Privacy Policy
Last updated: June 3, 2026
Your privacy matters to us. This policy explains exactly what data we collect, how we use it, and how we keep it safe, including how we handle AI-generated content and your child's information.
Table of Contents
- 1. Introduction
- 2. Information We Collect
- 3. How We Use Your Information
- 4. AI-Generated Content & Image Generation
- 5. Children's Privacy (COPPA Compliance)
- 6. Cookies and Tracking Technologies
- 7. Data Storage, Security & Retention
- 8. Third-Party Services
- 9. Your Privacy Rights
- 10. Legal Basis for Processing (GDPR)
- 11. International Data Transfers
- 12. Changes to This Privacy Policy
- 13. Contact Us
1. Introduction
MumTales ("we", "us", or "our") is a personalized AI-powered children's storytelling platform operated by Hauper Technologies. We are committed to protecting your privacy and the privacy of the children whose stories are created on this platform.
This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and your rights regarding your personal data. By creating an account or using MumTales, you agree to the practices described in this policy.
If you are a parent or guardian using MumTales on behalf of a child, this policy applies to both you and your child's data. We encourage you to read this document carefully.
2. Information We Collect
We collect information in several ways:
2.1 Information You Provide Directly
- **Account Information:** When you register, we collect your name, email address, and a hashed version of your password. We never store your password in plain text. - **Story Inputs:** The names, ages, themes, characters, and other story parameters you enter when generating a story. These inputs are used solely to generate your story and are associated with your account. - **Payment Information:** When you purchase credits, we collect billing details through our payment processor (Razorpay). We do not store your credit card numbers or bank details on our servers; all payment data is handled by Razorpay under their PCI-DSS-compliant infrastructure. - **Feedback and Support:** Any messages, feedback, or support requests you send us.
2.2 Information Collected Automatically
- **Usage Data:** Pages visited, features used, story generation events, credit usage, session duration, and navigation patterns within the app. - **Device and Technical Information:** IP address, browser type and version, operating system, device type, screen resolution, and referring URLs. - **Cookies and Similar Technologies:** Session tokens, preference cookies, and analytics cookies (see Section 7 for full details).
2.3 Information from Third Parties
- **Google Gemini API:** When you generate a story, your story parameters are sent to Google's Gemini API. Google may process this data in accordance with their own privacy policy. We do not receive any personal data back from Google beyond the generated story content. - **Amazon Web Services (AWS S3):** Story images and content may be stored in our AWS S3 buckets. AWS processes data under their Data Processing Agreement.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Providing the Service
- Creating and managing your account - Generating personalized stories using AI based on your inputs - Managing and tracking your credit balance - Storing and displaying your previously generated stories - Delivering story content and images to your device
3.2 Processing Payments
- Verifying purchases and crediting your account - Preventing fraudulent transactions - Sending payment confirmation emails and receipts
3.3 Improving the Platform
- Analysing aggregated, anonymised usage patterns to improve features - Identifying and fixing bugs and performance issues - Understanding which story types and features are most valuable - Conducting internal research and product development
3.4 Communications
- Sending transactional emails (account creation, purchase confirmations, password resets) - Sending service-related announcements (major changes, maintenance windows) - Sending optional product updates and offers, but only if you have opted in
3.5 Safety and Legal Compliance
- Detecting, investigating, and preventing abuse, fraud, or policy violations - Complying with applicable laws, regulations, and lawful government requests - Enforcing our Terms and Conditions
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
4. AI-Generated Content & Image Generation
MumTales uses artificial intelligence to generate story text and, where applicable, accompanying illustrations. This section explains how AI processing works and what it means for your data.
4.1 Story Text Generation (Google Gemini)
When you create a story, the parameters you provide (child's name, age, theme, characters, moral lesson, language, etc.) are transmitted to Google's Gemini large language model API. This data is processed by Google to generate story text, which is then returned to our servers and stored in your account.
We use Gemini's API under a commercial agreement that restricts Google from using your prompts to train their models (as per Google's API data usage terms). However, you should be aware that data sent to any third-party AI service is subject to that service's own policies, and we recommend reviewing Google's API Terms of Service and Privacy Policy.
4.2 Story Images
Story illustrations and images generated for your stories are stored on Amazon Web Services S3 in encrypted buckets. These images are associated with your account and are accessible only by you (and our administrative team for support purposes). Images are not shared publicly unless you explicitly share your story through any future sharing features.
4.3 Content Moderation
All story inputs are processed through safety filters before being sent to the AI model. Our prompts are designed to produce age-appropriate, child-safe content only. We do not generate stories involving violence, adult content, discrimination, or any content that could be harmful to children.
If the AI generates content that you believe is inappropriate, please report it to us immediately at [email protected]. We will investigate and take corrective action.
4.4 No Training on Your Data
MumTales does not use your story inputs, story content, or personal data to train our own AI models or to improve third-party AI models. Your stories are yours.
4.5 Accuracy and Limitations
AI-generated stories are creative content and are not factual articles. While we take care to produce appropriate content, AI models can occasionally produce unexpected output. MumTales is not liable for AI-generated content that is inaccurate, incomplete, or not to your taste. Please review all generated content before sharing with children.
5. Children's Privacy (COPPA Compliance)
MumTales is a platform designed for parents, guardians, and educators to create stories for children. We take children's privacy exceptionally seriously.
5.1 Who Creates Accounts
MumTales accounts are created by adults (18 years or older). We do not knowingly allow children under 13 to create accounts directly. If you are under 13, please ask a parent or guardian to create an account and use MumTales on your behalf.
5.2 Children's Data in Stories
When you create a story featuring a child's name, age, or characteristics, we store this information as part of your story record. This data is: - Linked to your adult account only - Never shared with third parties for marketing - Never used to build profiles about children - Stored only as long as necessary to provide the service
5.3 Parental Controls
As the account holder, you have full control over your account and all stories within it. You can delete any story and all associated data at any time from your account dashboard.
