📱 KOSI is an interactive storytelling application for children ages 5-8. This privacy policy describes how we collect, use, and protect user information, with special emphasis on protecting children's data.
1. COPPA Compliance
KOSI complies with the Children's Online Privacy Protection Act (COPPA) and GDPR regulations for child protection. The application requires parental consent and supervision for all functions.
2. Information We Collect
2.1 Data collected from children:
- Child's first name: Stored locally on device and on secure server for experience personalization
- Voice requests: Processed temporarily for story generation, not permanently stored
- App activity: History of stories listened to (stored anonymously for service improvement)
- Device identifier: Used for pairing and synchronization
2.2 Data collected from parents:
- Email address: For account creation and important communications
- Payment information: Securely processed through third-party providers (Stripe)
- Voice recordings (optional): Only if parent enables voice cloning feature
2.3 Technical data:
- Device model and OS version
- App version
- Language settings
- Usage data (crash reports, performance)
3. How We Use Information
Children's data:
- Personalizing stories with child's name
- Generating age-appropriate educational content
- Synchronization between device and parental dashboard
- Improving quality of generated stories
Parents' data:
- Authentication and account management
- Payment processing and subscription management
- Service communications and updates
- Technical support
4. Voice Cloning Feature (Optional)
⚠️ Important note: The voice cloning feature is completely optional and requires explicit activation by the parent.
How it works:
- Parent records 15-60 seconds of clear speech
- Recording is encrypted and securely sent to ElevenLabs (text-to-speech provider)
- A voice model is generated used only for story narration
- Recording can be deleted at any time by parent
Voice data protection:
- All recordings are encrypted in transit and at rest
- Not shared with third parties (except ElevenLabs for processing)
- Parent has full control: can delete voice at any time
- Voice model cannot be used to recreate voice in other contexts
5. Third-Party Services
5.1 OpenAI (ChatGPT):
- Purpose: Story content generation
- Data sent: Child's request (e.g., "story about a dragon"), selected language
- Data NOT sent: Child's name, voice recordings, personal data
- Storage: OpenAI does not store requests per API terms
5.2 ElevenLabs (Text-to-Speech):
- Purpose: Story narration and voice cloning (optional)
- Data sent: Story text, voice recording (only if parent enables voice cloning)
- Storage: Voice model is stored encrypted for functionality
- Deletion: Parent can delete at any time through dashboard
5.3 Supabase (Backend & Database):
- Purpose: Secure data storage, authentication, synchronization
- Security: All data encrypted, access controlled through RLS (Row Level Security)
- Location: EU servers (GDPR compliant)
5.4 Stripe (Payments):
- Purpose: Payment processing and subscription management
- Data: Card information, parent email
- Security: PCI DSS compliant, KOSI does not store card data
6. Security
- Encryption: All data in transit uses HTTPS/TLS
- Storage: Data encrypted on secure servers
- Access: Restricted through authentication and granular permissions
- Audit: Continuous monitoring for suspicious activities
- Backup: Regular backups to prevent data loss
7. Parental Control
Parents have complete control over child's data through dashboard.kosiapp.com:
- View all stories listened to
- Manage app settings (language, voice cloning)
- Delete child data
- Disable features (voice cloning, story history)
- Export personal data (GDPR)
- Delete account and all associated data
8. User Rights (GDPR)
- Right of access: Parents can request a copy of all data
- Right to rectification: Correction of incorrect data
- Right to erasure: Complete deletion of data
- Right to portability: Export data in JSON format
- Right to object: Object to processing of certain data
9. Data Retention
- Child data: Kept while account is active, deleted within 30 days after account closure
- Voice recordings: Deleted immediately upon request or 30 days after account closure
- Story history: Kept for 1 year or until manual deletion
- Technical data: Anonymized after 90 days
10. Data Sharing
🔒 KOSI does NOT sell, rent, or share children's data with third parties for marketing purposes.
Data may be shared only in the following situations:
- With explicit consent: If parent requests
- Service providers: OpenAI, ElevenLabs, Supabase, Stripe (for functionality only)
- Legal obligations: If required by law or authorities
- Protection: To prevent fraud or protect safety
11. Advertising and Marketing
KOSI does NOT contain:
- ❌ Third-party advertisements
- ❌ Tracking for advertising
- ❌ Links to external sites (except parental dashboard)
- ❌ In-app purchases accessible to children (all purchases through parental dashboard)
12. Policy Changes
We will notify parents via email 30 days before any significant changes to this policy. Continued use of the application after changes constitutes acceptance of the new policy.
13. Jurisdiction
KOSI operates in compliance with:
- COPPA (USA) - Children's Online Privacy Protection Act
- GDPR (EU) - General Data Protection Regulation
- Regulation (EU) 2016/679 on data protection