Privacy Policy
Last updated: May 2026
1. Who We Are
TinyBear is operated by MonkiLabs, an unincorporated team based in the Czech Republic and the controller of personal data processed through this service. Until MonkiLabs is formally incorporated, the founder(s) trading under the MonkiLabs name are the data controller; this section will be updated to name the registered entity once incorporation completes. For privacy enquiries, contact us via our contact form.
2. Information We Collect
We collect the following personal data:
- Account data: your name, email address, and password (hashed).
- Child profile data: the child's first name, age, personality traits, favourite story themes, and avatar selection. We do not collect the child's surname, photo, voice or any other directly identifying information.
- Usage data: stories generated, session timestamps, and in-app interactions. We do not use this data to build a behavioural profile of any child.
- Payment data: processed via Stripe once paid plans launch. We do not store card details on our servers. While TinyBear is in waitlist mode, no payment data is collected.
- Technical and telemetry data: IP address, browser/device user-agent, language preference, requested URLs, response status codes, and error diagnostics. We process this data on our legitimate interest in operating, securing and debugging the service (Article 6(1)(f) GDPR).
3. How We Use Your Data
- Generate personalised bedtime stories for your child.
- Maintain your account and subscription.
- Send transactional emails (story ready, account updates) via Resend.
- Operate, secure and monitor the service (uptime, error tracing, abuse prevention).
- Improve our service quality using aggregate, non-identifying metrics — for example, counts of stories generated per day, error rates by route, and average generation latency. We rely on legitimate interest (Article 6(1)(f) GDPR) for this aggregate analytics; you can object via the contact form.
We do not use children's personal data, prompts, or generated story content to train any AI model, neither our own nor those of OpenAI, Anthropic or any other provider. We send story prompts to those providers only for the immediate purpose of generating the requested story for your child, governed by API terms that prohibit training on inputs.
4. Children's Privacy (COPPA / GDPR-K)
TinyBear is a service designed for parents and legal guardians acting on behalf of their children — it is not intended for direct use by children. We collect a limited set of personal information about your child only with your verifiable parental consent, given when you create the child profile.
What this means in practice:
- Direct notice + parental consent. When you add a child profile, we tell you exactly what data we collect about that child (first name, age, traits, themes, avatar) and what we do with it. You confirm consent by completing the profile.
- Limited collection. We do not collect a child's surname, photo, voice recording, location, or any contact details. We never ask the child to enter free-text into the service.
- No advertising; no sharing for marketing. We do not profile children, serve them advertising, or share their data with any third party except the AI providers and infrastructure listed in Section 5 — and only as necessary to generate stories.
- No training. Children's profile data, prompts, and generated stories are not used to train any AI model.
- Parental review and deletion. As the parent or guardian, you can review the personal information we hold about your child, refuse to permit its further collection or use, and request deletion at any time from your account settings or via our contact form. Deleting a child profile removes the profile and all stories generated for that child.
- No knowing direct collection from children. We do not knowingly collect personal information directly from a child. If we ever discover we have inadvertently received such information without verifiable parental consent, we will delete it promptly.
If you are a regulator or parent with a question about our COPPA or GDPR-K compliance, please contact us via the contact form.
5. Sub-processors and Third-Party Services
This list is the canonical sub-processor list; the Data Policy refers to it. Each sub-processor is bound by a Data Processing Agreement (DPA) and, where the recipient is outside the EEA, by Standard Contractual Clauses (SCCs) and a transfer impact assessment.
| Sub-processor | Purpose | Data shared | Region |
|---|---|---|---|
| OpenAI | LLM story generation | Child first name, traits, story prompt context — never email, surname or payment data | US (SCCs) |
| Anthropic | LLM story generation (alternative provider) | Child first name, traits, story prompt context — never email, surname or payment data | US (SCCs) |
| Resend | Transactional email delivery (sign-up, password reset, story-ready) | Recipient email address and email content | EU (Frankfurt) |
| Stripe | Payment processing (activates when paid plans launch) | Name, billing address, payment instrument, transaction metadata | IE / US (SCCs) |
| Cloudflare Turnstile | Anti-bot verification on contact and waitlist forms | IP address, browser signals — used only to confirm you are not a bot | Global (Cloudflare Inc., SCCs) |
| Axiom | Server-side observability backend — Next.js distributed traces and Convex function logs are sent over OTLP/HTTPS directly to Axiom | Coarse browser family (no raw user-agent), request paths (no query strings), response codes, error stack traces, pseudonymised user identifiers. We strip query-string tokens, client IPs and LLM prompt/response payloads before export | EU Central 1 (Frankfurt) |
| Hosting provider (Germany) | Underlying server hosting on which we run our application, database (Convex), observability (Langfuse), and feature-flag (Unleash) services | All data processed by TinyBear, at rest and in transit, while running on our infrastructure | EU (Germany) |
We will publish the specific name of our hosting provider in this table once MonkiLabs is incorporated and the hosting contract is novated to the entity. Hosting today is in a German data centre, within the EEA.
