Privacy Policy
Last Updated: 2026-04-27
1. Who We Are
StoryWarm ("we", "us", "our") is operated by StoryWarm YayΔ±ncΔ±lΔ±k Ltd. Εti. (Turkey). We act as the data controller for personal information processed via our website (storywarm.com) and related services.
Contact:
- General: hello@storywarm.com
- Privacy / Data Requests: privacy@storywarm.com
- DMCA / IP Notices: dmca@storywarm.com
2. Information We Collect
2.1 Information You Provide Directly
- Waitlist (current): Email address, optional marketing consent.
- Account information (post-launch): Email, display name, password hash.
- Story input (post-launch): Child's name, age, favorite things, special moments β provided by you on behalf of your family. We do not collect data directly from children under 13.
- Payment information: Processed entirely by Polar; we never see your full card number.
- Optional reference photo (V1): Stored temporarily on Cloudflare R2 (EU region) and automatically deleted within 24 hours. We never train AI models on your photo.
2.2 Information Collected Automatically
- IP address, browser, OS, page views, timestamps (anonymized after 90 days)
- UTM tracking parameters (utm_source, utm_medium, utm_campaign)
2.3 What We Do NOT Collect
- β Voice recordings
- β Biometric face data (FLUX.1 Kontext stylizes; no face recognition)
- β Children's personal information collected directly from children under 13
- β Health information
- β Financial information beyond Polar-tokenized payment
3. How We Use Your Information
- Service delivery: Generate your personalized digital storybook (story via OpenAI; illustrations via Black Forest Labs FLUX 1.1 [pro])
- Customer support & communication
- Service improvement: Aggregated, anonymized analytics
- Legal compliance: Tax records, fraud prevention, DMCA processing
We do NOT:
- Sell personal data to third parties
- Share your story content with anyone outside the order fulfillment chain
- Train any AI models on your input or output
4. Children's Privacy (COPPA + GDPR-K)
StoryWarm is intended for parents, grandparents, and adults (age 18+). We do not knowingly collect personal information from children under 13 (US) / 16 (EU).
When you provide your child's name, age, or other details to create a personalized book, you do so as a parent or legal guardian providing third-party information about your own family.
If you believe a child has provided us with personal information without parental consent, contact us immediately at privacy@storywarm.com β we will delete it.
5. International Data Transfers
| Recipient | Country | Safeguard |
|---|---|---|
| OpenAI Inc. | USA | EU SCC + DPF |
| Black Forest Labs / fal.ai | Germany / USA | EU SCC + DPF |
| Polar (Merchant of Record) | USA / global | EU SCC + DPF |
| Cloudflare | USA / global (Frankfurt for us) | EU SCC + DPF |
6. Your Rights
EU/UK GDPR
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to object to processing
- Right to lodge a complaint with EU/UK supervisory authority
KVKK (Turkey)
You have all rights under KVKK Article 11. Contact: privacy@storywarm.com
CCPA/CPRA (California)
Right to know, delete, opt out of sale (we do not sell), non-discrimination.
To exercise any right: Email privacy@storywarm.com β we respond within 30 days.
7. Data Retention
| Data type | Retention |
|---|---|
| Waitlist email | Until you unsubscribe |
| Account information | Active subscription + 2 years |
| Order records | 7 years (Turkey Tax Code) |
| Reference photo (optional) | Maximum 24 hours, auto-deleted |
| IP / user agent | 90 days, then anonymized |
8. AI Disclosure
- Stories: Generated by OpenAI GPT
- Illustrations: Generated by Black Forest Labs FLUX.1 Kontext
- Each image embeds C2PA Content Credentials per EU AI Act Article 50 (effective August 2026)
9. Security
- TLS 1.3 encryption
- D1/Postgres Row Level Security
- Polar-tokenized payment processing
- Optional photos auto-deleted within 24 hours
- Annual security review
10. Changes
We will notify users of material changes 30 days before taking effect.
11. Contact
Privacy questions: privacy@storywarm.com
EU GDPR supervisory authority: your local DPA
UK ICO: ico.org.uk
Turkey KVKK: kvkk.gov.tr