Tiny Tales - Privacy Policy

Last updated: March 4, 2026

Magic Mirror Works ("we", "us", or "our") built Tiny Tales as a subscription-based application for children's storytelling. This page informs you of our policies regarding the collection, use, and disclosure of information when you use Tiny Tales.

Children's Privacy (COPPA Compliance)

Tiny Tales is designed for use by children under parental supervision. We take children's privacy seriously:

• The app includes parental controls protected by a PIN that must be set by a parent or guardian
• Subscription purchases and account sign-in require parental PIN verification
• We do not knowingly collect personal information directly from children
• Story content created by children is stored locally on the device and is not uploaded to our servers unless a parent explicitly submits it to the shared library
• No advertising is displayed in the app
• No behavioral tracking or profiling of children is performed

If you believe a child has provided personal information without parental consent, please contact us so we can take appropriate action.

Information We Collect

Account Information (Optional)

If a parent chooses to sign in (required for subscriptions), we collect:

• Email address - from Google Sign-In or Apple Sign-In (Apple users may use a private relay email)
• User ID - a stable identifier from the sign-in provider

This information is used solely for subscription management and is stored securely on the device using encrypted storage (expo-secure-store). Email addresses are sent to our backend only for subscription status checks and whitelist verification.

Device Identifier

A random device identifier is generated for rate limiting and usage tracking purposes. This identifier:

• Is not linked to any personal information unless the user signs in
• Is used to enforce monthly story generation limits
• Is stored in our backend database (Cloudflare D1)

Story Prompts and Content

When generating stories, the text prompts entered by the user are sent to AI services for processing:

• Google Gemini API - for story text generation and character extraction
• AI/ML API (Flux 2) - for illustration image generation

Prompts are sent directly from the device to these services. We do not store story prompts on our servers. Generated stories and images are stored locally on the device.

Voice Input

Tiny Tales offers optional voice input for story ideas. Voice data is processed by the device's built-in speech recognition service (Google Speech Services on Android, Apple Speech on iOS). Voice audio is not sent to our servers.

Error and Crash Reports

We use Sentry to collect crash reports and error logs. This helps us fix bugs and improve app stability. Error tracking is enabled by default and can be turned off at any time in Settings > Privacy & Data. Sentry may collect:

• Device type and OS version
• App version and build number
• Error stack traces
• General usage breadcrumbs (e.g., which screen was active)

Session replay and screen recording are completely disabled — no visual recordings of app usage are ever captured. Sentry is configured with sendDefaultPii: false. API keys are automatically redacted from all logs. A pseudonymous device ID (not linked to any personal information) may be attached to error reports to help diagnose recurring issues.

This data is used solely for error analysis and app improvement. It is never used for advertising, behavioral profiling, or any other purpose.

Subscription and Purchase Data

Subscription purchases are processed through Google Play (Android) or the App Store (iOS) and managed by RevenueCat. We store:

• Subscription tier (Free, Standard, or Premium)
• Monthly usage count (stories generated this month)
• Subscription status and expiration date

We do not collect or store payment information (credit cards, billing addresses). All payment processing is handled by Google Play or the App Store.

Data Stored on Your Device

Tiny Tales stores the following locally on your device:

• Generated stories (text, images, and metadata)
• App settings (reading level, font preference, illustration style, parental PIN)
• Subscription status and usage counts
• Authentication tokens (in encrypted secure storage)
• Cached shared library index
• Translation cache for multilingual stories

This data can be cleared by uninstalling the app. The parental PIN is stored in encrypted device storage and is never transmitted.

Data Stored on Our Servers

Our backend (hosted on Cloudflare Workers) stores:

• Device subscription records - device ID, subscription tier, monthly usage count, whitelist status
• User-device links - associates a sign-in user ID with a device ID for subscription syncing
• Email whitelist - tester emails granted unlimited access
• Featured story submissions - stories voluntarily submitted by parents for the shared library (stored in Cloudflare R2)

We do not store story content, images, or prompts on our servers (except for voluntarily submitted featured stories).

Third-Party Services

Tiny Tales uses the following third-party services, each with their own privacy policies:

• Google Gemini API - Story text generation and character extraction
• AI/ML API - Image generation (Flux 2)
• RevenueCat - Subscription management
• Sentry - Error and crash reporting
• Google Sign-In - Authentication (optional)
• Apple Sign-In - Authentication (optional, iOS only)
• Google Play - In-app purchases (Android)
• App Store - In-app purchases (iOS)
• Cloudflare - Backend hosting (Workers, D1, KV, R2)

Data We Do NOT Collect

• Location data
• Contact lists or address books
• Photos or media files (we only save illustrations to your gallery when you choose to export)
• Advertising identifiers
• Behavioral analytics or usage profiling
• Payment information (handled by Google Play / App Store)

Data Retention

• Device subscription records are retained for as long as the device is active. Inactive records may be purged after 12 months of no activity.
• Crash reports are retained by Sentry for 90 days.
• Featured story submissions are retained until removed from the shared library.
• Local device data is retained until the app is uninstalled or data is cleared by the user.

Your Rights

You have the right to:

• Access - Request information about what data we hold about your device or account
• Deletion - Request deletion of your data from our servers by contacting us
• Portability - Export your stories from the app using the built-in share feature (.tinytale file format)
• Opt out - Use the app without signing in (limited to the free tier)

To exercise these rights, contact us at the email address below.

Permissions Used

• Microphone - For optional voice input when creating story ideas
• Speech Recognition - To convert voice input to text (processed on-device)
• Photo Library (write-only) - To save story illustrations when you choose to export them
• Notifications - For optional story time reminders (configured by parents)
• Internet - For AI story/image generation, subscription management, and shared library access

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the app after changes constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy, contact us at:
[email protected]