Privacy Policy
Effective date: 3 June 2026
Our Commitments to Your Family
- Child photos are deleted within 24 hours of avatar acceptance.
- We never use your child’s photos or data to train AI models.
- Zero ads, zero ad networks, and zero behavioural tracking of children.
- You can export or delete your data at any time, from the app.
- Every story and illustration is AI-generated, and clearly disclosed as such.
1. Introduction
1.1. This Privacy Policy explains how The Dream Management Group FZE LLC, trading as "Once Upon a Me" ("we", "us", "our"), collects, uses, stores, and protects your personal data when you use our platform at onceuponame.io and our mobile application (collectively, "the Service").
1.2. Once Upon a Me is a parent-operated service. Parents and legal guardians create accounts and manage the Service on behalf of their children. Children do not create accounts or interact with the Service directly.
1.3. We are committed to protecting the privacy of both parents and children. This policy has been designed with particular attention to children's data rights under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the Children's Online Privacy Protection Act (COPPA), the ICO Age Appropriate Design Code (Children's Code), and the UAE Personal Data Protection Law (PDPL).
1.4. This policy is effective as of 3 June 2026 and applies to all users of the Service worldwide.
1.5. This Service is designed for use by parents and legal guardians. It is not a children's service. Children are the beneficiaries of content created through the Service, not its operators.
2. Data We Collect
2.1. We collect and process the following categories of personal data:
| Category | Data Collected | Purpose |
|---|---|---|
| Parent account data | Email address, password (stored as Argon2 hash), display name, push notification token | Account creation, authentication, communication |
| Child profile data | Child's first name, age, gender, interests, unique friend code | Personalising story content and illustrations |
| Child photographs | Photos uploaded by parent for avatar generation | Generating a personalised character avatar (see Section 4) |
| AI-generated content | Character avatars, story text, page illustrations, narration audio | Delivering the personalised storybook experience |
| Payment data | Stripe customer ID or RevenueCat subscriber ID (we do not store card numbers or bank details) | Processing payments and managing subscriptions |
| Analytics data | Session events, feature usage, app interactions via PostHog (keyed to internal IDs; no name, email, or IP) | Improving service quality and understanding usage patterns |
| Household data | Household membership, single-use carer invitation tokens (14-day expiry), roles (primary parent / carer) and per-child permissions | Enabling multi-parent access to shared child profiles and stories |
| Consent records | Timestamps of terms and privacy acceptance, version accepted | Legal compliance and consent tracking |
| Access audit logs | Records of data access events | Security monitoring and compliance |
| Order & delivery data | Recipient name, shipping address, telephone number (collected only at physical-book checkout) | Fulfilling and delivering physical book orders via our print partners |
| Social sign-in identity | If you sign in with Apple or Google: a provider account identifier, your verified email (which may be an Apple private-relay address), and your name on first sign-in. We never receive your social-account password. | Creating and securing your account |
2.2. We do not collect data directly from children. All data relating to children is provided by their parent or legal guardian.
3. How We Use Data
3.1. We use the data we collect strictly for the following purposes:
- Parent account data: To create and manage your account, authenticate your identity, send transactional emails (story notifications, password resets, payment confirmations), and deliver push notifications.
- Child profile data: To personalise story content, tailor illustrations to the child's characteristics, apply content controls, and enable the friend feature.
- Child photographs: Solely to generate a character avatar. Photos are not used for any other purpose (see Section 4).
- AI-generated content: To deliver, store, and display your personalised storybooks within the Service, and to generate narration audio for subscriber stories.
- Payment data: To process transactions, manage subscriptions, and provide purchase history.
- Analytics data: To understand how the Service is used, identify issues, and improve the user experience. Analytics data is keyed to internal pseudonymous identifiers and does not identify individual children.
- Household data: To enable shared access between parents within the same family unit.
- Consent records: To demonstrate that valid consent was obtained for data processing, as required by applicable law.
- Access audit logs: To detect and investigate unauthorised access attempts and to comply with security monitoring obligations.
- Order & delivery data: To produce and deliver physical book orders through our print partners, and to send you order and dispatch updates.
- Safety screening: We screen uploaded photos and the illustrations our AI generates for safety and age-appropriateness before they are used or shown (see Sections 4 and 7).
