Privacy Policy

Last updated: March 17, 2026

1. Introduction

MirrorTales ("we", "our", "us") is committed to protecting the privacy of our users and their children. This Privacy Policy explains how we collect, use, store, and protect personal information when you use our platform.

2. Information We Collect

We collect the following types of information:

  • Account information: Email address, display name, and authentication credentials.
  • Child profile data: Child's first name, age band, interests, reading preferences, and art style preferences.
  • Child photos: Uploaded temporarily for character sheet generation. Photos are processed by AI to extract visual features and are deleted after character sheet approval.
  • Reading activity: Stories read, reading duration, comprehension quiz responses, and streaks.
  • Payment information: Processed securely by Stripe. We never store credit card numbers.

3. How We Protect Children's Data

Children's privacy is our top priority:

  • Children do not have their own accounts. All data is managed by the parent.
  • Child photos are deleted after character sheet approval unless the parent opts to keep them.
  • AI-generated character sheets use stylized illustrations, never photorealistic images.
  • No child data is shared with third parties for advertising or marketing.
  • No child names, photos, or personal details are stored in application logs.
  • All child data is stored in encrypted databases with row-level security.

4. COPPA Compliance

MirrorTales complies with the Children's Online Privacy Protection Act (COPPA). We do not collect personal information directly from children under 13. All account creation and data management is performed by the parent or legal guardian.

5. GDPR & International Users

For users in the European Union and other jurisdictions with data protection laws, you have the right to access, correct, delete, or export your personal data at any time. Contact us at privacy@mirrortales.com to exercise these rights.

6. Data Retention & Deletion

Parents can delete their account and all associated data (including child profiles, stories, and reading history) at any time from the Settings page. Upon deletion, all data is permanently removed within 30 days.

7. Third-Party Services

We use the following third-party services to operate MirrorTales:

  • Supabase: Database and authentication (EU data center).
  • Stripe: Payment processing (PCI-DSS compliant).
  • Vercel: Website hosting.
  • Sentry: Error monitoring (PII scrubbed from all reports).
  • AI providers: Story and illustration generation. Child data sent to AI providers is limited to the minimum required and is not used to train their models.

8. Contact Us

For questions about this Privacy Policy or to exercise your data rights, contact us at privacy@mirrortales.com.