Quillow Privacy Policy

Effective Date: March 25, 2026

Last Updated: March 25, 2026

Highstorm Labs LLC ("we," "us," or "our") operates the Quillow mobile application ("the App"). This Privacy Policy explains how we collect, use, store, and protect information when you use the App.

Quillow is a bedtime story app designed for parents. Parents use the App to generate personalized AI stories for their children. The App is not designed for, directed at, or intended to be used by children.

1. Information We Collect

1.1 Account Information

When you sign in with Apple, we receive:

A unique, anonymous identifier assigned by Apple (no email address unless you choose to share it)
An authentication token used to secure your account

We do not receive or store your Apple ID password.

1.2 Family Information You Provide

To generate personalized stories, you provide information about your family. This may include:

Parent information: Names, location, and any additional context you choose to share
Children's information: Names, ages, interests (e.g., "dinosaurs," "space"), and growth areas (e.g., "sharing," "patience")
Pet information: Names, type (via emoji), and descriptive details

All of this information is entered voluntarily by you, the parent. We do not collect information directly from children.

1.3 Story and Content Data

Storybooks ("Worlds"): Names, premises, tags, background descriptions, and cover art you create or generate
Stories: AI-generated story text, titles, synopses, and taglines
Story ratings: Your feedback on generated stories (loved, thumbs up, thumbs down)
Generation preferences: Tone, length, and custom requests you select when generating stories

1.4 Subscription Information

Subscription purchases are processed entirely by Apple through the App Store. We use RevenueCat, a third-party service, to manage subscription status. RevenueCat receives:

An anonymous user identifier (your Supabase account ID)
Subscription entitlement status (active or inactive)

We do not receive or store your payment method, billing address, or other financial information. Apple and RevenueCat handle all payment processing.

1.5 Information We Do Not Collect

We do not use analytics SDKs or tracking frameworks
We do not collect device identifiers for advertising purposes
We do not use cookies or similar tracking technologies
We do not collect location data from your device (any location you provide in your profile is entered manually)
We do not collect usage analytics, crash reports, or behavioral data beyond what Apple provides through its standard App Store analytics (which are anonymized and aggregated)

2. How We Use Your Information

We use the information you provide for the following purposes:

Story generation: Your family information (children's names, ages, interests, growth areas, pet details) and storybook settings are sent to our server to build AI prompts that generate personalized stories.
Account management: Your authentication credentials allow you to sign in, sync data across devices, and manage your account.
Data synchronization: Your family information and stories are synced between your devices and our server so you can access your content from any device signed into your account.
Improving story quality: Your story ratings help us understand which stories work well, but we do not use this data for any purpose other than improving the story generation prompts.

We do not use your information for advertising, marketing to third parties, user profiling, or any purpose unrelated to providing the App's core functionality.

3. How AI Story Generation Works

When you generate a story, the following happens:

Your family profile (children's names, ages, interests, growth areas, pet details), storybook settings, and recent story synopses are sent from our server to OpenAI's API.
OpenAI generates the story text based on these inputs.
The generated story is saved to our server and synced to your device.

What is sent to OpenAI:

Children's first names, ages, interests, and growth areas
Parent names and location (if provided)
Pet names and descriptions
Storybook name, premise, background, and tags
Synopses of recent stories (to avoid repetition)
Your selected tone, length, and any custom request

OpenAI's data handling: OpenAI processes this data to generate stories. Per OpenAI's API data usage policy, data sent through their API is not used to train their models. For details, see OpenAI's API data usage policy.

When you generate cover art for a storybook, the storybook's name, premise, and tags are sent to OpenAI's image generation API. No children's personal information is included in cover art requests.

4. Third-Party Services

We use the following third-party services to operate the App:

Service	Purpose	Data Shared	Privacy Policy
Apple (Sign in with Apple)	Authentication	Anonymous identifier	apple.com/privacy
Supabase	Server infrastructure, database, authentication	All family data, stories, account data	supabase.com/privacy
OpenAI	AI story and cover art generation	Family data, storybook data, story context (as described in Section 3)	openai.com/privacy
RevenueCat	Subscription management	Anonymous user ID, entitlement status	revenuecat.com/privacy
Amazon Web Services (AWS)	Cloud hosting (via Supabase)	All server-side data is hosted on AWS infrastructure	aws.amazon.com/privacy

We do not share your information with any other third parties. We do not sell, rent, or trade your personal information.