3.2. We do not sell, rent, license, or trade your personal data or your children's data to any third party, for any purpose, under any circumstances. We do not use children's data for profiling, behavioural advertising, or automated decision-making.
3.3. AI transparency & governance. All stories, illustrations, avatars, and narration are generated by artificial intelligence and are clearly disclosed as AI-generated in the app. We do not use your child’s photographs or personal data to train AI models. We do not make decisions that produce legal or similarly significant effects about you or your child using solely automated means. Generated content is checked for safety before you see it, and any content you report is reviewed by a member of our team.
4. Photo Handling & Deletion
4.1. This section describes how we handle photographs of children. Given the sensitivity of children's images, we have implemented strict safeguards:
Photo Lifecycle
- Consent: Before any photo is uploaded, the app asks the parent to confirm, on a dedicated consent screen, that they are the child’s parent or legal guardian and that they consent to the photo being processed by our avatar providers (named on that screen). This consent is recorded with a timestamp.
- Upload: Parent uploads photographs through the app. Photos are stored securely on our content delivery network with restricted access.
- Processing: The photograph is sent to a photo-analysis service that describes the child’s appearance (currently Google Gemini, with Anthropic as a backup), and to our avatar-generation providers — xAI Grok Imagine (via fal.ai) as primary, with OpenAI’s gpt-image-1.5 (via Kie.ai) as an automatic fallback — to produce a stylised character avatar. Under their API data-usage policies, images submitted through the API are not used to train their models. Before any avatar or story is created, photos are screened for safety: clearly inappropriate images, or images that do not show a child, are rejected.
- Avatar acceptance: Once the parent accepts the generated avatar, photos enter a 24-hour deletion grace period.
- Grace period: During the 24-hour window, the parent may choose to regenerate the avatar, which temporarily reactivates the photos.
- Permanent deletion: Once you accept an avatar, the reference photo is marked for deletion and permanently removed from our database and content delivery network within 24 hours by an automated process. If you never accept an avatar, the photo is not placed on this 24-hour timer — it is removed when you delete the child profile or your account. In the rare event a CDN deletion does not succeed on the first pass, an automated storage sweep removes the orphaned file.
4.2. Parents may request immediate deletion of uploaded photographs at any time by contacting [email protected]. We will process such requests within 24 hours.
4.3. The generated avatar is a stylised illustration and does not constitute a photograph or biometric data. Avatars are retained as part of the child profile for as long as the account is active.
5. Third-Party Processors
5.1. We use the following third-party services to operate the Service. Each processes data only as necessary to provide its specific function:
| Service | Purpose | Data Processed |
|---|---|---|
| Supabase | Database hosting | All account and content data |
| Cloudflare (R2) | Image CDN and file storage | Uploaded photos, generated images, story assets |
| Stripe | Web payment processing | Payment tokens, customer ID |
| RevenueCat | Mobile in-app purchase management | Subscriber ID, purchase history |
| PostHog | Product analytics | Usage events keyed to internal IDs only — no email, IP, or payment data; analytics opt-in |
| Resend | Transactional email delivery | Email address, email content |
| Expo | Push notification delivery | Push token, notification content |
| Apple (Sign in with Apple) | Optional social sign-in | OAuth identity token, verified email (may be a private-relay address), provider account ID |
| Google (Sign-In) | Optional social sign-in | OAuth identity token, verified email, provider account ID, name (first sign-in) |
| OpenAI | Avatar generation (gpt-image-1.5, fallback) | Child photographs (API only, not used for training) |
| Anthropic | Story text generation (Claude Sonnet 4.6); photo analysis (backup) | Child photographs (backup appearance analysis; API only, not used for training), child name, age, interests, story parameters |
| Google (Gemini) | Story planning, narration direction; photo analysis (primary) | Child photographs (appearance analysis; API only, not used for training), child name, age, story parameters |
| Kie.ai | Illustration generation (primary) | Text prompts, character descriptions |
| FAL.ai | Illustration generation (fallback), image upscaling (fallback), processing host for avatar generation | Text prompts, character descriptions, generated illustrations; brief technical hosting of the uploaded photo during avatar generation |
| Prodia | Image upscaling (primary, Real-ESRGAN) | Generated illustrations only (never photos) |
| xAI | Avatar generation (primary), story narration (text-to-speech) | Child photographs (avatar generation only; API only, not used for training), story text for audio |
| Inngest | Workflow orchestration for story-finishing pipeline | Internal identifiers only (story, child, household IDs) |
| Prodigi | Physical book printing and fulfilment (one of two print partners) | Recipient name, shipping address, phone, buyer email, print-ready PDFs |
| CloudPrinter | Physical book printing and fulfilment (one of two print partners) | Recipient name, shipping address, phone, buyer email, print-ready PDFs |
| Uploadcare | Legacy image hosting (no new uploads) | Residual older illustration URLs only; no photos, names, or contact data |
5.2. We have reviewed each processor's data handling practices and selected providers that offer appropriate safeguards for personal data. Where available, we use API-level access which typically provides stronger data protection guarantees than consumer-level services.
