KidsStory
Legal

COPPA Compliance Statement

Children's Privacy Notice (COPPA Compliance Statement)

Effective date: [EFFECTIVE_DATE] Operator: YOU BABY STUDIO L.L.C, Office 214, Mohamed Sultan Matar Markhan Al Ketbi Building, Al Safa 1, Dubai, United Arab Emirates Primary contact for parents: [PRIVACY_EMAIL]

āš ļø LEGAL REVIEW REQUIRED by US attorney before publication. COPPA applies to foreign-based operators that direct their services to US children or knowingly collect personal information from US children (16 C.F.R. Ā§312.2; FTC International Enforcement Guidance). A UAE-incorporated operator that markets to US parents is in COPPA's extraterritorial scope ā€” the FTC has publicly asserted jurisdiction over foreign operators in cases such as Musical.ly / TikTok. COPPA is FTC-enforced and carries statutory penalties up to USD $51,744 per violation (as adjusted). The verifiable-parental-consent method finally selected MUST be signed off by counsel, because current UI (a single modal checkbox) is not by itself a COPPA-compliant VPC method for the upload of a child's photograph.

This notice explains how YOU BABY STUDIO L.L.C ā€” although incorporated in the United Arab Emirates ā€” complies with the Children's Online Privacy Protection Act of 1998 (15 U.S.C. Ā§6501 et seq.) and the FTC's Children's Online Privacy Protection Rule (16 C.F.R. Part 312, as updated) in respect of users in the United States. It is incorporated into the Privacy Policy by reference.

The fact that the controller is outside the United States does not relieve us of COPPA obligations; we accept the FTC's extraterritorial enforcement authority over foreign operators that direct services to US children or knowingly collect personal information from US children.

1. Who we are

YOU BABY STUDIO L.L.C is the "Operator" of the Service for COPPA purposes. We are a limited liability company registered in Dubai Mainland (Department of Economy and Tourism ā€” DET), United Arab Emirates (commercial licence 930633). We are reachable at:

  • COPPA contact email: [PRIVACY_EMAIL]
  • Postal address: YOU BABY STUDIO L.L.C, Office 214, Mohamed Sultan Matar Markhan Al Ketbi Building, Al Safa 1, Dubai, United Arab Emirates
  • Phone (optional): +971-58-571-8010

For ease of service of process in the United States we nominate [US_AGENT_FOR_SERVICE] at [US_AGENT_ADDRESS] (counsel to appoint, e.g. through a corporate-service provider such as CSC, InCorp or equivalent). An agent is not strictly required by COPPA but is recommended so that the FTC and state AGs have a domestic point of contact.

2. Nature of the Service

The Service generates personalised children's fairy tales (PDF and/or video) from inputs supplied by a parent: the child's first name, age, gender, and one to three photographs. Although the content produced by the Service is intended for children, the Service itself is operated by and for the parent (age 18+). Children do not have their own accounts, cannot log in, and cannot initiate transactions.

3. Information collected from / about a child

We collect only what is necessary to generate the requested story:

  • The child's first name.
  • The child's age (used to tune story vocabulary / length).
  • The child's gender (used to tune narrative pronouns and character design).
  • One to three photographs of the child, used only to produce the illustrated cartoon character.
  • Optional story preferences (topic, genre) that may reflect the child's interests.

We do not collect:

  • The child's surname, address, phone number, or persistent identifier.
  • Geolocation of the child.
  • Audio recordings of the child.
  • Any information directly from the child through the interface ā€” the parent is the sole input channel.

4. Uses of the child's information

The information is used only to:

  1. Generate the specific story the parent requested;
  2. Deliver the output PDF / video to the parent's account;
  3. Retain the output so the parent can re-download it while the account is active;
  4. Fulfil legal obligations (accounting records of the transaction).

We do not use a child's information to:

  • Train our AI models or those of our vendors (contractually prohibited).
  • Serve advertising of any kind to anyone.
  • Enable any in-app social feature that lets the child talk to other children or strangers ā€” there is none.

5. Disclosures of the child's information

The child's name, age, gender and photo are transmitted to the AI sub-processors listed in the Privacy Policy Ā§5 strictly to generate the requested output. Every sub-processor is contractually bound to:

  • Use the inputs only for the specific generation request;
  • Not retain the inputs after the response is delivered beyond technically necessary short-term caching;
  • Not use the inputs to train any model;
  • Implement reasonable security.

We do not disclose the child's information for any other purpose, and we do not condition participation in any activity on the child (or parent) disclosing more information than is reasonably necessary.

6. Verifiable Parental Consent (VPC)

Before any child information is uploaded, the Service obtains verifiable parental consent ("VPC") in accordance with 16 C.F.R. Ā§312.5.

[LEGAL REVIEW REQUIRED ā€” select and configure the VPC method]

The FTC rule lists several approved VPC methods. Below is the currently deployed method (M1) and the upgrade plan (M2), because a single on-screen checkbox is not by itself a sufficient VPC for collection of a child's photograph. Counsel must confirm which of M2 (or a combination) is appropriate for launch.