5. Children's Privacy and COPPA Compliance

5.1 The App Is for Parents

Quillow is designed for and marketed to parents and guardians. The App is not directed at children under 13 (or under 16 in certain jurisdictions). Children are not intended to create accounts, sign in, or operate the App.

5.2 Children's Information Collected from Parents

We recognize that the App collects personal information about children, as entered by their parent or guardian. This includes children's first names, ages, interests, and growth areas. This information is provided voluntarily by the parent for the sole purpose of generating personalized bedtime stories.

Under the Children's Online Privacy Protection Act (COPPA), a parent providing their own child's information in an app designed for parental use constitutes verifiable parental consent. By entering your children's information into the App, you consent to its collection, use, and processing as described in this Privacy Policy.

5.3 Parental Rights

As a parent, you have the right to:

Review your children's information at any time within the App (it is always visible in your profile)
Edit or delete any of your children's information at any time within the App
Delete your entire account and all associated data, including all children's information, from within the App (see Section 8)
Refuse further collection by deleting your account or removing your children's profiles

If you believe we have collected information from a child without appropriate parental involvement, please contact us immediately at support@highstormlabs.com and we will delete that information.

5.4 No Direct Contact with Children

We do not contact children. We do not use children's information to market to children. The only use of children's information is to generate stories that the parent reads to the child.

6. Data Storage and Security

6.1 Where Your Data Is Stored

On your device: Your data is stored locally in an encrypted SQLite database on your iPhone.
On our servers: Your data is synced to a Supabase Postgres database hosted on Amazon Web Services (AWS) infrastructure. Our Supabase project is hosted in the United States.
Cover art images are stored in Supabase Storage (also hosted on AWS).

6.2 How Your Data Is Protected

All communication between the App and our servers uses HTTPS/TLS encryption in transit.
Authentication is handled through Supabase Auth with JSON Web Tokens (JWTs). Every server request is authenticated and scoped to your user account.
Server-side database operations are scoped to your authenticated user ID, preventing access to other users' data.
API keys for AI services are stored on the server only and are never included in the App binary on your device.
Your Supabase authentication session is stored securely in your device's Keychain.

6.3 Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with applicable law.

7. Data Retention

Active accounts: We retain your data for as long as your account is active. Your family information, storybooks, and stories are kept so you can access them across devices and over time.
Generated stories: Stories are retained indefinitely within your account unless you delete them.
Deleted content: When you delete a story, storybook, child, or pet within the App, it is deleted from both your device and our servers during the next sync.
Account deletion: When you delete your account (see Section 8), all data is permanently deleted from our servers, including your profile, family information, storybooks, stories, and cover art. An audit log entry recording only the deletion event (user ID and timestamp) is retained for legal compliance.

8. Account Deletion

You can delete your account and all associated data directly within the App:

Open the App and tap your profile icon
Scroll to the bottom and tap "Delete Account"
Confirm the deletion

This will:

Delete your Supabase authentication account
Delete all server-side data (profile, children, pets, storybooks, stories, cover art) via cascading deletion
The local database on your device is cleared

Account deletion is permanent and cannot be undone.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

Access: Request a copy of the personal information we hold about you
Correction: Request correction of inaccurate information
Deletion: Request deletion of your information (available directly in the App)
Portability: Request your data in a portable format
Objection: Object to certain processing of your information

To exercise any of these rights, contact us at support@highstormlabs.com. We will respond within 30 days.

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

Know what personal information we collect and how it is used
Request deletion of your personal information
Opt out of the sale of your personal information (we do not sell personal information)
Non-discrimination for exercising your privacy rights

European Economic Area / UK (GDPR)

If you are in the EEA or UK, our legal basis for processing your personal information is:

Consent: You consent to the collection of your children's information by voluntarily entering it
Contract: Processing is necessary to provide the service you have requested (story generation)
Legitimate interest: Account security and fraud prevention

10. International Data Transfers

Your data is processed and stored in the United States. If you are using the App from outside the United States, your information will be transferred to and processed in the United States. By using the App, you consent to this transfer.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting the updated policy within the App
Updating the "Last Updated" date at the top of this policy

Your continued use of the App after changes are posted constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.

12. Contact Us

If you have questions about this Privacy Policy, your data, or your rights, contact us:

Highstorm Labs LLC
Portland, Oregon
Email: support@highstormlabs.com

If you believe we have not addressed your concern satisfactorily, you may have the right to file a complaint with your local data protection authority.