luluTells — Privacy Policy

A bedtime-story app made for children aged 3–10, designed to be used with a parent or guardian.

Effective date: 8 June 2026 Version: 1.0.0 Last updated: 8 June 2026

1. Introduction

lulutells ("lulutells", "we", "us", "our") is a mobile application that creates personalised, AI-narrated audio stories for children aged 3 to 10, designed to be enjoyed together with a parent or guardian. Because lulutells is made for and used by children, we take privacy — especially children's privacy — extremely seriously.

This Privacy Policy explains, in plain language:

What information we collect about you and your child
Why we collect it and how we use it
Who we share it with (and who we do not share it with)
The rights you and your child have over that information
How we keep it safe

This policy is written for parents and legal guardians. The lulutells app does not knowingly create an account for any child directly — accounts are created and controlled by a parent.

We comply with the Digital Personal Data Protection Act, 2023 (DPDP Act, India), the Children's Online Privacy Protection Act (COPPA, United States), the General Data Protection Regulation (GDPR) including GDPR-K (European Union), and the privacy guidelines of the Apple App Store and Google Play Store for children's apps.

2. Who We Are (Data Fiduciary / Data Controller)

Field	Detail
Legal entity	Devendra Mishra, sole proprietor
Trading as	lulutells
Registered country	India
Registered address	No 2240, AECS Layout, 11th Main A Block, Bangalore, Karnataka, India
Contact email (also the Grievance Officer inbox under DPDP Act §10)	support@lulutells.com
Grievance Officer (India, DPDP Act §10)	Devendra Mishra — reachable at the same address above

For the purposes of the DPDP Act, 2023, we are the Data Fiduciary. For the purposes of the GDPR, we are the Data Controller. For the purposes of COPPA, we are the Operator of an online service directed at children.

If you have any questions, complaints or requests regarding your or your child's personal data, please write to us at the email above. We respond to all privacy enquiries within 30 days.

3. Scope and Application

This Privacy Policy applies to:

The lulutells mobile application for iOS and Android
Any associated services we operate (e.g. story-generation backend)
All users of the app — parents, guardians and children — anywhere in the world

It does not apply to third-party services we link to (for example if you tap a link to our website from inside the app) — those services have their own privacy policies.

4. The Information We Collect

We collect the minimum information needed to make the app work safely. We do not collect more than we need. Specifically:

4.1 Information you give us about the parent

Data	When	Why
Phone number	When you log in via one-time password (OTP)	To authenticate you as the account holder and prevent abuse. Authentication is handled by Google Firebase Authentication on our behalf.

4.2 Information you give us about your child

Data	When	Why
Child's first name (or nickname)	During onboarding, entered by parent	Personalising the story narration (the story addresses the child by name)
Child's age (3–10)	During onboarding	Picking an age-appropriate story length and vocabulary
Preferred language (English or Hindi)	During onboarding	Picking the right narration language
Preferred "sidekick" character	During onboarding	Including that character in personalised stories

We do not ask for the child's last name, date of birth, address, email, school, photograph, location, contacts, or any other identifying information.

Where this is stored. Your phone number and your child's profile are stored in our secure cloud database (Google Firebase Firestore) linked to your account, and cached on your device, so your profiles sync across devices and can be restored if you reinstall the app or log in on a new phone. They are protected by access rules that restrict them to your authenticated account (see Section 10).

4.3 Information generated as you use the app

When a story is played, we keep a playback record so the app can show "recently played" stories, track listening streaks, and power optional reminders. Each record contains the story, how much of it was completed, when it was played, and a snapshot of the child's first name. This is stored to your account in our cloud database. It is operational data the app needs to function — it is not the same as the optional analytics described in Section 4.5.

4.4 Subscription and purchase information

lulutells offers an optional paid subscription with a free trial. When you start a trial or subscribe:

Data	Why we need it
Your purchase/subscription status, transaction identifiers and store receipts	To unlock premium features, manage your trial, and let you restore purchases on a new device
A random app-user identifier (your Firebase account ID)	To link your subscription to your account without exposing payment details

The actual payment is processed entirely by the Apple App Store or Google Play — we never see, receive or store your card number, bank details or billing address. Subscription status is managed on our behalf by RevenueCat, Inc. (see Section 6).

