Effective date: 2026-06-02 Last updated: 2026-06-02 Applies to: Fairyfy iOS and Android mobile applications and the fairyfyapp.com website (collectively, the “Service”).
Fairyfy is a mobile application that generates personalized fairy tales for children using artificial intelligence. The Service is intended to be used by a parent or legal guardian together with their child. Protecting children’s privacy is our highest priority, and this Privacy Policy describes — in plain language — what we collect, why, how long we keep it, and the rights you and your child have.
If you only want the short version: we collect the minimum information needed to make a story, we never sell data, we never serve third-party advertising to your child, we do not collect precise location, contacts, microphone, camera, biometrics, or advertising identifiers from children, and a parent can delete everything at any time by emailing parents@fairyfy.app.
1. Who we are (Data Controller)
The data controller responsible for personal data processed through the Service is:
[LEGAL_ENTITY_NAME][REGISTERED_ADDRESS]
[COUNTRY_OF_INCORPORATION]
Email: privacy@fairyfy.app
Data Protection Officer (DPO): dpo@fairyfy.app
EU representative (GDPR Art. 27): [EU_REPRESENTATIVE_NAME_AND_ADDRESS]
UK representative (UK GDPR): [UK_REPRESENTATIVE_NAME_AND_ADDRESS]
For all questions related to children’s data, parental consent, access, correction or deletion, please write to parents@fairyfy.app. We respond within 7 days and complete most requests within 30 days.
2. Audience and age
Fairyfy is designed for families with children aged 4 and older, with our primary audience being children aged 5 to 9. The Service is rated 4+ on the Apple App Store and is distributed under Google Play’s Designed for Families programme.
A child cannot create an account or use the Service independently. Access requires a parent or legal guardian account, and the parent must complete an age and consent confirmation before any child profile is created.
3. Data we collect
We collect only what is necessary to run the Service. We organise data by who it belongs to.
3.1 Parent / guardian account data
- Email address (used to create the account, recover access and contact you).
- Hashed password (we never store passwords in clear text).
- Display name (optional).
- Country and preferred language.
- Subscription status and purchase history at the receipt level (no card numbers — see §3.4).
- Device type, operating system version and app version (for support and crash diagnosis).
3.2 Child profile data (collected only with verifiable parental consent — see §5)
- Child’s first name or nickname (used only inside generated stories).
- Age band (for example “5–7” or “8–10”), not the exact date of birth.
- Story preferences chosen by the parent or by the child with the parent: hero, friends, items, location, villains, narrative style.
- Saved stories the parent or child marks as favourite.
We do not collect a child’s last name, photo, contacts, precise location, biometric data, voice recordings, advertising identifier (IDFA / AAID), behavioural profile, social-media identifiers, school, or device contacts.
3.3 Generated content
- The prompts, choices and parameters used to create each story.
- The story text generated by the AI model in response to those inputs.
3.4 Purchase data
When you subscribe or purchase tokens, the transaction is processed by Apple (StoreKit) or Google (Google Play Billing). Fairyfy receives a transaction receipt that includes a product identifier, subscription period and an anonymous purchase identifier. We never receive or store your full payment card number, CVV, or bank account number.
3.5 Technical and diagnostic data
- App version, OS version, device model class, language, time zone, country.
- Anonymous installation identifier used for crash deduplication and abuse prevention.
- Crash logs and performance metrics (Apple CrashReporter / Android crash logs).
- IP address at the time of each request, used for security, fraud prevention, and country detection. IP addresses are not linked to child profiles and are retained for a maximum of 90 days.
3.6 Website cookies and similar technologies
The Fairyfy website uses strictly necessary functional cookies (in particular a language preference cookie). We do not set advertising cookies, retargeting pixels, or behavioural-analytics cookies. Our website analytics provider (Plausible Analytics) operates without cookies. See §13.
4. What we never do
To make our commitments explicit, we will never:
- Sell, rent, license or trade personal data of a parent or a child.
- Show third-party behavioural advertising inside the Service, especially not to children.
- Use children’s content (their stories, choices or names) to train third-party AI models.
- Build advertising profiles, cross-app tracking profiles or audience segments from children’s data.
- Allow advertising SDKs, social-media SDKs or third-party trackers to operate inside the children’s experience.
- Ask children directly for personal information beyond what is needed to play.
5. Verifiable Parental Consent (COPPA & GDPR Art. 8)
Because Fairyfy is directed to children, we obtain verifiable parental consent before any child profile is created and before we process any child data.
We obtain verifiable parental consent through one of the following methods, each of which is recognised under COPPA Rule §312.5 and Article 8 GDPR:
- Email-plus — the parent confirms consent in-app and we send a confirmation email to the parent’s verified email address with a unique link. A reminder is sent after first use.
- Payment-based confirmation — when a parent completes a paid subscription using their own Apple ID or Google account, the App Store / Google Play age-verified payment serves as confirmation that an adult authorised the use.
- Platform parental control — when Apple Family Sharing (Ask to Buy) or Google Family Link approves the install, that approval is treated as parental consent.