5.4 COPPA
We comply with the Children's Online Privacy Protection Act (COPPA) in the United States. If you believe we have inadvertently collected personal information from a child under 13 without parental consent, please contact us immediately at [email protected] and we will delete that information promptly.
5.5 GDPR: Children in the EU/UK
Under GDPR and the UK GDPR, the age of digital consent varies by country (typically 13-16). If you are using MumTales in the EU or UK, you confirm that you are an adult and that any story inputs relating to children are provided under your own authority as a parent or guardian.
7. Data Storage, Security & Retention
7.1 Where We Store Your Data
Your data is stored on: - **MongoDB Atlas**: Account information, story metadata, and credit balances are stored in MongoDB Atlas clusters. Data may be hosted in the United States or European regions depending on your location and our infrastructure configuration. - **Amazon S3**: Story images and generated content files are stored in AWS S3 with server-side encryption (AES-256). - **Vercel**: Our application is deployed on Vercel's edge infrastructure. Vercel may process request data (IP addresses, headers) as part of request routing.
7.2 Security Measures
We implement industry-standard security practices including: - Passwords are hashed using bcrypt with an appropriate work factor; plain-text passwords are never stored - Authentication tokens are HTTP-only cookies (inaccessible to JavaScript) - All data in transit is encrypted using TLS 1.2 or higher (HTTPS) - Database credentials and API keys are stored as environment variables, never in source code - AWS S3 buckets are private by default with no public access - We conduct periodic reviews of our security posture
Despite these measures, no system is 100% secure. In the event of a data breach that affects your personal data, we will notify you in accordance with applicable law.
7.3 Data Retention
- **Account data:** Retained for as long as your account is active, plus a 90-day deletion window after account closure - **Story data:** Retained for the lifetime of your account; you may delete individual stories at any time - **Payment records:** Retained for 7 years as required by financial regulations - **Server logs:** Automatically purged after 30 days - **Anonymised analytics data:** May be retained indefinitely as it cannot identify you
7.4 Account Deletion
You may request full deletion of your account and all associated data by contacting [email protected]. We will process deletion requests within 30 days. Note that payment records required for legal compliance may be retained in anonymised form.
8. Third-Party Services
MumTales integrates with the following third-party services. Each has its own privacy policy that governs how they handle data:
| Service | Purpose | Data Shared | |---|---|---| | Google Gemini API | AI story text generation | Story parameters (name, age, theme, etc.) | | Amazon Web Services S3 | Image and content storage | Story images, generated files | | Razorpay | Payment processing | Billing information, transaction amount | | MongoDB Atlas | Database hosting | All account and story data | | Vercel | Application hosting & CDN | Request metadata, IP addresses |
We have Data Processing Agreements in place with all processors who handle personal data on our behalf, as required by GDPR. We do not authorise any of these processors to use your personal data for their own purposes beyond what is necessary to provide us with their services.
9. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
9.1 Rights Under GDPR (EU/UK Residents)
- **Right of Access:** Request a copy of all personal data we hold about you - **Right to Rectification:** Ask us to correct inaccurate or incomplete data - **Right to Erasure ("Right to be Forgotten"):** Request deletion of your personal data, subject to legal retention obligations - **Right to Restriction:** Ask us to limit how we process your data in certain circumstances - **Right to Data Portability:** Receive your data in a structured, machine-readable format (JSON/CSV) - **Right to Object:** Object to processing based on legitimate interests or for direct marketing purposes - **Right to Withdraw Consent:** Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
9.2 Rights Under CCPA (California Residents)
- Right to know what personal information we collect and how it is used - Right to delete personal information - Right to opt out of the sale of personal information (we do not sell personal information) - Right to non-discrimination for exercising your privacy rights
9.3 How to Exercise Your Rights
To exercise any of the above rights, contact us at [email protected] with the subject line "Privacy Rights Request". We will respond within 30 days (or sooner where required by law). We may need to verify your identity before processing your request.
If you are an EU/UK resident and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or your national DPA in the EU).
10. Legal Basis for Processing (GDPR)
For users in the European Economic Area and United Kingdom, our legal bases for processing personal data are:
- Contract Performance: Processing necessary to provide you with the MumTales service, manage your account, generate stories, and process payments - Legitimate Interests: Processing for fraud prevention, platform security, analytics, and service improvement, where these interests are not overridden by your rights - Legal Obligation: Processing required to comply with financial regulations, court orders, or other legal requirements - Consent: Where we send optional marketing communications or use non-essential analytics cookies, we rely on your explicit consent, which you may withdraw at any time
11. International Data Transfers
MumTales operates globally and your data may be transferred to and processed in countries other than your country of residence, including the United States, where many of our third-party service providers are based.
Where we transfer personal data from the EEA or UK to countries not recognised as providing an adequate level of protection (such as the United States), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or the UK ICO, or on other lawful transfer mechanisms.
By using MumTales, you acknowledge that your data may be transferred internationally as described in this policy.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
When we make material changes, we will: - Update the "Last Updated" date at the top of this page - Send you an email notification to the address on your account (for significant changes) - Display a prominent notice within the MumTales application
Your continued use of MumTales after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree to the revised policy, you should stop using the service and contact us to delete your account.
13. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:
Email: [email protected] General: [email protected]
Hauper Technologies
MumTales Privacy Team
We aim to respond to all privacy-related enquiries within 5 business days, and to all formal data subject requests within 30 days.
For EU/UK residents, our representative for data protection purposes can be contacted at the email above.
Questions about your privacy?
We're happy to help. Reach out and we'll respond within 5 business days.
[email protected]