Privacy Policy

My Lullaby is a service that creates personalised bedtime stories and delivers them by email. The service is operated by Vova Lukashov (“My Lullaby”, “we”, “us”), acting as the data controller for the personal data described below.

You can reach us at privacy@mylullaby.eu. A postal address is available on request.

An account is held by a parent or guardian (18 or older). The account holder provides a small amount of information to personalise stories for their child. The service is not directed to children and children do not create accounts or interact with it directly.

• Account data: your email address, preferred language (locale) and time zone.
• Child profile data you enter: the child’s first name, age, favourite animal, favourite colour, chosen story themes, story language and preferred delivery time. We never ask for a child’s contact details.
• Stories we generate for you, so you can re-read them.
• Billing data: your Stripe customer and subscription identifiers and subscription status. We do not see or store your card number — that is handled entirely by Stripe.
• Technical data: minimal server logs needed to operate the service securely.

We deliberately collect as little about a child as possible: a first name and a few preferences, used solely to make a story feel personal. This data is never sold and is never used for advertising or profiling. As the parent or guardian, you may edit or delete a child profile — or your entire account — at any time from your dashboard.

• To provide the service — create stories, deliver them by email, run your subscription and provide support. Legal basis: performance of our contract with you (GDPR Art. 6(1)(b)).
• Marketing emails (only if you opt in) — occasional product news. Legal basis: your consent (Art. 6(1)(a)), which you can withdraw at any time.
• Legal and accounting obligations — keeping records related to payments and tax. Legal basis: legal obligation (Art. 6(1)(c)).
• Security and abuse prevention — keeping the service safe and reliable. Legal basis: our legitimate interests (Art. 6(1)(f)).

We use a small number of trusted processors who handle data on our behalf, under contract and only as needed to run the service:

• Vercel — application hosting and privacy-friendly, cookieless usage analytics.
• Neon — managed PostgreSQL database where your account and profile data is stored.
• Resend — delivery of sign-in links and story emails.
• Stripe — payment processing and subscription management.
• Anthropic, accessed via the Vercel AI Gateway — generates the story text from the profile details you provide.
• TikTok — advertising measurement via the TikTok Pixel, only when you accept our cookie banner.
• Google — advertising measurement via Google Ads conversion tracking, only when you accept our cookie banner.
• Meta — advertising measurement via the Meta Pixel, only when you accept our cookie banner.

We do not sell your personal data to anyone.

Some of these providers are based in the United States. Where personal data is transferred outside the EU/EEA, it is protected by appropriate safeguards such as the European Commission’s Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

We keep your account, profile and story data for as long as your account is active. When you delete a child profile, its stories are deleted with it; when you delete your account, all associated personal data is removed promptly. Records we are legally required to retain (for example, billing and tax records) are kept only for the period required by law.

Essential and functional cookies keep you signed in and remember your chosen language. Our usage analytics (Vercel Web Analytics) is cookieless and does not track you across other sites.

To measure our advertising we use the TikTok Pixel, the Meta Pixel and Google Ads conversion tracking, which set cookies and may share limited, hashed information (such as a hashed email address) with TikTok, Meta and Google. They load only after you accept our cookie banner. If you decline, no advertising cookies are set and nothing is shared with these providers; you can change your choice anytime by clearing your browser’s site data.

Under the GDPR you have the right to:

• access the personal data we hold about you and receive a copy (portability);
• correct inaccurate data or complete incomplete data;
• erase your data (“right to be forgotten”);
• restrict or object to certain processing;
• withdraw consent to marketing at any time.

You can exercise most of these directly from your dashboard, or by emailing privacy@mylullaby.eu. We aim to respond within one month. You also have the right to lodge a complaint with a supervisory authority — in Spain this is the Agencia Española de Protección de Datos (AEPD, aepd.es) — or the authority in your country of residence.

Data is transmitted over encrypted connections and stored with reputable providers. While no online service can be completely secure, we take reasonable technical and organisational measures to protect your information.

Story emails are part of the service you signed up for. Every story email includes a one-click unsubscribe link that immediately pauses delivery, and you can manage or stop stories anytime from your dashboard. Optional product-news emails are sent only with your consent and can be turned off at any time.

We may update this policy as the service evolves. We will revise the “last updated” date above and, for material changes, notify you by email.

Privacy questions: privacy@mylullaby.eu. General support: support@mylullaby.eu.