Privacy Policy

Last updated: April 11, 2026

1. Introduction

This Privacy Policy describes how Ezducate.ai ("we," "us," or "our"), operating the EZStory platform at ezstory.app, collects, uses, discloses, and protects your information and the information of children who use our service. EZStory is a personalized children's book creation platform designed for parents, teachers, and children ages 3-18, including those with special needs such as autism, ADHD, and learning disabilities.

We are committed to complying with the Children's Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), the General Data Protection Regulation (GDPR), and other applicable privacy laws. We recognize the particularly sensitive nature of the data we handle, including information about children's special needs and learning disabilities.

2. Information We Collect

2.1 Account Information (from Parents and Teachers)

  • Full name and email address
  • Password (stored in hashed form only)
  • Account role (Parent, Teacher, or Admin)
  • Organization or school affiliation (for teachers)
  • Payment and billing information (processed by Stripe; we do not store card numbers)

2.2 Child Profile Information

  • Child's first name (or nickname/alias)
  • Age or date of birth
  • Reading level and grade
  • Interests, favorite topics, and character preferences
  • Special needs information (e.g., autism spectrum, ADHD, dyslexia, sensory sensitivities, learning disabilities)
  • Accessibility preferences (text size, color themes, simplified layouts, reduced animations)
  • Reading progress and session data

2.3 Content and Usage Data

  • AI-generated stories and illustrations created through the platform
  • Story customization preferences and prompts
  • Reading session duration, pages read, and completion data
  • Gamification data (achievements, streaks, points)
  • Text-to-speech usage and audio preferences

2.4 Technical Information

  • Device type, operating system, and browser information
  • IP address (for security and rate limiting purposes only)
  • Authentication tokens and session identifiers
  • Error logs and performance metrics

3. How We Use Your Information

  • Story Generation: Child profile data (name, age, interests, reading level, special needs) is sent to our AI service to generate personalized, age-appropriate stories.
  • Accessibility Customization: Special needs and accessibility preferences are used to adapt the reading experience (e.g., simplified text, visual supports, sensory-friendly themes).
  • Reading Analytics: Session data helps parents and teachers track reading progress and identify areas for support.
  • Text-to-Speech: Story content is processed through audio synthesis to provide narration for emerging readers.
  • Account Management: To maintain your account, process payments, and communicate service updates.
  • Service Improvement: Aggregated, de-identified usage patterns help us improve our AI models and platform features.
  • Security: To detect and prevent fraud, abuse, and unauthorized access.
  • Legal Compliance: To comply with applicable laws and respond to legal requests.

4. Children's Privacy (COPPA Compliance)

EZStory is designed to be used by parents and teachers on behalf of children. We take children's privacy extremely seriously and comply fully with COPPA requirements:

  • Parental Consent Required: Only parents, legal guardians, or authorized teachers may create child profiles. Children cannot create their own accounts.
  • Minimal Data Collection: We collect only the information necessary to provide personalized story experiences. We do not require a child's last name, home address, or phone number.
  • No Behavioral Advertising: We never use children's data for targeted advertising, behavioral profiling, or marketing purposes.
  • No Social Features for Children: Children cannot publicly share content, communicate with other users, or access social features.
  • Parental Control: Parents can review, modify, or delete all child profile data at any time through their account settings.
  • Teacher Access: Teachers may access student data only within their assigned classrooms, with parental knowledge and appropriate organizational authorization.
  • Data Retention Limits: Child data is retained only as long as the account is active. Upon deletion, child data is permanently removed within 30 days.
  • Verifiable Parental Consent: We implement age-gating and consent mechanisms in compliance with COPPA requirements before collecting any child information.

5. Special Needs and Sensitive Data

We recognize that information about a child's special needs (autism, ADHD, learning disabilities, sensory sensitivities) is particularly sensitive. We apply additional protections to this data:

  • Purpose Limitation: Special needs data is used exclusively to customize the reading experience and generate appropriate content. It is never used for any other purpose.
  • Minimal Sharing: Special needs details are processed locally where possible. When sent to AI services for story generation, only the minimum necessary context is included (e.g., "generate a story suitable for a child with sensory sensitivities").
  • No Discrimination: Special needs data is never used for discriminatory purposes, profiling, or shared with insurance companies, employers, or educational institutions beyond the scope of service delivery.
  • Enhanced Security: Special needs data receives additional encryption and access controls beyond standard personal data.
  • Explicit Consent: We obtain specific, informed consent before collecting special needs information, separate from general account creation.

