COPPA-Conscious Privacy Statement
Mirror Story is designed to comply with the Children's Online Privacy Protection Act (COPPA). We never collect personal information directly from children. All accounts are created and managed by parents or legal guardians aged 18 or older.
AI-Generated Content Notice
All stories, conversation starters, illustrations, and Therapeutic Approach sections on Mirror Story are generated by artificial intelligence (OpenAI, Anthropic Claude for backup story text, and xAI for narration). The Therapeutic Approach section explains the storytelling techniques used in each story — it is not written by a licensed therapist, psychologist, or any other mental health professional, and does not constitute professional medical or psychological advice. If your child is experiencing significant distress or a clinical concern, please consult a qualified mental health professional. We use automated safety checks before and after story generation, but no automated system is perfect; parents should review each story and can report any concern from the parent section.
1. Who We Are
Sudhanav LLC ("we," "us," "our") is an AI-powered storytelling service for children, operated by parents on behalf of their children. We are headquartered in Texas, USA, and are committed to protecting the privacy of every family using our service.
Data Controller: Sudhanav LLC
Contact: contact@mirrorstory.app
Response time: Within 5 business days
2. What Data We Collect
From parents (account holders only):
• Email address (via Clerk authentication)
• Payment information (processed by Stripe – we never see your card number)
• Subscription status
• Authentication and session data – collected and stored by Clerk for account security: device type and operating system, browser name and version, IP address, approximate location derived from IP (city and country), and login timestamps. This data is visible to you under Account → Security → Active devices and is retained until the session ends or you revoke it. It is never linked to child profiles.
• IP address – also collected independently for rate limiting and abuse prevention; these copies are purged within 24 hours
• Parent PIN and PIN reset information used to protect parent-only story sections
From child profiles (stored under the parent's account):
• Child's first name only
• Child's age
• Story preferences, pronouns, and story companion choice
• Situation descriptions or story details provided by the parent
• Generated stories, illustrations, narration/audio, conversation starters, and Therapeutic Approach sections
• Parent review decisions and story visibility status, such as approved, archived, or reported
• Recipient email addresses when a parent chooses to email or share a story
• Parent-submitted story report details, including report reason, optional comment, story ID, and related story metadata
Browser session draft data:
• Unfinished story or series setup may be stored temporarily in your browser session so you can recover the flow if you navigate away. This can include the selected child profile, story type, theme or emotional focus, companion preference, illustration detail, and the parent note you typed before submitting.
We NEVER collect directly from children:
• Last names
• Photographs or videos
• Voice or audio recordings
• Location data or device identifiers of any kind
• Behavioral tracking or advertising data
3. How We Use Your Data
We use collected data to:
• Generate personalized stories for your child
• Process story, series, illustration, and narration requests asynchronously so generation can continue if you leave the page
• Manage your subscription and payments
• Send account-related emails (never marketing emails without your explicit consent)
• Create and deliver story PDFs, email copies, or downloaded files when requested by the parent
• Monitor service performance and fix errors (via Sentry)
• Enforce rate limits and protect the service from abuse using IP address data
• Apply automated safety filters to parent-provided situation details and generated story content to help prevent unsafe, inappropriate, or unsupported content from being created or shown
• Keep therapeutic stories parent-controlled until a parent reviews, approves, archives, or reports them
• Review parent-submitted reports about AI-generated story safety or quality and respond to support requests
• Improve and maintain our service
We NEVER:
• Sell your data to third parties
• Use your data for advertising or profiling
• Share your child's information with any unauthorized party
4. Third-Party Services
We use the following trusted third-party services, each governed by their own privacy policies:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Clerk | Authentication | clerk.com/privacy |
| Supabase | Database hosting | supabase.com/privacy |
| Stripe | Payment processing | stripe.com/privacy |
| OpenAI | AI story generation and illustration generation | openai.com/policies/privacy-policy |
| Anthropic | Backup AI story generation | anthropic.com/privacy |
| xAI | AI text-to-speech narration | x.ai/legal/privacy-policy |
| Trigger.dev | Background job processing for story generation | trigger.dev/legal/privacy |
| Upstash Redis | Temporary cache for security and fraud prevention | upstash.com/trust/privacy.pdf |
| Resend | Transactional email | resend.com/legal/privacy-policy |
| Netlify | App hosting | netlify.com/privacy |
| Vercel | App hosting | vercel.com/legal/privacy-policy |
| Sentry | Error monitoring | sentry.io/privacy/ |
Data Sent to AI Providers
To generate each story and its illustrations, we use OpenAI's API as our primary provider. Anthropic's API is used only as a backup for story text generation. We send your child's first name, companion animal name, and the situation description you provide. This is the minimum required to create a personalised, age-appropriate story. For story narration, we send the generated story text to xAI's API to produce an audio reading of the story.