We operate our own self-hosted instances of Convex (database), Langfuse (LLM tracing) and Unleash (feature flags). These are open-source software components running on the infrastructure listed above; the upstream open-source projects do not receive any user data.
If you would like a copy of any DPA, contact us via the contact form.
6. Cookies
We use only strictly necessary cookies and equivalent storage — for authentication, session management and remembering your language preference. We do not use advertising or cross-site tracking cookies, and we do not run third-party analytics that profile our visitors. On that basis, we do not display a cookie consent banner. Cloudflare Turnstile sets short-lived security cookies on the contact and waitlist forms only, and Stripe Checkout will set fraud-prevention cookies on the Checkout page only when paid plans launch — both are limited to the page where they are needed and serve a strictly necessary security or payment purpose. See our Cookie Policy for the full list and per-page detail.
7. International Transfers
Where personal data is transferred outside the European Economic Area (EEA) — for example to OpenAI, Anthropic, Stripe or Cloudflare in the United States — the transfer is protected by the European Commission's Standard Contractual Clauses (2021/914) together with supplementary technical and organisational measures. Resend and Axiom are configured to use EU regions; our hosting provider is in Germany. You can request a copy of the SCCs and our transfer impact assessments via the contact form.
8. Data Retention
| Category | Retention |
|---|---|
| Account data (name, email, hashed password) | While your account is active; deleted within 30 days of account closure |
| Child profile and generated stories | Same as account; deleted within 30 days of profile or account deletion |
| Server-side telemetry (traces, logs) | Up to 90 days, then deleted automatically |
| Payment records (invoices, transaction metadata) | Retained for up to 10 years as required by Czech / EU accounting and tax law, even after account closure; this is the only category that survives account deletion |
| Marketing-consent records | While consent is active and for 3 years after withdrawal, to evidence opt-out |
9. Data Breach Notification
If we suffer a personal-data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and where feasible within 72 hours of becoming aware, in line with Articles 33 and 34 GDPR. We will also notify the competent supervisory authority where the law requires it. Where US state breach-notification law applies (e.g. California Civil Code § 1798.82), we will notify affected residents within the timelines set by that law.
10. Your Rights — EU/EEA/UK (GDPR)
Under GDPR (and equivalent UK law), you have the right to:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion of your data.
- Portability — receive your data in a structured, machine-readable format.
- Restriction — ask us to pause processing your data.
- Objection — object to processing based on legitimate interest, including the aggregate analytics described in Section 3.
- Not be subject to automated decision-making — TinyBear does not make automated decisions that produce legal or similarly significant effects about you.
To exercise any right, use our contact form. We respond within 30 days (extendable by 60 further days for complex requests).
You also have the right to lodge a complaint with your local data-protection supervisory authority. EU residents can find their authority via the European Data Protection Board; UK residents can complain to the Information Commissioner's Office (ICO).
11. Your Rights — California, Virginia, Colorado, Connecticut, Utah, and Other US States
If you are a resident of a US state with a comprehensive consumer-privacy law (such as the California Consumer Privacy Act / CPRA, the Virginia VCDPA, the Colorado CPA, the Connecticut CTDPA, the Utah UCPA, and others taking effect through 2026), you have the following rights with respect to the personal information we collect about you and your child:
- Right to know — request the categories and specific pieces of personal information we collect, the sources, the business or commercial purposes, and the categories of third parties with whom we share it.
- Right to delete — request deletion of personal information we collect from you, subject to limited exceptions (for example, payment records we are required to retain for tax purposes).
- Right to correct inaccurate personal information.
- Right to data portability — receive your information in a portable, readily-usable format.
- Right to opt out of "sale" or "sharing" — we do not sell your personal information and we do not share it for cross-context behavioural advertising. This includes the personal information of any child whose profile is on the account.
- Right to limit use of sensitive personal information — we do not use sensitive personal information beyond what is necessary to operate the service for you.
- Right to non-discrimination — we will not deny you the service, charge you a different price, or provide a different level of quality because you exercised any of these rights.
- Authorised agent — you can designate an authorised agent to make a request on your behalf via the contact form; we will verify the agent's authority before responding.
To exercise any right, use our contact form. We respond within 45 days (extendable by 45 further days where the law allows).
California "Shine the Light" (Cal. Civ. Code § 1798.83). California residents can request information about disclosures of personal information to third parties for the third parties' direct marketing purposes. We do not make such disclosures.
Notice at Collection (CPRA). The categories of personal information described in Section 2 are collected for the business purposes described in Section 3. We retain each category for the periods set out in Section 8. We do not sell or share personal information for cross-context behavioural advertising.
12. Contact
MonkiLabs — please use our contact form for any privacy enquiry, rights request, breach question, or to ask for a copy of a Data Processing Agreement.