KidsStory
Get started
Legal

COPPA Compliance Statement

Children's Privacy Notice (COPPA Compliance Statement)

Effective date: April 29, 2026 Operator: YOU BABY STUDIO L.L.C, Office 214, Mohamed Sultan Matar Markhan Al Ketbi Building, Al Safa 1, Dubai, United Arab Emirates Primary contact for parents: privacy@kidsstory.art

This notice explains how YOU BABY STUDIO L.L.C — although incorporated in the United Arab Emirates — complies with the Children's Online Privacy Protection Act of 1998 (15 U.S.C. §6501 et seq.) and the FTC's Children's Online Privacy Protection Rule (16 C.F.R. Part 312, as amended by the FTC Final Rule published on 22 April 2025, effective 23 June 2025, with full compliance from 22 April 2026) in respect of users in the United States. It is incorporated into the Privacy Policy by reference.

The fact that the controller is outside the United States does not relieve us of COPPA obligations; we accept the FTC's extraterritorial enforcement authority over foreign operators that direct services to US children or knowingly collect personal information from US children.

1. Who we are

YOU BABY STUDIO L.L.C is the "Operator" of the Service for COPPA purposes. We are a limited liability company registered in Dubai Mainland (Department of Economy and Tourism — DET), United Arab Emirates (commercial licence 930633). We are reachable at:

  • COPPA contact email: privacy@kidsstory.art
  • Postal address: YOU BABY STUDIO L.L.C, Office 214, Mohamed Sultan Matar Markhan Al Ketbi Building, Al Safa 1, Dubai, United Arab Emirates
  • Phone (optional): +971-58-571-8010

For service of process and regulator correspondence in the United States, please direct mail to Legal & Compliance, YOU BABY STUDIO L.L.C, Office 214, Mohamed Sultan Matar Markhan Al Ketbi Building, Al Safa 1, Dubai, United Arab Emirates or email privacy@kidsstory.art.

2. Nature of the Service

The Service generates personalised children's fairy tales (PDF and/or video) from inputs supplied by a parent: the child's first name, age, gender, and one to three photographs. Although the content produced by the Service is intended for children, the Service itself is operated by and for the parent (age 18+). Children do not have their own accounts, cannot log in, and cannot initiate transactions.

3. Information collected from / about a child

We collect only what is necessary to generate the requested story:

  • The child's first name.
  • The child's age (used to tune story vocabulary / length).
  • The child's gender (used to tune narrative pronouns and character design).
  • One to three photographs of the child, used only to produce the illustrated cartoon character. We treat photographs and any facial features automatically derived from them as "biometric identifiers" within the meaning of 16 C.F.R. §312.2 (as amended in 2025).
  • Optional story preferences (topic, genre) that may reflect the child's interests.

We do not collect:

  • The child's surname, address, phone number, or persistent identifier.
  • Geolocation of the child.
  • Audio recordings of the child.
  • Any information directly from the child through the interface — the parent is the sole input channel.

4. Uses of the child's information

The information is used only to:

  1. Generate the specific story the parent requested;
  2. Deliver the output PDF / video to the parent's account;
  3. Retain the output so the parent can re-download it while the account is active;
  4. Fulfil legal obligations (accounting records of the transaction).

We do not use a child's information to:

  • Train our AI models or those of our vendors. Disclosures of children's personal information for the purpose of developing or training artificial intelligence technologies are not considered "integral" to the Service under 16 C.F.R. §312 (as amended in 2025) and would require separate verifiable parental consent. We do not perform such disclosures and do not request that separate consent.
  • Serve advertising of any kind to anyone.
  • Enable any in-app social feature that lets the child talk to other children or strangers — there is none.

5. Disclosures of the child's information

The child's name, age, gender and photo are transmitted to the AI sub-processors listed in the Privacy Policy §5 strictly to generate the requested output. Every sub-processor is contractually bound to:

  • Use the inputs only for the specific generation request;
  • Not retain the inputs after the response is delivered beyond technically necessary short-term caching;
  • Not use the inputs to train any model;
  • Implement reasonable security.