  • M1 (deployed) ā€” Signed acknowledgement in-app. The account holder confirms under penalty of perjury, via a dedicated modal immediately before the first child-photo upload, that they are (a) 18+ and (b) the parent or legal guardian of the child in the photo. The IP, user-agent, timestamp, account ID and policy version are logged. āœ… Acceptable as a baseline evidentiary record, but not by itself a listed Ā§312.5 VPC method.

  • M2 (upgrade, pre-launch) ā€” one of the following FTC-approved methods:

    • Credit/debit-card transaction. Because every account that uploads a photo must first purchase a Token package through Stripe, a monetary charge tied to the same cardholder can satisfy Ā§312.5(b)(2)(v). Counsel must confirm that a Stripe charge for the token package is sufficient (FTC has accepted small charges on the parent's credit card as VPC).
    • Government-issued ID check via an identity-verification vendor (e.g. Persona, Stripe Identity, Onfido). Required if the cardholder route is unavailable, e.g. first-generation free trial.
    • "Email-plus" ā€” parental email consent followed by (i) a confirmation email after a reasonable delay, or (ii) a phone-call / SMS step. Lower-assurance; only acceptable for use cases where child data is not disclosed to third parties. Our AI-vendor transfer rules this out for photo upload.

Until M2 is live, the Service SHALL NOT permit upload of a child's photograph without a prior successful Stripe transaction from the same cardholder, and SHALL log the Stripe transaction ID and the consent record together in the database. See the Technical Compliance Checklist item Ā§C.

7. Parental rights

A parent may at any time:

  1. Review the personal information we have collected from or about their child.
  2. Refuse to permit further collection or use of the child's information.
  3. Delete the child's information from our systems.

Submit a request to [PRIVACY_EMAIL] with:

  • The parent's name and the account email;
  • The child's first name as entered in the Service;
  • A brief description of the request (review / delete / stop collection).

We will verify the request by comparing it to the account of record and, for deletions, will act within 30 days. Deletion of the child's information will usually require closure of the associated order(s); we will advise the parent of any consequences before acting.

8. Data security and retention for child data

  • Photographs are auto-deleted after [CHILD_PHOTO_RETENTION_DAYS] days, or immediately on parent request.
  • Generated assets (PDF / video) remain while the account is active, then follow the general retention schedule in the Privacy Policy.
  • Encryption at rest, least-privilege access, and audit logging apply as described in Privacy Policy Ā§9.

9. No behavioural advertising, no data brokers, no profiling

The Service does not engage in:

  • Targeted advertising to the parent or the child;
  • Sale or sharing of any child personal information to any party other than the sub-processors that directly generate the requested story;
  • Automated profiling of children.

10. Operator of third-party plug-ins / SDKs

We have assessed every third-party SDK bundled in the Service:

  • [ANALYTICS_VENDOR] is configured to exclude any page or event that handles child data. Analytics is triggered only on parent-facing pages (landing, pricing, account management) and never fires during the photo-upload / generation flow.
  • No advertising, retargeting, attribution or fingerprinting SDK is present.

11. Changes to this Notice

Material changes require new parental consent before we apply them retroactively to information already in our possession. We will email all account holders 7 days before the change takes effect and collect renewed consent on next login.

12. Equivalent protections for children outside the United States

Although this Notice addresses COPPA specifically, the protections described above are applied to every child whose information is processed by the Service, regardless of the child's country:

  • EU / UK children under 16 (or the lower age of consent set by national law ā€” e.g. 13 in the UK, 13-16 in EU Member States under GDPR Art. 8) ā€” parental consent is required for the processing of their personal data; the Photo Consent Modal doubles as Art. 8 parental-consent evidence.
  • UAE children ā€” personal data of a minor may be processed only with the documented consent of the parent or legal guardian (UAE PDPL Art. 6 and the Executive Regulations). The Photo Consent Modal doubles as PDPL parental- consent evidence.

13. Filing a complaint

If you areContact
A US parentFederal Trade Commission ā€” https://reportfraud.ftc.gov Ā· Consumer Response Center, FTC, 600 Pennsylvania Avenue NW, Washington, DC 20580 Ā· your state Attorney General
A UAE residentUAE Data Office ā€” https://www.uae-dataoffice.ae
An EU / UK residentYour local Data Protection Authority; in the UK the ICO (https://ico.org.uk)

You may also contact [PRIVACY_EMAIL] at any time; we will acknowledge your complaint within 3 business days and provide a substantive response within 30 days.

YOU BABY STUDIO L.L.C Ā· Office 214, Mohamed Sultan Matar Markhan Al Ketbi Building, Al Safa 1, Dubai, United Arab Emirates Ā· Version [EFFECTIVE_DATE]

This document is provided in English, the governing language of this site. An Arabic translation may be available on request; in case of conflict the English version prevails.