Section 9d).
- Support communications: messages and contact details when you reach out to us.
3. How we use information
- Provide, maintain, and improve the Services and personalise content for your child’s learning.
- Enable speech features (e.g., recognition, pronunciation feedback, and text-to-speech), using transient audio processing only.
- Generate personalised stories, characters, illustrations, and reading activities through AI services.
- Monitor service reliability and prevent abuse; we do not build behavioural profiles.
- Communicate with parents about features, updates, and support (you can manage preferences).
- Comply with legal obligations and enforce our terms and policies.
4. Our grounds for processing
We process personal information on the following grounds:
- Performance of a contract: to provide the Services you request.
- Legitimate interests: to improve and secure the Services in a manner that respects privacy.
- Consent: for optional features where required.
- Legal obligation: to meet compliance and regulatory requirements.
5. Children’s privacy
Story Gliders is designed for families with parental oversight. A parent or legal guardian must create and manage every child profile. Children do not create accounts or provide information directly to us without parental involvement.
- Data minimisation: we collect only what is needed to deliver the reading experience. We encourage nicknames rather than full legal names and do not require a child’s date of birth (age is optional and approximate). Names are pseudonymised and encrypted at rest (see Section 9).
- No voice storage: audio from a child’s microphone is streamed for real-time processing and never recorded, saved, or persisted by Story Gliders. Only non-audio derivatives (e.g. pronunciation accuracy scores) are retained.
- No advertising or tracking: we do not serve ads, use analytics trackers, or build behavioural profiles of children.
- Name isolation from AI content generation: when generating stories, illustrations, quizzes, and other AI content, your child’s real name and chosen character names are replaced with temporary privacy aliases before any data reaches our AI content-generation providers (Anthropic and OpenAI). After generation, aliases are converted to opaque entity tokens for storage, and real names are re-inserted only within your authenticated session. Free-text you write yourself is sent as entered — see Section 9b.
- Story content and place names: story place names entered by parents are fictional story settings created for entertainment purposes. We recommend using invented, imaginative names (such as “Crystal Caves” or “Moonberry Island”) rather than real addresses, cities, or locations. Story content is stored with character names replaced by anonymous tokens — real child names and character names are never stored in plain text within story content.
- Names in speech services: for text-to-speech (reading stories aloud) and pronunciation assessment (evaluating how a child reads), your child’s first name may appear in text sent to Microsoft Azure Speech Services. This is necessary so the story is read aloud with the child’s name and so pronunciation scoring can match against the actual text being read. Microsoft does not store this data after processing and does not use it for model training (see Section 12a).
- No model training: child data is not used to train AI models. Our AI providers process requests under API terms that prohibit using customer data for model training.
- Parental controls: parents can view, edit, and delete a child’s profile and all associated data (stories, characters, places, reading history, and assessment results) at any time through the parent portal.
- COPPA (U.S.): for children under 13 in the United States, we obtain verifiable parental consent before collecting any personal information from a child. At signup the account holder confirms in writing that they are the parent or legal guardian (with an authenticated email address); verifiable parental consent is then completed through a credit/debit-card verification when the parent starts a subscription. Child information is not collected until that card-based verification is in place, in compliance with the Children’s Online Privacy Protection Act.
- Age-appropriate design: we apply data-protection-by-design principles for child users, including data minimisation, no profiling, and clear transparency.
6. Sharing and disclosure
- Service providers: we use trusted processors to enable core features. A full list of our sub-processors appears in Section 12 below. They process data only under our instructions and appropriate safeguards.
- Parent-invited educators: you may invite a tutor, teacher, or speech-language pathologist to view your child’s name, reading progress, phonics levels, and practice activities. This sharing is initiated entirely by you and requires your explicit consent at the time of each invitation. The invited educator can only access data for the specific child you authorise. You can revoke access at any time from your account settings.
- Legal and safety: we may disclose information to comply with law, protect users, or respond to lawful requests.
- Business transfers: if we undergo a merger, acquisition, or asset sale, your information may transfer as part of that transaction, subject to this policy.
- No sales of personal information: we do not sell or “share” personal information for cross-context behavioural advertising as defined by CCPA/CPRA.
7. International transfers
We may process data in countries other than your own (for example, in the United States, where some of our service providers operate). Where we transfer personal information across borders, we use contractual and technical safeguards with our providers and implement technical and organisational measures to protect data irrespective of location.
8. Data retention
We retain personal information only as long as necessary to provide the Services. Specific retention practices:
- Voice/audio: never stored. Audio is processed in real time and discarded immediately. No recordings exist on our servers or in the app after processing.
- Spoken-comprehension transcripts: when a child speaks an answer, the text transcript (not the audio) is stored encrypted at rest so we can score comprehension. Transcripts are automatically deleted on a rolling 12-month window.
- Pronunciation scores: word-level and phoneme-level accuracy results are kept in two places. (a) On the device in the browser’s local storage, for fast on-device progress views and offline access. (b) On our servers as part of the child’s profile, so progress is preserved across devices and after a browser cache clear. The server-stored paragraph text and story title used as reference for an assessment are encrypted at rest. We retain server-side assessment results for the life of the child’s profile and delete them when the profile is deleted (see below); the local-storage copy is pruned to a rolling window of the most recent attempts.
- Child profiles and content: stories, characters, places, and reading history are retained while the profile is in use, and are never kept indefinitely. When a parent deletes a child profile, all associated data is permanently removed. In addition, a profile that has not been used for 24 months is automatically and permanently deleted — we email the parent twice beforehand (about 30 days and 7 days in advance), and simply opening and using the profile cancels the deletion.
- AI-generated content: stories and images generated by AI services are stored as part of the child’s profile. Story text is stored with opaque entity tokens instead of real names (see Section 9b), so the stored content is not directly identifiable. The prompts sent to AI providers are not stored by us after generation.
Parents may request deletion of child profiles and associated data at any time through the parent portal or by contacting us.
Deletion removes your profile content and your child’s personal information. As a limited exception, we retain pseudonymised security audit records (which contain no names or contact details) and parental-consent records for up to 5 years, to meet our security and legal record-keeping obligations.
9. Security
We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, access controls, environment isolation, and least-privilege practices. No method of transmission or storage is 100% secure, but we continuously improve our controls. For a comprehensive overview of our security programme, including infrastructure, secure development, incident response, and responsible disclosure, see our Security page.
9a. Encryption of names and the AI privacy alias
To protect the identities of children, characters, and other entities, we apply a layered approach:
- Encryption at rest: child names, family or household names, interests, and gender are stored AES-256-GCM-encrypted (authenticated encryption with a 256-bit key) in the same row that holds the rest of the profile. Each value carries its own random initialisation vector and authentication tag, so an attacker with database access cannot read the values without the encryption key, which is held separately in the application environment.
- Privacy alias for AI: a separate per-child privacy alias (a natural-sounding fictional name, e.g. “Bramble”) is generated once at profile creation and stored in its own column. The alias is the only name string that ever leaves our servers for AI content generation; the real encrypted name is never sent to AI providers.
- Hashed email lookups: for account uniqueness and invitation matching, we compare a one-way keyed hash (HMAC-SHA-256) of the normalised email address rather than the plaintext, so emails are matched without being exposed in query parameters. Names themselves are protected by the AES-256-GCM encryption described above rather than hashing.
- Decryption only on demand: real names are decrypted server-side only when they need to be returned to an authenticated parent or tutor for display in the app. Names appear only as encrypted ciphertext in log output and are never included in error reports. Personalised story titles shown in reading history may contain a first name and are cached in your browser’s local storage for offline progress views; this on-device cache is cleared automatically when you sign out (see Section 11b).
9b. AI name isolation (three-stage tokenisation)
When generating stories, illustrations, quizzes, and other content through our AI content-generation providers (Anthropic and OpenAI), we use a three-stage privacy pipeline so that a child’s name and chosen character names are not shared with any AI provider:
- Aliasing: before any prompt is sent to the AI, all real names are replaced with temporary privacy aliases — natural-sounding fictional names (e.g. “Bramble”, “Pippin”) that allow the AI to generate coherent prose without knowing the child’s identity.
- Tokenisation: after the AI returns the generated text, privacy aliases are replaced with opaque entity tokens (e.g. “{{child:abc123}}”). These tokens carry no personal information and are what we store in the database.
- Resolution: entity tokens are resolved back to the real display names only within your authenticated session — in your browser, or server-side for an authorised parent or tutor request — using data already available to that session. This means the stored story text itself contains no real names.
Exception — speech services: for text-to-speech and pronunciation assessment, the resolved story text (including the child’s first name) is sent to Microsoft Azure Speech Services. This is functionally necessary so the story can be read aloud with the correct name and so pronunciation scoring works against the actual text the child is reading. Azure processes this data transiently and does not store it (see Section 12a).
Free-text you enter: the aliasing above covers a child’s name and the character names they choose. Free-text you write yourself — such as place descriptions, story problems, quests, or notes — is sent to the AI as you typed it, and our spoken-comprehension feature transcribes what a child says aloud. We cannot reliably detect other people’s real names entered into free-text or spoken aloud, so please avoid including the real names of children or others in those fields (see our Terms of Use, Acceptable Use).
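The following is an added illustration, not code from Story Gliders, of the three-stage pipeline described in this section (aliasing before the prompt leaves the server, tokenisation of the returned text before storage, resolution only within a session), together with the Section 9c property that tokens whose profile has been deleted no longer resolve. The entity ids, sample names, sample story text and the "[unknown]" placeholder are assumptions made for the example.

```javascript
// Added illustration, not Story Gliders' code: aliasing -> tokenisation ->
// resolution (Section 9b), and unresolvable tokens after erasure (Section 9c).

// Constructed sample entities. In the real system the alias is generated
// once at profile creation and stored beside the encrypted real name; the
// ids here are made up.
const ENTITIES = [
  { id: 'abc123', kind: 'child', realName: 'Olivia', alias: 'Bramble' },
  { id: 'def456', kind: 'character', realName: 'Max', alias: 'Pippin' },
];

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Single-pass whole-name substitution. One alternation (longest names first)
// instead of chained replace() calls, so a replacement is never itself
// rewritten by a later rule. Unicode letter lookarounds are used instead of
// \b, which is ASCII-only in JavaScript and would miss names such as "Zoë".
function replaceNames(text, mapping) {
  const names = Object.keys(mapping).sort((a, b) => b.length - a.length);
  if (names.length === 0) return text;
  const re = new RegExp(`(?<!\\p{L})(?:${names.map(escapeRe).join('|')})(?!\\p{L})`, 'gu');
  return text.replace(re, (m) => mapping[m]);
}

// Stage 1: real names -> privacy aliases, applied to the prompt before it
// leaves the server. The AI provider only ever sees the aliases.
function aliasPrompt(prompt, entities) {
  return replaceNames(prompt, Object.fromEntries(entities.map((e) => [e.realName, e.alias])));
}

// Stage 2: aliases in the generated text -> opaque entity tokens. This is
// the form that is written to the database.
function tokeniseOutput(generated, entities) {
  return replaceNames(generated, Object.fromEntries(entities.map((e) => [e.alias, `{{${e.kind}:${e.id}}}`])));
}

// Stage 3: tokens -> display names, using only the names the authenticated
// session already holds. Tokens with no matching entity (for example after
// the profile was deleted) cannot be resolved and get a neutral placeholder.
function resolveTokens(stored, sessionNames, placeholder = '[unknown]') {
  return stored.replace(/\{\{([a-z]+):([A-Za-z0-9]+)\}\}/g, (_m, _kind, id) =>
    Object.prototype.hasOwnProperty.call(sessionNames, id) ? sessionNames[id] : placeholder);
}

// Guard to run before persisting: the stored text must contain neither
// real names nor aliases.
function storedTextIsClean(stored, entities) {
  return !entities.some((e) => stored.includes(e.realName) || stored.includes(e.alias));
}
```

The session-side lookup passed to resolveTokens is built from names the session has already decrypted for the parent or tutor, so resolution adds no new data access; and because the database row holds only tokens, deleting the entity rows is enough to make old story text non-identifying without rewriting the text itself.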
9c. Right to erasure
When a parent deletes a child profile or requests account erasure, we permanently delete the encrypted profile rows (including the encrypted real name and the privacy alias) along with any associated entity tokens. Because story text contains only opaque tokens (not real names), deletion of the profile renders any residual tokens unresolvable.
9d. Internal audit logging
Access to child profile data is recorded in an internal audit log used for security monitoring and abuse prevention. Actor and resource identifiers are pseudonymised (HMAC-SHA-256), client IP addresses are stored only as SHA-256 hashes (never in plaintext), and any free-text metadata is encrypted at rest using AES-256-GCM. We do not use these logs for profiling or analytics. Audit log records are retained for up to 5 years to support security investigations and regulatory compliance.
10. Your rights
- California (CCPA/CPRA): rights to know/access, correct, delete, and opt out of certain data uses; right to limit use of sensitive personal information where applicable; non-discrimination for exercising rights.
- Canada (PIPEDA and Quebec’s Law 25): rights to access and challenge accuracy, and to withdraw consent subject to legal/contractual restrictions and reasonable notice; for Quebec residents, additional rights to data portability and to be informed of automated processing.
- Australia (APPs): rights to access and correction; complaints may be submitted to us and, if unresolved, to the Office of the Australian Information Commissioner.
To exercise rights, see “Contact us” below. We may need to verify your identity and relationship to any child profile before responding. Authorised agent requests (e.g., under CCPA/CPRA) are supported where applicable.
Response times. Once we have verified your identity and relationship to any child profile, we respond to requests within the following timeframes:
- CCPA / CPRA: 45 days, extendable by an additional 45 days where reasonably necessary.
- PIPEDA / Quebec Law 25: 30 days.
- Australian Privacy Principles: within a reasonable period, typically 30 days.
We aim to acknowledge receipt of every request within 5 business days.
11. Cookies and local device storage
11a. Strictly necessary cookies
We use only strictly necessary cookies to operate the Services. These include:
- Session cookies — used to keep you securely logged in. These are set by our authentication provider (Supabase) and are required for the app to function.
- Family identifier cookies — used to associate your session with your family account. Required for access control.
We do not use advertising cookies, tracking cookies, or any third-party analytics cookies. Because all cookies we set are strictly necessary for the Services to function, they do not require your prior consent under applicable privacy law. If we add optional cookies in the future (such as analytics), we will update this policy and implement a consent mechanism before doing so.
11b. Local device storage
Some data is stored locally on your device using browser storage (localStorage) to provide a faster experience and keep progress data available offline. This includes reading preferences, pronunciation scores, and practice word history. Some of this data — in particular pronunciation and paragraph-level reading assessments — is also synchronised to our servers so that progress is preserved across devices and survives a browser cache clear. See Section 8 for retention details. You can clear the on-device copy at any time through your browser settings, and you can request deletion of the server-side copy from your account.
12. Third-party services
We use a small number of third-party providers to power core features. Below is a transparent summary of each provider, what data is shared, and how it is handled.
12a. Microsoft Azure Speech Services
Purpose: speech-to-text (real-time word tracking while a child reads aloud), pronunciation assessment (accuracy, fluency, completeness, and prosody scoring), and text-to-speech (reading stories aloud to the child).
- Data sent: audio from the device microphone (streamed in real time), and reference text for pronunciation comparison and speech synthesis. Reference text is the story content being read or spoken, which may include the child’s first name.
- Data returned: recognised words, accuracy scores, phoneme-level feedback, and synthesised speech audio.
- Storage by Microsoft: under Microsoft’s Azure Cognitive Services terms, audio submitted through the Speech API is not stored by Microsoft after processing is complete, and is not used to improve Microsoft models, unless the customer explicitly opts in to human review (which we have not enabled). See Microsoft’s Speech Service data privacy documentation for full details.
- Our retention: we discard audio immediately after receiving results. Only numerical scores and text are kept.
12b. Anthropic (Claude)
Purpose: primary AI provider for generating personalised stories and narrative content.
- Data sent: approximate age, interests, character descriptions, place descriptions, reading level, and story context. Real names are never included in prompts sent to Anthropic. All names are replaced with temporary privacy aliases before any data reaches Anthropic (see Section 9b). No audio, no identifiable names, and no sensitive personal data are sent.
- Data returned: generated story text and related narrative content.
- Storage by Anthropic: under Anthropic’s API terms, data submitted through the API is not used to train Anthropic models. Anthropic may retain API inputs and outputs for up to 30 days for trust and safety purposes, after which they are deleted. See Anthropic’s privacy policy for full details.
- Our retention: generated stories are saved as part of the child’s profile. The prompts used to generate them are not stored by us after the request completes.
12c. OpenAI
Purpose: generating illustrations, reading comprehension quizzes, content moderation, and fallback story generation.
- Data sent: approximate age, interests, character descriptions, place descriptions, reading level, and story context. Real names are never included in prompts sent to OpenAI. All names are replaced with temporary privacy aliases before any data reaches OpenAI (see Section 9b). No audio, no identifiable names, and no sensitive personal data are sent.
- Data returned: generated images, quiz questions, and related content.
- Storage by OpenAI: under OpenAI’s API data usage policy, data submitted through the API is not used to train OpenAI models. API inputs and outputs may be retained for up to 30 days for trust and safety monitoring, after which they are deleted. See OpenAI’s enterprise privacy page for full details.
- Our retention: generated images and content are saved as part of the child’s profile. The prompts used to generate them are not stored by us after the request completes.
12d. Voice transcription and spoken responses
When your child uses voice features (such as reading aloud or spoken comprehension answers), their speech is converted to text. These transcripts are used for pronunciation scoring (via Microsoft Azure) and comprehension evaluation (via Anthropic or OpenAI). Please be aware:
- Transcripts may contain names: if your child speaks their own name, a friend’s name, or other personal information while answering a question or reading aloud, that information will appear in the transcript. Transcripts sent to our AI providers for comprehension evaluation do not include any child profile data (such as the child’s name or age), but the transcript itself may contain whatever the child says.
- Speech assessment reference text: for pronunciation assessment, the story text being read (including the child’s first name if it appears in the story) is sent to Microsoft Azure Speech Services as reference text. This is necessary for accurate phoneme-level scoring. Azure processes this data transiently and does not store it after the assessment is complete.
- No audio retention: neither Story Gliders nor our providers store any audio recordings. Only derived text transcripts and numerical scores are retained.
12e. Supabase (authentication and database hosting)
Purpose: identity and authentication for parent accounts, and managed PostgreSQL hosting for our application database.
- Data sent: parent email, hashed password, session tokens, and the encrypted profile, story, and progress rows that make up the application database. Child PII (names, interests, etc.) is encrypted server-side with AES-256-GCM before it ever reaches Supabase.
- Data returned: authentication results, session cookies, and database query results.
- Storage by Supabase: data is stored in the region we configure for the project under Supabase’s standard data processing terms. See Supabase’s Data Processing Addendum.
- Our retention: account and profile data are retained while the parent account exists; deletion of a child profile or account removes the corresponding rows.
12f. Stripe (payment processing)
Purpose: processing subscription payments (the card payment also serves as verifiable parental consent).
- Data sent: parent email and an internal family identifier. Card details are entered by the parent directly into Stripe’s hosted checkout and never pass through our servers. No child profile data is sent to Stripe.
- Data returned: customer and subscription identifiers, payment status, and webhook events confirming charges.
- Storage by Stripe: handled under Stripe’s standard data processing terms. See Stripe’s Data Processing Agreement.
- Our retention: we retain Stripe customer and subscription identifiers as long as the account is active so that billing and cancellations work; we do not store full card numbers.
12g. Brevo (transactional email)
Purpose: sending transactional emails such as welcome messages, weekly progress summaries, password resets, and account notifications.
- Data sent: parent email address, parent name, and template parameters needed to render the message (for example, a child’s first name in a weekly progress email).
- Data returned: delivery status and message identifiers.
- Storage by Brevo: handled under Brevo’s standard data processing terms. See Brevo’s Data Processing Agreement.
- Our retention: we do not store the email body once it has been sent; only the sent/delivered status is logged.
12h. Vercel (hosting and serverless compute)
Purpose: hosting the parent portal, running our serverless API functions, scheduled jobs, and platform logs.
- Data sent: any data processed by our application as part of normal request handling (e.g., parent session cookies, encrypted profile data on its way to or from the database). Application logs are scrubbed of plaintext PII before they are written.
- Data returned: hosting infrastructure does not return data to us beyond the standard request/response cycle.
- Storage by Vercel: handled under Vercel’s standard data processing terms. See Vercel’s Data Processing Addendum.
- Our retention: platform logs are retained on a short rolling window per Vercel’s defaults; we do not write child PII into logs.
12i. Cloudflare and other technical service providers
- Cloudflare (Turnstile bot protection): used on our public sign-in, sign-up, demo, and waitlist forms to block automated abuse. Data sent: a one-time challenge response and the requester’s IP address (used by Cloudflare to score the challenge). No child profile data, names, or content are sent. Turnstile is designed not to be used for cross-site tracking or advertising.
- Free Dictionary API (api.dictionaryapi.dev): used to look up child-friendly word definitions in the reader. Data sent (from our servers): the single English word a child taps — no names, profile data, or other personal information.
- Google Fonts: when generating a downloadable PDF report or data export, our server fetches a web font (Inter) from Google Fonts. This request comes from our server and contains no personal data.
12j. Sub-processor agreements
All sub-processors are bound by formal data processing agreements:
- Anthropic: we use the Anthropic API under their commercial terms and privacy policy, which prohibit Anthropic from using API inputs/outputs for model training.
- OpenAI: we use the OpenAI API under their Data Processing Addendum (DPA), which prohibits OpenAI from using API inputs/outputs for model training.
- Microsoft Azure: we use Azure Cognitive Services under the Microsoft Products and Services Data Protection Addendum (DPA), which binds Microsoft to confidentiality and security obligations as a processor. Microsoft’s HIPAA Business Associate Agreement (BAA) is also available for health-adjacent data if applicable.
- Supabase: we use Supabase under their Data Processing Addendum.
- Stripe: we use Stripe under their Data Processing Agreement.
- Brevo: we use Brevo under their Data Processing Agreement.
- Vercel: we use Vercel under their Data Processing Addendum.
We bind the processors that handle personal data to confidentiality and security obligations, and we review their data-handling practices regularly. Other than parent-initiated educator sharing described in Section 6 and the service providers listed in this section, we do not share child data with third parties. Some providers (such as our bot-protection provider) receive only limited technical data, such as an IP address, and never receive child names, content, or profile data.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version and revise the “Last updated” date. For material changes, we will provide additional notice (e.g., via the parent portal).
14. Contact us
If you have questions, concerns, or requests about this Privacy Policy or our data practices, please contact our privacy team at contact@storygliders.com. You may also contact the relevant regulator in your region — in Canada, the Office of the Privacy Commissioner of Canada (or the Commission d’accès à l’information du Québec for Quebec residents); in Australia, the Office of the Australian Information Commissioner (OAIC); and in California, the California Privacy Protection Agency.
Story Gliders Inc., 430 Wickstead Avenue, North Bay, Ontario P1A 3H1, Canada. Telephone: +1 647-269-3625.
Privacy Officer: questions or complaints about how we handle personal information may be directed to our Privacy Officer at contact@storygliders.com.