Privacy Policy

1. Introduction

Welcome to Storybox! This Privacy Policy explains how Sleektech LLC("Company," "we," "our," or "us") collects, uses, discloses, and protects information when you or your child uses our mobile application, Storybox (the "App"), and our website at mystorybox.co (the "Website").

Storybox is an interactive storytelling application designed for children ages 3-10. We are committed to protecting the privacy of all our users, especially children. This Privacy Policy is designed to help parents and guardians understand our data practices.

By using the App or Website, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not use the App or Website.

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

• Parent's email address:Provided via Apple or Google Sign-In; used for account management and parental consent verification
• Authentication via Apple or Google Sign-In:We receive only your email address and a unique identifier from these services; we do not receive or store passwords
• Profile preferences:Reading level and theme color are synced to your account for cross-device consistency. These are not used for data collection, marketing, or profiling
• Support identifier:A unique support ID (e.g., SBOX-XXXX-XXXX) is automatically generated for your account. This is used only for customer support inquiries and is not linked to any external service

3.2 App Usage Information

We collect limited information to operate the service:

• Story credits balance:Number of remaining and used story credits, stored in your account
• Purchase transaction records:Credit pack purchases processed through the Apple App Store and routed through RevenueCat for receipt validation and credit fulfillment
• Story generation records:When a story is generated, we temporarily store the story topic, reading level, generated story content, and a random device identifier in our database. This is used solely to deliver the completed story, recover interrupted generations (e.g., if the app closes during creation), and prevent duplicate charges across devices. These records expire automatically after 24 hours
• Cloud backup:Story text and illustrations are automatically backed up to secure cloud storage (Cloudflare R2 in the United States) for cross-device access and to protect against accidental deletion
• Push notifications:If you allow notifications, we store a device token to send you a notification when a story is ready. The notification is generic (for example, “A new adventure is waiting for you.”) and contains no story content. Device tokens are stored in our database and sent to Apple Push Notification service (APNs) to deliver notifications. We may also send a local reminder notification if the app has not been used in 7 days. This reminder is scheduled entirely on your device and does not require server communication
• Live Activity token:When Live Activities are enabled and a story is generating, we store a per-generation Apple push token so the Lock Screen / Dynamic Island progress card keeps advancing while the app is backgrounded or closed. We attempt to delete the token when the generation completes or fails; if that delete fails transiently, the token is removed when the underlying generation record itself is deleted (generation records expire after 24 hours — see Section 9)
• Service quality metrics:We record one-time timestamps when your child reads their first story and favorites their first story, plus a count of total stories generated. These are used only to understand whether the app is working well for new users and are not used for profiling, advertising, or behavioral tracking
• Setup measurement: To understand where new users complete or abandon account setup, we record screen-transition timestamps during the setup flow together with a short-lived random identifier generated on your device. The identifier is cleared automatically when your child reaches the home screen, when you sign out, or when a different user signs in on the same device. It is not linked to your name, email, child profile, advertising, or behavioral tracking.

We do not use third-party analytics services, advertising SDKs, or behavioral tracking. We do not collect crash reports or technical diagnostics.

3.3 Additional Settings

Other preferences (such as dark mode) are stored locally on your device only and are not sent to our servers.

4. How We Use Information

We use the information we collect for the following purposes:

• Provide the Service: Create and manage your account, generate personalized stories, track story credits, and recover interrupted story generations
• Generate Stories: Process your child's spoken story prompts to create illustrated stories and back them up to cloud storage
• Verify Parental Consent: Send verification codes to the parent's email address
• Customer Support: Respond to inquiries and provide assistance
• Parental Controls: A parental PIN is stored on-device only (in the iOS Keychain) to restrict access to purchases and account management. Only the parent who set the PIN (or who can verify via email) can access these features
• Security: Protect against fraud, unauthorized access, and other security threats
• Legal Compliance: Comply with applicable laws and legal obligations

We do not use children's information for behavioral advertising, profiling, or any purpose not directly related to providing the storytelling service.

6. Story Content

Stories created in Storybox are your personal property. Here is how story data is handled:

• Story Generation: When your child creates a story, the story prompt is sent to our content generation services to create the story text and illustrations. Our primary service is Google Gemini (via Cloudflare Workers). If this service is temporarily unavailable, a backup service (OpenAI, via Cloudflare Workers) may be used to ensure reliable story creation. In both cases, only the story prompt is sent — no audio, personal data, or device identifiers are sent to these services. The prompt is also temporarily stored in our database for generation recovery (see Section 3.2).
• Cloud Backup: All stories are automatically backed up to secure cloud storage (Cloudflare R2) in the United States. This protects against accidental deletion, saves storage space on your device, and allows stories to be viewed on other devices signed into the same account. We never read, analyze, or access your story content. Cloud storage exists solely for backup and cross-device access.
• Local Storage: Stories are automatically kept on your device for offline reading, in addition to the cloud backup.
• Deletion: Deleting a story removes it from both your device and cloud storage. Deleting your account removes all cloud-stored content.
• Sharing (parent-initiated): A parent (authenticated via the app's 4-digit PIN) can generate a time-limited public link to one of their stories. The link expires after 7 days. Anyone the parent shares the link with — and link-preview services (e.g. iMessage, Slack, social platforms) that fetch the link when it is pasted — can access the shared story, its illustrations, and its preview assets until the link expires.
• No Sharing: We do not sell, rent, or disclose your story content to any third party for their own purposes. Story data is processed only by our infrastructure providers (as described in Section 7) acting on our behalf.

