Privacy Policy
Effective Date: January 27, 2026
Last Updated: January 27, 2026
1. Introduction
Welcome to Bookbox! This Privacy Policy explains how Storybox Labs LLC ("Company," "we," "our," or "us") collects, uses, discloses, and protects information when you or your child uses our mobile application, Bookbox (the "App"), and our website at mybookbox.co (the "Website").
Bookbox is an interactive storytelling application designed for children ages 3-10. We are committed to protecting the privacy of all our users, especially children. This Privacy Policy is designed to help parents and guardians understand our data practices.
By using the App or Website, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not use the App or Website.
2. Important Information for Parents (COPPA Notice)
Bookbox is designed for children under 13 years of age and is subject to the Children's Online Privacy Protection Act (COPPA) in the United States. We take children's privacy seriously and are committed to complying with COPPA requirements.
What this means for you:
- We collect limited information necessary to provide the service
- We do not collect more information than reasonably necessary
- We do not share children's personal information with third parties for marketing purposes
- Parents can review, delete, and refuse further collection of their child's information
- We maintain reasonable security procedures to protect collected information
If you have questions about our practices or wish to exercise your parental rights, please contact us at privacy@mybookbox.co.
3. Information We Collect
3.1 Account Information
When you create an account, we collect:
- Email address - Required for account creation and communication
- Display name - Optional, used to personalize the experience
- Authentication credentials - Securely hashed passwords or tokens from Apple/Google Sign-In
3.2 App Usage Information
We collect limited analytics to improve our service:
- App interactions - Features used, stories created (count only, not content)
- Device information - Device type, operating system version, app version
- Crash reports - Technical information to identify and fix bugs
We do not use third-party analytics services that collect personally identifiable information from children.
3.3 User Preferences
We store your chosen preferences locally on your device and in your account:
- Selected age group (for story complexity)
- Theme color preferences
- App settings
4. How We Use Information
We use the information we collect for the following purposes:
- Provide the Service: Create and manage your account, generate stories, and sync content across devices
- Improve the App: Analyze usage patterns to enhance features and fix issues
- Customer Support: Respond to inquiries and provide assistance
- Security: Protect against fraud, unauthorized access, and other security threats
- Legal Compliance: Comply with applicable laws and legal obligations
We do not use children's information for behavioral advertising, profiling, or any purpose not directly related to providing the storytelling service.
5. Information We Do NOT Collect
To protect your privacy, especially the privacy of children, we explicitly do not collect:
- Voice Recordings: Voice input is transcribed in real time and immediately discarded. We do not store, transmit, or retain audio recordings.
- Precise Location: We do not collect GPS or precise location data
- Contacts or Address Book: We do not access your device's contacts
- Photos or Camera: We do not access your device's camera or photo library
- Browsing History: We do not track browsing activity outside our App
- Advertising Identifiers: We do not collect device advertising IDs
6. Story Content and Ownership
Stories created in Bookbox are your personal property:
- User Ownership: You own the stories you create using Bookbox
- Encrypted Storage: Story content is encrypted both on your device and in cloud backup
- No Content Access: We do not read, analyze, or use your story content for any purpose other than displaying it back to you
- No Sharing: We do not share your stories with third parties
7. Third-Party Services
We use limited third-party services to operate Bookbox:
7.1 Supabase (Database & Authentication)
We use Supabase to securely store account information and encrypted story data. Supabase processes data in accordance with their Privacy Policy.
7.2 Google Gemini (Story Generation)
We use Google's Gemini service to generate story text and illustrations. When you create a story, we send only the story prompt (not your voice recording) to generate content. Google processes this data in accordance with their Privacy Policy.
7.3 Apple and Google Sign-In
If you choose to sign in with Apple or Google, we receive only your email address and a unique identifier. We do not receive your password or other account details from these services.
8. Data Storage and Security
We take the security of your data seriously and implement appropriate measures:
- Encryption in Transit: All data transmitted between the App and our servers is encrypted using TLS 1.3
- Encryption at Rest: Story content is encrypted before being stored in our database
- Local Storage: Stories are also stored locally on your device for offline access
- Access Controls: We limit employee access to personal data on a need-to-know basis
- Regular Audits: We regularly review our security practices and update them as needed
While we implement robust security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your information to the best of our ability.
9. Children's Privacy Rights
In accordance with COPPA and other applicable laws, we provide the following rights for children's personal information:
- Children are not required to provide more information than necessary to use the App
- We do not condition participation on disclosure of unnecessary information
- We do not share children's personal information with third parties except as described in this policy
- We provide parents the ability to review and delete their child's information
10. Parental Rights and Controls
Parents and guardians have the following rights regarding their child's information:
- Access: Request a copy of the personal information we hold about your child
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your child's account and all associated data
- Refuse Collection: Refuse further collection of your child's information
- Consent Withdrawal: Withdraw previously given consent
To exercise these rights, please contact us at privacy@mybookbox.co with proof of your identity and relationship to the child. We will respond to verified requests within 30 days.
11. International Users (GDPR Notice)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
Legal Basis for Processing
We process personal data based on:
- Contract: Processing necessary to provide the service you requested
- Consent: Where you have given explicit consent (which can be withdrawn)
- Legitimate Interests: For security, fraud prevention, and service improvement
Your GDPR Rights
- Right of Access: Obtain confirmation of data processing and access to your data
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restriction: Restrict processing of your personal data
- Right to Portability: Receive your data in a portable format
- Right to Object: Object to processing based on legitimate interests
- Right to Complain: Lodge a complaint with your local data protection authority
Children's Data (GDPR)
Under GDPR, parental consent is required for processing personal data of children under 16 years of age (or lower age as set by individual EU member states, with a minimum of 13). We obtain verifiable parental consent before processing children's personal data.
12. California Residents (CCPA Notice)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
Your CCPA Rights
- Right to Know: Request disclosure of personal information collected, used, and disclosed
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: Opt out of the sale of personal information
- Right to Non-Discrimination: Not be discriminated against for exercising your rights
We Do Not Sell Personal Information
We do not sell personal information of any user, including children. We have not sold personal information in the preceding 12 months.
Children Under 16
Under CCPA, we must obtain opt-in consent before selling personal information of consumers under 16. Since we do not sell any personal information, this provision does not apply. However, we additionally require parental consent for children under 13 in compliance with COPPA.
13. Data Retention and Deletion
We retain personal information only as long as necessary to provide our services and fulfill the purposes described in this Privacy Policy:
- Account Data: Retained until you delete your account
- Story Content: Retained until you delete individual stories or your account
- Usage Analytics: Aggregated and anonymized; individual data deleted after 12 months
- Support Communications: Retained for 3 years for quality and legal purposes
When you request account deletion, we will delete or anonymize your personal information within 30 days, except where we are required to retain certain information for legal or legitimate business purposes.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you via email (if you have provided one)
- Display a prominent notice in the App
For material changes affecting children's data, we will obtain new parental consent where required by law.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We will respond to privacy inquiries within 30 days. For urgent matters regarding children's privacy, please include "URGENT: Child Privacy" in your subject line.
© 2026 Storybox Labs LLC. All rights reserved.