4.5 Information collected automatically

Data	Why we need it
Device type, operating system version, app version	Diagnose crashes and ensure compatibility
Anonymous, randomly-generated install identifier	Distinguish one installation from another in our crash and error logs without identifying you
Crash and error diagnostics (stack traces, device state at time of error)	Detect and fix bugs. Collected via Google Firebase and Sentry (see Section 6).
Push notification token (Expo push token and the device's FCM/APNs token) — only if you grant notification permission	Deliver story reminders and account notifications to your device (see Section 13). Stored to your account.
App usage events (e.g. session start, feature used) — only if you opt in to app usage analytics	Understand how parents use the app so we can improve features. Contains no child data.
Approximate region (city/country, derived from your IP address) — only if you opt in to app usage analytics	Understand which regions use lulutells so we can prioritise languages and content for those areas. Never precise/GPS location, and never shared with advertisers.
Story engagement events (e.g. "story started", "story completed", progress milestones) — only if you separately opt in to story engagement analytics	Understand which stories children enjoy so we can improve the library. Linked only to an anonymous ID — never to a child's name, exact age, or contact details. Requires a separate explicit opt-in because it relates to your child's behaviour.

We do not collect:

Precise location (GPS). We do not access your device's GPS at all.
Your contacts, photos, calendar, microphone recordings or camera images
Advertising identifiers (IDFA on iOS, AAID on Android)
Browsing history outside the app
Your payment card or bank details (these stay with Apple / Google)

4.6 What we do not track

lulutells contains no third-party advertising. We never sell or rent your personal data. We never profile your child for advertising. We do not use any behavioural advertising trackers, social-media SDKs, or cross-app trackers.

5. How We Use Your Information

To deliver the service — generating and streaming a personalised story tailored to your child's name, age, language and sidekick, and storing your profiles and playback history so they sync across your devices.
To authenticate the parent — sending and verifying one-time passwords (OTPs) via Firebase Authentication.
To manage subscriptions — unlocking premium features, managing free trials, and restoring purchases through the Apple App Store / Google Play and our subscription manager (RevenueCat).
To send notifications you have allowed — story reminders and account notices, only if you grant notification permission (see Section 13).
To keep the app safe and reliable — diagnosing crashes and errors, fixing bugs, and protecting against abuse of our story-generation servers.
To improve app features — only if you have opted in to app usage analytics, we use anonymous, device-level session and feature-usage data (no child data) to understand how parents navigate lulutells.
To improve stories — only if you have separately opted in to story engagement analytics, we use anonymous story-interaction data (completion rates, genre preferences) to understand which stories children enjoy. This requires a separate explicit consent because it relates to your child's behaviour.
To comply with the law — for example, responding to a lawful court order.

We do not use your information to advertise to you or your child, build behavioural profiles, train third-party AI models, or for any purpose that is unrelated to providing lulutells.

5.1 Legal bases (GDPR users)

If you are in the European Economic Area or the United Kingdom, our legal bases under GDPR Article 6 are:

Performance of a contract (Art. 6(1)(b)) — for account authentication, story delivery, and managing your subscription
Legitimate interest (Art. 6(1)(f)) — for diagnosing crashes and errors and preventing abuse
Consent (Art. 6(1)(a)) — for sending push notifications you have allowed
Consent (Art. 6(1)(a)) — for app usage analytics (device/session-level events, no child data), which is off by default and enabled only if you opt in
Consent + parental consent (Art. 6(1)(a) + Art. 8 GDPR-K) — for story engagement analytics, which additionally requires your explicit parental consent because it relates to your child's behaviour patterns. You can withdraw this independently of app usage analytics at any time.

6. How We Share Your Information

We share your information only with the trusted service providers listed below, and only to the extent strictly needed to provide lulutells. These providers act as our Data Processors under written agreements that prohibit them from using your data for their own purposes.

