Privacy Policy
Plain-language summary of what data we collect and how we use it. Starting point — not legal advice.
What we collect
- Account info: your email and password (the password is hashed by Supabase Auth and we never see it in plain text).
- Child profile info you choose to enter: name, age, physical description, interests, communication notes. Keep this minimal. Do not enter government IDs, medical diagnoses, insurance numbers, or other sensitive identifiers.
- Story content: the request fields you fill in, the generated text/images, the BCBA-style explanation, and any edits you make.
- Operational data: timestamps, IP addresses (briefly via Supabase), error logs, and quota counters.
How we use it
- To run the product (generate stories, store and display them).
- To authenticate you and prevent abuse.
- To enforce per-user quotas.
- To debug errors.
Third parties we send your data to
- Supabase — hosts our database, authentication, and file storage. Subject to Supabase's own privacy practices.
- OpenAI — our content-generation provider. The child's profile (with their name replaced by a placeholder before sending) and story request fields are passed to OpenAI to produce the story text and images. Per OpenAI's API policy, this data is not used to train their models, but is logged for abuse monitoring.
We do not sell your data. We do not show ads. We do not share data with advertisers or analytics brokers.
Children's data
Accounts can only be created by adults (18+). Child information is entered by a parent, guardian, or licensed provider on the child's behalf. We do not have direct accounts for children under 13. If you believe a child has created an account, contact us and we will remove it.
Readers (parents)
When a therapist invites you as a reader, you only see stories for the specific child you were invited to read for. You cannot see other children's data, create new stories, or modify existing ones.
Retention and deletion
We keep your data while your account is active. To delete your account and all associated data (child profiles, stories, images), use the in-app delete control or email an administrator. Deletion is permanent and cannot be undone.
Security
Data is encrypted in transit (HTTPS) and at rest by Supabase. We use row-level security in the database to keep accounts separate. That said, no online service is perfectly secure; keep child data minimal.
Compliance status
This service is not HIPAA compliant. Do not enter protected health information. We are not currently certified under COPPA, FERPA, or GDPR.
Changes
We may update this policy. The "last updated" date at the bottom of the page reflects the most recent change.
Contact
Privacy questions or deletion requests? Email the account administrator. (Replace with a real privacy contact before launch.)