7. Third-Party Services

We use the following third-party services to operate Storybox. We share only the minimum information necessary for each service to function:

7.1 Supabase (Database & Authentication)

We use Supabase to securely store account information (email address, credit balance, reading level, theme color, support identifier, device tokens for alert push notifications, Live Activity push tokens for in-flight story generations, story-sharing tokens for parent-initiated share links, and service quality timestamps) and temporary story generation records. Supabase stores your data in the United States. Supabase encrypts data at rest and in transit. Supabase processes data in accordance with their Privacy Policy.

7.2 Content Generation Services

We use the following services to generate story text and illustrations. In all cases, only the story prompt (a short description of the story topic) and reading level are sent. No audio, device identifiers, or other personal information is sent to these services.

Primary — Google Gemini (via Cloudflare Workers): Our primary content generation service. Story prompts are processed by our Cloudflare Worker, which sends them to Google Gemini for text and image generation. Google processes data in accordance with their Gemini API Terms of Service and Google Privacy Policy.

Backup — OpenAI (via Cloudflare Workers): If our primary service is temporarily unavailable, we use OpenAI as a backup to ensure stories can still be created without interruption. The same limited data is sent — only the story prompt and reading level. OpenAI processes data in accordance with their Privacy Policy. Both services are routed through Cloudflare Workers (see Section 7.6).

7.3 Apple and Google Sign-In

We offer sign-in through Apple or Google. We receive only your email address and a unique identifier from these services. We do not receive your password or other account details.

7.4 Resend (Email Service)

We use Resend to deliver transactional emails, including parental consent verification, PIN reset codes, account deletion verification, and account deletion confirmation. When you use the contact form on our website, your name, email, and message are also sent through Resend. We temporarily process your IP address for contact form rate limiting; this information is not stored permanently. Only the information necessary for each email is shared with this service. Resend processes data in accordance with their Privacy Policy.

7.5 Apple Speech Recognition

Storybox uses Apple's Speech Recognition service configured for on-device processing only. Audio is never sent to Apple's servers. On-device speech recognition is subject to Apple's Privacy Policy.

7.6 Cloudflare (Website, Cloud Storage & API Routing)

We use Cloudflare to host our website at mystorybox.co, to securely store cloud backups of your stories, and to route story generation requests to our content generation services (Google Gemini and OpenAI). Cloudflare Workers process authenticated API requests for story generation, rate limiting, and cloud storage. Cloudflare R2 stores story text and illustrations in the United States. When you visit our website, Cloudflare may process visitor IP addresses, browser type, and request metadata as part of content delivery. Cloudflare also collects operational logs from our backend services for performance monitoring and debugging, in accordance with their data retention settings. Cloudflare acts as a data processor on our behalf; we remain the data controller. Cloudflare processes data in accordance with their Privacy Policy.

7.7 Apple Push Notification Service (APNs)

If you enable notifications, Storybox uses Apple's Push Notification service (APNs) on two paths:

• Alert push (story ready): When a story finishes generating, we send a single generic alert push. The payload carries an internal story identifier (used to open the right story when you tap the notification) but no story title, prompt text, or other story content.
• Live Activity push (generation progress): While a story is generating, we send progress updates to the Lock Screen / Dynamic Island Live Activity (if enabled). The payload carries only progress data (phase, image count) and, on completion, an internal story identifier used to deep-link you into the finished story when you tap the card. No story title, prompt text, or child-name content is ever included in the Live Activity payload.

Both paths use APNs, which is subject to Apple's Privacy Policy.

7.8 Apple App Store (Payments)

Credit pack purchases are processed by Apple through the App Store and routed through the RevenueCat SDK, which we use for receipt validation and webhook-driven credit fulfillment. Apple processes payment card data; we receive only transaction identifiers (via Apple + RevenueCat) that we use to credit your account. We do not receive or store payment card details or billing information. Apple processes payment data in accordance with Apple's Privacy Policy. RevenueCat processes subprocessor data under their Privacy Policy.

7.9 RevenueCat (Purchase Receipt Validation)

We use RevenueCat as the payments SDK intermediary for Apple in-app purchases. RevenueCat receives the Apple transaction identifier and an internal application user identifier (derived from your Storybox account) and returns purchase metadata that our server uses to grant credits to your account. RevenueCat does not receive payment card data. RevenueCat processes data under their Privacy Policy.

