Your Family's Privacy, Taken Seriously

HeroKid is built for families. Protecting children's data is our highest priority. This policy explains what we collect, how we use it, and your rights as a parent or guardian.

Last updated: March 2026

1. Introduction

HeroKid ("we", "us", "our") is an AI-powered storytelling app designed for children ages 5–12, operated under parental supervision. We comply with the Children's Online Privacy Protection Act (COPPA) and applicable data protection laws. Only a parent or legal guardian may create an account and manage child profiles.

2. Information we collect

From parents (account holders)

Email address (required for account creation)
Information you choose to provide when contacting support or managing your account
IP address at the time of parental consent (for verification records)
Payment information (processed securely by Apple, Google, or Stripe — we do not store card details)
Credit balance and transaction history

From children (provided by the parent)

Child's name and display name
Age or birth month and year
Gender
Interests, personality traits, and favorite story themes
Preferred language and art style

We do not collect information directly from children. All child data is entered and managed by the parent.

Photos

Portrait and full-body photos uploaded for avatar and pet companion creation
Photos are processed by Google's AI services and automatically deleted within 48 hours
Only the generated cartoon avatars are retained — source photos are never kept
A full deletion audit trail is maintained for compliance

Automatically collected

Technical request and security data needed to operate and protect the service
Diagnostic and reliability data used to investigate failures and maintain service availability
Rate-limiting and abuse-prevention counters used to protect the service

3. How we use your information

Generate personalized stories using your child's name, age, interests, and personality
Create cartoon avatars and pet companions from uploaded photos
Process in-app credit purchases through Apple App Store, Google Play, or Stripe
Moderate content safety using AI-powered filtering and human review
Improve the service using anonymized, aggregated usage data
Send essential account emails (consent confirmation, account deletion notices)

We never sell personal data. We never use your data for advertising.

4. Third-party service providers

We use the following service providers to operate HeroKid. All act as service providers on our behalf — not as independent data controllers. They process data solely under our instructions.

Provider	Purpose	Data retention
Google (Gemini API)	Story generation & avatar creation	Transient (API call duration only)
Google (Cloud Vision)	Photo safety validation	Transient (API call duration only)
Supabase	Database & file storage	Until account deletion
Vercel	Web hosting	Per Vercel retention policy
Upstash	Rate limiting	TTL-based (minutes to hours)
Apple / Google / Stripe	Payment processing	Per processor policy

What data each service receives: For story generation, Google Gemini receives the child’s first name, age group, personality traits, adventure template, and pet companion details (name, type, personality, role). For avatar and pet image generation, Google Gemini Image receives uploaded reference photos (portrait and full-body). For story scene images, Google Gemini Image receives scene prompts along with avatar and pet reference images. For photo safety screening and pet-type detection, Google Cloud Vision receives uploaded photos. Generated images are also screened for safety before delivery. All data is processed transiently during the API call.

Google does not use customer data sent through paid API tiers to train its AI models.

5. Parental rights and controls

As a parent or guardian, you have the following rights under COPPA and applicable privacy laws:

Review your data: Request a copy of all information we hold about your family by emailing hello@herokid.app. We will respond within 30 days.
Delete your data: Request account deletion from Settings in the app. A 30-day grace period allows you to cancel. After the grace period, all data is permanently and irreversibly deleted.
Revoke consent: Use the one-click revoke link in your consent confirmation email (valid for 7 days), or request account deletion at any time.
Restrict processing: Contact us to limit specific uses of your data.

6. Data retention

Source photos: Automatically deleted within 48 hours of upload (enforced by an hourly automated process with a full audit trail)
Generated avatars and stories: Retained until the parent deletes the child profile or account
Account data: Retained while the account is active
After account deletion: 30-day cancellation window, then permanent removal of all associated data (children, stories, avatars, pets, payment records, audit logs)

7. Data security

We implement industry-standard security measures to protect your data:

Authentication managed by Supabase Auth with secure session handling
Rate limiting on all API endpoints to prevent abuse
Multi-layered content safety pipeline combining AI moderation with human review
Comprehensive audit logging for all sensitive operations (consent, deletion, data access)
All data transmitted over HTTPS

8. Children's privacy (COPPA)

We do not collect personal information directly from children. All child data is entered and managed exclusively by a parent or legal guardian.
Verifiable parental consent is required before any child profile can be created. We record the parent's consent status, timestamp, and verification details before enabling child creation features.
We do not condition a child's participation in any activity on the disclosure of more personal information than is reasonably necessary.
HeroKid has no social features, public profiles, chat, or child-to-child communication of any kind.
We do not share children's personal information with third parties except as described in Section 4 (service providers acting on our behalf).

9. Updates to this policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email before the changes take effect. Continued use of HeroKid after notification constitutes acceptance of the updated policy.

10. Contact us

If you have questions about this privacy policy, want to review or delete your data, or need to revoke consent, email us at hello@herokid.app.

Back to Home