This policy explains what information Storytime collects, how it is used, and what choices you have. It is written to be read by a parent or guardian in plain English. If anything here is unclear, please write to us at [email protected].
Who we are
Storytime is a children's storybook app made by BEK SERVICE LTD, a company registered in England and Wales.
- Email: [email protected]
- Postal address: 20-22 Wenlock Road, London, N1 7GU, United Kingdom
- Data controller for the purposes of the UK GDPR and EU GDPR: BEK SERVICE LTD
What data we collect in version 1.0
By default, none. Storytime ships with analytics turned off. If you leave it off (the default), the app does not:
- collect any personal information (name, email, address, phone number, date of birth, photo);
- ask you or your child to create an account, sign in, or enter any identifier;
- contact any server owned or operated by us;
- contain advertising or advertising SDKs;
- read or transmit contacts, calendars, photos, location, the microphone or the camera;
- use tracking identifiers such as IDFA (iOS Advertising Identifier) or Android AAID;
- set tracking cookies or web-based fingerprints;
- share, sell, or rent any information to anyone.
Story text, pictures, and audio narration are bundled inside the app and play back from the device's own storage. With analytics off, your child can use Storytime with Wi-Fi and mobile data switched off and the experience is identical.
Optional analytics (off by default)
In Settings → Privacy, a toggle labelled "Help improve Storytime" lets you opt in to anonymous product-usage analytics. If and only if you switch this on, Storytime records a small number of pseudonymous events through Firebase Analytics (a Google service), specifically:
- which stories are opened (story id — not title);
- which language is selected;
- aggregate session counts that Firebase generates automatically (
session_start,first_open,screen_view).
What is not collected under any circumstances:
- no name, no email, no age, no account identifier;
- no device advertising identifier (we do not request IDFA on iOS or AAID on Android);
- no GPS or city-level location;
- no story text, audio, or reading progress beyond the event names above.
Technically, Firebase generates a "Firebase Installation ID" which is a random string per install of the app. It is not tied to your Apple ID or Google account and is not linked to any advertising network. If you uninstall the app, that ID is gone. If you switch the toggle off, Firebase stops collecting.
Data flows to a Google Cloud Firebase project owned by BEK Service LTD (project id storytime-2026, region europe-west). Retention: 14 months (Google's default for children's-audience apps), after which Google automatically deletes the records. You can request earlier deletion by emailing [email protected].
We never sell or share this analytics data, and it is never combined with data from other apps or websites to profile your child.
Third parties
There is one third-party SDK in the app: Google's Firebase Analytics (see section above), and it is dormant until you opt in. No other third-party SDKs collect data.
The other external components in version 1.0 are Microsoft's .NET MAUI runtime and the CommunityToolkit.Maui library, which provide the user-interface plumbing and do not phone home.
- Apple App Store and Google Play Store operate the stores the app is distributed through. When you download the app, those platforms may record the download against your Apple ID or Google account. We receive only aggregate, anonymous download counts — we never see who downloaded the app.
- Apple and Google may collect anonymous crash reports at the operating-system level if you have opted in to "Share iPhone Analytics" (iOS) or "Usage and diagnostics" (Android). Those reports go to the platform vendor, not to us. If Apple or Google chooses to forward us an aggregate summary, it does not identify any individual user.
- We do not embed any social media buttons, share widgets, or login-with-Google/Apple flows in version 1.0.
Children under 13 (COPPA)
Storytime is directed to children. The United States Children's Online Privacy Protection Act (COPPA) applies. Because version 1.0 collects no personal information from anyone — children, parents, or any other user — we do not trigger COPPA's verifiable-parental-consent requirement.
Specifically:
- We do not knowingly collect personal information from children under 13.
- We do not use behavioural advertising, retargeting, or any kind of profile-building.
- We do not enable children to communicate with other users (there is no chat, no forums, no user-generated content, no social features).
- We do not show third-party advertising.