6. Data Retention
6.1. We retain data only for as long as necessary to provide the Service and fulfil the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Parent account data | Retained while your account is active; permanently deleted or irreversibly anonymised 30 days after account deletion request |
| Child profile data | Retained while your account is active; permanently deleted or irreversibly anonymised 30 days after account deletion request |
| Child photographs | 24 hours after avatar acceptance, then permanently deleted |
| Generated stories, illustrations, cover art & narration audio | Retained while your account is active; permanently deleted or irreversibly anonymised, and their media files removed from our CDN, 30 days after account deletion request |
| Character avatars | Retained while the child profile exists |
| Narration audio | Retained while the child profile exists |
| Password reset tokens | 1 hour, then automatically expired and deleted |
| Analytics events | Up to 12 months, then purged |
| Payment records | As required by applicable tax and accounting regulations |
| Access & security logs | Up to 12 months, then automatically purged |
| Consent records | Retained for the lifetime of the account for legal compliance |
6.2. When you request account deletion, your account enters a 30-day recovery period during which your data is suspended but preserved. A recovery link is emailed to you immediately. After 30 days, all personal data is permanently anonymised or deleted, except where we are required by law to retain certain records (such as payment records for tax purposes). Your children’s stored photos, avatars, and story media are erased from our content delivery network when the last member of your household deletes their account; where a household still has other active members, that shared media is retained for them until the household itself is closed.
7. Children's Privacy
7.1. This is a parent-operated service designed for adults. It is not directed at children and we do not knowingly collect data directly from children. All child-related data is provided by their parent or legal guardian acting on their behalf.
7.2. Protecting children's privacy is central to how we have designed the Service. The following safeguards are built into the Service:
- Parent-operated model: Children do not create accounts, log in, or interact with the Service. All operations are performed by the parent or legal guardian.
- Parental consent at the point of collection: Account creation requires an adult (18+) to register with a valid email address and password, and the account holder confirms they are the child's parent or legal guardian. Consent to process a child's data — including the separate, explicit consent required before any child photograph is shared with our AI providers — is captured from that authenticated adult at the point each type of data is collected.
- No child profiling: We do not create behavioural profiles of children, track their activities, or make automated decisions about them.
- No advertising: The Service contains no advertisements, no ad networks, and no marketing content targeted at children.
- No tracking of children: We do not use tracking cookies, browser fingerprinting, or any tracking SDKs that collect data about children. Our analytics (PostHog) track parent usage patterns only, at an aggregate level.
- Content controls: Parents can configure per-child content controls including excluded themes, bedtime mode, and preferred values or life lessons.
- Minimal data collection: We collect only the child data necessary to generate personalised stories: first name, age, gender, and optional interests.
- Photo deletion: Child photographs are permanently deleted within 24 hours of avatar acceptance, and whenever you delete the child profile or your account (see Section 4).
- Automated deletion: Reference photos are removed by an automated deletion process backed by an automated storage sweep that reclaims any orphaned file, so deletion does not depend on manual intervention.
- Tenant isolation: Each household's data is strictly isolated. Parents can only access data belonging to their own household. This isolation is enforced at both the application and database level.
- Rate-limited access: Authentication endpoints are protected against brute-force attacks to prevent unauthorised access to children's data.
- Audit trail: Access to children's data is logged for security monitoring purposes.
7.3. Connected families (“Friends”). If you choose to connect your child with another family using a friend code, that family can see your child’s first name, cartoon avatar, and exact age in years (not an age range), and may include your child as a named character in stories they create. This sharing happens only after you enter or accept a friend code. You can disconnect at any time, which stops any further sharing — but disconnecting cannot retrieve or delete content the other family has already generated. Only share friend codes with families you know and trust.