A parent can review the child’s data, refuse further collection, or withdraw consent at any time from inside the app (Settings → Parental Zone) or by writing to parents@fairyfy.app. Withdrawal triggers full deletion within 30 days (see §10).
6. Why we process data (purposes and legal bases)
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Create and maintain the parent account | Account data (§3.1) | Performance of the contract (Art. 6(1)(b)) |
| Create the child profile and generate stories | Child profile (§3.2), generated content (§3.3) | Verifiable parental consent (Art. 6(1)(a) + Art. 8) |
| Bill subscriptions and tokens | Purchase data (§3.4) | Performance of the contract (Art. 6(1)(b)) |
| Diagnose crashes and improve stability | Technical data (§3.5) | Legitimate interest in service security (Art. 6(1)(f)) |
| Detect abuse, fraud and policy violations | Account, technical, content metadata | Legitimate interest in safety (Art. 6(1)(f)) |
| Comply with legal obligations | Account, purchase, security logs | Legal obligation (Art. 6(1)(c)) |
We do not rely on legitimate interest for any processing of a child’s personal data — for children, we rely only on parental consent and the contract necessary to deliver the requested story.
7. How AI generates the stories
Fairyfy uses a large language model provided by [LLM_PROVIDER] to generate each story. The model receives the structured prompt assembled from the parent’s and child’s choices (hero, friends, items, location, villains, narrative style, age band, language). It does not receive the parent’s email, payment data, real device identifier, or any data from other users.
We have a written data processing agreement with [LLM_PROVIDER] that includes the following commitments:
- Inputs and outputs are processed only to deliver the story to you, and are not used to train [LLM_PROVIDER]‘s general models.
- Data in transit is encrypted with TLS 1.2 or higher.
- The provider must notify us of any security incident affecting children’s data without undue delay.
We apply additional safety filters on top of the model: blocked-topic lists, age-appropriate vocabulary checks, content-classifier post-processing and a human moderation queue for content reported by a parent. Generated text is reviewed by a human only when a parent reports it through the in-app “Report this story” button or by writing to report@fairyfy.app.
AI is not perfect. Generated stories may occasionally contain inaccurate facts or imaginative elements that need a parent’s judgement. We ask parents to skim a story before reading it aloud to a young child and to use the report button if anything looks wrong.
8. Service providers and sub-processors
We use a small number of carefully selected service providers (“sub-processors”) to operate the Service. We do not sell data to any of them; they act on our instructions under written contracts that include GDPR Article 28 terms and equivalent safeguards.
| Provider | Purpose | Data categories | Region |
|---|---|---|---|
| Apple Inc. | App distribution, StoreKit billing, push notifications, crash reports | Purchase receipts, anonymous IDs, crash logs | USA / EU |
| Google LLC | Android distribution, Google Play Billing, crash reports | Purchase receipts, anonymous IDs, crash logs | USA / EU |
| [LLM_PROVIDER] | Story generation | Prompt and generated text only — no email, no payment data | [LLM_PROVIDER_REGION] |
| [HOSTING_PROVIDER] | Application hosting and database | All account and content data | [HOSTING_REGION] |
| [EMAIL_PROVIDER] | Transactional email (account, consent, deletion confirmations) | Parent email address only | [EMAIL_REGION] |
| Plausible Insights OÜ | Website analytics (aggregated traffic statistics) | Anonymous page views, referrer URL, device type, browser; IP addresses anonymised; no cookies | EU |
We do not use third-party analytics SDKs, advertising SDKs, retargeting pixels, or social-network SDKs in any part of the Service that is accessible to children.
9. International data transfers
When personal data is transferred outside your country, we rely on the following safeguards, as applicable:
- EEA / Switzerland → third countries: EU Standard Contractual Clauses (Decision 2021/914) and, where required, supplementary technical measures (encryption in transit and at rest, key separation).
- United Kingdom → third countries: the UK International Data Transfer Addendum (IDTA) to the EU SCCs.
- Switzerland → third countries: the Swiss FDPIC-approved version of the SCCs.
A copy of the safeguards used for a specific transfer is available on request to dpo@fairyfy.app.
10. How long we keep data (retention)
| Data | Retention |
|---|---|
| Active parent account | Until the parent deletes the account or the account is inactive for 24 months (with one reminder before deletion) |
| Active child profile | Same lifetime as the parent account, deleted earlier on parental request |
| Generated stories | Same lifetime as the child profile; can be individually deleted in the app |
| Purchase receipts | Up to 10 years to satisfy accounting and tax obligations |
| Security logs (IP, request metadata) | Up to 90 days |
| Crash logs | Up to 90 days |
| Encrypted backups | 35 days rolling, then overwritten |
| Consent records (proof of parental consent) | For the lifetime of the account plus 3 years, as required to demonstrate compliance |
When you ask us to delete your account, we delete or irreversibly anonymise the data within 30 days. Encrypted backups are overwritten on the standard 35-day cycle.