Provider	Purpose	Data shared	Where processed
Google Firebase (Google LLC)	Phone-number authentication (OTP); cloud database storing your account, child profiles and playback history (Firestore); crash reporting; push-notification delivery (Cloud Messaging); abuse prevention (App Check)	Parent's phone number; child profile (first name, age, language, sidekick); playback history; push token; anonymous device identifiers	Google data centres (US, EU, India)
AI narration provider	Generating and voicing personalised stories	Child's first name (sent ephemerally per story request), age, language, sidekick choice	Provider's servers (typically US)
Amazon Web Services, Inc. (AWS)	Hosting our story-generation backend on EC2; serving static legal/marketing assets from S3; caching generated audio in S3	All data described above, in transit; generated audio (no PII) stored in S3	AWS Mumbai region (ap-south-1), India
RevenueCat, Inc.	Managing subscriptions, validating store receipts and restoring purchases	Random app-user ID (your Firebase account ID), purchase/transaction history, store receipts, device identifiers, IP address. No payment card details — those stay with Apple / Google.	RevenueCat Cloud, United States
Apple App Store / Google Play	Processing the actual subscription payment	Your payment is handled entirely by the store under its own privacy policy; we receive only your subscription status	Per the store's own infrastructure
Sentry (Functional Software, Inc.)	Crash and error diagnostics	Stack traces, device type and state at the time of an error, app version, anonymous identifiers and (transiently) IP address. No child profile data.	Sentry Cloud, United States / EU
Expo (Expo / 650 Industries, Inc.)	Relaying push notifications to Apple APNs and Google FCM	Push notification token; notification payload (no child profile data beyond the child's first name shown in a reminder)	United States
PostHog, Inc.	Product analytics — two separate consent tiers (see below)	App usage analytics (opt-in): anonymous session stats, feature-usage events, device type, app version, and approximate region (city/country, derived from IP address) — no child data. Story engagement analytics (separate opt-in): story interaction events linked only to an anonymous ID. No child name, phone number, precise location or other PII is ever included in either tier.	PostHog Cloud, United States

A note on analytics. lulutells uses a two-tier analytics system — both tiers are off by default and controlled independently in Parents Corner → Privacy.

Tier 1 — App usage analytics (opt-in). If you choose to opt in, lulutells sends anonymous, device-level session and feature-usage events to PostHog, Inc. (San Francisco, CA, USA). These events contain only: a random Firebase UID, device type, app version, your approximate region (city/country, derived from your IP address), and general app signals such as "app opened" or "sound effects toggled". No child data of any kind is included.

Tier 2 — Story engagement analytics (separate opt-in). If you additionally consent to this tier, lulutells sends story interaction events (e.g. "story started", "story completed", progress milestones, favourites) to PostHog, Inc. These events are linked only to a random anonymous ID and contain story metadata such as genre and age-tier — never a child's name, exact age, phone number, or any contact detail. A separate consent is required for this tier because it relates to your child's behaviour. You may withdraw this consent at any time without affecting Tier 1.

PostHog, Inc. processes this data under a Data Processing Agreement compliant with GDPR and CCPA. Their privacy policy and DPA are available at posthog.com.

We never share your data with advertisers, data brokers, social networks, or anyone for marketing purposes. We may disclose information without your consent only when legally required to do so — for example, to comply with a valid court order or to protect the safety of a child.

7. Children's Privacy (the most important section)

lulutells is designed for use by children aged 3 to 10, with their parent or guardian's consent and active oversight.

7.1 Parental consent (COPPA, GDPR-K, DPDP Act)

Before you can create a child profile, lulutells presents you with this Privacy Policy and requires you to expressly accept it. By tapping "I am the parent or guardian and I accept", you confirm that:

You are at least 18 years old
You are the parent or legal guardian of the child whose name and age you enter
You give us your verifiable consent to process that information for the limited purposes set out in Section 5

You can withdraw consent at any time — see Section 8.