7.4. If you believe we have inadvertently collected personal data from a child without proper parental consent, please contact us immediately at [email protected]. We will investigate and delete any such data promptly.
8. Your Rights
8.1. Under the UK GDPR, EU GDPR, UAE PDPL, and applicable data protection laws, you have the following rights regarding your personal data and your child's personal data:
- Right of access: You may request a copy of all personal data we hold about you and your children.
- Right to rectification: You may request that we correct any inaccurate or incomplete personal data.
- Right to erasure: You may request that we delete your personal data and your children's data. You can delete your account and all associated data yourself at any time from Profile → Delete Account in the app, or — if you have removed the app — at onceuponame.io/delete-account, or by emailing [email protected]. Deletion starts a 30-day recovery window, after which your data is permanently deleted (see Section 6).
- Right to restrict processing: You may request that we limit how we process your data in certain circumstances.
- Right to data portability: You may request a copy of your data in a structured, commonly used, machine-readable format.
- Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right to object: You may object to processing of your personal data in certain circumstances, including processing for direct marketing purposes.
8.1.1. Data export. You can download a copy of your data yourself at any time from Profile → Download my data in the app, in a structured, machine-readable JSON format. This self-service export covers your account, your child profiles, your stories’ metadata, and roughly the last 90 days of activity events; for a complete copy of everything we hold, contact [email protected].
8.2. To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. In complex cases, we may extend this period by a further 60 days, in which case we will inform you of the extension and the reasons for it.
8.3. You will not be charged a fee for exercising your rights unless your request is manifestly unfounded or excessive.
8.4. If you are a resident of the United Arab Emirates, you have additional rights under the UAE Personal Data Protection Law (PDPL), including the right to access, rectify, and erase your personal data, and the right to object to processing.
10. International Transfers
10.1. Our entity is established in the United Arab Emirates (UAE). To deliver the Service, your personal data may be processed in the following locations:
- United States: Google (Gemini), Anthropic, OpenAI (via Kie.ai, fallback only), Kie.ai, fal.ai, xAI, Prodia, Inngest, PostHog (analytics, opt-in only), RevenueCat (mobile purchases), Expo (push notifications), Resend (transactional email), and the identity providers Apple (Sign in with Apple) and Google (sign-in).
- European Union / United Kingdom: our database is hosted by Supabase on Amazon Web Services in the EU (London, eu-west-2); Cloudflare R2 (CDN) and Stripe operate global edge / EU infrastructure.
- Print fulfilment: Prodigi and CloudPrinter (selected per order) print and ship, where possible, from facilities in or near the destination country.
10.2. Where we transfer personal data out of the United Kingdom or the EEA to a country without an adequacy decision (including the United States and the UAE), we put appropriate safeguards in place: the UK International Data Transfer Agreement (IDTA) / Addendum and the European Commission’s Standard Contractual Clauses (SCCs), together with a data processing agreement with each processor and data minimisation.
10.3. You may contact us for more information about the specific safeguards applied to international data transfers.
11. Security
11.1. We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
- Password security: Passwords are hashed using Argon2, a memory-hard hashing algorithm that is resistant to brute-force and rainbow-table attacks. We never store passwords in plain text.
- Password policy: Passwords must meet minimum complexity requirements (8+ characters with mixed case and numbers).
- Authentication: JWT-based authentication with secure token management ensures only authorised users can access account data.
- Constant-time authentication: Internal authentication mechanisms use constant-time comparison to prevent timing-based attacks.
- Rate limiting: Authentication endpoints are protected against brute-force attacks with automatic rate limiting.
- API security: All API keys and secrets are stored securely as environment variables and are never exposed to client-side code.
- Access control: Household-based access model ensures parents can only access data belonging to their own household.
- Upload validation: File uploads are restricted to approved image types (JPEG, PNG, WebP, HEIC) with a 10 MB size limit.
- Access & security-event logging: Access to personal data and security events (such as failed log-in attempts) are logged to detect and investigate anomalies. These logs are kept for a limited period (up to 12 months), are used only to protect the security and integrity of the Service on the basis of our legitimate interests, and are never used for advertising or to profile children. Email and IP addresses in these logs are stored in pseudonymised (hashed) form.
