Privacy Policy

Effective date: [EFFECTIVE_DATE]

Controller: YOU BABY STUDIO L.L.C — a limited liability company registered in Dubai Mainland (Department of Economy and Tourism — DET), United Arab Emirates, commercial licence 930633, Office 214, Mohamed Sultan Matar Markhan Al Ketbi Building, Al Safa 1, Dubai, United Arab Emirates

Privacy contact: [PRIVACY_EMAIL]

Data Protection Officer / Data Controller Representative: [UAE_DPO_NAME] — [DPO_EMAIL]

⚠️ LEGAL REVIEW REQUIRED — QUAD JURISDICTION. This draft is written for a controller in the United Arab Emirates serving users primarily in the United States, the European Economic Area / United Kingdom, and other territories. It MUST be reviewed by (a) UAE counsel for PDPL (Federal Decree-Law No. 45 of 2021) compliance, (b) US privacy counsel for COPPA / CCPA / CPRA / state-law compliance, and (c) EU/UK data-protection counsel for GDPR / UK GDPR, including the Art. 27 representative appointment.

YOU BABY STUDIO L.L.C is a Dubai Mainland company (DET licence 930633) and therefore falls under UAE Federal PDPL, not the free-zone regimes. If the operating entity is ever re-domiciled into DIFC or ADGM, this Policy MUST be re-drafted for the relevant free-zone data-protection law (DIFC DP Law No. 5/2020 or ADGM DP Regulations 2021) instead of PDPL, and the entity must register separately as a Data Controller with the free-zone regulator.

This Privacy Policy explains how KidsStory ("we", "us") collects, uses, shares and protects personal information when you visit or use [DOMAIN] (the "Service"). It applies to the international operation run by YOU BABY STUDIO L.L.C (UAE). Residents of the Russian Federation using the separate Russian operation must refer to that operation's privacy documentation; this Policy does not apply to them.

1. Who we are and how to reach us

YOU BABY STUDIO L.L.C is the Data Controller for the purposes of:

  • the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "PDPL");
  • the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR — for users in the EEA / UK the Service is offered under Article 3(2) GDPR extraterritorial scope;
  • the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA") — as a "business" collecting the personal information of California consumers;
  • other US state comprehensive privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Montana MTCDPA and successor laws).

For any privacy question, exercise of rights, or complaint:

  • Email: [PRIVACY_EMAIL]
  • Data-protection queries (PDPL / GDPR / UK GDPR): [UAE_DPO_NAME] — [DPO_EMAIL]
  • Post: YOU BABY STUDIO L.L.C, Office 214, Mohamed Sultan Matar Markhan Al Ketbi Building, Al Safa 1, Dubai, United Arab Emirates
  • Phone: +971-58-571-8010
  • EU residents — Article 27 Representative: [EU_REP_NAME], [EU_REP_ADDRESS], [EU_REP_EMAIL] (to be appointed before EU launch).
  • UK residents — UK GDPR Art. 27 Representative: [UK_REP_NAME], [UK_REP_ADDRESS], [UK_REP_EMAIL] (to be appointed before UK marketing).

2. Summary (plain-English)

  • You are the adult parent/guardian — the account holder. We collect your email and some basic technical information to run your account.
  • You upload a child's photo, name, age and gender so we can make a personalized story. We treat that as sensitive data about a child and only keep the photo for a short time ([CHILD_PHOTO_RETENTION_DAYS] days by default).
  • We send those inputs to a small number of AI vendors strictly to generate your order — they are contractually barred from using it to train their models.
  • We do not sell personal information. We do not show behavioral ads.
  • You have the right to access, delete, export and correct your data, and (in the EU/UK) to object or restrict processing. Click "Your privacy choices" in the footer or email us.