If you believe we have inadvertently collected information from a child, please email [email protected] and we will investigate and act immediately. Because nothing is transmitted off-device in version 1.0, the most likely answer is "there is nothing to delete", but we will check anyway and confirm in writing.
Parental controls
Storytime includes a parental gate: a short math puzzle that an adult must solve to reach any screen that leaves the reading experience. In version 1.0 this gate protects:
- links that open in a web browser outside the app (for example, links to this policy or to our contact email);
- settings that affect the experience;
- the future "restore purchases" and "manage subscription" flows described below, which do not appear in version 1.0 but are reserved in the UI.
The gate is refreshed on every launch so a child cannot simply remember the answer from a previous session.
Children in the EU and UK (GDPR-K, UK GDPR)
The same substance as the COPPA section applies under the EU General Data Protection Regulation and the UK GDPR.
- Legal basis for processing: not applicable — version 1.0 performs no processing of personal data.
- Data subject rights (access, rectification, erasure, restriction, portability, objection): you always have these rights. In version 1.0 they resolve immediately because there is nothing stored to access, rectify, or erase. If you write to us anyway we will confirm this in writing within 30 days.
- International transfers: none — there is no transfer because there is no collection.
- Automated decision-making / profiling: none.
- Right to lodge a complaint with a supervisory authority: UK users may contact the Information Commissioner's Office. EU users may contact their national data protection authority.
Future paid subscriptions (reserved for version 1.1 — not applicable until 1.1)
We plan to add paid story packs in a future release (version 1.1 and later). When that happens, this policy will be updated in advance, the app's store listings will be updated, and a new effective date will appear at the top. The changes are summarised here so that you know what to expect.
In version 1.1 and later, if and only if you choose to subscribe, the app will send a small amount of data to our server in order to verify that you are entitled to the paid content:
- Apple devices: the
originalTransactionIdfrom Apple's StoreKit — an opaque number issued by Apple that identifies the purchase, not you. - Android devices: the
purchaseTokenfrom Google Play Billing — an opaque string issued by Google that identifies the purchase, not you. - Device integrity token: an attestation produced by Apple App Attest (iOS / macOS / tvOS) or Google Play Integrity (Android). This proves the request comes from a genuine, unmodified copy of our app on a genuine device. The token does not contain any personal identifier.
We will not collect your name, your email, your postal address, your phone number, your child's name or date of birth, your device's advertising ID, your precise location, or any reading history. The identifiers we do collect are opaque — they identify the purchase to Apple or Google, not you to us.
We will retain these identifiers for the duration of your subscription plus 30 days, after which they are deleted from our servers. We need the 30-day tail to honour refunds, handle billing disputes, and comply with tax-record requirements.
We will never sell or rent this information. We will never use it for advertising. The only recipients will be:
- Apple or Google, so we can verify the receipt with them;
- Cloudflare Inc., which operates the infrastructure the verification traffic passes through (under a standard data-processing agreement).
Until version 1.1 ships, none of the above applies. Nothing is sent anywhere.
Security
Version 1.0 stores nothing that needs protecting, because it collects nothing. The app is code-signed by Apple or Google and distributed through the official stores; updates are delivered the same way.
For version 1.1's subscription data flow, we use HTTPS with certificate pinning, App Attest or Play Integrity on every authenticated call, short-lived JWTs bound to a specific device, AES-256-GCM for content, and per-user key wrapping. In short: even the receipt data we do process is encrypted in transit and kept to the minimum needed to unlock the content you paid for.
Changes to this policy
If we change this policy, we will update the "Effective date" at the top. Material changes (for example the launch of version 1.1's subscription) will be announced in the app's store listing release notes so you have a chance to read them before updating.
Contact
For any privacy question, data-subject-rights request, or COPPA enquiry:
BEK SERVICE LTD
20-22 Wenlock Road, London, N1 7GU, United Kingdom
Email: [email protected]
We aim to reply within a few working days and in any event within the 30-day window required by GDPR.