Privacy Policy
Last updated: 13 May 2026
At TalePop, your family's privacy is not a footnote. It is central to how we build everything. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and the rights you have in relation to it. It applies to parents and guardians who create accounts, and to the child profiles created within those accounts.
TalePop is available to users in Australia, Canada, and the United States. Different legal frameworks apply in each jurisdiction and we address each below.
1. Who We Are
TalePop is an online service operated from Australia. TalePop is the data controller (and where applicable, the organization responsible for personal information) for parent account information and child profile data stored on our platform.
Contact
For all privacy enquiries: info@talepopstories.com
2. Information We Collect
2.1 Parent / Guardian Account Information
- Email address (used for login, account communications, and as the verified parental contact for COPPA purposes)
- Password (hashed; never stored in plaintext)
- Payment information (processed by our payment service provider; we do not store card numbers)
- Subscription tier and billing history
2.2 Child Profile Data
Parents create child profiles to personalise stories. This may include:
- Child's first name or nickname
- Age
- Gender (if provided)
- Interests and hobbies
- Reading level preference
- Names of siblings, friends, and pets (first name or nickname only)
- City and country (optional, used for story setting)
2.3 Child Appearance Data (Sensitive Information)
Parents may optionally provide appearance descriptors for their child, including hair colour, eye colour, and other physical descriptors. These are used to generate illustrations and story descriptions that reflect the child's appearance.
Some appearance descriptors may constitute sensitive information under the Australian Privacy Act 1988 (Cth) and sensitive personal information under applicable Canadian and US privacy laws. The provision of appearance data is entirely optional. Where such data is provided, TalePop relies on explicit consent obtained at account creation and child profile setup. You may omit appearance data entirely without affecting the core functionality of TalePop.
2.4 Generated Content
- Stories generated for each child profile
- Illustrations generated for each story
- Story ratings and feedback (optional)
2.5 Technical Data
- IP address and approximate location (via our hosting infrastructure)
- Browser type and device information
- Pages visited and time spent (aggregated analytics only)
- Error logs for debugging purposes
3. Legal Framework for Collection and Use
3.1 Australia — Privacy Act 1988 (Cth), Australian Privacy Principles
TalePop collects and handles personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). We collect only the personal information necessary for the purposes described in this policy (APP 3), we use it only for those purposes or directly related secondary purposes (APP 6), and we take reasonable steps to protect it (APP 11). We notify individuals of the purposes of collection at or before the time of collection (APP 5).
3.2 Canada — PIPEDA and Provincial Laws
TalePop collects, uses, and discloses personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) and, where applicable, substantially similar provincial legislation including the Personal Information Protection Act (PIPA) in Alberta and British Columbia, and Law 25 (An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information, S.Q. 2021, c. 25) in Quebec.
Under PIPEDA, TalePop adheres to the ten fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. Under Quebec Law 25, we conduct Privacy Impact Assessments (PIAs) for new projects involving personal information, apply data minimisation, and provide enhanced rights to Quebec residents including data portability and the right to de-indexation.
TalePop's Chief Privacy Officer is responsible for the organisation's compliance with these obligations and can be contacted at info@talepopstories.com.
3.3 United States — COPPA and State Privacy Laws
For US users, TalePop complies with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501-6506; 16 C.F.R. Part 312) and, where applicable, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA, Cal. Civ. Code § 1798.100 et seq.). We also comply with applicable state-level privacy and breach notification laws including those of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with comprehensive privacy legislation.
3.4 Purposes and Legal Grounds
| Processing activity | AU legal ground | CA legal ground | US legal ground |
|---|---|---|---|
| Creating and managing your account | APP 3 — necessary for service provision | PIPEDA — consent; necessary to provide service | Contract performance; legitimate interest |
| Generating personalised stories and illustrations | APP 3 — primary purpose | PIPEDA — identified purpose; consent | Contract; COPPA verifiable parental consent |
| Processing payments | APP 3 — necessary for service provision | PIPEDA — necessary for commercial transaction | Contract performance |
| Sending transactional emails | APP 6 — directly related to primary purpose | PIPEDA; CASL s.6(6) — transactional/relationship message | Contract; CAN-SPAM Act transactional exception |
| Sending marketing emails | APP 3 — express consent (opt-in) | CASL s.6 — express consent required | Express consent (opt-in at registration) |
| Security logs and fraud prevention | APP 3/11 — necessary to protect integrity | PIPEDA — legitimate interest; security safeguard | Legitimate interest |
| Product analytics and improvement | APP 6 — related secondary purpose (de-identified) | PIPEDA — de-identified aggregate data | Legitimate interest (de-identified data only) |
| Processing optional appearance data | APP 3/7 — explicit consent for sensitive information | PIPEDA — express consent for sensitive data | CCPA — explicit consent; COPPA parental consent |
4. Children's Privacy
TalePop is a service for families. Parents and guardians create and manage all accounts. Children do not interact directly with TalePop, do not create accounts, and do not enter information. All personal information about a child is entered by the parent or guardian.
