Privacy policy

This Privacy Policy explains how Owl Aby, Inc. ("Owl Aby," "we," "our") collects, uses, shares, and protects information when you use our mobile app, website, and related services (together, the "Service"). It applies to all Owl Aby users globally and is written to comply with the EU GDPR, UK GDPR, California CCPA/CPRA, the US Children's Online Privacy Protection Act (COPPA), and other applicable privacy laws.

If you have questions, the fastest way to reach us is privacy@owlaby.com.

1. Who we are & how to contact us

Owl Aby, Inc. is a Delaware corporation, headquartered at 1209 Orange Street, Wilmington, DE 19801, USA. For EU/UK data subjects, our representative is reachable at eu-privacy@owlaby.com. Our Data Protection Officer can be reached at dpo@owlaby.com.

2. What we collect

We collect only what we need to provide the Service. Specifically:

2.1 Information you give us

• Account information: your email address, password (stored hashed), display name, time zone, and language preference
• Subscription & billing: plan tier and renewal status. We never see your full credit card number — payments are handled by Apple, Google, or Stripe and we receive only a tokenized reference and the last four digits
• Child profile information (provided by you, the parent): first name or nickname, age in months/years, interests, favorite animal and color, and (optionally) a custom avatar selection
• Caregiver invitations: the email address you enter when inviting another caregiver
• Voice recordings (optional): if you opt into "narrate in your own voice" (coming 2026), the audio samples you record
• Stories & library: the prompts you choose and the generated stories saved to your library
• Support correspondence: emails, in-app messages, and any feedback you send us

2.2 Information we collect automatically

• Device & technical: device type, operating system version, app version, language, screen size, and a randomly-generated device identifier
• Usage: which screens you open, which features you use, and aggregate session metrics. We use this to understand what's working — never to build a profile about a specific child
• Crash logs & diagnostics: if the app crashes, we collect a stack trace and device state to fix the bug
• IP address & rough location: derived from your IP for security, fraud prevention, and to select a nearby server. We do not collect precise GPS location

2.3 Information we deliberately do not collect

• Your child's photograph (unless you upload one to set as their avatar)
• Precise location (GPS)
• Contacts, calendar, microphone access (except when you actively use voice recording), camera access (except when you actively upload an avatar)
• Browsing activity outside Owl Aby
• Health, biometric, racial/ethnic, religious, or political information

3. How we use information

We use the information we collect to:

• Provide the Service: authenticate you, generate personalized stories, narrate them, save them to your library, and synchronize across your devices
• Personalize: tailor stories, tips, and activity ideas to your child's age and interests
• Communicate: send service emails (trial reminders, security alerts, important account or policy updates) and respond to support inquiries
• Improve: understand which features parents find useful and where the app is frustrating, in aggregated, non-identifying form
• Keep it safe: detect and prevent fraud, abuse, and security incidents
• Comply with law: meet legal obligations and respond to lawful requests

We do not use your information to serve ads, train AI models, or sell to third parties.

4. Our legal bases (EU/UK users)

If you're in the EU, UK, or EEA, GDPR requires us to identify a "legal basis" for each use of personal data:

• Contract: to provide the Service you've signed up for (most of what we do)
• Legitimate interest: improving the Service, preventing fraud, and securing our systems — balanced against your rights
• Consent: optional features like your-voice narration; you can withdraw at any time
• Legal obligation: tax, accounting, and lawful-request compliance

5. Children's privacy

Children's privacy isn't a footnote at Owl Aby — it's a design decision. The Service is built so that only the parent or legal guardian holds an account. Children listen to stories the parent has set up. We do not knowingly collect personal information directly from children.

