Last updated: June 2, 2026
What is COPPA?
The Children's Online Privacy Protection Act (COPPA) is a U.S. federal law that imposes requirements on operators of websites and online services directed to children under 13, or that knowingly collect personal information from children under 13. The FTC published amended COPPA Rules in April 2025 (effective June 2025, compliance deadline April 22, 2026), expanding the definition of personal information to include biometric identifiers and strengthening data retention, consent, and disclosure requirements.
Because FableJar is designed to create personalized bedtime stories for children aged 3–10, COPPA compliance is a non-negotiable foundation of how we build and operate this service. We apply COPPA protections to all users globally, regardless of their country of residence, as our baseline privacy standard for children's data.
Our Compliance Model
FableJar is a parent-first platform. Children never have independent accounts.
- All accounts are created and held by a parent or legal guardian who must be at least 18 years old. Age verification is required at signup and recorded in our system.
- Children exist as profiles under the parent's account — they have no login credentials, no email address, and cannot access the service independently.
- The parent is the data controller for all child profile information at all times.
- Every action involving a child's data — profile creation, story generation, friend connections, avatar generation, voice narration — is initiated and controlled by the parent.
Verifiable Parental Consent
We obtain verifiable parental consent before collecting any information about a child.
- At signup, parents must verify they are 18 or older. This verification is recorded in our system.
- When creating a child profile, parents must explicitly consent to our data collection and third-party sharing practices. This consent is recorded with a timestamp.
- For paid plan users (Starter and Family), the Stripe payment transaction serves as additional parental verification, as a credit card is required.
- For specific features that collect sensitive data — voice cloning and reaction video recording — separate, feature-specific consent is required and recorded with its own timestamp. These features are blocked until consent is given.
- Consent can be withdrawn at any time by deleting the child profile, removing the specific feature (e.g., deleting a voice clone), or closing the account entirely.
What Data We Collect About Children
We collect the minimum information necessary to generate personalized stories. Below is the complete list of data we collect about or related to each child profile.
Profile data (entered by the parent):
- First name — used to address the child as the hero of their stories. We collect only the first name, never a full name.
- Gender — used for correct pronouns and consistent depiction in illustrations (girl, boy, or non-binary).
- Age range — a categorical range (3–4, 5–7, or 8–10), not an exact date of birth. Used to select age-appropriate vocabulary, story length, and themes. We deliberately do not collect a precise date of birth.
- Interests — topics the child enjoys (e.g., basketball, dinosaurs, art), used to personalize story content.
- Personality traits — up to three traits (e.g., kind, curious, shy), used to shape how the child's character behaves in stories.
- Current challenges — the emotional or social challenges the parent selects (e.g., making friends, fear of the dark), used to generate stories addressing those specific situations.
- Favourites — favourite colours, animals, and activities, used as personalization details in stories.
- Content format preferences (optional) — text size, layout, and other reading comfort settings. These are functional accommodations, not medical or health data.
Generated data (created by the service):
- Stories — personalized story text containing the child's first name and details from their profile.
- AI-generated illustrations — stylized illustrations depicting the child's avatar in story scenes.
- AI-generated audio — voice narration of stories, which contains the child's first name spoken aloud.
Biometric-adjacent data (with separate consent):
- Child's photograph (for avatar generation) — uploaded temporarily, processed to generate a stylized avatar, then permanently deleted. See “Avatar Photo Processing” section below.
- Child reaction video (optional, with separate consent) — a short video recorded by the parent of the child's reaction to a story. Stored in private, encrypted storage accessible only to the parent. See “Reaction Video Recording” section below.
Social connection data:
- Story friend names — first names of the child's real-life friends, entered by the parent or obtained through friend connections with other FableJar families.
- Friend connection records — records of which children are connected as story friends, managed entirely by parents through a verified consent process.
Data we do NOT collect about children:
We do not collect a child's email address, phone number, physical address, last name, precise date of birth, Social Security number or government-issued identifier, precise geolocation, or passwords/login credentials. Children have no accounts and no independent access to the service.
Avatar Photo Processing
When a parent uploads a child's photograph to generate a personalized avatar, the following process occurs:
- The photo is uploaded to our secure storage (Supabase, encrypted).
- The photo is compressed (maximum 512px, JPEG quality 80) and sent to Google's Gemini image model as inline data for avatar generation.
