Privacy Policy

Last updated: June 2026

BabyStories generates personalized hardcover storybooks featuring your child. To do that, we ask you to upload a small number of photos and tell us a bit about your kid. We treat that information with the seriousness it deserves. This page describes, in plain language, what we do with that data and the rights you have over it.

Who we are

BabyStories is a product operated by FailFast Labs ("FailFast Labs", "we", "us", or "our"). For the purposes of the EU and UK General Data Protection Regulation (GDPR), FailFast Labs is the data controller responsible for your personal data. You can reach us about anything in this notice at hello@babystories.ai.

Photos of children

Kid photos are used for one purpose: generating illustrations for the book you create. They are never shared with other users, never used for advertising, and we neither use them to train AI models nor authorize our providers to train on them.

  • Default 90-day retention. By default, every uploaded photo is automatically deleted 90 days after upload — both the stored record and the underlying image file.
  • Opt-in to keep photos. If you'd like us to keep your photos so you can reuse them in future books, you can opt in from your account settings. Opt-in is off by default; you can revoke it at any time.
  • Private storage. Photos live in a private Cloudflare R2 bucket with no public-read access. The only way to retrieve a photo is through a signed URL that we scope to your account.
  • No logging of image bytes. Our server-side logs capture metadata (file size, MIME type, storage key, your account id) but never the image contents.

Story and prompt data

The brainstorm chat history and the page outline you lock in are stored alongside your book so you can resume editing later. We run every user-submitted prompt through content moderation before passing it to any AI provider. Generated story text is also moderation-checked before we render an illustration for it.

What we collect and why

  • Account data (email, authentication identifiers) — to create and secure your account. Handled by our auth provider, Clerk.
  • Child data you provide (photos, first name or nickname, age, traits) — to generate the personalized book you ask us to make.
  • Book and order data (story content, illustrations, shipping address, order history) — to produce, print, and ship your book and provide support.
  • Payment data — handled directly by Stripe. We never see or store your full card number.
  • Usage and marketing analytics — to understand how the site is used and to measure our advertising. This includes page views, product-usage events, and ad-campaign identifiers (such as utm tags and Google click ids) from the link you arrived on. We never link analytics or ad measurement to your child's photos, name, age, or bio, and we never advertise to your child. See "Cookies and analytics" below for the details and how to opt out.

Legal bases for processing (GDPR)

If you are in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases:

  • Performance of a contract — to create your account, generate your book, and fulfill and ship your order.
  • Consent — for keeping your child's photos beyond the default 90-day retention window (the opt-in described above). You may withdraw this consent at any time without affecting prior processing.
  • Legitimate interests — to keep the service secure, prevent abuse, and improve the product using usage analytics, balanced against your rights.
  • Legal obligation — to comply with tax, accounting, and other applicable laws.

Your rights under GDPR

If you are in the EEA or UK, you have the right to:

  • Access the personal data we hold about you, and receive a copy of it.
  • Rectify data that is inaccurate or incomplete.
  • Erase your data ("right to be forgotten").
  • Restrict or object to certain processing.
  • Data portability — receive your data in a structured, machine-readable format.
  • Withdraw consent at any time where we rely on it.
  • Lodge a complaint with your local data protection supervisory authority.

You can exercise the access, portability, and erasure rights yourself at any time (see "Your data, your call" below), or email hello@babystories.ai and a human will handle it. We respond to verified requests within 30 days.

Your data, your call

  • Data export. On request we provide your full account record — kids, books, orders, and photo metadata — as a downloadable archive.
  • Data deletion. On request we permanently delete your account and everything in it: every kid, photo, book, character description, and reference to your photos in our storage. There is no soft-delete on personal data.
  • Email us. If you'd rather have a human handle export or deletion, write to hello@babystories.ai.

Third parties we rely on

We use Clerk for authentication, Stripe for payments, Lulu Direct for print fulfillment, Cloudflare R2 for storage, several AI providers (OpenAI, Anthropic, Google) for moderation, story generation, and illustration, PostHog for product analytics, and Google (Tag Manager, Analytics, and Ads) to measure our advertising. Each provider sees only the data it needs to do its job. AI providers never receive your child's photo embeddings in a way that links back to your account. We do not sell your personal data for money.

International data transfers

We are based in the United States and our service providers may process your data in the US and other countries. Where we transfer personal data out of the EEA or UK, we rely on appropriate safeguards — such as the European Commission's Standard Contractual Clauses — to ensure your data receives an equivalent level of protection.

Children under 13 (COPPA)

BabyStories is designed to be used by parents and guardians, not by children directly, and is not directed to children under 13. We do not knowingly collect personal information directly from children. The photos and information about your child that you upload are provided by you, the parent or guardian, treated as your data, and kept under your control — you may delete them at any time.

Consistent with the Children's Online Privacy Protection Act (COPPA), we apply the controls described above to a child's information: a default 90-day retention window with automatic deletion, opt-in (revocable) consent before we keep photos longer, private storage with account-scoped signed URLs, and a strict policy of never logging image bytes and never using a child's likeness to train AI models (nor authorizing our providers to). If you believe a child has provided us information without parental consent, or you want a child's data removed, email hello@babystories.ai and we'll delete it promptly.

California residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect and how we use it, to request access to or deletion of that information, to opt out of "sharing," and to not be discriminated against for exercising these rights. We do not sell your personal information for money. Our use of Google's advertising tools to measure ad performance (see "Cookies and analytics") may be considered "sharing" for cross-context behavioral advertising under the CPRA — you can opt out using your browser's cookie controls or by emailing us. You can exercise all of these rights using the export and deletion options above, or by emailing hello@babystories.ai.

Cookies and analytics

We use cookies and similar technologies in three categories:

  • Essential. Our authentication provider (Clerk) and payment provider (Stripe) set strictly necessary cookies to keep you signed in and to process checkout securely. The site can't work without these.
  • Product analytics (PostHog). We use PostHog to understand how the site is used — page views and product-usage events such as which features and art styles are popular. Because this is a kids' product, we deliberately turn off the riskiest options: no autocapture (we never send the text you type, such as a child's name or bio), no session recording (we never record your screen), and when you're signed in we tie events to your account id only — never your child's name, age, photos, or bio.
  • Advertising measurement (Google). When enabled, Google Tag Manager loads Google Analytics and Google Ads tags so we can see which ads lead to a purchase. We record a purchase event (order id, total, currency, and basic line-item details such as product name and quantity) and store ad-click identifiers (Google and Microsoft click ids such as gclid, gbraid, and wbraid) along with utm campaign tags from your landing URL in a first-party cookie to attribute the order to a campaign. These are marketing parameters only — never your child's data.

Product analytics and advertising cookies are non-essential. You can opt out at any time using your browser's cookie controls (for example, blocking cookies for this site) or by emailing hello@babystories.ai.

Data security

We use industry-standard measures to protect your data, including encryption in transit, a private storage bucket with account-scoped access, and authentication handled by a dedicated provider. No system is perfectly secure, but we work to limit what we collect, how long we keep it, and who can access it.

Changes to this notice

If we materially change how we handle data, we'll update this page and note the change at the top. The version date above always reflects current practice.

Contact us

Questions about this policy, or want to exercise a privacy right? Email hello@babystories.ai; it's the fastest way to reach us.