5.1 Information you provide about your child

When you create a child profile, you provide minimal data: a first name or nickname, age in months, and preferences (interests, favorite animal, favorite color). This data is used solely to personalize the stories and tips we generate for your family. It is:

• Never used to train AI models (ours or anyone's)
• Never shared with advertisers or data brokers — we don't work with either
• Never used to build cross-app behavioral profiles
• Encrypted in transit (TLS 1.3) and at rest
• Deletable at any time from inside the app

5.2 Parental controls & consent (COPPA)

For US users, we comply with the Children's Online Privacy Protection Act (COPPA). Because Owl Aby is a "parent-mediated" service:

• Only verified adults (18+) can create accounts
• You provide consent for your child's profile information when you create or edit it
• You can review, modify, or delete child profile information at any time from Profile → Children
• You can request a copy of all data associated with a child profile at privacy@owlaby.com
• You can refuse further collection by deleting the child profile or the entire account

5.3 EU/UK children (GDPR-K)

For users in the EU or UK, processing of child information requires parental consent for children under the digital age of consent (which varies by member state, generally 13–16). Because parents create accounts and child profiles on behalf of their children, that consent is provided at account/profile creation.

5.4 What we do not do

We do not enable children to chat with strangers. There are no public profiles, no friend lists, no social features, no comment sections, no DMs, no in-app purchases shown to children, and no advertising of any kind.

6. AI & our no-training promise

Owl Aby uses large language and image generation models, accessed through trusted enterprise APIs, to generate stories and illustrations. These providers operate under data processing agreements that include the following terms:

• Zero data retention: prompts and outputs are not retained by the model provider beyond the time needed to process the request (typically under 30 days for abuse-monitoring, then deleted)
• No training: your prompts, generated stories, voice recordings, and any other content from Owl Aby are never used to train, fine-tune, evaluate, or otherwise improve any AI model
• No human review by the model provider of personalized content, except as strictly required for safety abuse-monitoring on a sampled basis (without identifiable child data attached)
• Enterprise data processing agreements: each AI provider signs a DPA with terms equal to or stronger than this policy

We hold this commitment for as long as Owl Aby exists. If we ever need to change this — e.g., if a model provider's terms become incompatible with our promise and we need to switch providers — we will notify existing users by email at least 30 days before any change takes effect, and your data remains uncovered by the change.

7. Who we share data with

We share data only in these specific situations:

• Service providers (sub-processors): hosting, AI inference, email delivery, customer support tooling, and analytics — see Section 8
• Other caregivers you invite: when you invite another caregiver to a child profile, they see what you've granted them (read-only or parent-level access)
• Apple & Google: payment information for subscriptions purchased through their stores; we receive only a tokenized reference
• Legal & safety: if required by law, valid legal process, or to protect rights, safety, or property — we challenge overbroad requests and notify affected users where lawfully permitted
• Business transfers: in a merger, acquisition, or sale of assets, your data may be transferred to the successor, subject to this Privacy Policy

We do not sell or rent personal data. Owl Aby does not engage in cross-context behavioral advertising under any definition (CCPA/CPRA, GDPR, or otherwise).

8. Sub-processors

We use a small, carefully chosen set of vendors to operate the Service. Each is bound by a Data Processing Agreement with confidentiality, security, and no-training terms aligned with this policy.

• Amazon Web Services (AWS) — primary cloud hosting (us-east-1 & eu-west-1)
• OpenAI, Anthropic — language model inference for story generation (enterprise zero-retention APIs)
• ElevenLabs — narrator voice synthesis (enterprise no-training agreement)
• Stripe — payment processing for web purchases
• Apple App Store — payment processing for in-app purchases
• Postmark — transactional email delivery (trial reminders, security notices)
• Sentry — crash reporting (no PII; user identifiers are hashed)
• Plausible Analytics — privacy-respecting product analytics (no cookies, no cross-site tracking)

We maintain an up-to-date sub-processor list at owlaby.com/legal/subprocessors and notify subscribers by email when we add or change one.

9. Cookies & tracking

Our website uses a small number of strictly-necessary cookies (e.g., to keep you signed in) and one anonymous analytics cookie via Plausible. We do not use advertising cookies, tracking pixels, fingerprinting, or third-party social trackers. On mobile, we do not request the iOS App Tracking Transparency (ATT) permission because we do not track across other apps or websites.

10. Data retention

We hold onto data only as long as needed for the purpose collected:

• Account & profile data: for the life of the account, plus a 30-day grace window after you delete it (in case you change your mind)
• Stories & library: stored as long as the account exists; deleted with the account
• Voice recordings: stored only as long as the feature is active in your account; you can delete any recording immediately
• Billing records: kept for 7 years for tax and accounting compliance, as required by US and EU law
• Support correspondence: 24 months from the last interaction
• Crash logs & diagnostics: 90 days, then deleted
• Aggregate analytics: 24 months in aggregated, non-identifying form

After the relevant retention period, data is either permanently erased or anonymized so it can no longer be linked to you or your child.

11. Security

We take security seriously and apply industry-standard safeguards:

• TLS 1.3 in transit; AES-256 at rest
• Passwords stored using bcrypt with per-user salts
• Voice recordings stored encrypted with per-user keys
• Role-based access control inside the company; access to production data limited to a small on-call team and logged
• Quarterly third-party security reviews and annual penetration tests
• Bug bounty: report a security issue to security@owlaby.com — we respond within 24 hours and pay for valid reports

No system is perfectly secure. If we ever experience a data breach affecting your information, we will notify you by email within 72 hours of confirming the incident, including what happened, what data was affected, what we're doing about it, and what you should do.

12. International transfers

Owl Aby is headquartered in the US, with EU/UK data stored in eu-west-1. If you're in the EU or UK and we transfer your data outside that region, we rely on Standard Contractual Clauses (SCCs) and supplementary safeguards (encryption, access logging, contractual obligations) to ensure your data receives equivalent protection.

13. Your rights

Regardless of where you live, you have the right to:

• Access a copy of the data we hold about you and your child
• Correct inaccurate information
• Delete your account and all associated data
• Export your data in a portable format (JSON, audio, and story archive)
• Restrict or object to certain processing (where applicable)
• Withdraw consent at any time for optional features (e.g., your-voice narration)

Most of these you can do yourself in the app: Profile → Account → Privacy. For anything else, write to privacy@owlaby.com. We'll respond within 30 days (often much sooner). We won't charge a fee unless your request is excessive or repetitive, and we won't discriminate against you for exercising your rights.

14. California residents (CCPA / CPRA)

If you live in California, you have specific rights under the California Consumer Privacy Act and CPRA:

• Right to know: what personal information we collect, why, and who we share it with — covered above
• Right to delete: covered under Section 13
• Right to correct: covered under Section 13
• Right to limit use of sensitive personal information: we do not use SPI for any purpose other than providing the Service
• Right to opt out of sale or sharing: we do not sell or share (for cross-context advertising) personal information, so there's nothing to opt out of — but we honor Global Privacy Control (GPC) signals as a precaution
• Right of non-retaliation: we won't degrade or deny the Service if you exercise these rights

To exercise CCPA/CPRA rights, email privacy@owlaby.com with "California Privacy Request" in the subject. We verify identity via the account email on file.

15. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes (e.g., new categories of data collected, new sub-processors of a sensitive nature, changes to children's privacy practices), we'll notify subscribers by email at least 30 days before the changes take effect and post the new version with an updated "Last updated" date. Continued use after the effective date means you accept the updated policy. If you don't agree, you can cancel and delete your account before the changes apply.

16. Contact & complaints

Have a question, a request, or a concern?

• General privacy: privacy@owlaby.com
• EU/UK data subjects: eu-privacy@owlaby.com
• Data Protection Officer: dpo@owlaby.com
• Security: security@owlaby.com
• Postal: Owl Aby, Inc. — Privacy, 1209 Orange Street, Wilmington, DE 19801, USA

If you're not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, your country's DPA in the EU, or the California Attorney General). We'd rather hear from you first so we can fix things — but we respect your right either way.

We wrote this policy ourselves, kept it short on purpose, and update it when something real changes — not for cosmetic reasons. If a sentence in here doesn't make sense to you, that's our fault. Email us and we'll fix it.