Privacy Policy

1. Introduction

[Company Name] ("we", "us", or "our") operates the Nitelit mobile application ("the App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App.

We take your privacy seriously, especially when it comes to children's data. Please read this policy carefully. If you do not agree with the terms of this policy, please do not use the App.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and password. Your password is hashed using bcrypt and is never stored in plain text.

Profile Data

We store your language preference and profile picture. Profile pictures are either uploaded by you (stored on Amazon S3) or automatically generated via Gravatar based on an MD5 hash of your email address.

Story Data

We collect the preferences you set for story creation, including selected themes, moods, age levels, character names, and language. For each generated story, we store the title, description, duration, language, play count, page text, and page illustrations.

Device Information

When you log in, we collect your device name and operating system version. This information is associated with your authentication token.

Subscription Data

We store your Stripe subscription ID, plan type, billing status, story usage count, and renewal date. We do not store your full payment details — payment processing is handled entirely by Stripe.

3. Children's Privacy

Nitelit is designed for use by parents and guardians. The App is operated by adults — we do not knowingly collect personal information directly from children under 16.

Character names and age levels entered by parents are used solely for story generation and are stored within the parent's account. We do not use children's information for advertising, tracking, or profiling purposes.

If you believe we have inadvertently collected personal information from a child, please contact us immediately so we can delete it.

4. How We Use Your Information

We use the information we collect to:

  • Generate personalized bedtime stories based on your preferences
  • Manage your account and authentication
  • Process payments and manage your subscription via Stripe
  • Maintain, improve, and secure the App
  • Communicate with you about your account, including password resets

We do not sell your personal data to third parties. We do not use your data for advertising purposes.

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), our legal basis for collecting and using your personal information depends on the data concerned and the context in which we collect it:

  • Contract performance: Processing necessary to provide you with the Nitelit service, generate stories, and manage your subscription.
  • Legitimate interests: Improving our App, preventing fraud, enforcing rate limits, and ensuring security.
  • Consent: Where you have given us explicit consent, such as for optional communications.

6. Third-Party Services

We use the following third-party services to operate the App. We only share the minimum data necessary for each service to perform its function.

Stripe (United States)

Payment processing, subscription management, checkout sessions, and billing portal. Stripe receives your name and email address. We store your Stripe customer ID, subscription ID, and price ID.

Anthropic (United States)

AI text generation for stories. Anthropic receives story parameters: theme, mood, age level, character name, and language. No personal user data (such as your name or email) is sent to Anthropic.

OpenAI (United States)

AI image generation for story illustrations. OpenAI receives image prompts derived from story content. No personal user data is sent to OpenAI.

Amazon Web Services (United States / EU)

Cloud storage for user-uploaded profile pictures via Amazon S3.

Gravatar / Automattic (United States)

Default profile picture service. Gravatar receives an MD5 hash of your email address to retrieve a profile image. Your actual email address is not shared.

7. International Data Transfers

Some of our third-party service providers are located in the United States. When your data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with GDPR Article 46, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the service provider's participation in recognized data protection frameworks.

For story generation, only story parameters (theme, mood, age level, character name, language) are sent to US-based AI providers — no personal user data is transmitted. For payment processing, Stripe operates under Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.

You may request further details about the safeguards in place by contacting us at [email address].

8. Data Storage and Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Passwords are hashed using bcrypt — never stored in plain text
  • HTTPS is enforced for all API communication
  • Authentication tokens are hashed before storage (via Laravel Sanctum)
  • Authentication tokens are stored securely on your device
  • Access to administrative functions is restricted via role-based access control

Story illustrations are stored on our server's filesystem. Profile pictures are stored on Amazon S3.

9. Data Retention

We retain your data for as long as your account is active or as needed to provide you with services. Specific retention periods:

  • Account and story data: Retained until you delete your account
  • Server logs (including IP addresses): Retained for up to 90 days, then automatically deleted
  • Billing records: Retained as required by Belgian tax and accounting law (up to 7 years for invoicing records)

Account Deletion

You can delete your account at any time from within the App. Deletion is processed immediately and is permanent and irreversible. The following data is permanently deleted:

  • Your user account and profile information
  • All personal access tokens
  • All generated stories, including text, pages, and illustrations
  • Your profile picture
  • Your Stripe customer data on our servers

Any active subscription is automatically cancelled upon account deletion. Stripe may retain customer records per their own data retention policy.

10. Your Data Rights (GDPR)

Under the GDPR and other applicable data protection laws, you have the right to:

  • Access your personal data — you can view your profile data at any time in the App
  • Rectify inaccurate data — you can update your name, email, language, and password at any time
  • Erase your personal data — you can delete your account and all associated data at any time (irreversible)
  • Restrict processing of your data
  • Data portability — receive your data in a structured, machine-readable format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at [email address]. We will respond to your request within 30 days, as required by the GDPR.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données):

Gegevensbeschermingsautoriteit
Drukpersstraat 35, 1000 Brussels, Belgium
Phone: +32 (0)2 274 48 00
Email: contact@apd-gba.be
Website: www.gegevensbeschermingsautoriteit.be

11. Automated Decision-Making

We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significantly affects you. Story generation is performed at your explicit request and based on parameters you provide.

12. Data Provision Requirements

Providing your name, email address, and password is required to create an account and use the App. Without this data, we cannot provide the service. Story preferences (theme, mood, age level, character name) are required to generate stories. Language preference and profile picture are optional.

13. Cookies and Tracking

The Nitelit App does not use cookies. Authentication is handled via secure tokens stored on your device. We do not use analytics or advertising trackers. If we add analytics in the future, this policy will be updated accordingly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App and updating the "Last updated" date above. For significant changes that affect your rights, we will notify you via email or in-app notification at least 30 days before the changes take effect.

15. Contact Us

The data controller for the Nitelit App is:

[Company Name]
[Address]
Belgium
Enterprise number: [VAT/BCE number]
Email: [email address]

If you have questions about this Privacy Policy, wish to exercise your data rights, or have privacy concerns, please contact us at the email address above.