TalyTales - Privacy Policy

Effective Date: November 4, 2025
Entity: onEins LLC, 3833 Powerline Rd, Suite 101‑K, Fort Lauderdale, Florida 33309, USA (“onEins,” “we,” “us,” “our”).

This Privacy Policy explains how we collect, use, disclose, and protect information about users of the TalyTales iOS application and related services (the “Service”). Capitalized terms not defined here have the meanings in our Terms of Use.

Who this is for. Accounts are created and operated by a parent or legal guardian. Parents may provide limited information about their child and other family members to personalize stories. We do not enable children to create accounts or submit data directly.

1. Scope

This Policy covers the TalyTales iOS app (iPhone & iPad) and in‑app features, including Offline Copies. It does not cover third‑party websites you visit via links or Apple’s own services.

2. Key Definitions (summary)

  • Tale — A personalized, AI‑generated story created from user inputs.
  • TaleMate — A customizable character (e.g., parent, friend, pet, plush toy).
  • Illustration — A stylized, non‑photographic image representing a person/character in a Tale (including Tale images and covers).
  • Plan Balance / Permanent Balance — Credits as described in our Terms (usage data may be personal data).
  • Offline Copy — A Tale and its Illustrations stored locally on the device for in‑app offline viewing.

3. Data We Collect

Account & identifiers. Email (or Sign in with Apple identifier), authentication/session tokens, device and OS metadata, subscription/IAP status from Apple, and minimal diagnostic information.

Child‑related personalization (provided by a parent/guardian). Child’s first name, month & year of birth (no day), relation, gender, accent color, TaleMates selected, and an optional photo to generate an Illustration.

Content you provide. Prompts/inputs for Tales, Tale texts, TaleMates, and settings.

Commercial information. Purchase history, Apple receipts metadata, and credit usage for Plan and Permanent balances.

Network/technical logs. IP‑derived region, timestamps, app events, crash/abuse detection logs, and paywall interaction events.

We do not intentionally collect: precise GPS location, address book/contacts, cross‑app advertising identifiers, bank/credit‑card numbers (purchases are processed by Apple), health/education records, or government IDs (unless you send them in free text, which we discourage).

4. Real Photos: Strictly Purpose‑Limited & Ephemeral

  • Sole purpose. A real photo (e.g., of a child, parent, or other person) is used only to generate a non‑photographic Illustration for use inside Tales.
  • Deletion timing. We delete the real photo immediately after successful generation (during the creation flow). If generation fails, we delete the photo within 24 hours via an automated cleanup process.
  • No biometrics. We do not create or store facial recognition templates or similar biometric identifiers.
  • No model training. We configure our AI providers so that content sent via their APIs is not used for model training.

5. How We Use Information (Purposes)

  • Provide the Service (create Tales/Illustrations; manage TaleMates; render Offline Copies).
  • Authenticate & secure accounts (Supabase Auth with email + one‑time passcode (OTP) and Sign in with Apple; JWT‑based authorization).
  • Operate storage/databases (Cloudflare R2 for images; Supabase Postgres for text/metadata; row‑level security so you can access only your own data).
  • Process purchases/credits via Apple IAP & subscriptions and operate Superwall paywalls.
  • Perform analytics to understand feature usage and paywall performance (Mixpanel; Apple App Analytics; Superwall eventing). We use analytics for product improvement, not cross‑context behavioral advertising.
  • Comply with law, resolve disputes, enforce our Terms, and protect users (especially minors) from harm.

We do not run targeted advertising and do not sell or “share” personal data for cross‑context behavioral advertising.

6. Storage & Security

  • Images (Illustrations, Tale images, covers). Stored in Cloudflare R2 with encryption at rest and in transit; access via short‑lived, JWT‑gated endpoints (e.g., signed URLs).
  • Text & metadata (Tale texts; TaleMate info; credit usage). Stored in Supabase Postgres with Row‑Level Security (RLS) and JWT‑based authorization.
  • Offline Copies. Stored on your device for in‑app viewing; removing the app or signing out may make them inaccessible.

We implement TLS, provider‑managed encryption at rest, least‑privilege internal access, and monitoring. No system is perfectly secure; please use strong device security.

7. Retention

  • Real photos: deleted immediately after successful generation; if generation fails, deleted within 24 hours.
  • Tales, TaleMates, Illustrations, account data: retained while your account is active or as needed to provide the Service.
  • Logs/diagnostics: limited retention (generally 6–12 months).
  • Backups: short lifecycle (generally ~30–45 days).
  • Transactions/receipts: retained as required by tax/accounting law (generally up to 7 years).

Upon account deletion, we permanently delete your in‑service Tales, Illustrations, balances, and account data (subject to legal retention). Offline Copies on your device are outside our servers; delete them in‑app or remove the app to purge local data.

8. Sharing & Disclosures

We do not sell personal data and do not share it for cross‑context behavioral advertising. We disclose data only to:

  • Processors (service providers) under contract who operate the Service for us:
    • Supabase (authentication/database)
    • Cloudflare R2 (object storage)
    • OpenAI API (image generation)
    • Google Gemini API (text & image generation; used with Cloud Billing)
    • Apple (App Store billing and App Store Connect analytics)
    • Mixpanel (product analytics)
    • Superwall (paywall SDK & analytics)
  • Legal/safety: to comply with law or protect users (especially minors), or respond to lawful requests.
  • Corporate events: in the event of a reorganization, merger, or sale, subject to this Policy.