8. Data Storage and Security

We take the security of your data seriously and implement appropriate measures:

• Encryption in Transit: All data transmitted between the App and our servers is encrypted using TLS
• Server-Side Encryption: Account data stored in Supabase is encrypted at rest by Supabase's infrastructure
• Authentication Tokens: Stored securely in the device Keychain, protected by the operating system
• Cloud Storage: Stories are automatically backed up to Cloudflare R2 in the United States, encrypted in transit (TLS), and accessible only to the authenticated account owner via cryptographically verified requests
• Local Storage: Stories are also kept on your device for offline reading, protected by the device's built-in security
• Access Controls: Server-side data is protected by row-level security policies that restrict access to only the authenticated account owner
• OAuth-Only Authentication: We use Apple and Google Sign-In exclusively; we do not store passwords

We maintain a written children's data security program that describes our security measures, access controls, incident response procedures, and vendor security requirements. This program is reviewed annually.

While we implement robust security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your information to the best of our ability.

9. Data Retention

We retain personal information only as long as necessary to provide our services and fulfill the purposes described in this Privacy Policy. Specific retention periods are as follows:

When you request account deletion, we will delete your personal information within 30 days, except where we are required to retain certain information for legal or legitimate business purposes (such as purchase records).

10. Third-Party Disclosure

We share limited data with the third-party services listed in Section 7 solely to operate the App. Specifically:

• We do not sell children's personal information
• We do not share children's personal information for marketing, advertising, or any unrelated commercial purpose
• We do not use third-party advertising SDKs or analytics services
• All third-party data sharing is limited to what is necessary to provide the storytelling service

Separate Consent for Third-Party Sharing: Under COPPA, parents may consent to our collection and use of a child's information without consenting to the disclosure of that information to third parties. If you wish to allow us to collect your child's information but restrict third-party disclosure, please contact us at support@mystorybox.co. Please note that restricting third-party disclosure may limit certain features (such as personalized story generation, which requires sending data to our content generation services).

11. Children's Privacy Rights

In accordance with COPPA and other applicable laws, we provide the following protections for children's personal information:

• Children are not required to provide more information than necessary to use the App
• We do not condition participation on disclosure of unnecessary information
• We do not share children's personal information with third parties except as described in this policy
• We provide parents the ability to review and delete their child's information
• We retain children's data only for as long as necessary (see Section 9)

13. International Users (GDPR Notice)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Legal Basis for Processing

We process personal data based on:

• Contract: Processing necessary to provide the service you requested
• Consent: Where you have given explicit consent (which can be withdrawn)
• Legitimate Interests: For security, fraud prevention, and service improvement

Your GDPR Rights

• Right of Access: Obtain confirmation of data processing and access to your data
• Right to Rectification: Correct inaccurate personal data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Right to Restriction: Restrict processing of your personal data
• Right to Portability: Request your data in a portable format by contacting support@mystorybox.co; we will provide your account data and cloud-stored stories within 30 days
• Right to Object: Object to processing based on legitimate interests
• Right to Complain: Lodge a complaint with your local data protection authority

Children's Data (GDPR)

Under GDPR, parental consent is required for processing personal data of children under 16 years of age (or lower age as set by individual EU member states, with a minimum of 13). We obtain verifiable parental consent before processing children's personal data.

International Data Transfers

Your data is processed and stored in the United States. If you are located outside the United States, including in the EEA, UK, or Switzerland, your personal data is transferred to the US when you use our services. The following service providers process data in the United States on our behalf:

• Supabase: Account data and authentication (United States)
• Cloudflare: Website hosting, cloud storage, and API processing (global edge network, storage in United States)
• Google: Story and illustration generation via Gemini API
• OpenAI: Backup story and illustration generation
• Resend: Transactional email delivery (United States)

Where required by applicable law, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for your data. You may contact us at support@mystorybox.co to request information about the specific safeguards in place for international transfers.

14. California Residents (CCPA Notice)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Your CCPA Rights

• Right to Know: Request disclosure of personal information collected, used, and disclosed
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt-out of the sale of personal information
• Right to Non-Discrimination: Not be discriminated against for exercising your rights

We Do Not Sell Personal Information

We do not sell personal information of any user, including children. We have not sold personal information in the preceding 12 months.

Children Under 16

Under CCPA, we must obtain opt-in consent before selling personal information of consumers under 16. Since we do not sell any personal information, this provision does not apply. However, we additionally require parental consent for children under 13 in compliance with COPPA.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date and provide additional notice as appropriate, such as a prominent notice in the App and, for changes that materially affect how children's personal information is collected, used, disclosed, or retained, email where we have a parent or guardian email address on file. If required by law, we will obtain new parental consent before the change takes effect.