7.2 What we never do with children's data

We never display third-party advertising to children
We never make personal data of a child publicly available
We never use children's data to train external AI models
We never share, sell, rent or trade children's data
We never ask the child directly for personal information beyond the four onboarding fields (first name, age, language, sidekick)
We never use behavioural advertising, retargeting or cross-app tracking on children

7.3 Data minimisation

We collect the least information necessary. The core profile we ask you to provide for one child is just four fields: first name, age, language and sidekick choice. As stories are played, we also keep a playback record (which story, how much was completed, when) tagged with the child's first name so you can see recently-played stories and listening streaks. We never collect the child's last name, address, photograph, voice recording, school, location, date of birth or any identifier that could be used to contact the child outside lulutells. You can delete the playback history at any time (Settings → clear history) or delete everything by deleting the account.

7.4 Direct notice to parents (COPPA)

This Privacy Policy is the direct notice to parents required under COPPA. You acknowledge receipt of this notice by accepting it in-app. A copy of the policy is also available at https://lulutells.com/privacy-policy.html and within the app under Settings → Privacy Policy.

8. Your Rights and Parental Controls

You have the following rights over your data and your child's data. Most can be exercised directly in the app; for the rest, write to support@lulutells.com.

Right	How to exercise	Available under
See what data we hold about you or your child	Email support@lulutells.com — we will reply within 30 days	DPDP §11, GDPR Art. 15, COPPA §312.6
Correct any inaccurate data	In-app: Settings → Edit Child Profile, or email us	DPDP §12, GDPR Art. 16
Delete all data	In-app: Settings → Delete Account, or email us	DPDP §12, GDPR Art. 17, COPPA §312.6
Withdraw consent for processing	In-app: toggle either or both analytics options off in Parents Corner → Privacy, delete the profile, or email us	DPDP §6(4), GDPR Art. 7(3)
Object to processing	Email us with the reason	GDPR Art. 21
Data portability — receive your data in a machine-readable file	Email us — we will reply within 30 days	DPDP §11, GDPR Art. 20
Stop further collection while keeping existing data	Disable either or both analytics options in-app, or email us	COPPA §312.6
Lodge a complaint with a regulator	India: Data Protection Board of India. EEA/UK: your national DPA. US: FTC.	All

Withdrawing consent is as easy as giving it. Deleting the account in the app erases all stored data within 30 days, with the exception of records we are legally required to retain (see Section 9).

9. How Long We Keep Your Data

Data type	Retention period
Parent phone number + child profile (name, age, language, sidekick)	Until you delete the account, then up to 30 days for backup purge
Story playback history (incl. child's first-name snapshot)	Until you clear history in-app or delete the account, then up to 30 days for backup purge
Push notification tokens	Until you turn off notifications or delete the account
Subscription / purchase records	Held by RevenueCat and the app stores under their own policies for as long as your subscription is active; financial transaction records are retained for as long as required by applicable tax and accounting law
Anonymous analytics events — app usage (Tier 1) and story engagement (Tier 2), each independently opt-in	12 months from collection, then deleted automatically
Crash and diagnostic logs (Firebase, Sentry)	90 days
Records we are required by law to keep (e.g. tax)	As required by applicable law, then deleted

After the retention period ends, data is either deleted or fully anonymised so it can no longer be linked back to you or your child.

10. How We Keep Your Data Safe

Encryption in transit — all communication between the app and our servers uses HTTPS / TLS 1.2 or higher.
Encryption at rest — data stored by our service providers (Firebase, PostHog, cloud host) is encrypted at rest.
Access controls — only Devendra Mishra and explicitly-authorised contractors can access the production backend, using multi-factor authentication.
Cloud storage with strict access rules — your account, child profiles and playback history are stored in our cloud database (Google Firebase Firestore) under security rules that allow only your own authenticated account to read or write your data. A copy is also cached on your device using the operating system's secure storage (iOS Keychain-backed AsyncStorage on iPhone, encrypted SharedPreferences on Android) for fast, offline access.
No retention on AI provider — story-generation requests are sent ephemerally; the AI provider does not retain prompts beyond the time required to fulfil the request.

