LoreZest Privacy Policy
Last Updated: February 17, 2026
Effective Date: February 17, 2026
Version: 1.0
1. Introduction
Welcome to LoreZest ("we," "our," or "us"). LoreZest is a mobile application operated by Optodish Inc. ("Company") that provides AI-generated personalized storybooks for children. We are deeply committed to protecting the privacy of our users, especially the children who use our app.
This Privacy Policy describes how we collect, use, disclose, and safeguard personal information when you use the LoreZest mobile application (the "App") and related services (collectively, the "Service"). By using the Service, you acknowledge that you have read and understand this Privacy Policy.
Important: LoreZest is designed for use by parents or legal guardians ("Parents") who create and manage accounts on behalf of their children. Children do not interact directly with the Service without parental oversight. All account creation, data input, and management functions are controlled by the Parent.
2. COPPA Compliance Statement
LoreZest is committed to complying with the Children's Online Privacy Protection Act (COPPA), which protects the privacy of children under 13 years of age. Because our Service involves children's content and data:
- Parental consent is required before any child-related information is collected.
- Only the Parent creates accounts and provides child information (name, photo, reading preferences).
- We do not collect personal information directly from children.
- We do not condition a child's participation on providing more personal information than is reasonably necessary.
- Parents may review, modify, or delete their child's personal information at any time.
- Parents may revoke consent and request deletion of all child data.
- We do not share children's personal information with third parties for marketing purposes.
3. Information We Collect
3.1 Parent Account Information
When a Parent creates an account, we collect:
| Data Type | Purpose | Required |
|---|
| Email address | Account creation, login, communication | Yes |
| Authentication credentials | Secure access to account | Yes |
| OAuth provider ID (Google/Apple) | Social login authentication | If used |
| Subscription & payment status | Manage premium access | Yes |
Note: We do not process or store payment card details. All payment processing is handled by Apple App Store, Google Play Store, and RevenueCat (our subscription management provider).
3.2 Child Profile Information
When a Parent creates a child profile, we collect:
| Data Type | Purpose | Required |
|---|
| Child's first name | Personalize stories with child as main character | Yes |
| Child's photo | Generate personalized story illustrations featuring the child | Optional |
| Reading level | Tailor story complexity and vocabulary | Yes |
| Preferred voice | Select narration voice for audio playback | Optional |
3.3 Usage & Activity Data
We automatically collect the following to provide and improve the Service:
| Data Type | Purpose |
|---|
| Reading sessions | Track progress (time, pages, completion) |
| Stories generated | Monitor usage limits and preferences |
| Vocabulary words saved | Support learning features |
| Badges & achievements | Gamification and motivation |
| Reading streaks | Encourage consistent reading habits |
| Practice session scores | Track quiz/spelling/matching activity |
| Story preferences | Categories, art styles, goals selected |
3.4 Technical & Device Data
We may collect standard technical data necessary to operate the Service:
- Device type and operating system version
- App version
- Crash reports and error logs
- General usage analytics (no personal identifiers)
We do not collect:
- Precise geolocation data
- Contact lists or address books
- Microphone recordings (audio permissions are used solely for future read-aloud features, not recording)
- Browsing history outside the App
- Advertising identifiers or tracking cookies
4. How We Use Information
4.1 Primary Uses
We use collected information exclusively to:
- Provide the Service — Generate personalized stories, narrate them with audio, track reading progress, and enable vocabulary learning.
- Personalize content — Use the child's name and (optionally) photo to create stories featuring the child as the main character.
- Enable parental oversight — Allow Parents to monitor their child's reading habits, progress, and achievements.
- Manage accounts & subscriptions — Process subscription changes, authenticate users, and enforce usage limits.
- Send email digests — Deliver weekly/biweekly/monthly reading progress reports to Parents (premium feature, opt-in).
- Improve the Service — Analyze aggregate, de-identified usage patterns to enhance features and fix bugs.
4.2 What We Do NOT Do
- We do not serve advertisements to children or adults.
- We do not use children's data for behavioral advertising or marketing profiling.
- We do not sell, rent, or trade any personal information.
- We do not use children's photos for any purpose other than generating story illustrations for that specific child.
- We do not build user profiles for advertising purposes.
