Privacy Policy

Last Updated: February 17, 2026

1. Our Commitment to Families

My Teddy Stories is built around the safety of children and families. This policy explains what personal data we collect, why we collect it, and how we protect it. We follow the requirements of the European General Data Protection Regulation (GDPR) and, where applicable, the U.S. Children's Online Privacy Protection Act (COPPA).

The data controller responsible for your personal data is: My Teddy Stories, 60 Route de Gardanne, Res La Victorine, 13710 FUVEAU, France, [email protected].

2. Children's Data — Our Architecture

Our Service is designed so that children never provide personal data to us. The children's section of the app is limited exclusively to reading stories that an adult account holder has already generated. All account creation, story generation, data input, and credit management is restricted to adults through a parental gate. We do not knowingly collect any personal data from children under the age of 16 (or 13 in jurisdictions where that threshold applies).

If you believe that a child has submitted personal data to us without appropriate parental consent, please contact us immediately at [email protected] and we will delete it promptly.

3. Data We Collect and Why

We collect only what is necessary to provide the Service. Below is a description of each category of data, why we collect it, and the legal basis under which we process it.

  • Account Information (email address and encrypted password)We collect this to create and manage your account. Legal basis: performance of the contract between you and us.
  • Story Inputs (children's or teddy bears' names, physical descriptions, and preferences such as favorite colors)We collect this to generate personalized story content as requested by you. Legal basis: performance of the contract. Note that while this data relates to children, it is provided by the adult account holder, who confirms by using the Service that they are the parent or legal guardian of the child concerned.
  • Uploaded ImagesYou may upload a photo to generate a personalized avatar. These images are processed ephemerally: they are transmitted to our AI provider solely for the purpose of generating the avatar and are deleted immediately upon completion. They are never stored permanently on our servers. We contractually require our AI providers not to retain or use submitted images for any purpose, including model training. Legal basis: your explicit consent, which you provide at the point of upload via an affirmative confirmation step.
  • Usage and Technical DataWe collect anonymized logs and analytics data (such as session duration and feature usage) to monitor performance and improve the Service. This data is not linked to your identity. Legal basis: our legitimate interest in maintaining and improving a functional service. This data is retained for a rolling period of 12 months, after which it is deleted or permanently anonymized.

4. AI Providers and Subprocessors

To generate text and images, we use the following third-party AI providers:

  • Google (Gemini) — text generation
  • Runware — image generation

We send only the minimum necessary prompts to these providers (for example, "A teddy bear walking through an autumn forest"). We do not send personal identifiers alongside these prompts. We do not use your personal data to train any AI model, public or private. All subprocessors are contractually required to process data solely on our instructions and to maintain data protection standards equivalent to those described in this policy. A current list of our subprocessors is available upon request.

If we engage a new subprocessor that will process personal data, we will notify you in advance.

5. Advertising and Cookies

Advertising

We display advertisements through Google AdMob, a service provided by Google LLC. AdMob may use your device's advertising identifier and certain usage data to serve personalized advertisements. We obtain your consent before personalized advertising is enabled. If you do not consent, you may still see non-personalized ads. For more information on how Google processes data for advertising purposes, please refer to Google's Privacy Policy at https://policies.google.com/privacy. Google AdMob is a data processor acting on our instructions and is included in our list of subprocessors.

Cookies and Tracking Technologies

Our website uses cookies and similar technologies. We categorize these as follows:

  • Strictly necessary cookies: required for the website to function (session management, security). These do not require your consent.
  • Analytics cookies: used to understand how visitors use our site. These are only placed with your consent.
  • Advertising cookies: used by our advertising partners to serve relevant ads. These are only placed with your consent.

When you first visit our site, you will be presented with a consent management tool that allows you to accept or refuse non-essential cookies. You can update your preferences at any time via the Cookie Settings link in the footer of our website. Your consent choices are recorded and stored as required by applicable law.

6. Data Retention

We retain your data only for as long as necessary:

  • Account data (email, encrypted password): retained until you delete your account, then permanently deleted within 30 days.
  • Story inputs and generated books: retained as long as your account is active and deleted within 30 days of account deletion.
  • Uploaded images: deleted immediately after avatar generation (ephemeral — see Section 3).
  • Anonymized analytics logs: 12 months rolling, then deleted or permanently anonymized.

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access: you may request a copy of the data we hold about you.
  • Correction: you may ask us to correct inaccurate data.
  • Deletion: you may request that we delete your data. You can also do this directly via the "Danger Zone" section of your profile.
  • Portability: you may request your data in a structured, machine-readable format.
  • Restriction: you may ask us to restrict processing of your data in certain circumstances.
  • Objection: you may object to processing based on legitimate interests.
  • Withdrawal of consent: where processing is based on your consent (such as image uploads), you may withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority. In France, this is the CNIL (www.cnil.fr).

8. Data Security

We use industry-standard security measures including encryption in transit (TLS) and encrypted storage of passwords. We do not store payment card data — payments are processed by our payment provider and subject to their security standards.

9. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or in-app notification at least 30 days before the change takes effect. The current version is always available at www.myteddystories.com/privacy.

10. Contact

For any privacy-related questions, data rights requests, or concerns, please contact us at:

My Teddy Stories — [email protected]