3. Categories of personal information we collect

3.1 From you (parent / account holder)

| Category | Examples | Purpose | Legal basis (GDPR / UK GDPR) | Legal basis (UAE PDPL) |
|---|---|---|---|---|
| Identifiers | email, account ID | create & secure your account, log you in | contract (Art. 6(1)(b)) | contractual necessity (Art. 4) |
| Optional profile | display name, avatar | personalise the interface | contract | contractual necessity |
| Device / connection | IP address, user-agent, approximate country from IP, session cookies | security, fraud prevention, language detection | legitimate interest (Art. 6(1)(f)) / legal obligation | legitimate interest (Art. 4) / consent where required |
| Commercial info | Token balance, order history | operate the paid service | contract | contractual necessity |
| Communication data | support emails, opt-in marketing preferences | respond to you | contract / consent | contract / consent |
| Authentication (if used) | Google / Apple Sign-In identifiers | identify you via third-party IdP | consent | consent |

We do not see or store your full card number. Stripe handles card data as an independent processor — see Stripe's privacy policy.

3.2 About the child (parent-provided content)

| Category | Examples | Purpose | Legal basis (GDPR / UK GDPR) | Legal basis (UAE PDPL) |
|---|---|---|---|---|
| Name, age, gender | "Alice, 5, girl" | generate the personalised story | contract with the parent + verifiable parental consent (COPPA) | parent's explicit consent (PDPL Art. 6) — child data |
| Photographs (biometric inputs) | 1–3 portraits | generate personalised illustrations | explicit consent (Art. 9(2)(a)) + verifiable parental consent (COPPA) | explicit consent for sensitive / biometric data (PDPL Arts. 6 & 15) |
| Story preferences | topic, genre, length | generate the requested story | contract | contractual necessity |

Under COPPA we treat all inputs about a child under 13 as "personal information from a child" and apply the additional protections described in COPPA Compliance.

Under GDPR / UK GDPR a child's photograph processed for the purpose of identifying a personalised cartoon character may constitute biometric data (Art. 9). We process it only on the basis of the parent's explicit consent, obtained via the in-product Photo Consent Modal BEFORE the file is uploaded to our servers.

Under UAE PDPL a child's photograph is treated as sensitive personal data (PDPL Art. 15, including biometric, health and similar categories). We process it only after obtaining the parent's explicit and separately documented consent and only to the extent necessary for the contractual purpose.

3.3 Automatically collected

| Category | Purpose | Legal basis |
|---|---|---|
| Strictly-necessary cookies (session, CSRF, auth refresh) | run the Service | legitimate interest / "strictly necessary" (GDPR, ePrivacy) |
| Analytics cookies / SDK events ([ANALYTICS_VENDOR]) | understand aggregate usage, debug | consent (collected via Cookie Banner) |
| Security / rate-limit signals | block abuse | legitimate interest |

See the Cookie Policy for the full cookie table.

3.4 Sensitive personal information (CCPA/CPRA)

For the purposes of California law we treat the following as sensitive personal information:

  • Children's personal information (name + photo + age of a minor).
  • Precise geolocation — we do not collect precise geolocation.
  • Account log-in credentials.

We use sensitive PI only for the purposes permitted by CCPA Reg. §7027(m) (to deliver the requested service, to prevent security incidents and fraud, to comply with law). We do not use it to infer characteristics about you. Accordingly, the "Limit the Use of My Sensitive Personal Information" right does not require an additional work-flow, but we honour it anyway via [PRIVACY_EMAIL].

4. How we use personal information

4.1. To provide and operate the Service — create your account, take payment via Stripe, generate the stories you request, deliver them to you, and let you read and re-download them while your account is active.

4.2. To keep the Service secure — detect fraud, abuse, bot traffic, credential stuffing, and violations of the Acceptable Use Policy.

4.3. To communicate with you — order status, account and policy notices, support responses. Promotional email, if any, is opt-in only.

4.4. To comply with law — respond to lawful subpoenas, tax and accounting requirements, and regulator requests.

4.5. To improve the Service — aggregated / de-identified usage statistics only. We do not use User Content (photos, children's names, stories) to train AI models, ours or anyone else's.