4.1 COPPA — Verifiable Parental Consent (United States)
TalePop is subject to the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13 for any purpose other than generating personalised stories for that child as directed by their parent or legal guardian.
TalePop obtains verifiable parental consent through the payment transaction process. A credit or debit card payment by the parent constitutes a monetary transaction that generates a notification to the primary cardholder, which is an FTC-approved method of verifiable parental consent under 16 C.F.R. §312.5(b)(2). The act of completing payment and creating child profiles constitutes verifiable parental consent for TalePop to collect and use the child profile data described in this policy.
An alternative consent mechanism is available for users who cannot use the payment-based method. To request an alternative consent process, please email info@talepopstories.com.
Parents may at any time review, request corrections to, or request deletion of their child's profile and all associated data by contacting us at info@talepopstories.com or through the account settings page.
4.2 Australia — Children's Online Privacy
Australia's Online Safety Act 2021 and the Australian Children's Online Privacy Code (anticipated to come into effect by December 2026 under the Privacy Act 1988) establish obligations for online services likely to be accessed by children. TalePop designs all data handling practices around the best interests of the child as the primary consideration, consistent with the expected requirements of the Australian Children's Online Privacy Code. We will update this policy as the Code is finalised and enacted.
Child data collected by TalePop is not used for profiling beyond personalising the individual child's own stories. We do not profile children for commercial purposes and do not create behavioural databases of children.
4.3 Canada — Children's Consent under PIPEDA and Provincial Law
Under PIPEDA and the guidance of the Office of the Privacy Commissioner of Canada (OPC), the consent of children under 13 years of age requires parental or guardian authorisation to be meaningful. TalePop does not permit children to create accounts directly. All child profiles are created and managed by the parent or guardian, and the parent's account creation and payment transaction constitutes the authorisation for TalePop to collect and process the child's profile information for the purpose of story generation.
For Quebec residents, TalePop complies with the enhanced child privacy requirements under Quebec Law 25, including data minimisation and the prohibition on using children's personal information for commercial profiling purposes.
4.4 Profiling — All Jurisdictions
We use child profile data solely to generate that specific child's personalised stories and illustrations. We do not create cross-child profiles, behavioural databases, or commercial profiles of children. AI personalisation is strictly limited to story and illustration generation for the individual child profile. Child profile data is never used to train AI models or for any analytical purpose beyond delivering the requested story.
5. How We Use Your Information
We use the information we collect to:
- Create and manage your parent account
- Generate personalised stories and illustrations for your child profiles
- Process subscription payments and manage billing
- Send transactional emails including account confirmations, password resets, and subscription receipts
- Send marketing or product update emails (where you have opted in)
- Provide customer support when you contact us
- Detect, investigate, and prevent fraudulent or unauthorised use of the service
- Comply with our legal obligations in Australia, Canada, and the United States
- Improve the quality, reliability, and relevance of story generation (using aggregated, de-identified analytics only)
We do not sell your personal information or your child's personal information to any third party. We do not use your information for targeted advertising. We do not share personal information for cross-context behavioural advertising.