- We do not engage in automated decision-making that produces legal or similarly significant effects.
5. Third-Party Services
We use trusted third-party services solely to deliver core functionality. Each provider is bound by contractual obligations to protect data and use it only as directed by us.
5.1 Infrastructure & Backend
| Provider | Purpose | Data Shared |
|---|
| Supabase | Authentication, database, file storage | Account data, child profiles, stories, reading activity |
| Amazon Web Services (AWS) | Cloud infrastructure hosting | Data processed in transit |
5.2 AI & Content Generation
| Provider | Purpose | Data Shared |
|---|
| OpenAI | Story text generation | Child's first name, reading level, story preferences (no photos) |
| fal.ai (ByteDance SeedDream) | Story illustration generation | Child's photo (if provided), art style, scene descriptions |
| Amazon Polly | Text-to-speech narration | Story text content (no personal identifiers) |
Important safeguards for AI services:
- OpenAI: We send only the child's first name and story preferences. No photos, email addresses, or other identifying information is shared. Our API usage is configured with data privacy settings that prevent use of our data for model training.
- fal.ai (SeedDream): Child photos are transmitted solely to generate story illustrations. Photos are processed in memory and are not stored, retained, or used for training by the provider after image generation is complete.
- Amazon Polly: Receives only story text for audio conversion. No personal identifiers are included in requests.
5.3 Communication
| Provider | Purpose | Data Shared |
|---|
| Resend | Transactional emails (reading digests, contact responses) | Parent email address, email content |
5.4 Payment & Subscriptions
| Provider | Purpose | Data Shared |
|---|
| RevenueCat | Subscription management, receipt validation | Anonymous user ID, subscription status, platform |
| Apple App Store | iOS payment processing | As per Apple's terms |
| Google Play Store | Android payment processing | As per Google's terms |
5.5 Authentication
| Provider | Purpose | Data Shared |
|---|
| Google Sign-In | OAuth authentication | Email, profile name (as authorized by user) |
| Apple Sign In | OAuth authentication | Email (may be hidden per user preference), name |
5.6 Reference
| Provider | Purpose | Data Shared |
|---|
| Free Dictionary API | Word definitions for vocabulary feature | Individual words looked up (no user identifiers) |
6. Data Storage & Security
6.1 Data Storage
- All data is stored on Supabase infrastructure hosted in the Canada (us-east-1 region).
- Child photos are stored in secure, access-controlled cloud storage buckets.
- Story content (text, images, audio) is stored in encrypted cloud storage.
6.2 Security Measures
We implement industry-standard security measures, including:
- Encryption in transit: All data transmissions use TLS 1.2 or higher.
- Encryption at rest: Database and storage data is encrypted using AES-256 encryption.
- Row-Level Security (RLS): Database policies ensure users can only access their own data.
- Authentication tokens: Secure JWT-based authentication with token expiration and refresh.
- Access controls: Service role keys are restricted to server-side functions only.
- Minimal data access: Third-party services receive only the minimum data necessary to perform their function.
6.3 Data Breach Notification
In the unlikely event of a data breach affecting personal information, we will:
- Notify affected users within 72 hours of discovery.
- Notify relevant regulatory authorities as required by law.
- Take immediate steps to contain and remediate the breach.
- Provide guidance to affected users on protective measures.
7. Data Retention & Deletion
7.1 Retention Periods
| Data Type | Retention Period |
|---|
| Parent account data | Until account deletion |
| Child profile data | Until profile or account deletion |
| Child photos | Until profile or account deletion |
| Generated stories | Until manually deleted by Parent or account deletion |
| Reading activity data | Until profile or account deletion |
| Email history | 90 days after sending |
| Crash/error logs | 30 days |
7.2 Account Deletion
Parents may delete their account and all associated data at any time through:
- In-app deletion: Navigate to Settings → Account → Delete Account.
- Email request: Contact us at info@lorezest.com.
Upon account deletion, we will:
- Permanently delete all parent account information.
- Permanently delete all child profiles and associated data.
- Permanently delete all generated stories, images, and audio.
- Remove all data from cloud storage within 30 days.
- Purge data from database backups within 90 days.