5. Processors and international transfers

We share personal information with the independent processors listed below strictly to perform the functions described. Every processor is bound by a written data-processing agreement (DPA), including, where applicable, the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and the UAE PDPL cross-border transfer safeguards.

| Processor | What it does | What we send | Location |
|---|---|---|---|
| [MERCHANT_OF_RECORD] (Stripe / Paddle / Lemon Squeezy) | Payments, fraud detection, and — where MoR applies — invoicing and indirect-tax collection | Email, billing info entered at checkout | US / IE |
| Amazon Web Services, Inc. or Cloudflare, Inc. | Object storage (S3 / R2) for generated PDFs & uploaded photos | File blobs + metadata | AWS me-central-1 (UAE) / EU / US region — final choice pending |
| fal.ai (Features & Labels, Inc.) | Image generation (illustrations from child photo) | Child photo + generation parameters | US |
| OpenAI-compatible LLM provider (Poyo.ai or successor) | Story-text generation | Child's first name, age, gender, story preferences | US |
| ElevenLabs, Inc. | Text-to-speech narration | Story text | US |
| SendGrid / Postmark | Transactional email delivery | Email address, message content | US |
| Google LLC (Google Sign-In, if enabled) | Federated login | OAuth tokens, email | US |
| Apple Inc. (Sign in with Apple, if enabled) | Federated login | Apple ID token, relay email | US |
| [ANALYTICS_VENDOR] (PostHog / GA4 — TBC) | Product analytics, aggregate stats | Pseudonymous device identifiers, page views, in-app events | US / EU |
| Our hosting provider ([HOSTING_PROVIDER]) | Application hosting and backups | All of the above at rest | UAE / EU / US — final region pending |
| YOU BABY STUDIO L.L.C internal data centre / office | Controller-side access for support and admin | Ticket contents, account metadata | United Arab Emirates |

5.1 Cross-border data transfers — UAE controller → user jurisdictions

Because the controller is established in the UAE, all user personal information processed by us is ultimately transferred to and accessed from the United Arab Emirates for administration, storage of back-ups and support. This is a cross-border transfer under GDPR / UK GDPR and (in reverse) a transfer under UAE PDPL.

  • Transfers from the EEA / UK to the UAE. The European Commission has not issued an adequacy decision for the UAE, except for some categories under the DIFC regime. We therefore rely on the EU Standard Contractual Clauses (Module 4 — controller-to-controller where the UAE entity is a separate controller; or Module 2 — controller-to-processor where a UAE-based sub-processor is engaged) supplemented by the technical and organisational measures described in §9, and, where required, by a Transfer Impact Assessment (TIA) that we keep on file. For UK residents the UK IDTA or the UK Addendum to the EU SCCs is used.
  • Transfers from the UAE to the US / EU / other countries. Under PDPL Art. 22 the transfer of personal data outside the UAE is permitted:
    • to jurisdictions with adequate protection as determined by the UAE Data Office (to be published in the Executive Regulations); and
    • otherwise on the basis of the data subject's explicit consent, the conclusion of appropriate contractual clauses with the recipient, or the necessity of the transfer for the performance of the contract. Each of our US-based processors (fal.ai, ElevenLabs, SendGrid, etc.) is engaged under a written contract containing PDPL-compliant clauses; the parent's explicit consent obtained through the Photo Consent Modal also authorises the transfer of the child's photograph to those US-based AI vendors for the sole purpose of generating the requested story.
  • Transfers from the US to the UAE. For US residents, US privacy law does not restrict the outbound transfer per se; we disclose it to comply with CCPA / state-law transparency requirements (see §7.2).
  • No transfer to Russia. The Russian entity operates on independent infrastructure. No cross-system transfers occur between the Russian and international operations.

Copies of the EU SCCs, the UK IDTA and the UAE cross-border clauses in use are available on request to [DPO_EMAIL]. A list of all processors with their current location is maintained and updated without undue delay; the current table in this Policy is authoritative as of the Effective Date.

6. How long we keep personal information

| Data | Retention |
|---|---|
| Child photographs (uploaded originals) | Auto-deleted after [CHILD_PHOTO_RETENTION_DAYS] days, or immediately on parent request |
| Generated PDFs and story assets | Kept while your account is active, so you can re-download |
| Account profile + order history | While the account is active, then [DATA_RETENTION_DAYS_GRACE] days after deletion request |
| Inactive accounts | Deleted after [DATA_RETENTION_DAYS_INACTIVE] days of inactivity + [DATA_RETENTION_DAYS_GRACE] days grace |
| Payment records | Retained for 7 years to comply with US tax, accounting and anti-fraud law |
| Server logs (IP, user-agent) | 30 days |
| Back-ups | Encrypted, rotated out within 35 days |

7. Your privacy rights

7.1 Rights available to every user

Wherever you are, you can always ask us to:

  • Access — tell you what personal information we hold about you and get a copy.
  • Delete — delete your account and associated data (subject to legal retention of payment records).
  • Correct — fix inaccurate information.
  • Export — receive your data in a portable, machine-readable format (JSON/CSV).

