[DRAFT — pending legal review] This document has not been reviewed by a lawyer. Do not treat it as final legal text. All sections marked [TBD] require confirmation before going live.

Privacy Policy

Last updated: [TBD — insert date before launch]

1. Who We Are

Clouds' Children ("we", "us", "our") operates the website and application available at cloudyapp.io and its subdomains (auth.cloudyapp.io, hub.cloudyapp.io, dreamweaver.cloudyapp.io).

Contact:
Privacy enquiries: privacy@cloudyapp.io
Registered entity: [TBD — legal entity name, address, country of registration]

2. Information We Collect

Clouds' Children is a platform designed for children aged [TBD — confirm age range, e.g. 6–16]. We collect the minimum data necessary to operate the service.

From children (hero accounts)

Username (chosen by the child or parent)
Password (stored hashed — we never store plaintext)
First name (optional)
Age or date of birth (optional, used for content age-gating)
Story content generated during use (text prompts, choices, saved stories)

We do not collect email addresses directly from children. A parent or guardian email is collected solely to send the parental consent request.

From parents and guardians (adult accounts)

First name, last name
Email address
Username
Password (hashed)
Date of birth (optional)
Number of children (optional)

Automatically collected technical data

IP address (anonymised or pseudonymised where possible)
Browser type and version
Session duration and pages visited (via PostHog analytics — EU-hosted)
Authentication tokens (stored in secure HTTP-only cookies)

3. How We Use the Information

To create and manage user accounts
To personalise and generate story content for the child
To send parental consent requests and platform notifications to parents
To detect and prevent fraud, abuse, and security threats
To analyse usage patterns and improve the platform (aggregated, anonymised)
To comply with legal obligations (COPPA, GDPR)

We do not use children's personal information for advertising or marketing.

4. Disclosure to Third Parties

We share data only with the following service providers, each bound by data processing agreements:

Provider	Purpose	Data transferred
Supabase (US)	Database, authentication	Account data, story content
Vercel (US)	Hosting, edge functions	Request logs (IP, path)
OpenAI / OpenRouter (US)	AI story generation	Story prompts (no name/email)
RunPod (US)	AI image generation	Image generation requests
ElevenLabs (US)	AI narration (text-to-speech)	Story text segments
PostHog (EU)	Product analytics	Anonymised usage events
Brevo (EU)	Transactional email	Parent email address only

We do not sell personal data. We do not disclose personal data to advertisers or data brokers.

5. Parental Rights

Under COPPA, parents and guardians of children under 13 have the right to:

Review the personal information we have collected about their child by emailing privacy@cloudyapp.io.
Refuse further collection — parents may withdraw consent at any time, which will deactivate the child's account and stop data collection.
Delete their child's personal information by contacting us at the email above. We will process deletion requests within [TBD — e.g. 30 days].

We will not condition a child's participation in any activity on the collection of more personal information than is reasonably necessary for that activity.

6. Age Gate and Parental Consent

Children under 13 cannot create an account without verified parental consent. Our sign-up flow requires the child to provide a parent or guardian email address. We then send a consent request to that address. The account is not activated until the parent or guardian completes the consent form.

Adults creating accounts on behalf of or alongside a child must confirm they are 18 or older.

7. Legal Basis for Processing (GDPR)

Contract performance (Art. 6(1)(b)): Processing necessary to deliver the service (account creation, story generation, authentication).
Legal obligation (Art. 6(1)(c)): Processing required to comply with COPPA and other applicable law.
Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, platform stability. We balance these interests against data subjects' rights.
Consent (Art. 6(1)(a) / Art. 8): For children under 16 in the EU, we obtain verifiable parental consent. For analytics cookies, we seek user consent separately.

8. Data Retention

We retain personal data for as long as the account is active. Upon account deletion:

Account data and story content: deleted within [TBD — e.g. 30 days] of the deletion request.
Backups: purged within [TBD — e.g. 90 days] per our backup rotation schedule.
Server logs: retained for [TBD — e.g. 30 days] for security purposes, then deleted.

9. Your Rights (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the right to:

Access (Art. 15): Request a copy of your personal data.
Rectification (Art. 16): Correct inaccurate or incomplete data.
Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
Portability (Art. 20): Receive your data in a machine-readable format.
Objection (Art. 21): Object to processing based on legitimate interests.
Restriction (Art. 18): Request that we limit processing of your data.

To exercise any of these rights, contact us at privacy@cloudyapp.io. We will respond within [TBD — e.g. 30 days] and may request identity verification.

You also have the right to lodge a complaint with your local supervisory authority (e.g. CNIL in France, ICO in the UK).

10. International Data Transfers

Several of our service providers (Supabase, Vercel, OpenAI, RunPod, ElevenLabs) are based in the United States. When we transfer personal data from the EEA to the US, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission, or
The EU-US Data Privacy Framework where the provider is certified.

[TBD — confirm which providers are DPF-certified vs. SCC-covered and list them explicitly.]

11. Cookies and Analytics

We use the following categories of cookies:

Strictly necessary: Authentication tokens (HTTP-only, Secure). These cannot be disabled as they are required for the service to function.
Analytics: PostHog (EU-hosted instance). Used to understand how the platform is used. Anonymised where possible. Requires your consent.

[TBD — implement and link to cookie consent banner / cookie preference centre before launch.]

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify parents by email and display a notice on the platform. Continued use after the effective date constitutes acceptance of the revised policy.

13. Contact Us

For any questions about this Privacy Policy or to exercise your rights:
privacy@cloudyapp.io
[TBD — postal address]