Privacy Policy

Last updated April 24, 2026

The summaries in the “In simple terms” boxes are provided to help you understand our privacy practices. They are not legal advice and are not part of the policy.

01

Introduction

This Privacy Policy explains what information Storyfaire LLC (“we,” “us,” “our”) collects, how we use it, and your rights regarding your data. By using Storyfaire (“the Service”), you agree to the practices described here.

Age Requirement. The Service is intended for users aged 13 and older. We do not knowingly collect personal information directly from children under 13. If we learn that we have collected data directly from a child under 13, we will delete the account and associated data promptly.

Information About Children. Adult account holders may upload photos and other information about children, including children under 13, for the purpose of generating personalized storybooks. Section 5 of this Policy explains how we handle that information and the rights of parents and legal guardians.

02

What We Collect

Information you provide:

  • Account information: name, email address, password
  • Profile information: display name, avatar
  • Content you create: stories, characters, story text, custom prompts
  • Photos and images you upload, including photos of yourself and, with proper consent, photos of others (see our Terms of Service, Section 4)
  • Information about subjects of stories: names, ages, relationships, and other details you provide about people featured in your stories
  • Payment information, processed by our payment provider. We do not store full card details.
  • Communications with us: support emails, feedback, survey responses

Information collected automatically:

  • Device and browser information (type, operating system, screen size)
  • Usage data (pages visited, features used, session duration)
  • IP address and approximate location derived from it
  • Cookies and similar technologies (see Section 8)

Information derived through processing:

  • Biometric Information: facial geometry and similar identifiers derived from uploaded photos for the purpose of generating illustrated characters (see Section 4)
  • Content moderation signals: flags generated by automated systems analyzing inputs and outputs for safety

Information from third parties:

  • If you sign in with Google, we receive your name, email, and profile image from Google OAuth.

Sensitive Categories. Under certain laws (including California’s CPRA and the GDPR), some of the information above is treated as “sensitive personal information” or “special category data,” including biometric information, account credentials, and precise geolocation if applicable. We process such information only for the purposes described in this Policy.

03

How We Use Your Data

We use your information to:

  • Provide and operate the Service (account management, content generation, payment processing)
  • Process your inputs through third-party AI providers to generate content
  • Maintain safety and enforce our Terms of Service, including automated and human content moderation
  • Communicate with you (account notifications, security alerts, product updates)
  • Analyze anonymized, aggregated usage patterns to improve the Service
  • Detect and prevent fraud, abuse, and violations of our Terms
  • Comply with legal obligations

Legal Bases (for users in the EEA, UK, and Switzerland): We rely on the following legal bases under the GDPR and equivalent laws:

  • Performance of a contract, to provide the Service you’ve signed up for
  • Consent, for processing biometric information, for marketing communications you opt into, and for cookies beyond those strictly necessary
  • Legitimate interests, for security, fraud prevention, and improving the Service, balanced against your rights
  • Legal obligation, to comply with applicable law and law-enforcement requests

You may withdraw consent at any time without affecting the lawfulness of prior processing.

We do not:

  • Sell your personal information to third parties
  • Share your personal information for cross-context behavioral advertising
  • Use your content or photos to train AI models
  • Use your data for targeted advertising (if we introduce advertising in the future, we will update this Policy and notify you)

04

Biometric Information

What It Is. To generate personalized illustrated characters, our AI providers process facial geometry and other biometric identifiers derived from photos you upload. We refer to this collectively as “Biometric Information.”

Purpose. Biometric Information is used solely to generate the illustrated content you request. We do not use it for identification, surveillance, behavioral analysis, advertising, or training AI models.

Consent. Before processing Biometric Information, we obtain your express consent through the upload acknowledgment described in our Terms of Service. For images depicting any minor, your consent represents that you are the parent or legal guardian, or have obtained written consent from one.