- Automated deletion: An automated cleanup process runs regularly (at least hourly) to ensure photos are deleted within the 24-hour window described in Section 4.
- Breach notification: If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, and will inform affected users without undue delay where the breach is likely to result in a high risk.
11.2. While we take all reasonable precautions, no method of transmission or storage is completely secure. If you become aware of any security concern or vulnerability affecting your account or the Service, please contact us immediately at [email protected].
12. Regional Provisions
12a. United Kingdom & European Union
12a.1. If you are located in the United Kingdom or the European Union, the UK GDPR and/or EU GDPR applies to our processing of your personal data.
12a.2. Our legal basis for processing your personal data is consent (provided at account creation) and legitimate interests (to operate and improve the Service). Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms.
12a.3. We have designed the Service with the principles of the ICO Age Appropriate Design Code (Children's Code) in mind, including data minimisation, high privacy defaults, and transparency appropriate to the age of the children who benefit from the Service.
12a.4. You have the right to lodge a complaint with a supervisory authority. In the United Kingdom, this is the Information Commissioner's Office (ICO). In the European Union, this is your local Data Protection Authority.
12b. United States
12b.1. COPPA: We do not knowingly collect personal information directly from children under 13 years of age. All child data is provided by a verified parent or legal guardian who has created an account and consented to the processing of their child's data.
12b.2. California (CCPA/CPRA): If you are a California resident, you have the right to know what personal information we collect, the right to request deletion of your personal information, and the right to opt out of the sale of personal information. We do not sell personal information.
12b.3. We do not discriminate against users who exercise their privacy rights.
12c. United Arab Emirates
12c.1. The UAE Personal Data Protection Law (PDPL) applies to our processing of your personal data. Children's data is classified as sensitive personal data under the PDPL and is afforded additional protections.
12c.2. Consent from the authenticated adult account holder is collected and documented at the point of account creation, child profile creation, and — for the separate, explicit consent to share a child's photograph with our AI providers — at the point the photograph is added, in accordance with the PDPL's requirements for processing sensitive personal data.
12c.3. You have the right to lodge complaints with the UAE Data Office or the relevant free zone authority regarding our handling of your personal data.
13. Changes to This Policy
13.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
13.2. For minor changes, we will update the effective date at the top of this page. For material changes that significantly affect how we handle your data or your children's data, we will:
- Notify you by email at the address associated with your account
- Display a prominent notice within the Service
- Where required, seek your renewed consent before continuing to process data under the new terms
13.3. We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.
13.4. Business transfers. If we are involved in a merger, acquisition, financing, reorganisation, or sale of assets, or in the event of insolvency, personal data may be transferred to a successor or affiliate. Any successor will be bound by commitments at least as protective of your data as those in this Privacy Policy, and we will notify you (by email or in-app notice) of any such change and of any choices you may have.
14. Contact
14.1. The Dream Management Group FZE LLC, trading as Once Upon a Me, is the data controller responsible for your personal data. If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
The Dream Management Group FZE LLC
Trading as Once Upon a Me
BC-890780, 26th Floor, Amber Gem Tower
Ajman, P.O. Box 4848, United Arab Emirates
Privacy enquiries & data-rights requests: [email protected]
Concerns about a child’s data: [email protected] (please mark “Child Data” in the subject line)
General support: [email protected]
Website: onceuponame.io
Representative (Article 27 EU GDPR & UK GDPR): We value your privacy and your rights as a data subject and have therefore appointed Prighter Group, with its local partners, as our privacy representative and your point of contact for the following regions: the United Kingdom (UK) and the European Union (EU). Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative Prighter, or make use of your data-subject rights, please visit app.prighter.com/portal/once-upon-a-me.
EU representative: iuro Rechtsanwälte GmbH t/a Prighter, Schellinggasse 3, 1010 Vienna, Austria. Prighter is the controller’s representative under Article 27 of the EU GDPR.
UK representative: Prighter Ltd, 20 Mortlake High Street, London, SW14 8JN, United Kingdom. Prighter is the controller’s representative under Article 27 of the UK GDPR.
14.2. If you are not satisfied with our response to your data protection concern, you have the right to lodge a complaint with a supervisory authority:
- European Union: your local Data Protection Authority
- United Arab Emirates: the UAE Data Office or the relevant free zone authority