Privacy Policy

Little Legend ("we", "us", "our") is the data controller for the personal data described in this policy.

For data protection questions contact us at privacy@little-legend.app.

Account data: email address, password hash, account creation date, sign-in events.

Child data you provide: first name, optional age, and an uploaded photo. We do not ask for surnames, addresses, school information, or contact details for any child.

Story data: themes, art styles, and the AI-generated stories and illustrations created for you.

Technical data: device type, browser, IP address (hashed for abuse prevention only), and basic usage analytics if you opt in.

Performance of contract — to create the personalised storybook you requested.

Consent — for processing a child's photo, recorded via the parental consent step at upload time. Consent can be withdrawn at any time by deleting the photo or your account.

Legitimate interest — for fraud prevention, security, and improving service reliability (no profiling of children).

Photos are used solely as a visual reference for the AI illustration system to generate book artwork that resembles your child.

We do not run facial recognition, build face embeddings, or store biometric identifiers.

Photos are never used to train AI models — neither ours nor our sub-processors'.

Photos are stored in a private, access-controlled bucket. Only you (the account owner) and our backend can read them.

Photos are automatically deleted from storage 30 days after the book is generated. Guest (signed-out) photos are deleted within 24 hours.

Lovable Cloud (managed Supabase) — hosting, database, and file storage. Located in the EU.

Lovable AI Gateway — runs the text and image generation models on our behalf. No user data is retained by model providers for training.

Stripe — payment processing if you subscribe. We never see or store your card details.

Access — request a copy of your data via Account → Export.

Erasure — delete your account and all associated data via Account → Delete.

Portability — your export is provided as machine-readable JSON.

Rectification — edit your account details at any time, or contact us.

Withdraw consent — revoke parental consent by deleting the relevant book.

Complaint — you can lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local EU supervisory authority.

Child photos: 30 days after book generation (24 hours for guest flow).

Generated books: kept while your account is active; deleted on account deletion.

Account data: kept while your account is active; deleted within 30 days of deletion request.

Consent records: retained for 6 years for legal-evidence purposes, in anonymised form after account deletion.

Encryption in transit (TLS) and at rest. Private storage buckets with row-level access control. Server-side input validation. Rate limiting on sensitive actions. Audit logging.

Accounts may only be created by adults (18+) who are the parent or legal guardian of the child featured in their books. Children do not interact with the service directly.

This policy is version 2026-05-21.1. We will notify you in-app of material changes and ask you to re-consent.