Retention. We and our AI providers retain Biometric Information only as long as reasonably necessary to generate the content you request. In no event do we retain Biometric Information for longer than three (3) years from the date of your last interaction with the Service. Upon account deletion or upon a verified deletion request, we initiate deletion of associated Biometric Information and instruct our AI providers to do the same.

No Sale or Profit. We do not sell, lease, trade, or otherwise profit from your Biometric Information.

Disclosure. We disclose Biometric Information only to:

  • The AI providers strictly necessary to generate your content
  • Law enforcement or other parties when required by law
  • Other parties only with your separate written consent

State-Specific Rights. Residents of Illinois (under BIPA), Texas (under CUBI), Washington, and other states with biometric-privacy laws have specific rights regarding Biometric Information, including the right to know, access, and request deletion. To exercise these rights, contact us at support@storyfaire.com. We will verify your identity before responding (see Section 9).

05

Children's Privacy

Direct Collection. We do not knowingly collect personal information directly from children under 13. Account holders must be 13 or older.

Information About Children Collected From Adults. Account holders frequently use the Service to create stories featuring children, including children under 13. This information, which may include a child’s name, age, photo, relationship to the account holder, and other details, is collected from the adult account holder, not from the child, and is processed under the adult’s direction.

Parental Responsibility. When you upload information about any child under 18, you represent that you are the child’s parent or legal guardian, or that you have obtained verifiable consent from one. You are responsible for determining what is appropriate to provide.

Parental Rights. A parent or legal guardian may, at any time:

  • Request access to information we hold about their child
  • Request correction of inaccurate information
  • Request deletion of all information about their child, including photos, story content, and any associated Biometric Information
  • Withdraw consent for further processing

To exercise these rights, email support@storyfaire.com with the subject line “Parental Rights Request.” We will verify the relationship and respond within 30 days. We may request reasonable proof that you are the parent or legal guardian.

COPPA Compliance. To the extent the Children’s Online Privacy Protection Act applies to information we process about children under 13, we comply with its requirements, including obtaining verifiable parental consent where required and providing parental access and deletion rights.

Enhanced Protection in EEA/UK. For children resident in the European Economic Area or United Kingdom, parental consent is required for the processing of personal data of children below the applicable age of digital consent (13–16, depending on country).

06

Who We Share Data With

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

We share data only with the following categories of third-party service providers, and only as necessary to operate the Service:

  • Cloud hosting and infrastructure providers, to store your account and content
  • AI content generation providers, to process your inputs (text and images, including Biometric Information) and return generated content
  • Payment processors, to handle Spark purchases (we do not store full payment details)
  • Analytics providers, to understand aggregated, anonymized usage patterns
  • Customer support tools, to respond to your inquiries
  • Email and communications providers, to send you account-related notices

These providers access your data only to perform services on our behalf and are bound by contractual privacy obligations consistent with this Policy. A current list of major sub-processors is available on request at support@storyfaire.com.

Legal Disclosures. We may disclose your information if required by law, legal process, or to protect the rights, safety, or property of Storyfaire, our users, or the public. Where legally permitted, we will notify you of such requests.

Platform Administrators. Storyfaire administrators may access user content for purposes of content moderation, safety enforcement, and customer support. Access is logged and limited to authorized personnel.

Business Transfers. If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you and provide choices regarding your information where required by law.

07

International Data Transfers

The Service is operated from the United States, and your information will be processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from those of your country.

Transfers from the EEA, UK, and Switzerland. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or the Swiss equivalent, as applicable. Where a destination country has been recognized as providing adequate protection, transfers may be made on that basis. Copies of the relevant safeguards are available on request.

Transfers from Other Jurisdictions. For users in Canada, Brazil, Australia, and other jurisdictions with data-export rules, we comply with applicable transfer requirements.

08

Cookies

Essential Cookies. We use cookies necessary to operate the Service, including authentication and session management. These cannot be disabled.