6. Third-Party Service Providers and Data Processors
TalePop engages trusted third-party service providers to operate the platform. We do not disclose the identity of our technology providers publicly in order to protect our proprietary systems. The categories of providers we use, and the purposes for which data is shared, are set out below. All service providers are engaged under written agreements that contractually restrict their use of personal information to the specified purpose and prohibit secondary use, including use for AI model training, profiling, or advertising.
| Category | Location | Purpose | Child data shared |
|---|---|---|---|
| Cloud database and authentication provider | Australia | Stores all account data, child profiles, and generated stories; manages user authentication | Parent account, child profiles (name, age, gender, interests, appearance descriptors, generated stories) |
| AI text generation provider | United States | Generates personalised story narrative based on the child's profile | Child's name, age, gender, interests, reading level, and optionally appearance descriptors, sibling names, friend names, pet name, city, and country, as entered by the parent |
| AI image generation provider | United States | Generates illustrations for each story page | Image description prompts derived from the child profile and story content, including appearance descriptors and scene descriptions |
| Payment processing provider | United States | Processes subscription and one-time payments | Parent email address and payment details only. No child profile data is shared with our payment provider. |
| Cloud hosting and infrastructure provider | United States | Hosts the TalePop web application and serves content to users | Web traffic logs (IP address, request metadata) only. No structured child profile data. |
Child profile data transmitted to our AI service providers is used solely to generate the requested story and illustrations for that child. We have confirmed that our AI service providers do not use personal data submitted through their APIs to train AI models without explicit opt-in consent, and no such opt-in is enabled for TalePop. Our data processing agreements with all third-party providers contractually prohibit secondary use of child profile data, including model training, profiling, or any other use beyond generating the requested output.
7. International Data Transfers
7a. Australia — Transfers to the United States
Under Australian Privacy Principle 8 (APP 8) of the Privacy Act 1988 (Cth), before disclosing personal information to overseas recipients, TalePop takes reasonable steps to ensure those recipients handle the information consistently with the Australian Privacy Principles. The United States does not have a law substantially similar to Australia's Privacy Act.
TalePop relies on contractual protections, specifically data processing agreements with each US-based service provider, as the mechanism to ensure equivalent protection consistent with APP 8.
By using TalePop and creating child profiles, you acknowledge that personal information may be disclosed to US-based providers that are not required to comply with the Australian Privacy Principles, and that you may have limited recourse under Australian law if such a provider mishandles your information. This acknowledgement is recorded as part of your account creation.
7b. Canada — Transfers to the United States and Australia
Under PIPEDA, organisations may transfer personal information to service providers in other countries for processing, provided those providers offer a comparable level of protection. TalePop transfers Canadian users' personal information to service providers located in Australia and the United States.
TalePop takes contractual measures, including data processing agreements with all service providers, to ensure that personal information transferred outside Canada is protected to a standard comparable to that required by PIPEDA. These agreements restrict service providers' use of personal information to the specified purposes and require appropriate security safeguards.
Canadian users are advised that personal information transferred to service providers in the United States and Australia may be subject to access by authorities in those countries under their applicable laws. By creating an account and child profiles, you acknowledge this transfer and consent to it for the purposes of receiving the TalePop service.
For Quebec residents, this cross-border transfer has been assessed under Quebec Law 25. A Privacy Impact Assessment in respect of cross-border data flows is available on request by emailing info@talepopstories.com.
7c. All Regions — Security of Transfers
All personal data is transmitted between your browser, our servers, and our service providers using TLS encryption (HTTPS). All stored data is encrypted at rest. Generated illustrations are stored and served over encrypted connections.
8. Data Retention
We retain your data only for as long as necessary to provide the service and meet our legal obligations.
| Data type | Retention period |
|---|---|
| Parent account and email address | Duration of account, plus 30 days after account deletion |
| Child profile data | Duration of account; 7 days after individual profile deletion; or 30 days after account deletion, whichever is sooner |
| Generated stories and illustrations | Duration of account, plus 30 days after account deletion |
| Payment records | 7 years from the date of transaction (required under Australian taxation law and comparable Canadian record-keeping obligations) |
| Parental consent records (COPPA) | Duration of account, plus 7 years after account closure |
| Breach of security safeguards records (PIPEDA Canada) | 24 months from the date of the breach (as required by the Breach of Security Safeguards Regulations, SOR/2018-64) |
| Story feedback and ratings | 2 years from submission, or until account deletion, whichever is earlier |
| Security and access logs | 90 days |
When retention periods expire, data is securely deleted or de-identified using industry-standard methods. De-identified data (from which all personal identifiers have been permanently removed) may be retained for longer periods for aggregate analytics and service improvement purposes.
9. Data Breach Notification
TalePop has implemented technical and organisational measures to protect personal information against unauthorised access, disclosure, alteration, and destruction. In the event of a data breach that may result in risk of harm, we will take the following steps:
Australia: In accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth), we will notify the Office of the Australian Information Commissioner (OAIC) and all affected account holders as soon as practicable, and no later than 30 days after becoming aware that an eligible data breach has occurred or is likely to have occurred. Our notification will include a description of the breach, the type of personal information involved, and the steps we are taking in response.