11. Your rights and your child’s rights
You and your child have the following rights:
- Access — request a copy of the personal data we hold.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete the parent account and all child data (“right to be forgotten”).
- Restriction — ask us to temporarily stop processing certain data.
- Portability — receive your data in a machine-readable format (JSON).
- Objection — object to processing based on legitimate interest.
- Withdraw parental consent — at any time, with effect for the future. Withdrawal triggers deletion of the child profile within 30 days.
- No automated decisions with legal effect — we do not make any decision producing legal or similarly significant effects based solely on automated processing.
Send any request to parents@fairyfy.app with the email address used to register the account. We may ask one additional question to verify your identity. We will respond within 30 days (extendable by 60 days for complex requests, with notice). There is no charge for the first request per year.
You may also lodge a complaint with your local data protection supervisory authority. A list of EEA authorities is published by the European Data Protection Board at edpb.europa.eu.
12. Security
We use technical and organisational measures appropriate to the risk, including:
- TLS 1.2 or higher for all data in transit.
- Encryption at rest for databases and backups.
- Strict role-based access control with multi-factor authentication for staff.
- Regular dependency scanning, penetration testing and an internal incident-response procedure.
- A documented data-breach notification process: we notify the competent supervisory authority within 72 hours of becoming aware of a personal-data breach where required, and we notify affected parents without undue delay where the breach is likely to result in a high risk.
No system is ever 100% secure, but we work continuously to keep risk as low as possible.
13. Cookies and similar technologies on the website
The fairyfyapp.com website uses only strictly necessary cookies that do not require consent under the EU ePrivacy Directive:
lang— stores your chosen language for the next visit.consent— remembers your cookie banner choice, where shown.
We use Plausible Analytics (Plausible Insights OÜ, Estonia) for aggregated website statistics on fairyfyapp.com. Plausible is cookieless, does not use cross-site identifiers, anonymises IP addresses, and does not collect personal data from children. Legal basis: legitimate interests (GDPR Art. 6(1)(f)) in understanding how visitors use our public website. We do not use Google Analytics, Meta Pixel, advertising cookies, retargeting pixels, or behavioural analytics in any part of the Service.
14. Regional addenda
14.1 European Economic Area, United Kingdom and Switzerland
You have all the rights listed in §11 under the GDPR, UK GDPR and Swiss FADP. Children’s data is processed only with verifiable consent of the holder of parental responsibility, in line with GDPR Article 8 (digital age of consent: 13 to 16 depending on the member state — we apply 16 as a default unless the local rule is lower).
You have the right to complain to your national data-protection authority (for example, CNIL in France, AEPD in Spain, BfDI in Germany, ICO in the United Kingdom, FDPIC in Switzerland).
14.2 United States — COPPA and CCPA / CPRA
COPPA. Fairyfy is directed to children under 13. The information we collect from children, the categories of third parties to whom that information may be disclosed (see §8), and the rights of parents to review, refuse or delete that information, are described in this Policy. The operator for COPPA purposes is [LEGAL_ENTITY_NAME], contactable at parents@fairyfy.app.
CCPA / CPRA (California). In the past 12 months we have collected the following categories of personal information as defined by the CCPA: identifiers, customer records, internet/electronic activity, and inferences for service personalisation. We have not sold or shared personal information of any consumer, and we have never sold or shared personal information of a child under 16. California residents have the right to know, the right to delete, the right to correct, the right to limit use of sensitive personal information, and the right not to be discriminated against for exercising these rights. To exercise these rights, write to privacy@fairyfy.app.
14.3 Brazil — LGPD
The legal basis for processing under Brazilian Law No. 13,709/2018 mirrors §6 above. The encarregado (DPO) can be contacted at dpo@fairyfy.app.
14.4 Canada — PIPEDA
We process personal information in accordance with the ten fair-information principles of PIPEDA. You may contact our Privacy Officer at privacy@fairyfy.app and may complain to the Office of the Privacy Commissioner of Canada.
14.5 Australia — Privacy Act
We comply with the Australian Privacy Principles. Complaints may be sent to privacy@fairyfy.app and, if unresolved, to the Office of the Australian Information Commissioner.
15. Changes to this Privacy Policy
If we make any material change — for example, a new sub-processor for children’s data, a new category of data, or a new purpose — we will:
- Update the “Last updated” date at the top of this document.
- Notify the registered parent by email and via an in-app notice.
- Where the change requires new consent (in particular for any new processing of a child’s data), request that consent before the change takes effect for existing accounts.
You can always see the current version on this page and the most recent versions on fairyfyapp.com.
16. How to contact us
| Topic | |
|---|---|
| Privacy questions, general | privacy@fairyfy.app |
| Children’s data, parental consent, deletion | parents@fairyfy.app |
| Data Protection Officer | dpo@fairyfy.app |
| Report a story or content concern | report@fairyfy.app |
| Customer support | support@fairyfy.app |
Postal address:
[LEGAL_ENTITY_NAME][REGISTERED_ADDRESS]
[COUNTRY_OF_INCORPORATION]