6. Third-Party Services and Data Sharing

We use the following third-party services to operate EZStory. We share only the minimum data necessary for each service to function:

6.1 Google Gemini (AI Story Generation)

Data shared: Child's first name, age, interests, reading level, and relevant accessibility needs (in summarized form) are sent to Google's Gemini AI to generate personalized stories and illustrations.

Purpose: Core story and illustration generation.

Retention: Google processes data according to their AI data usage policies. We do not opt in to model training programs with user data.

6.2 OpenAI (Text-to-Speech)

Data shared: Story text content is sent for audio synthesis.

Purpose: Generating narration audio for stories.

Note: No child personal information is included in TTS requests, only the story text itself.

6.3 Stripe (Payment Processing)

Data shared: Parent/guardian billing information (name, email, payment method).

Purpose: Processing subscription payments and managing billing.

Note: We never store credit card numbers. All payment data is handled directly by Stripe under PCI DSS compliance.

6.4 Supabase (Database and Authentication)

Data shared: All account and profile data is stored in our Supabase PostgreSQL database.

Purpose: Data storage, user authentication, and row-level security enforcement.

Security: Data is encrypted at rest and in transit. Row-level security ensures users can only access their own data.

6.5 Vercel (Hosting and Deployment)

Data shared: Standard web request data (IP addresses, request headers).

Purpose: Application hosting, CDN delivery, and serverless function execution.

6.6 Resend (Transactional Email)

Data shared: Parent/teacher email addresses and email content.

Purpose: Sending account verification, password reset, and service notification emails.

Note: We do not send marketing emails to children or use email for advertising.

We do not sell personal information. We do not share data with data brokers, advertising networks, or any parties not listed above. We do not use children's data for any form of advertising.

7. Data Security

We implement comprehensive security measures to protect your data:

  • All data transmitted between your device and our servers is encrypted using TLS 1.3
  • Data at rest is encrypted using AES-256 encryption
  • Passwords are hashed using bcrypt with appropriate salt rounds
  • Row-level security (RLS) in our database ensures data isolation between users
  • CSRF protection, rate limiting, and input validation on all API endpoints
  • Two-factor authentication available for administrator accounts
  • Regular security audits and penetration testing
  • Admin access requires elevated authentication and is logged
  • Automated security alerts for suspicious activity

8. Data Retention and Deletion

  • Active Accounts: Data is retained for the duration of your active account.
  • Account Deletion: Upon account deletion, all personal data, child profiles, and generated content are permanently deleted within 30 days.
  • Child Data: Individual child profiles can be deleted at any time by the parent/guardian without deleting the entire account.
  • Reading Sessions: Historical reading data is deleted with the associated child profile.
  • Backups: Data may persist in encrypted backups for up to 90 days after deletion for disaster recovery purposes, after which it is permanently purged.
  • Legal Obligations: We may retain certain data as required by law (e.g., billing records for tax purposes) even after account deletion.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of all personal data we hold about you and your children.
  • Rectification: Correct inaccurate or incomplete information at any time through your account settings.
  • Deletion: Request deletion of your account and all associated data.
  • Data Portability: Export your data (including generated stories) in a standard format.
  • Restriction: Request that we limit processing of your data in certain circumstances.
  • Objection: Object to processing of your data for specific purposes.
  • Withdraw Consent: Withdraw consent at any time for optional data processing.
  • Parental Rights (COPPA): Parents may at any time review, request deletion of, or refuse further collection of their child's data by contacting us.

To exercise any of these rights, contact us at privacy@ezducate.ai. We will respond to verified requests within 30 days.

10. Cookies and Local Storage

EZStory uses cookies and browser local storage for essential functionality. For full details, please see our Cookie Policy.

  • Essential Cookies: Authentication tokens, session management, and CSRF protection. These are required for the service to function.
  • Preference Cookies: Theme settings, accessibility preferences, and reading position. These improve your experience.
  • Analytics: We use minimal, privacy-respecting analytics to understand usage patterns. No third-party tracking cookies are used.

We do not use advertising cookies or tracking pixels. We do not participate in cross-site tracking.

11. International Data Transfers

Our services are hosted in the United States. If you are accessing EZStory from outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws, including Standard Contractual Clauses where required.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. For material changes, we will:

  • Post the updated policy with a new "Last updated" date
  • Send email notification to all registered users
  • Provide a summary of changes
  • Obtain fresh consent where required by law

Continued use of EZStory after changes take effect constitutes acceptance of the revised policy.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle data, please contact us:

For COPPA-related inquiries or to exercise parental rights regarding your child's data, please email privacy@ezducate.ai with the subject line "COPPA Request."