Privacy Policy
Last updated: January 1, 2025
1. Our Commitment to Children's Privacy
StoryKind is designed for children and families. Protecting children's privacy is our highest priority. We comply with the Children's Online Privacy Protection Act (COPPA) and never collect more information than necessary to provide our service.
2. About Us (Data Controller)
Firmify EOOD ("Firmify"), a company registered in Bulgaria (UIC 208745197), operates the StoryKind service at storykind.tech. StoryKind is a product brand of Firmify.
For privacy-related questions or to exercise your data rights, email [email protected] or write to us at: Sofia, Maestro Kanev 66B, Bulgaria.
3. Information We Collect
From Parents
- Email address (for account creation and communication)
- Payment information (processed securely by Stripe — we never store full card details)
- Account preferences and settings
From Children
- First name only — never last name
- Age (3-10)
- Avatar choices (hair style, colour, skin tone, etc.) — see §3a below
- Story interests (e.g., "dinosaurs", "space")
- Reading level and reading history
- Quiz answers and vocabulary progress
We NEVER collect: last names, physical addresses, school names, precise location data, photographs, contact information, or any other personally identifiable information about children.
3a. Avatar and Face Embedding
When a parent configures a child's avatar (hair colour, skin tone, eye colour, hair style), these categorical choices are used to render a synthetic cartoon face image on our servers. That image is then encoded into a 512-dimensional numerical vector ("face embedding"), which is stored in our database to keep the child's illustrated character looking consistent across different stories.
No photograph of the child is taken or uploaded at any stage. The vector is derived entirely from categorical style choices; it does not enable facial recognition or identification of any person. The face embedding is deleted automatically when the child's profile is deleted.
4. Legal Bases for Processing (GDPR)
We process personal data on the following legal bases under the General Data Protection Regulation (GDPR):
- Contractual necessity (Art. 6(1)(b)) — To provide the StoryKind service: account creation, story generation, progress tracking, and billing.
- Consent (Art. 6(1)(a)) — Parental consent for creating child profiles, voice processing in Duet mode, and sharing reading data with teachers (class enrollment).
- Legitimate interests (Art. 6(1)(f)) — Service security, fraud prevention, and improvement of story generation quality (aggregated, not per-child).
5. Parental Consent
Before a child profile can be created, a parent must verify their identity through a simple math challenge (parental gate) and provide explicit consent. This consent is recorded with a timestamp and IP address, and can be revoked at any time by deleting the child profile.
We track three separate consent events:
- Account consent — required before any child profile is created
- Voice consent — required before enabling Duet (read-aloud) mode
- Teacher-share consent — required before a child's reading data is shared with a teacher
We do not allow children to create accounts directly. All accounts are parent or teacher accounts; child profiles are created and controlled by the adult.
6. How We Use Information
- Generate personalised stories based on the child's interests and reading level
- Track reading progress to adapt Lexile levels
- Provide comprehension analytics to parents and teachers
- Improve our story generation quality (using aggregated, anonymised patterns — never individual child data)
We never sell, rent, or share personal information with third parties for marketing.
7. Data Storage, Security, and Retention
All data is stored on encrypted servers. We use industry-standard security practices including encryption at rest and in transit.
Retention schedule
| Data category | Retention period | Deleted when |
|---|---|---|
| Parent account, email, preferences | While account is active | DELETE /v1/me (manual) |
| Child profile, stories, quiz results, Lexile history | While child profile exists | Child profile deleted |
| Face embedding vector | While child profile exists | Child profile deleted (automatic) |
| Parental consent records | While parent account exists | Account deleted |
| Cloudflare R2 media (illustrations, audio) | While story exists | Story / child deleted (best-effort) |
| Duet mode voice audio | Ephemeral — seconds | Never stored beyond processing |
| Inactive accounts | No auto-delete — families pause and return | Manual deletion only |
If you cancel your subscription, your account and data remain until you delete them. To request account deletion, visit Dashboard → Settings → Account, or email [email protected].
Voice recordings from Duet mode are processed immediately to generate a fluency score and are not stored on our servers beyond the duration of processing (typically a few seconds). We do not build voice profiles or retrain models on your child's voice recordings.
8. Your Rights
Parents and account holders have the right to:
- Access — View all data associated with your child's profile in the Dashboard
- Portability — Download a complete export of all child data in JSON format (stories, quizzes, reading events, and associated media URLs)
- Erasure — Delete your child's account and all associated data permanently, including stories, illustrations, narrations, and analytics
- Rectification — Update your child's profile information at any time
- Restriction and objection — Limit or object to certain processing by contacting us
- Revoke consent — Revoke parental consent at any time by deleting the child profile
- Complaint — Lodge a complaint with your local data protection supervisory authority (e.g., the Commission for Personal Data Protection (KZLD) in Bulgaria, or your local EU authority)
To exercise these rights, visit your Parent Dashboard or contact us at [email protected]. We aim to respond to all data rights requests within 30 days, as required by GDPR.