- Regardless of whether the generation succeeds or fails, the original photo is permanently deleted from our storage immediately after the generation run finishes. This deletion is automatic and guaranteed — it occurs in a
finally block in our code, meaning it executes even if an error occurs. - The database pointer to the photo is nullified before the file is removed.
- What we retain is the generated stylized avatar illustration — not the original photograph.
The parent is shown a clear notice before uploading that explains: the image will be processed solely for avatar generation using AI, the image is not retained beyond the processing step, and it is removed automatically once the generation run finishes. Under the amended COPPA Rule, facial templates are classified as biometric personal information. While our avatar generation produces a stylized illustration (not a biometric facial template), we treat the source photograph as biometric data during the brief processing window and apply the protections described above.
Reaction Video Recording
FableJar offers an optional feature that allows parents to record a short video of their child's reaction while listening to a story. This feature requires separate, explicit consent:
- A specific consent checkbox must be checked before the recording feature is enabled. The consent timestamp is recorded in the database.
- Reaction videos are stored in a private, encrypted storage bucket with service-level access controls. They are not publicly accessible.
- Reaction videos are accessible only to the parent who created them, served via short-lived signed URLs.
- The parent can delete any reaction video at any time. Deletion is permanent and immediate.
- Reaction videos are never shared with third parties, never used for AI training, and never sent outside our secure storage.
- If the parent deletes their account, all reaction videos are permanently deleted as part of the account deletion process.
Voice Cloning
FableJar's voice cloning feature allows family members (parents, grandparents, aunts, uncles) to record their voice so that bedtime stories can be narrated in a familiar voice.
- We only record and process adult voices — never a child's voice. The voice recording endpoints require authentication as a parent, grandparent, or family member. There is no child role in our authentication system.
- Voice recordings are sent to ElevenLabs for voice clone generation. Only the adult's voice recording is sent.
- When a story is narrated using a cloned voice, the story text — which contains the child's first name — is sent to ElevenLabs and/or Google Cloud Text-to-Speech for audio generation. The child's first name appears in the narration text because the child is the hero of the story.
- Voice cloning requires separate, explicit consent. A consent checkbox must be checked before recording, and the consent timestamp is stored in the database. The recording feature is blocked until consent is given.
- Voice recordings can be deleted at any time by the parent. Previously generated narration audio remains playable, but the voice profile can no longer be used for new stories.
How We Use Child Data
- Child profile data is used solely to generate and personalize bedtime stories for that child.
- We never sell, rent, or share child data with third parties for marketing, advertising, or any non-essential purpose.
- We never serve advertisements to children or build advertising profiles from child data.
- Child data is never used to train any artificial intelligence model. See “AI Training Prohibition” section below.
AI Training Prohibition
In accordance with the FTC's guidance that disclosures of children's personal information to train or develop AI technologies are not integral to a service and require separate parental consent, we confirm the following:
- FableJar does not use any child data to train, fine-tune, or develop AI models.
- Our Google Gemini API access is on the paid tier. Under Google's paid-tier API terms, prompt data sent to Gemini is not used to train Google's models.
- We do not send any “train on this data” or “improve models” flags in our API calls to any AI provider.
- We are pursuing formal Data Processing Agreements (DPAs) with all AI vendors (ElevenLabs, Google Cloud TTS, Resend) to contractually confirm no-training terms alongside the existing Google Gemini paid-tier protections.
Third-Party Services and Data Sharing
FableJar uses the following third-party services to operate. We apply strict data-minimization practices. Below is a complete disclosure of every third party that receives data related to children, what data they receive, and why.
Google Gemini (Story Generation)
- Purpose: Generates personalized story text.
- What is sent: The child's first name is replaced with a placeholder token (CHILD_NAME) in every prompt — Gemini never sees the child's real name. However, the following child profile data IS sent in plaintext to generate an accurate, personalized story: physical appearance description, interests, personality traits, current challenges/themes, and friends' first names.
- Why it's integral to the service: Story generation is the core function of FableJar. The service cannot operate without it.
- Training: We are on the paid Gemini API tier. Under Google's terms, our prompt data is not used to train Google's models.
Google Gemini Image Model (Avatar and Illustration Generation)
- Purpose: Generates the child's AI avatar from a parent-uploaded photo, and generates story illustrations.