Canada: In accordance with the Breach of Security Safeguards Regulations under PIPEDA (SOR/2018-64), if a breach of security safeguards involving personal information creates a real risk of significant harm to an individual, we will report the breach to the Privacy Commissioner of Canada and notify all affected individuals as soon as feasible. We maintain records of all security breaches for a minimum of 24 months from the date of the breach, regardless of whether they create a real risk of significant harm. Factors we assess in determining real risk of significant harm include the sensitivity of the information, the probability of misuse, and the number of individuals affected.
United States: We comply with all applicable US federal and state data breach notification laws. For California residents, we provide notice in accordance with the California Consumer Privacy Act (Cal. Civ. Code § 1798.150) and the California Civil Code § 1798.82 (California Data Breach Notification Act). For residents of other states, we comply with applicable state breach notification statutes. Where federal law applies (including with respect to COPPA), we notify the Federal Trade Commission as required.
10. Your Privacy Rights
Depending on your jurisdiction, you have the following rights in relation to your personal information and the child profile data you have provided. To exercise any right, contact us at info@talepopstories.com. We will respond within 30 days (Australia / Canada) or 45 days (US / CCPA).
| Right | Jurisdiction |
|---|---|
| Access your personal data — request a copy of the personal information we hold about you and your child profiles | AU: APP 12 | CA: PIPEDA Principle 9 | US-CA: CCPA Right to Know |
| Correct inaccurate data — request correction of personal information that is inaccurate or incomplete | AU: APP 13 | CA: PIPEDA Principle 9 | US-CA: CCPA Right to Correct |
| Delete your account and all associated data — including all child profiles, generated stories, and account information (subject to retention obligations for payment records) | AU: APP 11 | CA: PIPEDA; Quebec Law 25 | US-CA: CCPA Right to Delete | COPPA: parental right to deletion |
| Data portability — receive a copy of your generated stories in a portable format | CA: Quebec Law 25 right to portability | US-CA: CCPA |
| De-indexation / withdrawal of consent — withdraw consent for processing at any time where consent is the legal basis (does not affect lawfulness of prior processing) | AU / CA / US |
| Limit use of sensitive personal information — including appearance data | US-CA: CCPA | CA: PIPEDA; Quebec Law 25 |
| Non-discrimination — you will not be penalised or offered a reduced level of service for exercising your privacy rights | US-CA: CCPA | AU: APP | CA: PIPEDA |
| Lodge a complaint — escalate unresolved concerns to the relevant supervisory authority | AU: OAIC | CA: OPC / provincial commissioners | US: FTC / state AGs |
California Residents
We do not sell your personal information or your child's personal information. We do not share personal information for cross-context behavioural advertising. You have the right to opt out of any future sale or sharing. To submit a CCPA request, please email info@talepopstories.com with the subject line “CCPA Privacy Request.”
Quebec Residents
Quebec residents have additional rights under Law 25, including the right to data portability (in a structured, commonly used, and technological format), the right to de-indexation (removal of publicly available personal information), and the right to request that personal information not be communicated outside Quebec where adequate protection cannot be ensured. To exercise these rights, contact info@talepopstories.com.
Supervisory Authorities
If you are not satisfied with our response to a privacy request or concern, you may contact the relevant authority:
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- Canada (federal): Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca
- Canada (Quebec): Commission d'accès à l'information du Québec (CAI) — cai.gouv.qc.ca
- United States: Federal Trade Commission (FTC) — ftc.gov, or your state Attorney General's office
We encourage you to contact us first so we can address your concern before escalation.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last updated” date at the top of this page and, where the changes are significant, notify you by email to your registered account address.
Your continued use of TalePop after a policy update constitutes acceptance of the updated policy. If you do not agree with a material change, you may close your account at any time through the account settings page.
13. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal information, please contact us:
- General enquiries: info@talepopstories.com
- Privacy and data requests (access, correction, deletion, CCPA, portability, de-indexation): info@talepopstories.com — we respond within 30 days (AU / CA) or 45 days (US / CCPA)
- COPPA parental requests (review, correction, or deletion of child data): info@talepopstories.com