Launching imagination rockets...
Last updated:
This Privacy Policy explains how ELEN Story AI ("we," "us," or "our") collects, uses, stores, shares, and protects information when you access or use our website, mobile applications, AI story-creation tools, public sharing features, and any related services (collectively, the "Service"). It applies to adults who create or manage accounts and to information associated with child profiles maintained under those accounts. It does not apply to third-party websites or services that have their own privacy notices. By using the Service, you acknowledge and agree to the practices described here. If you do not agree, please do not use the Service. If you use the Service on behalf of or in connection with a child, you represent that you are authorised to do so and that you will review AI-generated outputs before sharing them with that child.
Account and Profile Data: We collect information needed to create and operate your (the adult's) account, including name, email address, profile image, authentication credentials, language preference, notification settings, subscription status, and related account metadata. If you sign in with Google or Facebook, we receive the profile data those providers share with us. Child Profile Data — Anonymous by Design: Child profiles are anonymous preference sets that live under your account. They contain only a fictional "magical name" (a display handle of your choosing, not the child's real name), an avatar selected from a fixed set of cartoon characters, and a reading-level band (e.g. Beginner / Intermediate / Advanced / Tween). We do not collect a child's real name, exact age, birth year, birthday, email, phone number, location, voice, photo, or any other personal information. Children cannot create accounts, generate stories, or type free text through the Service. Prompts, Stories, and Generated Media: All prompts, story titles, story text, AI-generated illustrations, generated audio narration, video, PDFs, story metadata, and visibility settings are created and managed by the adult account holder. Generated audio is produced from story text by a text-to-speech service; the Service does not record, capture, or process microphone input from any user. Billing and Payments: When you make a purchase, we receive transaction-related data including plan type, subscription status, billing period, store or processor identifiers, and limited payment metadata. We do not store full card numbers. Technical, Diagnostic, and Usage Data: We automatically collect information such as IP address, browser and device type, operating system, app version, crash data, request metadata, cookie or consent status, security events, and, where permitted or consented to, analytics and performance data — these signals are tied to your (the adult's) account, not to a child. Support and Communications: When you contact us, respond to surveys, or request assistance, we process the content of those communications.
We use personal information to operate, secure, maintain, and improve the Service, including to: create and manage your account, child profiles, subscriptions, and billing records; generate stories, images, narrations, videos, translations, and other requested outputs; deliver and store your content across web and mobile; honour your visibility settings, including public sharing when you enable it; provide customer support, investigate incidents, detect abuse, and enforce our Terms of Service; measure product performance where a legal basis exists; and comply with legal obligations, protect rights, and resolve disputes. We may also use aggregated or de-identified data for analytics, security, service quality, and internal operations. We do not sell personal information for monetary consideration, and we do not knowingly use child profile data for behavioural advertising.
If you mark a story or media as public, share it via a public URL, or leave a default-public setting enabled, other users or members of the public may access it. Public content may be copied, downloaded, re-shared, cached, indexed, or otherwise viewed by others, and we may be unable to fully retrieve it after it has been made public. Accordingly, please do not include sensitive personal information, private family details, school records, health data, precise location data, government identification numbers, or any other information you do not wish to disclose in prompts, titles, descriptions, or public stories.
We share information only to the extent reasonably necessary to operate the Service, comply with legal obligations, protect rights, or carry out a transaction you request. We engage the subprocessors listed below to process personal data on our behalf under written data processing agreements (DPAs), which in some cases are incorporated by reference into each provider's standard terms of service. Each subprocessor is permitted to use personal data only for the limited purpose described and is required to implement appropriate technical and organisational security measures. We update this list when we add or remove subprocessors. In the event of a merger, financing, restructuring, or asset sale, information may also be disclosed subject to customary confidentiality safeguards. Current subprocessors: • Supabase (United States / EU regions) — authentication, PostgreSQL database, file storage. Processes: account email, password hash, profile data, child-profile records (display name + content level + avatar only), story metadata. • Google LLC — Gemini, Imagen, Veo, and Cloud Text-to-Speech APIs (United States / EU). Processes: parent-supplied prompts, generated story text, image generation requests, and story text submitted to the text-to-speech service to produce narrated audio. Per Google's Generative AI Terms, customer prompts are not used to train Google models. • Cloudflare, Inc. (global edge network) — R2 object storage and Stream HLS video hosting. Processes: generated videos, audio files, PDFs, thumbnails. Cloudflare does not have access to plaintext account data. • Polar Software Inc. (United States) — subscription billing and credit-pack purchases on the web. Processes: parent name, email, billing address, payment-method tokens. Card numbers are handled directly by Polar's PCI-compliant processors and are never seen by us. • Apple Inc. and Google LLC — in-app purchases and receipt validation on iOS and Android. Processes: store purchase tokens, receipts, transaction identifiers. • Upstash, Inc. (United States / EU regions) — Redis-based rate limiting and abuse prevention. Processes: hashed user identifiers and request counters. No story content is stored. • Functional Software, Inc. d/b/a Sentry (United States) — error monitoring and crash reporting. Processes: error stack traces, user identifiers, request metadata. Personal data in error context is scrubbed where feasible. • Vercel Inc. (United States / global edge) — hosting and content delivery for the web application. Processes: HTTP request metadata and IP addresses for routing and security. We may additionally disclose information to advisors, authorities, courts, or counterparties when required by law, in response to valid legal process, or where reasonably necessary to protect the Service, our users, or our rights. We do not sell personal information for monetary consideration, and we do not knowingly use child profile data for behavioural advertising.