- What is sent: For avatar generation, the child's photo is sent as compressed inline data, then permanently deleted from our systems (see “Avatar Photo Processing” above). For story illustrations, the child's name is replaced with a generic descriptor (“a girl” / “a boy” / “a child”). Friends' first names may appear in illustration prompts for visual consistency.
- Why it's integral to the service: Illustrations are a core part of every FableJar story.
- Training: Same paid-tier terms as above — not used for training.
ElevenLabs (Voice Cloning and Narration)
- Purpose: Generates voice clones from adult family members' recordings and produces audio narration of stories.
- What is sent: Adult voice recordings for cloning. Story text for narration, which contains the child's first name as it appears naturally in the story.
- What is NOT sent: Child voice recordings are never collected or sent. No child photos or profile data are sent.
- Why it's integral to the service: Voice narration is a core feature of FableJar.
Google Cloud Text-to-Speech (Narration)
- Purpose: Generates audio narration of stories using standard AI voices.
- What is sent: Story text for narration, which contains the child's first name.
- What is NOT sent: No child photos, profile data, or voice recordings.
- Why it's integral to the service: Text-to-speech narration is a core feature.
Resend (Transactional Email)
- Purpose: Sends transactional emails including story-sharing notifications, friend request notifications, voice recording invitations, and referral emails.
- What is sent: The child's first name appears in email subject lines and body text for story-sharing and friend-connection emails (e.g., “A new story featuring Svara was just created!”). These emails are sent to parent email addresses only — never to children.
- Why it's integral to the service: Email is the primary communication channel for sharing stories between families and for the parental verification process for friend connections.
Supabase (Authentication and Data Storage)
- Purpose: Authentication, database storage, and file storage for all FableJar data.
- What is stored: All child profile data, stories, illustrations, audio files, voice recordings, and reaction videos. All data is encrypted at rest. Row-level security policies restrict access so that each family can only access their own data.
- Infrastructure: Self-hosted on our infrastructure.
Cloudflare (CDN and Security)
- Purpose: Content delivery network and DDoS protection.
- What is processed: Standard network traffic required to deliver the service. No child profile fields are sent in CDN request payloads.
Stripe (Payments)
- Purpose: Payment processing for paid plans.
- What is sent: Parent billing information only (parent email and account ID). No child names, child profile data, or child-related information is sent to Stripe.
Langfuse (AI Observability — Self-Hosted)
- Purpose: Monitoring and debugging AI story generation quality. Self-hosted on our own infrastructure — no data leaves our servers.
- What is stored: AI generation traces including prompts sent to Gemini. The child's first name is tokenized in these traces, but appearance descriptions, interests, challenges, and friends' first names may appear in trace data. Traces also include a child profile identifier for debugging purposes.
- Retention: Traces are retained for up to 90 days for quality monitoring, then purged.
- Access: Self-hosted, accessible only to our engineering team. Not shared with any external party.
No Advertising. We do not serve advertisements to children or on any authenticated page of FableJar. We do not build advertising profiles from child data. No advertising SDKs, pixels, or tracking scripts are loaded on any page where child data is accessible.
Analytics and Tracking
- Google Tag Manager (GTM) and Google Analytics (GA) are blocked on all authenticated routes (/dashboard/*, /create/*) by both server-side and client-side guards. No analytics scripts load on any page where child data is displayed, created, or accessed.
- No third-party analytics, heatmapping, session-recording, or tracking tools are used anywhere in the authenticated application. We do not use Sentry, PostHog, Hotjar, Mixpanel, Amplitude, or Facebook Pixel.
- The only cookies set on authenticated pages are essential/functional: the Supabase authentication session cookie (httpOnly), a language preference cookie (NEXT_LOCALE), and a referral attribution cookie (30-day expiry). No analytics or advertising cookies are set.
