Privacy Policy
Last updated: April 2026
1. Introduction
Spintale ("we", "us", "our") is an AI-powered app that helps parents and guardians create personalised bedtime stories with their children. This policy explains what data we collect, why we collect it, how we protect it, and your rights under UK GDPR (Data Protection Act 2018).
Spintale is operated by Carmur Labs Ltd, registered in England and Wales. We act as the data controller for your personal data.
2. Data We Collect
Account Data
When you create an account, we collect your email address and authentication provider identifiers. This is necessary to provide the service (lawful basis: contract).
Child Profile Data
To personalise stories and operate Reader Mode, we collect your child's profile name, age, avatar choice, allowed age bands, and interests. Lawful basis: contract - this data is necessary to deliver the core product.
Story Content
We store the stories you create, including text, illustrations, and audio narration. Lawful basis: contract - the stories are the product being delivered.
Reading Progress and Safety State
We store per-child reading progress, recent reading history, and any parent-managed Reader Mode safety review decisions. Lawful basis: contract - this data is necessary to provide resume, history, and Reader Mode safety controls.
Subscription Data
Subscription status and billing are managed by Apple or Google. We receive your subscription status but do not process payment details directly. Lawful basis: contract.
Analytics
We collect anonymous usage analytics to improve the product. Child names and ages are never included in analytics data. You can opt out of analytics at any time. Lawful basis: legitimate interest.
Push Notifications
We only send push notifications if you grant permission via the iOS or Android prompt. Lawful basis: consent.
3. Data Residency
All infrastructure is deployed in the UK (AWS eu-west-2, London) or EU regions. Your data does not leave the UK/EU except where explicitly noted below under third-party processors.
| Service | Region | Data Stored |
|---|---|---|
| Database (Neon) | eu-west-2 | User accounts, story metadata, child profiles |
| File Storage (S3) | eu-west-2 | Story images, audio files |
| CDN (CloudFront) | Global edge | Cached story assets (no personal data) |
4. Third-Party Processors
We share data with the following processors to deliver the service:
| Service | Data Shared |
|---|---|
| AWS Bedrock (text generation) | Story prompts (may include child's name) |
| fal.ai (image generation) | Image prompts (no personal data - names excluded) |
| Fish Audio (narration) | Story text for speech (may include child's name) |
| RevenueCat (subscriptions) | User ID, subscription status |
| PostHog (analytics) | Anonymous usage events (EU Cloud) |
| Sentry (error monitoring) | Error data (may include user IDs) |
5. Data Retention
| Data | Retention |
|---|---|
| Active account data | Kept while your account is active |
| Stories and assets | Kept while your account is active |
| Deleted stories | Permanently removed when you delete them |
| Deleted child profiles | Soft-deleted and hidden from the app; permanently removed when the parent account is permanently deleted |
| Deleted accounts | 30-day soft delete, then all data permanently removed |
| Analytics data | Per PostHog retention settings |
| Error logs | 90 days |
6. Account Deletion
You can delete your account at any time from the Settings screen in the app.
- Tap "Delete Account" in Settings
- Confirm deletion in the dialog
- You will be signed out immediately
- After a 30-day grace period, all your data is permanently deleted, including:
- Your account and all associated data
- All story assets (images, audio)
- Subscription records
- Analytics data
During the 30-day grace period, you can contact us to restore your account. After 30 days, deletion is irreversible.
7. Your Rights
Under UK GDPR, you have the right to:
- Access - request a copy of all your personal data
- Rectification - correct inaccurate personal data
- Erasure - delete your account and all associated data
- Data portability - receive your data in a machine-readable format
- Object - opt out of analytics processing
To exercise any of these rights, contact us at support@spintale.app. Data export requests are currently handled manually by email. We will respond within 30 days.
8. Children's Data
Spintale is designed for parents and guardians, not for use directly by children. No child accounts exist - all data is stored under the parent's account.
We take extra care with children's data:
- We only collect what is needed: name (optional), age (required), and interests (required)
- Child profiles are private to the parent's account
- Child names and ages are excluded from analytics
- Child names are excluded from image generation prompts
9. Cookies & Tracking
The Spintale app does not use cookies. Our website uses anonymous analytics (PostHog) to understand how visitors use the site. We do not use advertising trackers or sell data to third parties.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes via the app or email. The "Last updated" date at the top of this page indicates when this policy was last revised.
11. Contact
If you have questions about this privacy policy or how we handle your data, contact us at support@spintale.app.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.