Privacy Policy

Effective date: 18 April 2026

Storyora ("we", "us", or "our") is an AI-powered web application that lets parents create personalised photo storybooks for their children. Because we process data about children, we take privacy seriously and comply with the General Data Protection Regulation (GDPR) and the Children's Online Privacy Protection Act (COPPA). This policy explains what data we collect, why we collect it, how long we keep it, and the rights you have over it.

1. Who We Are

Storyora is operated by Storyora. If you have any questions about this policy or how we handle your data, please contact us at support@storyora.ai.

2. Data We Collect

We collect only the data needed to deliver the service. Here is a summary of each category:

Category | Data Points | Legal Basis | Retention
Account & Profile | Email address, full name, password hash, profile photo, account creation date, last login date, user role | Legitimate interest + Consent | Duration of account, then purged 30 days after account deletion
Child Profile | Child's first name, age, gender (optional), favourite things | Parental consent (COPPA) | Until story or account deletion, then 30-day grace period
Photos & Media | Photos you upload of your child, stored in a private encrypted bucket | Consent + contract performance | Until you delete the story or your account, then purged within the 30-day grace period
Story Content | AI-generated story text, edits you make, template used, AI model version, creation timestamps, read count | Legitimate interest (contract performance) | Until story or account deletion, then 30-day grace period
Story Edit History | Original AI text, your replacement text, page number, edit timestamp | Legitimate interest (audit trail) | Until story deletion or 30-day grace period
Activity & Usage Logs | Login timestamps and IP address, story creation, view and download events | Legitimate interest (security & operations) | 90 days
Communications | Emails sent (verification, password reset, account notifications, story-ready alerts), communication preferences | Legitimate interest + Consent | 1 year
Payments & Billing | Order status, payment method type, last 4 digits of card, billing history (no full card numbers stored) | Legal obligation + Contract performance | 7 years (tax & legal compliance)
Consent Records | Privacy policy version accepted, parental consent timestamp and method | Legal obligation (GDPR Art. 7, COPPA) | Indefinitely
Content Moderation Audit | Moderation flags, flag reasons, admin decisions, appeal records | Legitimate interest (safety & legal compliance) | 2 years
Account Deletion Audit | Deletion request timestamp, initiator, soft-delete date, hard-delete date | Legal obligation (GDPR Art. 17) | Indefinitely

3. How We Use Your Data

  • Authenticate you and manage your account securely.
  • Generate personalised, illustrated storybooks for your child.
  • Serve your stored stories through the digital library and story reader.
  • Generate, regenerate, and export story PDFs.
  • Process payments for printed book orders.
  • Send transactional emails (story ready, password reset, account verification).
  • Send marketing emails only if you have opted in.
  • Moderate content to keep the platform safe for children.
  • Investigate security incidents and improve service reliability.
  • Comply with applicable law and protect our legal interests.

We never sell your data or your child's data to third parties.

4. Children's Privacy & Parental Consent

Storyora is a service for parents and guardians. Children do not register accounts — only parents do. When you create a child profile and upload photos of your child, you are acting as the parent or legal guardian and giving explicit consent under COPPA for us to process that child's information solely to create personalised stories.

  • We do not knowingly allow children under 13 to create their own accounts.
  • Child profiles are linked to your parent account and are visible only to you and to our administrators (for moderation purposes).
  • You can delete a child profile and all associated stories at any time from your account settings.
  • All photos uploaded for a child are stored in a private, encrypted S3 bucket and are never made public.

5. How We Handle Photos

  • Photos are stored in a private encrypted AWS S3 bucket and are never publicly accessible.
  • Access is served exclusively via short-lived CloudFront signed URLs that expire automatically.
  • Photos are used only to generate your personalised storybook illustrations using face-swap AI technology.
  • When you delete a story, the associated photos are immediately deleted from storage.
  • When you delete your account, all photos are permanently deleted from storage after the 30-day grace period ends.
  • We do not use your photos to train AI models.

6. Third-Party Services

We work with the following service providers. Each acts as a data processor under a data processing agreement or equivalent terms:

Service | Purpose | Region
Supabase (PostgreSQL) | Hosted database | AWS us-east-1
AWS S3 + CloudFront | Private media storage and CDN for signed URLs | AWS ap-south-1
Vercel Blob | PDF export storage | Global CDN
Google Generative AI (Gemini / Imagen 3) | Story illustration generation and face-swap personalisation | Google Cloud
OpenAI | Content moderation (Moderation API only) | US
Google OAuth / Facebook OAuth / Apple Sign In | Optional social login | Global
Cashfree | Payment processing (printed book orders) | India
Resend | Transactional email delivery | US
Sentry | Error monitoring and exception tracking | US
Inngest | Background job queue (story generation, PDF jobs) | US
PiAPI | Legacy face-swap support | Global

We do not share your personal data with any other third parties except as required by law.

7. Data Security

  • Passwords are hashed with bcrypt and never stored in plain text.
  • All data in transit is protected by TLS/HTTPS.
  • Photos and PDFs are stored in private S3 buckets with no public access policies.
  • Short-lived signed URLs are used whenever media is served to browsers.
  • Authentication tokens and password-reset tokens are time-limited and single-use.
  • We monitor for errors and security incidents using Sentry. We configure Sentry to avoid sending sensitive personal data in error payloads.

8. Your Rights

Depending on where you are located, you may have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — Request a copy of all data we hold about you. You can do this from your Privacy Settings.
  • Right to data portability (Art. 20 GDPR) — Download your data in JSON or CSV format from your Privacy Settings.
  • Right to erasure (Art. 17 GDPR) — Delete your account and all associated data. We permanently purge data after a 30-day grace period, giving you time to cancel if you change your mind.
  • Right to rectification (Art. 16 GDPR) — Update your name or email address from your account settings.
  • Right to restrict processing — Contact us and we will suspend processing while we investigate.
  • Right to withdraw consent — You can unsubscribe from marketing emails at any time from your Privacy Settings. Withdrawing consent for data collection for core features will require account deletion.
  • COPPA parental rights — As the parent or guardian whose consent governs child profiles, you can review, edit, or delete all child profiles and associated data at any time.

To exercise any right not accessible via the app, email us at support@storyora.ai. We will respond within 30 days.

9. Data Retention Summary

  • Account and child profile data: until account deletion + 30-day grace period.
  • Photos and stories: until deleted by you, or with the account after the grace period.
  • Activity and security logs: 90 days.
  • Communication history: 1 year.
  • Payment and billing records: 7 years (legal obligation).
  • Consent and deletion audit records: indefinitely (legal obligation).

10. Cookies & Local Storage

Storyora uses a session cookie set by NextAuth.js to keep you logged in across page loads. This cookie is strictly necessary for the service to function and does not require consent under ePrivacy rules. We do not set advertising or tracking cookies.

11. International Data Transfers

Storyora is designed and built in India. Some of our third-party processors — including AWS, Google Cloud, OpenAI, Sentry, and Resend — are based in the United States. Where personal data is transferred outside the European Economic Area, we rely on the Standard Contractual Clauses approved by the European Commission, or equivalent transfer mechanisms provided by the processor.

12. Changes to This Policy

We may update this policy as the service evolves. When we make material changes, we will update the effective date at the top of this page and, where required by law, notify you by email. We encourage you to review this page periodically. Continued use of Storyora after an update constitutes acceptance of the revised policy.

13. Contact Us

If you have questions, concerns, or wish to exercise your data rights, please contact us at: support@storyora.ai.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.