We do not disclose the child's information for any other purpose, and we do not condition participation in any activity on the child (or parent) disclosing more information than is reasonably necessary.

6. Verifiable Parental Consent (VPC)

Before any child information is uploaded, the Service obtains verifiable parental consent ("VPC") in accordance with 16 C.F.R. §312.5. We use the credit/debit-card-transaction method permitted by §312.5(b)(2)(v):

  1. The account holder must complete a successful paid Token purchase through Stripe before the photo-upload flow becomes available. The Stripe transaction ties the consent to a real, identifiable cardholder.
  2. Immediately before the first photograph is uploaded, the account holder must confirm via a dedicated modal that they are (a) 18 years or older and (b) the parent or legal guardian of the child shown in the photo.
  3. The Stripe transaction ID, IP address, user-agent, timestamp, account ID and the version of this Notice in force are logged together as a single VPC record and retained for the life of the account.

A parent may withdraw consent at any time per §7 below.

7. Parental rights

A parent may at any time:

  1. Review the personal information we have collected from or about their child.
  2. Refuse to permit further collection or use of the child's information.
  3. Delete the child's information from our systems.

Submit a request to privacy@kidsstory.art with:

  • The parent's name and the account email;
  • The child's first name as entered in the Service;
  • A brief description of the request (review / delete / stop collection).

We will verify the request by comparing it to the account of record and, for deletions, will act within 30 days. Deletion of the child's information will usually require closure of the associated order(s); we will advise the parent of any consequences before acting.

8. Data security and retention for child data

  • Photographs are auto-deleted after 7 days, or immediately on parent request.
  • Generated assets (PDF / video) remain while the account is active, then follow the general retention schedule in the Privacy Policy.
  • Encryption at rest, least-privilege access, and audit logging apply as described in Privacy Policy §9.

9. No behavioural advertising, no data brokers, no profiling

The Service does not engage in:

  • Targeted advertising to the parent or the child;
  • Sale or sharing of any child personal information to any party other than the sub-processors that directly generate the requested story;
  • Automated profiling of children.

10. Operator of third-party plug-ins / SDKs

We have assessed every third-party SDK bundled in the Service:

  • Google Analytics 4 is configured to exclude any page or event that handles child data. Analytics is triggered only on parent-facing pages (landing, pricing, account management) and never fires during the photo-upload / generation flow.
  • No advertising, retargeting, attribution or fingerprinting SDK is present.

11. Changes to this Notice

Material changes require new parental consent before we apply them retroactively to information already in our possession. We will email all account holders 7 days before the change takes effect and collect renewed consent on next login.

12. Equivalent protections for children outside the United States

Although this Notice addresses COPPA specifically, the protections described above are applied to every child whose information is processed by the Service, regardless of the child's country:

  • EU / UK children under 16 (or the lower age of consent set by national law — e.g. 13 in the UK, 13-16 in EU Member States under GDPR Art. 8) — parental consent is required for the processing of their personal data; the Photo Consent Modal doubles as Art. 8 parental-consent evidence.
  • UAE children — personal data of a minor may be processed only with the documented consent of the parent or legal guardian (UAE PDPL Art. 6 and the Executive Regulations). The Photo Consent Modal doubles as PDPL parental- consent evidence.

13. Filing a complaint

If you areContact
A US parentFederal Trade Commission — https://reportfraud.ftc.gov · Consumer Response Center, FTC, 600 Pennsylvania Avenue NW, Washington, DC 20580 · your state Attorney General
A UAE residentUAE Data Office — https://www.uae-dataoffice.ae
An EU / UK residentYour local Data Protection Authority; in the UK the ICO (https://ico.org.uk)

You may also contact privacy@kidsstory.art at any time; we will acknowledge your complaint within 3 business days and provide a substantive response within 30 days.

YOU BABY STUDIO L.L.C · Office 214, Mohamed Sultan Matar Markhan Al Ketbi Building, Al Safa 1, Dubai, United Arab Emirates · Version April 29, 2026

This document is provided in English, the governing language of this site. An Arabic translation may be available on request; in case of conflict the English version prevails.