We maintain contracts with processors requiring confidentiality, security, and compliance with applicable law.

9. U.S. State Privacy Disclosures (including CA/CPRA)

Notice at Collection (California). Categories we may collect, purposes, typical retention, and whether we “sell” or “share”:

CPRA Categories & Data Processing

| Category (CPRA) | Examples | Purpose | Typical Retention | Sell/Share |
| --- | --- | --- | --- | --- |
| Identifiers | email; Sign in with Apple identifier; device IDs; IP-region | account, auth, security | life of account; logs 6–12 mo. | No |
| Customer records | subscription/IAP status; receipts metadata; credit usage | billing, credits | up to 7 yrs (tax) | No |
| Characteristics | child’s first name; month & year of birth; relation; gender | personalization | life of account | No |
| Internet/technical | app events, diagnostics, crash logs, paywall events (Superwall), product analytics (Mixpanel), App Store Connect analytics | reliability, product analytics | limited, per above | No |
| Audio/visual | Real photo (temp) to generate Illustration; Illustrations | create stories | photo: minutes/≤24h; Illustration: life of account | No |
| Inferences | minimal, not for ads | N/A | N/A | No |

Your rights (where applicable). Depending on your state, you may have rights to access, correct, delete, and obtain a portable copy of your data and to opt out of sale/sharing (not applicable here). You will not be discriminated against for exercising rights. Submit requests in‑app, via legal@oneins.studio, or through our web form at https://www.talytales.com/contact.

Opt‑out signals (GPC). We recognize Global Privacy Control (GPC) on our website where applicable. Native iOS apps do not emit the browser‑level GPC header; regardless, we do not sell/share personal data.

Appeals (where required, e.g., VA/CO/CT). If we deny your request, you may appeal by replying to our decision within 30 days; we respond within 45 days with reasons and further options.

State patchwork note. We apply a harmonized rights workflow across U.S. jurisdictions to the extent feasible while honoring state‑specific requirements.

10. Children’s Privacy

Parents/guardians operate accounts and may enter limited child information and, optionally, upload a child’s photo solely to generate an Illustration; real photos are deleted as set out above. We implement safeguards against sexualized, exploitative, or violent content involving minors and may report suspected child exploitation or imminent risk to authorities.

For users under 13 in the U.S., parental consent is required. TalyTales obtains such consent through verified payment processing (e.g., via Apple Pay or credit card) before any personal data, such as a photo, is collected. The parental consent notice is displayed on the subscription purchase screen.

11. International Users (EEA/UK/Switzerland)

Controller. onEins LLC is the data controller.
Legal bases (GDPR/UK GDPR). Performance of contract (providing the Service), consent (e.g., for child photo uploads), legitimate interests (security/analytics), and legal obligations (tax/compliance).

Transfers. We transfer data to the United States and other countries where our providers operate using appropriate safeguards, including Standard Contractual Clauses and the UK IDTA, plus technical/organizational measures (encryption; access controls).
EU/UK representative; DPO. Not appointed at this time.
Your rights. Access, rectification, erasure, restriction, portability, objection (including to processing based on legitimate interests), and withdrawal of consent at any time (without affecting prior processing). You may lodge a complaint with your supervisory authority.

12. Security Measures

We apply industry‑standard safeguards: TLS in transit; encryption at rest by our providers; JWT‑gated access; row‑level security (RLS) in Supabase; short‑lived signed URLs for media; least‑privilege internal access; monitoring. No system is perfectly secure; please use strong device security.

13. Analytics & SDKs

  • Mixpanel (product analytics). Used to understand feature adoption and improve the app. We configure Mixpanel for product analytics—not cross‑context advertising.
  • Apple App Analytics (App Store Connect). We receive aggregated developer analytics provided by Apple.
  • Superwall (paywalls). We use Superwall’s SDK to render paywalls, run experiments, and track paywall events.

Where required, we maintain data processing addenda with these providers.

14. Your Choices & Controls

  • Photos optional. You can create Tales without uploading photos.
  • Offline Copies. You control local offline availability in‑app.
  • Data rights. Access/correction/deletion/portability requests: in‑app, via legal@oneins.studio, or https://www.talytales.com/contact. We verify identity via your signed‑in session/email and respond within statutory timelines.
  • Do Not Sell/Share. We do not sell/share personal data. GPC signals are honored on our website where applicable.

15. Support Access; Moderation; Law Enforcement

We do not routinely review your Tales or Illustrations. Support administrators may access Tale texts/Illustrations only in a specific support case (upon your request/consent) or where legally required, and always on a least‑privilege basis. We may review or preserve information to comply with law, protect users, and enforce our Terms.

16. Changes to This Policy

We may update this Policy to reflect operational or legal changes. We will post updates in‑app and revise the Effective Date. Material changes will be communicated as required by law.

17. Contact

  • Privacy & Legal: legal@oneins.studio
  • Support: support@oneins.studio
  • Web form: https://www.talytales.com/contact
  • Postal: onEins LLC, 3833 Powerline Rd, Suite 101‑K, Fort Lauderdale, FL 33309, USA
  • DMCA Agent: Sebastian Dittmann (see Terms of Use for details)