7.3 Individual Child Profile Deletion
Parents may delete individual child profiles without deleting their entire account. This removes:
- The child's name and photo.
- All reading progress, sessions, and vocabulary data.
- All badges and achievements for that child.
8. Parental Rights
As a Parent using LoreZest, you have the right to:
- Access: Review all personal information we have collected about your child.
- Correct: Update or correct any inaccurate information about your child.
- Delete: Request deletion of your child's personal information at any time.
- Restrict processing: Limit how we use your child's data.
- Revoke consent: Withdraw consent for the collection of your child's information.
- Port data: Request a copy of your child's data in a portable format.
- Opt out of emails: Unsubscribe from reading digest emails at any time via the unsubscribe link in any email or through app settings.
To exercise any of these rights, contact us at info@lorezest.com or use the in-app settings.
9. Additional Compliance
9.1 GDPR (General Data Protection Regulation)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland:
- Legal basis for processing: We process data based on (a) contractual necessity to provide the Service, (b) legitimate interests in improving the Service, and (c) parental consent for children's data.
- Data transfers: Data is transferred to and processed in the Canada. We rely on Standard Contractual Clauses and provider certifications to ensure adequate protection.
- Data Protection Officer: For GDPR inquiries, contact dpo@lorezest.com.
- Right to lodge a complaint: You may file a complaint with your local data protection authority.
9.2 CCPA / CPRA (California Consumer Privacy Act)
For California residents:
- We do not sell personal information (as defined by CCPA/CPRA).
- We do not share personal information for cross-context behavioral advertising.
- California residents have the right to know, delete, correct, and opt out of the sale/sharing of personal information.
- To exercise your rights, contact info@lorezest.com.
9.3 CalOPPA (California Online Privacy Protection Act)
- This Privacy Policy is conspicuously posted and accessible from our App.
- We honor Do Not Track (DNT) signals — we do not track users across third-party websites.
- We will notify users of material changes to this policy.
9.4 FERPA (Family Educational Rights and Privacy Act)
LoreZest is not a school-operated service and does not receive funding from the U.S. Department of Education. However, if LoreZest is used in an educational context, we are committed to supporting FERPA principles by ensuring that educational records remain under parental control and are not disclosed without consent.
9.5 App Store & Play Store Guidelines
Our data practices comply with:
- Apple App Store Review Guidelines (Section 5 — Legal), including the Kids Category requirements.
- Google Play Families Policy and Designed for Families program requirements.
- Both platforms' requirements for transparent data collection disclosures and safety labels.
10. Cookies & Tracking Technologies
LoreZest is a native mobile application and does not use:
- Browser cookies
- Web beacons or pixel tags
- Third-party advertising SDKs
- Cross-app tracking identifiers
- Fingerprinting technologies
We may use standard mobile analytics provided by the platform (Apple/Google) that do not identify individual users.
11. Age Restrictions
- LoreZest accounts may only be created by individuals 18 years of age or older.
- Children under 18 may use the App only under the supervision of a Parent or legal guardian who has created an account.
- If we become aware that a child under 13 has provided personal information without verifiable parental consent, we will delete that information promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top of this page.
- We will notify users via in-app notification or email.
- For changes affecting children's data, we will obtain renewed parental consent where required.
Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy.
13. Analytics & Tracking
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products and services.
Website usage data is captured using first-party and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising.
Cookies Used by Microsoft Clarity
- _clck: Persists the Clarity User ID and preferences, unique to the site, attributed to the same user ID.
- _clsk: Connects multiple page views by a user into a single Clarity session recording.
Your Choices
When you first visit our website, you will be presented with a cookie consent banner. You can choose to accept or decline analytics cookies. If you decline, Microsoft Clarity will not set cookies and will operate in a limited, no-consent mode. You can change your cookie preferences at any time by clearing your browser's local storage and revisiting our site.
For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- General Support: info@lorezest.com
- Mailing Address: Optodish Inc., 925 Boulevard de Maisonneuve Ouest, Suite 259, Montréal, QC H3A 0A5, Canada
For COPPA-related inquiries or to exercise parental rights, please email info@lorezest.com with the subject line "COPPA Request."
We will respond to all privacy-related inquiries within 30 days.
© 2026 Optodish Inc. All rights reserved.