Submit a request to [PRIVACY_EMAIL]. We respond within 30 days (GDPR) or 45 days (CCPA, extendable by 45 days with notice). We will verify your identity before we act on a request.

7.2 California residents (CCPA / CPRA)

If you reside in California you also have:

  • The right to know the categories and specific pieces of personal information we have collected about you in the last 12 months and the sources, purposes and recipients (§1798.110, §1798.115 CCPA).
  • The right to opt out of "sale" or "sharing" of personal information. We do not sell personal information and we do not share personal information for cross-context behavioral advertising (CCPA/CPRA definitions). A mandatory "Your privacy choices" / "Do Not Sell or Share My Personal Information" link is nevertheless provided in the footer of [DOMAIN] as required by §1798.135.
  • The right to limit the use of sensitive personal information — §1798.121. As noted in §3.4 we already use sensitive PI only for the narrowly permitted CCPA purposes.
  • The right to non-discrimination — exercising any of the rights above will not cause us to deny you the Service, charge a different price, or provide a worse level of service (§1798.125).
  • The right to correct inaccurate personal information (§1798.106).
  • The right to opt out of automated decision-making technology (ADMT) once the related CCPA regulations are in force — the Service currently does not make legal-or-similarly-significant decisions about you by solely automated means.

You may designate an authorised agent to make a request on your behalf; we will verify the agent's authorisation (written permission + identity check) before acting.

Categories of PI collected in the last 12 months (§1798.110): identifiers; commercial information; internet / network activity; geolocation (approximate only); audio / visual information (child photos); professional or employment-related info (no); education info (no); inferences (no). Sources: directly from you; automatically from your browser; from the identity providers you chose to connect. Purposes and recipients: as listed in §§4–5 above. Sales / sharing in the last 12 months: none. Disclosures for a business purpose: to each processor listed in §5, for the purpose stated beside it.

7.3 Other US states

Residents of states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as they come into force) have equivalent rights of access, correction, deletion, portability, and (where applicable) opt-out of targeted advertising / sale / profiling. Submit requests to [PRIVACY_EMAIL].

7.4 EU / UK / Swiss residents (GDPR)

In addition to §7.1 you have:

  • The right to object to processing based on our legitimate interests (Art. 21).
  • The right to restrict processing (Art. 18).
  • The right to withdraw consent at any time for processing based on consent (Art. 7(3)) — this does not affect the lawfulness of processing before the withdrawal.
  • The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22).
  • The right to lodge a complaint with your local data-protection supervisory authority. If you are in the EEA the list is at https://edpb.europa.eu/about-edpb/board/members_en; in the UK it is the ICO (https://ico.org.uk).

Because we are a UAE controller offering services to EU/UK residents, we have appointed Art. 27 representatives — see §1.

7.5 UAE residents and UAE PDPL rights

Under the UAE Personal Data Protection Law (Federal Decree-Law No. 45/2021), data subjects in the UAE have the following rights, which we honour for all users regardless of residency:

  • Right to information about the processing of their personal data (Art. 13).
  • Right to request the transfer and obtain a copy of their personal data in a structured, commonly used format (Art. 14 — data portability).
  • Right to correct or rectify inaccurate personal data (Art. 15).
  • Right to erasure of their personal data where the legal grounds for processing no longer apply (Art. 16).
  • Right to restrict processing where the accuracy of the data is contested, the processing is unlawful, or the data is required for legal claims (Art. 17).
  • Right to withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 9).
  • Right to object to automated processing that produces legal effects on the data subject (Art. 19).
  • Right to lodge a complaint with the UAE Data Office (https://www.uae-dataoffice.ae) if you believe your rights under PDPL have been violated.