Data Retention
We maintain the following data retention policy for children's personal information:
| Data Type | Retention Period | Deletion Method |
|---|
| Child profile data (name, age range, gender, interests, traits, challenges, favourites) | Retained while the parent account is active | Permanently deleted on parent's request or account deletion |
| Stories and story text | Retained while the parent account is active | Permanently deleted on parent's request or account deletion |
| AI-generated illustrations | Retained while the parent account is active | Permanently deleted on parent's request or account deletion |
| AI-generated audio narration | Retained while the parent account is active | Permanently deleted on parent's request or account deletion |
| Child avatar (generated illustration) | Retained while the parent account is active | Permanently deleted on parent's request or account deletion |
| Source photograph (for avatar generation) | Deleted immediately after avatar generation completes — typically within seconds | Automatic deletion in code, guaranteed regardless of success or failure |
| Voice recordings (adult family members only) | Retained while the voice profile is active | Permanently deleted when parent removes the voice profile or deletes their account |
| Reaction videos | Retained while the parent account is active | Permanently deleted on parent's request or account deletion |
| AI generation traces (Langfuse, self-hosted) | Up to 90 days | Automatically purged after 90 days |
| Friend connection records | Retained while the connection is active | Deleted when either parent removes the connection or deletes their account |
| Guest stories (created before signup) | 7 days if unclaimed | Automatically deleted |
Upon a parent's deletion request, all child profile data, stories, illustrations, audio, voice recordings, reaction videos, and associated storage files are permanently deleted from our live database and storage. Deletion is immediate and irreversible. Database backups follow a rolling retention schedule; deleted data is fully purged from all backups within 30 days.
We do not retain children's personal information indefinitely. Data is retained only for the specific purpose for which it was collected (story generation and personalization) and only for as long as the parent account is active.
Data Security
We maintain a written information security program specifically addressing the protection of children's personal information. Key measures include:
- Encryption at rest: All child data stored in Supabase is encrypted at rest.
- Encryption in transit: All data transmitted between the user's browser and our servers, and between our servers and third-party APIs, is encrypted via TLS.
- Row-Level Security (RLS): Every database table containing child data has row-level security policies enforcing family-scoped access. A parent can only access their own family's data.
- Application-layer authentication: All API routes that access child data require authenticated parent sessions with family-membership verification, providing defense-in-depth alongside RLS.
- Private storage: Sensitive files (reaction videos, voice recordings) are stored in private buckets accessible only via short-lived, signed URLs generated server-side.
- Service-role access controls: Our API server accesses the database using service-role credentials with application-layer permission checks on every request.
- No child credentials: Children have no login credentials, no passwords, no email addresses, and no independent access to any system.
- Account deletion cascade: Account deletion permanently removes all child data from the database and recursively wipes all associated storage files (portraits, illustrations, audio, voice samples, reaction videos).
Parental Rights
As the parent or legal guardian, you have the right to:
- Review all personal information collected about your child at any time. All profile data, stories, illustrations, audio, and reaction videos are accessible from your dashboard.
- Modify your child's profile information at any time, including name, age range, interests, personality traits, challenges, and favourites.
- Delete your child's profile and all associated data at any time. Deletion is permanent and irreversible. All stories, illustrations, audio, voice references, reaction videos, and friend connections associated with that profile are permanently removed.
- Delete specific data — you can individually delete reaction videos, voice clones, and friend connections without deleting the entire profile.
- Withdraw consent for further data collection by deleting the child profile or closing your account entirely.
- Request a review of biometric-adjacent data — you can review and delete the child's avatar, reaction videos, and any data derived from a photograph at any time.
All of these actions are available directly from your dashboard. No need to contact support. However, you may also exercise any of these rights by emailing us at support@fablejar.com.
Friend Connections and Social Features
FableJar allows children's profiles to be connected as “Real Friends” so they can appear in each other's stories. This feature is designed with the following COPPA safeguards:
- No child directory or discoverability. Children's profiles are not searchable. Connections can only be made by entering another child's exact username, which is shared privately between parents offline.
- Two-sided parental consent. Sending a friend request requires the sending parent to verify their identity via email confirmation. Accepting a friend request requires the receiving parent to accept via a link sent to their account email. A child using the app alone cannot send, accept, or manage friend connections.
- Minimal data sharing. When two children are connected, the following data is shared between the two families for story generation purposes: the child's first name, age range, gender, avatar, interests, and personality traits. No parent information, email addresses, or location data is shared between families.
- Revocable at any time. Either parent can remove a friend connection at any time. Removal is immediate. Previously generated stories featuring both children remain in Memory Jar but no new shared stories can be created.
Contact
If you have questions about our COPPA compliance, wish to exercise any parental rights, or would like to report a concern, please contact us at:
Email: support@fablejar.com
We will respond to all COPPA-related inquiries within 5 business days.