The Service is designed for adults. Children do not open ELEN Story AI accounts and do not provide personal information through the Service. The kid-mode interface is consumption-only — children can view and listen to stories created by the adult account holder, but cannot generate new stories or send free-text prompts. Child profiles under your account are anonymous (magical name + avatar + reading-level band only). We provide a separate Children's Privacy Notice with additional details.
Read our Children's Privacy Notice →Depending on where you are located, we process personal data on the basis of: contractual necessity (to provide the Service you have requested); your consent (for optional analytics and marketing communications); our legitimate interests in operating, securing, and improving the Service, where those interests are not overridden by your rights; and compliance with legal obligations. Where consent is required, you may withdraw it at any time for the future by adjusting your cookie or marketing preferences within the Service.
We retain information for as long as reasonably necessary for the purposes described in this Policy, including to provide the Service, maintain account history, detect abuse, satisfy legal obligations, and enforce agreements. In practice, account records, child profiles, and story data are generally retained until you delete them or close your account; technical and analytics logs are retained according to operational needs and provider settings; and certain billing, fraud-prevention, legal-hold, and backup data may be retained for longer periods. When you delete content or close your account, we delete or anonymise active records within a reasonable timeframe, subject to technical constraints, legal obligations, backup cycles, and fraud-prevention or dispute-resolution requirements. Publicly shared or third-party cached copies may remain outside our control.
Depending on your jurisdiction, you may have rights to access, export, correct, delete, restrict processing of, or object to the processing of personal data about you. You may also withdraw consent for optional analytics or marketing. You can manage certain settings directly within the Service, including visibility preferences, marketing email opt-outs, legal-consent history, data export, and account deletion. We may require identity verification before processing certain requests, and we may limit or decline requests where a legal exception applies. Residents of the European Economic Area, United Kingdom, and certain US states (including California) have additional rights under applicable data-protection law. To exercise any right, contact us at [email protected].
We and our service providers may process information in countries other than where you reside, including countries that may not provide the same level of data-protection law as your home country. Where required, we rely on appropriate contractual, technical, or organisational safeguards — such as Standard Contractual Clauses — for cross-border data transfers.
We implement administrative, technical, and organisational safeguards including encrypted transmission (TLS), access controls, security logging, rate limiting, database-level security, and parent-side PIN or session protections for child-related features. No system is completely secure, and we cannot guarantee absolute security. You are responsible for safeguarding your account credentials, devices, and parental PINs. Please notify us promptly at [email protected] if you suspect unauthorised access.
We may update this Privacy Policy from time to time. For material changes, we will update the version date, publish the revised Policy, display an in-product notice, or — where appropriate — request your renewed consent before continuing to process your data under the updated terms. Your continued use of the Service after a change is posted constitutes acceptance of the updated Policy, to the extent permitted by law.
If you have questions about this Privacy Policy, wish to exercise a privacy right, or need assistance with a child profile, please contact us at: Email: [email protected] | Website: https://elenstoryai.com/contact. We aim to respond to substantive privacy inquiries within 30 days.
You may request deletion of your account within the Service. Account closure is intended to remove your profile, child profiles, and associated story content from active product systems, subject to the retention exceptions described above. This action is generally irreversible; please export any content you wish to retain before closing your account.
This document is version 2026-04-28.3. If you have questions or concerns, please contact us at [email protected].