Privacy Policy

Last updated: June 28, 2026

The short version

Glimmo makes personalized, narrated bedtime stories for children. We built it to be careful with your family’s data from day one. In plain terms:

• We don’t run ads and we don’t allow behavioral advertising or ad-tracking inside the app.
• We never sell your data — or your child’s — to anyone, and we don’t share it for others’ marketing.
• We minimize what we collect. We ask for a child’s first name and birth year (not a full date of birth), and we never store photos of your child.
• A parent is always in control — you set up profiles, and you can export or delete your family’s data at any time.
• Stories are generated and safety-filtered, not scraped from the open web.

This page explains the details. If anything is unclear, email us at lumkastories@gmail.com.

Who we are

Glimmo (“Glimmo,” “we,” “us,” or “our”) provides the Glimmo mobile application and the website at glimmo.app. For the purposes of the EU/UK GDPR, we are the data controller for the information described in this policy. Our service is offered to parents and guardians worldwide, and is intended to be set up and managed by an adult on a child’s behalf.

Information we collect

We collect only what we need to create and narrate stories, run accounts, and keep the service safe.

Account information (provided by the parent)

• Your email address and authentication credentials, used to create and secure your account.
• Basic account settings, such as your preferred app and story languages.

Child profile information (entered by the parent)

• The child’s first name (or a nickname you choose).
• Birth year only — used to tune reading level and age-appropriate content. We deliberately do not collect a full date of birth.
• The child’s story language, interests, and reading level.
• A “build-your-hero” avatar assembled from cosmetic options you pick (skin tone, hair, outfit, and so on). This is a set of style choices — never a photo of your child.

Story and usage content

• The stories generated for your child, including text, illustrations, and narration audio, and the choices made while reading them.
• Story prompts and preferences you provide when creating a story.
• If you choose to publish a story to our community “Explore” area (an optional, opt-in action), the version you publish after it passes our de-identification and safety review.

Purchase information

• Subscriptions and one-time purchases are processed by the Apple App Store and Google Play, and managed through our payments provider RevenueCat. We receive your subscription and entitlement status (for example, whether you have an active plan) but we do not collect or store your full payment-card details.

Technical and diagnostic information

• Limited device and app information (such as app version, device type, and language) needed to operate the service.
• Basic logs and error reports used to keep the app reliable and secure. We do not use third-party advertising or cross-app tracking SDKs.

Children’s data & parental consent

Glimmo is designed to be operated by a parent or guardian. We treat children’s information with extra care and aim to comply with the U.S. Children’s Online Privacy Protection Act (COPPA), the GDPR provisions for children (“GDPR-K”), and similar laws worldwide.

• Parent-controlled setup. Account creation, profile setup, and purchases sit behind an adult. Sensitive actions are protected by a parental gate.
• Data minimization. We collect the least information necessary to personalize a story — a first name, a birth year, interests, and reading level. We do not collect children’s photos, precise location, or contact details.
• No behavioral advertising. We never use children’s data to target ads, and we don’t allow ad networks to do so through our service.
• No voice biometrics in this version. Stories are narrated with stock voices. We do not collect a child’s (or parent’s) voice recordings, and there is no voice-cloning feature in the current release.
• Parental rights. As a parent, you can review, export, or delete your child’s information at any time, and you can withdraw consent by deleting the profile or account.

If you believe a child has provided us information without a parent’s involvement, contact us at lumkastories@gmail.com and we will delete it.

How we use information

We use the information above only to:

• Generate personalized, age-appropriate, illustrated, and narrated stories where your child is the hero.
• Create and secure your account and remember your preferences across devices.
• Apply our two-layer content-safety checks to keep stories child-safe.
• Process subscriptions and apply your plan’s story allowance.
• Operate, troubleshoot, and improve the service, and prevent abuse.
• Comply with legal obligations and enforce our terms.

We do not use your or your child’s information for advertising, profiling for marketing, or sale to third parties.

Legal bases for processing (GDPR)

Where the GDPR applies, we rely on the following legal bases:

• Performance of a contract — to provide the app, create stories, and run your account.
• Consent — the parent’s consent to set up a child’s profile and create personalized content, and for optional actions like publishing to Explore. You can withdraw consent at any time.
• Legitimate interests — keeping the service secure, reliable, and free of abuse, balanced against your rights.
• Legal obligation — where we must retain or disclose information to comply with the law.

How information is shared

We share information only with service providers (“processors”) who help us run Glimmo, under contracts that require them to protect it and use it only on our instructions. We do not sell personal information, and we do not share it for third-party advertising.

We may disclose information:

• To the infrastructure and AI providers listed in the next section, strictly to deliver the service.
• To comply with the law, a valid legal request, or to protect the rights, safety, and security of users and the public.
• In connection with a merger, acquisition, or sale of assets — in which case we will notify you and this policy will continue to apply to your information.

AI generation & service providers

To create a story, the prompts and profile details needed for that story are sent to the providers below, which process the content to return the generated result. We send only what is necessary, and these providers act as our processors.

• Supabase — database, authentication, and file storage for accounts, profiles, and generated stories.
• Railway — hosting for our story-generation worker.
• Google (Gemini models) — generates story text and illustrations.
• ElevenLabs — generates narration audio with stock voices.
• RevenueCat, with the Apple App Store and Google Play — subscription and purchase processing.
• Vercel — hosting for this website.

We choose providers that do not use your content to train their general models for their own purposes where that option is available to us, and we limit what we send to the minimum needed to generate your story.

Data retention

We keep account and profile information for as long as your account is active. Generated stories are retained so you and your child can re-read them, until you delete them or your account. When you delete a profile, story, or account, we delete or de-identify the associated personal information from our active systems, and remove it from backups within a reasonable period. We may retain limited records where required for legal, security, or accounting reasons.

How we protect your information

• Isolation at the database layer. Each family’s data is protected by row-level security so that one account cannot access another’s.
• Encryption in transit for data moving between the app, our backend, and our providers.
• No AI provider keys in the app. All generation runs through our backend, never directly from your device.
• Content safety. Parent input is filtered before generation, and generated output is filtered before it reaches a child.

No system is perfectly secure, but we work to protect your information using safeguards appropriate to its sensitivity.

Your rights & choices

Depending on where you live, you may have rights to access, correct, export, delete, or restrict the processing of your personal information, to object to certain processing, and to withdraw consent. Parents may exercise these rights on behalf of their child.

• Access & export. Request a copy of your family’s data.
• Correct. Update a profile’s details directly in the app.
• Delete. Delete a story, a child profile, or your entire account from the app, or by contacting us.
• Withdraw consent. Deleting a profile or account withdraws consent for that data.

To make a request, email lumkastories@gmail.com. We will respond within the time required by applicable law. You also have the right to lodge a complaint with your local data protection authority. We will not discriminate against you for exercising any of these rights.

International data transfers

Glimmo is operated globally and our providers may process information in the United States and other countries. Where we transfer personal information across borders, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses, to protect it in line with this policy and applicable law.

Changes to this policy

We may update this policy as the service evolves or the law changes. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you in the app. Your continued use of Glimmoafter an update means you accept the revised policy.

Contact us

Questions, requests, or concerns about your privacy? We’re a small team and we read every message.

Email: lumkastories@gmail.com