We do not send last names, contact details, or any other personally identifying information to any AI provider.
Some generation requests are processed asynchronously through background workers, including Trigger.dev. Those services help run the generation workflow; they are not used for advertising or child profiling.
How your data is protected by these providers:
- OpenAI (primary — story text and illustrations): Under OpenAI's standard API terms, which apply to all API customers, your submitted data is not used to train their models by default.
- Anthropic (backup — story text only): Under Anthropic's standard API terms, which apply to all API customers, your submitted data is not used to train their models by default.
- xAI (voice narration): Per xAI's published API security policy, xAI does not train on API inputs or outputs without explicit permission, and all API data is automatically deleted within 30 days.
International Data Transfers: Our third-party service providers (including Anthropic, OpenAI, Trigger.dev, Netlify, Vercel, and Stripe) may process data on servers located in the United States or other countries. If you are located in the European Economic Area (EEA) or United Kingdom, please be aware that your data may be transferred to countries that may not have the same data protection laws as your country. We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards to protect your data in such transfers.
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
• Contractual necessity – to provide you with the Mirror Story service
• Consent – for optional communications and non-essential features
• Legitimate interest – for fraud prevention, security monitoring, rate limiting, and service improvement
• Legal obligation – to comply with applicable laws (e.g., COPPA, financial regulations)
You have the right to withdraw consent at any time without affecting the lawfulness of prior processing. You also have the right to lodge a complaint with your local data protection supervisory authority (e.g., the ICO in the UK or your national DPA in the EU).
6. Cookies and Browser Storage
We use a minimal number of cookies and browser storage necessary for the service to function:
• Authentication cookies – set by Clerk to maintain your login session. Clerk also stores session metadata (device, browser, IP, approximate location) server-side for the lifetime of the session; this is separate from the cookie itself and is not controlled by your browser cookie settings.
• Performance cookies – used by Sentry for error monitoring
• Browser session storage – used to restore unfinished story or series setup in the same browser session. This draft storage is local to your browser and is cleared when you submit the setup, discard the draft, or clear the browser session.
We do not use advertising cookies, third-party tracking pixels, or behavioral analytics. You can manage or disable cookies and browser storage through your browser settings, though this may affect your ability to log in or recover an unfinished setup. To revoke an active session and its associated data, visit Account → Security → Active devices.
7. Parental Rights (COPPA)
As a parent or legal guardian, you have the right to:
• Review the personal information we have collected about your child
• Request correction of inaccurate data
• Request deletion of your child's information
• Refuse further collection of your child's information
• Withdraw consent at any time
To exercise these rights, visit our Data Deletion page or email contact@mirrorstory.app. We will respond within 5 business days.
8. Your Rights Under GDPR (EEA/UK Users)
In addition to COPPA rights above, if you are in the EEA or UK, you have the right to:
• Access – request a copy of the personal data we hold about you
• Rectification – correct inaccurate or incomplete data
• Erasure – request deletion ("right to be forgotten")
• Restriction – limit how we process your data
• Portability – receive your data in a machine-readable format
• Object – object to processing based on legitimate interest
To make any of these requests, email contact@mirrorstory.app.
9. Data Retention
We retain your data for as long as your account is active. When you delete your account, all data – including child profiles and generated stories – is permanently deleted within 30 days. You may request immediate deletion at any time by contacting us. IP addresses used for rate limiting are retained for no longer than 24 hours and are automatically purged thereafter. Authentication session data (device, browser, IP, approximate location) collected by Clerk is retained for the lifetime of the active session and deleted when the session expires or is revoked by the user. Short-lived generation job data used to complete background story creation is retained only as needed to finish, retry, or fail the request.
10. Data Security
We use industry-standard security measures including:
• Encrypted connections (HTTPS/TLS)
• Secure database storage with row-level security (Supabase)
• Access controls and authentication (Clerk)
• Encryption for short-lived generation job data used by background workers
• Real-time error and anomaly monitoring (Sentry)
No system is 100% secure. In the event of a data breach that affects your personal information, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with applicable law.
11. Children's Privacy (COPPA Specific)
Mirror Story is a service directed at children but operated exclusively through parent accounts. Children do not create accounts, do not enter personal information, and do not interact with our systems directly. All data relating to children is stored under the parent's account and is subject to the parent's full control.
12. Reporting AI-Generated Content
Parents can report any generated story that feels unsafe, inaccurate, inappropriate, or concerning. We review these reports to improve Mirror Story's safety systems and may use report details, including the story ID, report reason, optional parent comment, and related story metadata, to investigate and address the concern.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email. The "Last updated" date at the top of this page will always reflect the most recent version.
14. Contact Us
For privacy questions, data requests, or COPPA concerns:
Sudhanav LLC
Email: contact@mirrorstory.app
Response time: Within 5 business days