Submit PDPL-related requests to [DPO_EMAIL]. Where the PDPL Executive Regulations prescribe a specific response time, we comply with that time; in the absence of a prescribed time we respond within 30 days.

7.6 Automated decision-making

The Service does not make legal or similarly significant decisions about you by solely automated means. AI systems are used to generate the story content you request; they do not make decisions about credit, employment, pricing, access to the Service, or any other legally significant matter. This position is the same under GDPR Art. 22, UK GDPR Art. 22, UAE PDPL Art. 19 and California ADMT regulations (once in force).

8. Children

See the separate COPPA Compliance Notice. Key points:

  • The Service is designed to be used by a parent or legal guardian. The account holder must be 18 years or older.
  • We require verifiable parental consent before we collect a child's name, age, gender or photograph.
  • A parent can review, delete, or refuse further collection of the child's information at any time by emailing [PRIVACY_EMAIL].
  • We do not condition a child's participation in any activity on disclosing more personal information than is reasonably necessary.

9. Security

We implement commercially reasonable technical and organisational safeguards:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256 for object storage and database back-ups).
  • Least-privilege access, audited admin actions.
  • Password hashing (bcrypt / argon2id), MFA on all privileged accounts.
  • Automated deletion of child photos per §6.
  • Penetration testing and dependency scanning on a periodic basis.

No system is perfectly secure. In the event of a personal data breach that poses a risk to you we will notify:

  • the relevant EU / UK supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33 / UK GDPR Art. 33);
  • the UAE Data Office in accordance with PDPL Art. 9 and the applicable Executive Regulations;
  • the US state regulators whose breach-notification statutes require disclosure (e.g. California Civil Code §1798.82, New York SHIELD Act, Massachusetts 201 CMR 17.00);

and affected users without undue delay.

10. Do Not Track / Global Privacy Control

We honour the Global Privacy Control (GPC) signal as a valid opt-out of sale and sharing for California residents per §1798.185(a)(19) CCPA regulations. Because we do not sell or share, GPC has no additional effect — but we detect it and log the opt-out. We do not currently respond differently to browser "Do Not Track" signals; their meaning in US law is not settled.

11. Marketing

We do not send promotional email unless you opt in. Every marketing email carries an unsubscribe link; opt-out takes effect within 10 business days as required by CAN-SPAM.

12. Links to third-party sites

The Service may link to third-party websites. Those sites have their own privacy practices and we are not responsible for them.

13. Changes to this Policy

We will post updates on [DOMAIN] and, for material changes, notify account holders by email at least 7 days before the new version takes effect. The "Effective date" at the top always reflects the current version. Prior versions are kept on request.

14. Contact and complaints

| Purpose | Contact |
|---|---|
| Any privacy question or rights request | [PRIVACY_EMAIL] |
| Data-protection officer / PDPL / GDPR / UK GDPR queries | [UAE_DPO_NAME] — [DPO_EMAIL] |
| UAE postal address (controller) | YOU BABY STUDIO L.L.C, Office 214, Mohamed Sultan Matar Markhan Al Ketbi Building, Al Safa 1, Dubai, United Arab Emirates |
| EU Article 27 representative | [EU_REP_NAME], [EU_REP_ADDRESS], [EU_REP_EMAIL] |
| UK Article 27 representative | [UK_REP_NAME], [UK_REP_ADDRESS], [UK_REP_EMAIL] |
| UAE complaint escalation | UAE Data Office — https://www.uae-dataoffice.ae |
| EU complaint escalation | Your local Data Protection Authority — https://edpb.europa.eu/about-edpb/board/members_en |
| UK complaint escalation | Information Commissioner's Office — https://ico.org.uk |
| California complaint escalation | California Attorney General — https://oag.ca.gov/privacy |
| US federal complaint escalation (COPPA / FTC) | https://reportfraud.ftc.gov |

YOU BABY STUDIO L.L.C · Commercial Licence 930633 · Office 214, Mohamed Sultan Matar Markhan Al Ketbi Building, Al Safa 1, Dubai, United Arab Emirates · Version [EFFECTIVE_DATE]

This document is provided in English, the governing language of this site. An Arabic translation may be available on request; in case of conflict the English version prevails.