9. Third-Party Services (Subprocessors)
We use the following services that process limited data to deliver StoryKind. Child first name, age, interests, and story text are sent to AI-generation providers solely for generation purposes and are not retained or used by those providers to train their models.
| Provider | Purpose | Data processed | Region | Transfer safeguards | Privacy / DPA |
|---|---|---|---|---|---|
| Clerk | Authentication | Email, name, social login token | US | SCC | https://clerk.com/legal/dpa |
| Stripe | Payment processing | Billing info, email (no child data) | US | SCC | https://stripe.com/legal/dpa |
| Cloudflare R2 | Media storage | Story illustrations, narration audio | US/EU | SCC | https://www.cloudflare.com/cloudflare-customer-dpa/ |
| OpenAI | Story text generation | Child first name, age, interests, story prompt | US | SCC | https://openai.com/policies/data-processing-addendum |
| Anthropic (Claude) | Story text generation (fallback) | Child first name, age, interests, story prompt | US | SCC | https://www.anthropic.com/legal/privacy |
| ElevenLabs | Text-to-speech narration | Story text (no child identifiers) | US | SCC | https://elevenlabs.io/privacy |
| Replicate | Illustration generation | Story context, art style, face embedding | US | SCC | https://replicate.com/privacy |
| Deepgram | Speech-to-text (Duet mode) | Voice audio (processed ephemerally) | US | SCC | https://deepgram.com/legal/dpa |
StoryKind does not use child data to train AI models, and we contractually require our subprocessors to process data only for the purpose of delivering our service.
International transfers: Subprocessors are primarily based in the United States. Data transfers from the EU are governed by Standard Contractual Clauses (SCCs) or equivalent safeguards under GDPR. Our lead supervisory authority is the Commission for Personal Data Protection (KZLD) in Bulgaria.
10. Teacher and Classroom Data
When you link your child to a teacher's classroom, the teacher can see your child's first name, reading progress, quiz results, and Lexile level. No other personal data is shared. This sharing is enabled only through explicit parent consent (you share the child's enrollment code with the teacher). You can remove your child from a classroom at any time from the Dashboard.
Roles: For family accounts, the parent is the data controller and StoryKind is the data processor. For school or district deployments operating under a Data Processing Agreement (DPA), the school district is the data controller and StoryKind is the data processor.
StoryKind is not a school official record system and does not claim blanket FERPA compliance on its own. Schools and districts requiring a DPA should contact [email protected].
11. Cookies and Analytics
We use the following types of cookies and analytics services:
Essential cookies: Authentication and session management cookies (provided by Clerk) are required for the service to function. These cannot be disabled.
Analytics cookies: With your consent, we use analytics services to understand how visitors interact with our marketing website (storykind.tech) and improve our product:
- Google Analytics 4 (GA4) — sets
_gaand_ga_*cookies to measure page views and marketing conversion events on public pages (landing, pricing, blog). Data is anonymised; we do not send personally identifiable information. Retained for up to 14 months. You can opt out at: https://tools.google.com/dlpage/gaoptout - PostHog — sets a session cookie (
ph_*) for product analytics (feature usage, onboarding, reading behaviour metrics). PostHog runs only on authenticated product pages. No child names, story content, or personally identifiable information is sent. Retained for up to 12 months. You can opt out at: https://posthog.com/docs/privacy
Analytics cookies are only set after you accept them via our cookie banner. You can withdraw consent at any time by clearing your browser cookies and reloading the site.
Error monitoring: If Sentry error monitoring is enabled, a minimal technical cookie may be set for crash reporting; no personal data is collected through this cookie.
We do not use advertising cookies, retargeting pixels, or third-party ad networks on any part of storykind.tech.
12. Children's Data and Automated Decisions
StoryKind does not make automated decisions with legal or similarly significant effects on children. Lexile level adaptation and story personalisation are editorial calibrations based on reading performance, not profiling or automated decision-making under Article 22 of the GDPR.
13. Contact Us
For privacy-related questions or to exercise your data rights:
Email: [email protected]
Postal address: Sofia, Maestro Kanev 66B, Bulgaria
Firmify EOOD, operating StoryKind — a Firmify Company
Last updated: May 2026