No system is 100% secure. If we ever become aware of a personal data breach affecting you or your child, we will notify you and the relevant authority without undue delay and in any event within 72 hours (GDPR) / as required under §8(6) of the DPDP Act, 2023.

11. International Data Transfers

lulutells is operated from India. Some of our service providers process data in the United States, the European Union and other countries. When data is transferred outside India or outside the European Economic Area / United Kingdom, we rely on appropriate safeguards:

Standard Contractual Clauses (EU Commission's 2021 SCCs) where required by GDPR
Service-provider data-processing agreements that bind the recipient to standards equivalent to the DPDP Act and GDPR
Where the transfer is to a country with adequate protection (e.g. EU adequacy decisions), we rely on that adequacy decision

You can request a copy of our SCCs by writing to support@lulutells.com.

12. Permissions Used by the App

lulutells uses the following device permissions. Apart from the optional Notifications permission, none of them are used to collect personal data — they are used purely for the technical functioning of audio playback.

Permission	Platform	Why
Microphone (`NSMicrophoneUsageDescription` / `RECORD_AUDIO`)	iOS, Android	Required by the audio framework for audio session routing (handling speaker vs. headphones, ducking ambient music when narration plays). We do not record sound from the microphone. We do not store, transmit or analyse microphone input.
Modify audio settings	Android	Adjust the volume of narration vs. ambient music.
Vibrate	Android	Optional haptic feedback when tapping interactive story elements.
Background audio	iOS	Allow a story to keep playing if you lock the screen or switch apps.
Notifications (`POST_NOTIFICATIONS` on Android / notification authorisation on iOS)	iOS, Android	Send the story reminders and account notices described in Section 13. Optional — you can decline, and the app works without it.
Internet	iOS, Android	Stream the story from our backend and sync your profiles.

We do not request location, camera, photo-library, contacts, calendar, Bluetooth, or any tracking permissions.

13. Push Notifications

Push notifications are optional and only sent if you grant notification permission. You can turn them off at any time in your device settings, and reminder timing is configurable inside the app (Parents Corner). lulutells sends two kinds of notification:

Account & service notices — for example, a one-time password (OTP) for sign-in, or a reminder that your free trial is about to end.
Story reminders (engagement) — for example, a gentle bedtime reminder ("Story time for [child] 🌙"), a "don't break your streak" nudge, or a note that new stories are available. These reminders may include your child's first name so they feel personal. They are scheduled to respect quiet hours (10 PM – 8 AM) and exist only to help your family enjoy the app — they are not third-party advertising.

We do not show third-party advertising, and we will never share or sell your phone number or any contact information — yours or your child's — to advertisers or for third-party marketing.

14. Changes to This Policy

We may update this policy from time to time. When we make a material change (for example, a new type of data collection, a new service provider, or a change to children's data handling), we will:

Update the version number and effective date at the top of this document
Show you the updated policy in the app and require you to accept it again before continuing to use lulutells
Email you at the address on file if we have one

The current version is always available at https://lulutells.com/privacy-policy.html and in the app under Settings → Privacy Policy.

15. Contact Us / Grievance Officer

Devendra Mishra
Sole proprietor, trading as lulutells
No 2240, AECS Layout, 11th Main A Block, Bangalore, Karnataka, India
India

Contact / Grievance Officer (DPDP Act §10): support@lulutells.com

We acknowledge all requests within 7 working days and respond substantively within 30 days.

Regulatory authorities

If you are not satisfied with our response, you have the right to complain to:

India — Data Protection Board of India (once constituted under DPDP §18)
European Economic Area / UK — your national Data Protection Authority (a list is available at edpb.europa.eu/about-edpb/board/members_en)
United States — Federal Trade Commission, at reportfraud.ftc.gov

16. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of India. Disputes will be subject to the exclusive jurisdiction of the courts of Bengaluru, Karnataka, India, without prejudice to your right under your local law to bring a claim before a regulator in your home country.

This document is provided in English. In the event of any conflict between this English version and a translated version provided in the app (e.g. हिंदी), the English version prevails.