Privacy Policy

Last updated: January 1, 2026  ·  Effective: January 1, 2026

Children's Privacy (COPPA)

TrueTales is designed for children. We take COPPA compliance extremely seriously. We do not collect personal information directly from children under 13. All child profile data is associated with the parent/guardian account. See the Children's Privacy section below for full details.

1. Who We Are

TrueTales ("TrueTales," "we," "us," or "our") operates the website truetales.us and related services (the "Service"). We are committed to protecting the privacy and security of your personal information.

For questions about this policy, contact us at our contact page or by email at privacy@truetales.us.

2. Information We Collect

Information You Provide Directly

  • Account registration: email address, full name (optional), and password (stored as a bcrypt hash — we never store your plain-text password).
  • Child profiles: first name, age range, and avatar selection. Created by the parent/guardian. No contact details, photos, or precise ages are required.
  • Parent PIN: A 4-digit PIN you set to protect parental controls. Stored as a bcrypt hash.
  • Contact form submissions: name, email address, and the content of your message.
  • Billing information: We use Stripe for all payments. We never see, store, or process your credit card number. Stripe handles all payment data under their own Privacy Policy.

Information Collected Automatically

  • Playback logs: which stories you play, how long you listen, and whether you complete a story. Used to power your listening history and achievement badges.
  • Session tokens: HTTP-only cookies containing signed JWT tokens. These authenticate your session. They contain only your user ID and expiry — no personal data.
  • Server logs: standard web server logs (IP address, browser type, pages visited, timestamps). Retained for 30 days for security and debugging purposes only.

Information We Do NOT Collect

  • We do not use advertising trackers, retargeting pixels, or third-party analytics SDKs.
  • We do not sell, rent, or trade your personal information to any third party.
  • We do not collect geolocation data beyond the country level (derived from IP for security purposes only).
  • We do not record or store any audio from your device.

3. How We Use Your Information

  • Providing the Service: authenticating your account, streaming audio content, tracking playback progress.
  • Subscription management: linking your account to your Stripe subscription, processing renewals and cancellations.
  • Achievements and gamification: computing listening streaks, badge progress, and XP from your playback history.
  • Parental controls: enforcing daily listening limits and bedtime restrictions for child profiles.
  • Customer support: responding to contact form submissions and account inquiries.
  • Security: detecting and preventing fraud, unauthorized access, and abuse of the Service.
  • Legal compliance: meeting our obligations under applicable law.

We do not use your information for advertising, profiling, or sale to third parties under any circumstances.

4. Children's Privacy (COPPA Compliance)

TrueTales is subject to the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information directly from children under 13.

How child profiles work: When a parent or guardian creates a child profile on their account, only a first name, age range, and avatar emoji are stored. This information is attached to the parent's account — not to a separate child account. Children do not create their own accounts, provide their own email addresses, or communicate directly with TrueTales.

Parental access and control: Parents and guardians may review, modify, or delete child profiles at any time through the Parent Control Portal, accessible from their account dashboard.

If you believe we have inadvertently collected information from a child under 13 without verifiable parental consent, please contact us immediately at privacy@truetales.us. We will delete such information promptly.

5. Stripe and Payment Processing

All payment processing is performed by Stripe, Inc. When you subscribe, you are directed to a Stripe-hosted checkout page. TrueTales never receives, processes, or stores your full credit card number, CVV, or billing address.

TrueTales receives from Stripe: a tokenized customer ID, a subscription status, and the last four digits of your card (for display purposes only). Stripe is PCI-DSS Level 1 certified. Their privacy policy is available at stripe.com/privacy.

6. Cookies and Session Management

We use two HTTP-only, same-site cookies to manage your session:

  • access_token: A signed JWT valid for 60 minutes. Contains your user ID. Used to authenticate API requests.
  • refresh_token: A signed JWT valid for 30 days. Used to issue new access tokens without requiring you to log in again.

These cookies are marked HttpOnly (not accessible to JavaScript), SameSite=Lax (not sent on cross-site requests), and Secure in production (HTTPS only). We do not use advertising cookies, tracking pixels, or any third-party cookie from an ad network.

7. Data Sharing

We share your data only in the following limited circumstances:

  • Stripe: Payment processing only, as described above.
  • Infrastructure providers: Server hosting and database providers who process data on our behalf under strict data processing agreements.
  • Legal requirements: If required by valid legal process (court order, subpoena) or to protect the safety of users or the public.

We do not share your data with data brokers, advertisers, social media platforms, or any marketing service.

8. Data Retention

  • Account data: Retained for the life of your account and deleted within 30 days of account deletion.
  • Playback logs: Retained for 2 years. Used to compute achievements. Anonymized aggregates may be retained indefinitely for platform improvement.
  • Contact form submissions: Retained for 12 months, then deleted.
  • Server logs: Retained for 30 days.
  • Stripe data: Governed by Stripe's retention policies.

9. Your Rights

You have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Update your email address and name in your account settings.
  • Deletion: Request deletion of your account and associated data. Contact us at privacy@truetales.us. We will process deletion within 30 days.
  • Portability: Request an export of your listening history data in JSON format.
  • Objection: Object to processing in certain circumstances.

California residents have additional rights under CCPA. Virginia, Colorado, Connecticut, and other state residents may have rights under their respective state privacy laws. Contact us to exercise any of these rights.

10. Security

We implement reasonable technical and organizational measures to protect your information, including: bcrypt password hashing, signed JWT tokens, HTTPS-only transmission in production, and database encryption at rest. However, no internet transmission or storage system is 100% secure. Please use a strong, unique password for your TrueTales account.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active subscribers of material changes via email and by displaying a banner on the site. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after a change constitutes acceptance of the revised policy.

12. Contact Us

For privacy-related questions, requests, or concerns, contact us at: