Privacy Policy

Effective date: May 1, 2026  ·  Last updated: April 24, 2026

1. What we collect

1.1 On your device only

• Child's first name / nickname
• Child's birth date
• Gender and local-only profile fields not needed for story generation
• The text of generated stories after download
• The audio of downloaded stories (for offline playback)
• UI preferences (chosen narrator voice, real-name sharing toggle)

1.2 Sent to our servers

• Anonymous device identifier ("client ID") — a random UUID generated on first launch. Not linked to your Apple ID unless you explicitly sign in with Apple.
• Story generation context: scenario ID, story world ID, age band (one of "2", "3", "4", "5+"), favorite animal type, optional narrator voice, optional tone, and optional story element. We do not send the child's first name or birth date in the current app.
• Story metadata after generation: story ID, audio URL, generation duration, provider used, completion status
• Subscription tier (via RevenueCat — "free" / "standard")
• Timezone offset at request time, used only to compute your monthly quota window

1.3 Bonus / referral system (only if you use it)

• If you share your invite code, we store the 6-character code, your device ID, and timestamps of successful referrals
• When another parent accepts your invite, we link their device ID to their Apple ID (via Sign in with Apple) solely to prevent abuse — this is the only way we can confirm the invite reward isn't being self-claimed
• Their Apple ID is stored as the opaque sub value Apple returns — not their email or name

1.4 Sign in with Apple (optional)

If you tap "Sign in with Apple" in Settings (required only to claim invite rewards):

• Apple gives us a stable, opaque user ID (the sub claim)
• We do not receive your real Apple ID email unless you explicitly share it
• We store only the sub + your device ID, linked together

1.5 Anonymous analytics (PostHog)

We use PostHog to understand which scenarios are picked, where users drop off, and whether new features help. These events are never linked to your child's data. Typical events:

• ftu_completed, first_story_generated, story_play_completed
• helpful_tapped, share_card_saved
• purchase_started, purchase_succeeded

PostHog is configured with autocapture: false — we only send events we explicitly code. No IDFA, no cross-app tracking.

1.6 Crash & performance data

We use Apple's built-in crash reporting. You can opt out in iOS Settings → Privacy & Security → Analytics & Improvements → Share With App Developers.

2. Third-party services we use

Service	Purpose	Data sent
Alibaba Cloud DashScope	AI text + text-to-speech generation	Story generation context (scenario, world, age band, favorite animal type, optional tone/voice). No child first name or birth date.
Cloudflare Workers + R2	API hosting, audio file storage	Everything in §1.2 passes through here
Supabase	Story metadata, bonus ledger, referral tracking	Everything in §1.2 and §1.3
RevenueCat	Subscription management	Your Apple Transaction ID, subscription status
Apple (App Store, SIWA)	Payments, optional auth	Apple handles payment data directly — we never see your card
PostHog	Product analytics	Events in §1.5

We have a data-processing agreement with each vendor where applicable. None of them receive your child's first name or birth date. Story-generation vendors receive only the selected story context needed to produce the audio.

3. Children's privacy

HabitStories is a tool for parents, not a product for children. The account holder is always an adult. Your child should not use the device unsupervised while HabitStories is open.

Because of this, we do not target children under 13 for data collection. The child's first name and birth date stay local to your device. Story generation uses only the selected story context needed to produce the audio, such as age band, scenario, world, and favorite animal type.

If you discover a child has somehow created an account directly (which our UX doesn't support), email [email protected] and we'll delete the associated device record immediately.

4. Your rights

4.1 Delete your data

• Local data: Settings → Data & Privacy → Reset App Data wipes the device instantly.
• Server-side data: Email [email protected] with the device ID from Settings → About. We'll delete all server rows linked to that ID within 7 days.
• Apple ID link: iOS Settings → Apple ID → Password & Security → Apps Using Apple ID → HabitStories → Stop Using Apple ID.

4.2 Export your data

Email [email protected]. We return a JSON dump of every row linked to your device ID within 14 days.

4.3 Opt out of analytics

iOS Settings → Privacy & Security → Tracking: HabitStories — toggle off. We also honor the system-level ATT prompt.

5. How long we keep data

Data	Retention
Story metadata on server	180 days, then purged
Audio files on R2	30 days after last access
Bonus / referral records	24 months, then anonymized
Crash logs	90 days
PostHog events	365 days
Device → Apple ID binding	Until you delete, or anonymized after 24 months inactivity

6. Where your data lives

• Cloudflare Workers: distributed edge (nearest PoP to you)
• Supabase: US East
• R2 storage: Cloudflare global
• RevenueCat: US East
• PostHog: US (us.i.posthog.com)

If you're in the EU/UK and this matters to you, email us and we'll clarify or suspend your record.

7. Security

All data in transit is encrypted via HTTPS/TLS. On-device data is protected by iOS device encryption. We apply standard security practices to our server-side infrastructure.

8. Changes to this policy

We'll update this document when things change. Material changes will be flagged in the app on next launch with a short summary. The "Effective date" at the top always reflects the current version.

9. Contact

[email protected]

We're a small team. A real person reads every message, usually within 24 hours.