Privacy Policy

Story For Them ("we", "us") is run by Samy, a solo developer based in France. The service is accessible at www.storyforthem.com. For privacy questions or to exercise your rights, contact hello@storyforthem.com. The full data controller identity is on the Legal notice page.

• Account: email address and, if you set one, a salted hash of your password. We never see or store the plaintext password.
• Story brief:the child's first name, age, and the short description you provide on the create page. Optionally, a photo of the child (used to inform the illustration style) and an audio sample if you record a narrator voice.
• Generated content: the illustrated story, audio narration, and PDF we produce on your behalf.
• Order data: when you check out, Stripe collects your billing details and shares the order email and payment status with us. We do not see or store full card numbers.
• Technical logs: IP address, country (from a Cloudflare header), and request timestamps, used for rate limiting and abuse prevention.
• Cookies: a single first-party session cookie (mft_session, httpOnly, 30 days) so you stay signed in. Stripe and Cloudflare set their own cookies during checkout and bot verification respectively.

• Performance of the contract (Art. 6(1)(b)): generating, delivering, and supporting the personalized book you ordered.
• Legitimate interests (Art. 6(1)(f)): preventing abuse, rate limiting, and securing the service.
• Legal obligation (Art. 6(1)(c)): retaining payment-related records for accounting and tax purposes.
• Consent (Art. 6(1)(a) and Art. 9(2)(a) for sensitive data such as voice samples and photos): you provide these voluntarily when you enter the brief or record a voice. You can withdraw consent at any time by contacting us, which will cause the corresponding data to be deleted.

The service is purchased and operated by adults. Children do not interact with the site. The personal data of a child (first name, age, optional photo) is provided by an adult buyer who confirms they have authority to do so — typically a parent or legal guardian. We do not knowingly collect data directly from children under 15.

We treat photos and voice recordings of identifiable individuals as sensitive data and process them only to generate the personalized illustration and narration you ordered. They are never used to train third-party AI models on a non-anonymous basis (see "Sub-processors" below).

We use the following service providers to operate the product. Each receives only the data needed for its function and is bound by its own data-processing terms.

• Railway (hosting and storage) — United States.
• Cloudflare (CDN, bot verification, request routing) — global edge.
• Supabase (rate-limit counters, hashed keys) — European Union.
• OpenAI(story text and illustration generation) — United States. We use OpenAI's API; per OpenAI's API terms, inputs and outputs are not used to train their models.
• ElevenLabs(voice cloning and text-to-speech) — United States. Voice samples you submit are sent to ElevenLabs solely to generate the narration for your book.
• Stripe(payment processing) — United States. Stripe is the controller of cardholder data.
• Resend(transactional email such as magic-link sign-in) — United States.
• Print fulfillment partner (when you order a printed book): name and shipping address are shared with the partner for shipment.

International transfers to providers outside the EEA rely on Standard Contractual Clauses or equivalent safeguards.

• Account, briefs, generated books, and voice samples: kept while your account is active and for up to 12 months after your last activity, unless you ask us to delete them sooner.
• Payment records: retained for 10 years to comply with French accounting and tax law.
• Technical logs (IP, rate-limit counters): rolling window of up to 30 days.

Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to lodge a complaint with the CNIL (French data protection authority, cnil.fr). To exercise any of these rights, email hello@storyforthem.com. We will respond within one month.

Sessions are signed and httpOnly. Passwords are stored as scrypt hashes. Files are kept on a private volume. Access to production credentials is restricted. No system is perfectly secure; if you discover a vulnerability, please email hello@storyforthem.com.

We may update this policy as the product evolves. Material changes will be communicated by email or through a notice on the site. The "Last updated" date at the top reflects the current version.