Analytics Cookies. We may use cookies and similar technologies to understand how the Service is used and to improve your experience. You can manage your cookie preferences through your browser settings or, where required by law, through our cookie consent banner.

No Advertising Cookies. We do not currently use advertising or cross-site tracking cookies. If this changes, we will update this Policy and obtain consent where required.

09

Your Rights

You have the right to:

  • Access your personal data through your account settings or by request
  • Correct inaccurate information
  • Delete your account and associated personal data through your account settings
  • Export your content from the Service in a portable format
  • Withdraw consent for optional processing at any time
  • Object to certain processing based on legitimate interests

State-Specific Rights (United States). Residents of states with comprehensive privacy laws, including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia, have rights that may include the right to know, access, correct, delete, port, opt out of sale or sharing, opt out of targeted advertising, opt out of profiling for significant decisions, and limit use of sensitive personal information.

  • California (CCPA/CPRA). You have the right to know what personal information we collect, correct inaccurate information, request deletion, opt out of sale or sharing, and limit the use and disclosure of sensitive personal information. We do not sell or share personal information for cross-context behavioral advertising.
  • State Biometric Privacy Laws. Residents of Illinois, Texas, Washington, and other states with biometric-specific laws have additional rights regarding Biometric Information (see Section 4).

European Rights (GDPR/UK GDPR). Residents of the EEA, UK, and Switzerland have rights including access, rectification, erasure, restriction of processing, data portability, and the right to object. You also have the right to lodge a complaint with your local data protection authority.

How to Exercise Your Rights. Email support@storyfaire.com describing your request. To protect your privacy, we may need to verify your identity, typically by confirming control of the email address on your account, or, for sensitive requests, by additional means. For parental rights requests on behalf of a child, see Section 5.

We will respond within 30 days (45 for complex requests under some laws). You will not be discriminated against for exercising your rights.

Authorized Agents. Where the law permits, you may designate an authorized agent to make a request on your behalf. We will require written authorization and may verify with you directly.

10

Data Security + Retention

Security. We implement industry-standard security measures to protect your data, including encryption in transit and at rest, secure authentication, role-based access controls, and regular security review. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

Breach Notification. If we experience a data breach affecting your personal information, we will notify you and applicable regulators within the timeframes required by law (for example, within 72 hours of discovery for GDPR-covered breaches).

Retention Periods. We retain different categories of information for different periods:

  • Account information: for the life of your account; deleted within 30 days of account deletion
  • Content you create: for the life of your account, unless you delete it sooner
  • Biometric Information: only as long as needed to generate content, and no longer than 3 years from your last interaction (see Section 4)
  • Payment records: for 7 years, as required by tax and accounting laws
  • Support communications: for up to 3 years after resolution
  • Logs and security records: typically 12 months
  • Anonymized, aggregated data: may be retained indefinitely as it cannot be used to identify you

We may retain information longer where required by law or for legitimate safety, fraud-prevention, or legal-defense purposes.

Content in Marketing Materials. Content shared through public features may persist in marketing materials as described in our Terms of Service.

11

Automated Decision-Making

We use automated systems for content moderation, including filters that may decline to generate content that appears to violate our Terms or applicable law. These systems may result in failed generations, content removal, or account flagging.

Your Rights. Where automated decision-making produces legal or similarly significant effects (such as account termination), you have the right to:

  • Be informed that an automated decision was made
  • Request human review of the decision
  • Contest the decision and provide additional context

To request human review, contact support@storyfaire.com within 30 days of the decision.

12

Changes + Contact

Changes. We may update this Privacy Policy from time to time. For material changes, particularly those affecting how we handle children’s information, biometric information, or your rights, we will provide advance notice via email or through the Service before the changes take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

Contact. Questions or concerns about your privacy? Reach us at support@storyfaire.com.

For users in the EEA or UK, you may also contact your local data protection authority.

© 2026 Storyfaire LLC
