1. Who We Are
BellaBear is operated by Simple Tech, LLC d/b/a BellaBear, a Pennsylvania limited liability company. For privacy inquiries, contact us at privacy@bellabear.co.
2. COPPA Compliance — Children's Privacy
BellaBear is a service directed at parents and guardians of children. Children do not interact with BellaBear directly. All account creation, data entry, and service interaction is performed by the parent or guardian.
We do not:
- Allow children to create accounts
- Collect information directly from children
- Use children's data for advertising or marketing
- Share children's data with third parties for their own purposes
- Use children's data to train AI models
2.1 Information We Collect About Children (From Parents)
| Data Type | What We Collect | Why | Retention |
|---|---|---|---|
| Bear Persona | Character name, favorite animal, favorite color, interests | To personalize stories | Until account deletion or parent request |
| Age Range | Age bracket (2-4, 5-6, 7-8) — not exact birthdate | To set story complexity level | Until account deletion |
| Daily Events | "What happened today" text (Starlight/Dreamland tiers only) | To create recap stories | Deleted after 7 days |
We do NOT collect: children's real names (Bear Personas are used instead), exact birthdates, photos, location data, or any biometric data from children.
2.2 Verifiable Parental Consent
Before we collect any information about your child, we require verifiable parental consent. We use the following methods:
- Credit card verification: A small temporary charge (immediately refunded) to verify the subscribing adult's identity
- Signed consent form: Electronic signature on our consent agreement during account creation
You may review, update, or delete all information about your child at any time by visiting your account settings or emailing privacy@bellabear.co.
3. Information We Collect From Adults
| Data Type | What We Collect | Why | Retention |
|---|---|---|---|
| Account Info | Email address, name | Account management, communications | Until account deletion |
| Payment Info | Processed by Stripe — we never see or store card numbers | Subscription billing | Managed by Stripe |
| Voice Recordings | Audio recording of parent/guardian reading (5-10 minutes) | To create a voice model for story narration | See Section 4 |
4. Voice Data — Special Protections
Voice recordings are biometric data. We treat them with the highest level of care.
- Voice recordings are uploaded directly to encrypted cloud storage (Azure Blob Storage with AES-256 encryption at rest)
- Voice recordings are never stored on local servers
- Voice cloning is performed by our TTS provider (Fish Audio) under a Data Processing Agreement
- Each voice clone requires explicit, signed consent from the voice owner (parents cannot consent on behalf of other adults like grandparents)
- You can request deletion of your voice recording and voice model at any time
- Upon deletion request, voice data is permanently removed within 30 days from all systems
4.1 Voice Consent Requirements
Before recording any voice, we require:
- Written electronic consent specifying how the voice will be used
- Acknowledgment that voice data will be processed by Fish Audio (our TTS provider)
- Acknowledgment of the right to revoke consent and delete voice data at any time
Grandparent/family member voices (Dreamland tier): Each person whose voice is recorded must provide their own consent. The subscribing parent cannot consent on behalf of other adults.
5. How We Use AI and Voice Technology
BellaBear uses artificial intelligence and voice synthesis technology to create personalized bedtime stories:
- Story generation: We use AI language models (Anthropic Claude) to generate unique story text based on your child's Bear Persona. Story prompts contain only the Bear Persona details (character name, favorite animal, interests) — never your child's real name or identifying information.
- Voice narration: We use voice synthesis technology (Fish Audio) to narrate stories using a voice model created from the parent's recording.
- Content safety: Every AI-generated story passes through our content safety pipeline before delivery, including keyword filtering, tone analysis, and age-appropriateness checks.
6. Third-Party Service Providers
We share data with the following service providers, each under a Data Processing Agreement:
| Provider | Purpose | Data Shared |
|---|---|---|
| Anthropic (Claude API) | Story text generation | Bear Persona details only (no real names, no voice data) |
| Fish Audio | Voice cloning and text-to-speech | Voice recordings, story text for narration |
| Microsoft Azure | Cloud storage for audio files | Voice recordings, generated story audio |
| Stripe | Payment processing | Email, payment method (handled by Stripe) |
| Cloudflare | Website hosting and CDN | Standard web traffic data |
We do not sell, rent, or share personal information with third parties for their own marketing purposes.
7. Data Retention and Deletion
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Bear Persona details | Until account deletion or parent request |
| "What happened today" entries | 7 days, then automatically deleted |
| Generated story text | 90 days, then automatically deleted |
| Generated story audio | 90 days, then automatically deleted |
| Voice recordings | Until consent revocation or account deletion |
| Voice models | Until consent revocation or account deletion |
| Consent records | 3 years after account deletion (legal requirement) |
| Payment records | Managed by Stripe per their retention policy |
To request deletion of any data, email privacy@bellabear.co or use the "Delete My Data" option in account settings.
8. Your Rights
As a parent or guardian, you have the right to:
- Review all information we hold about your child
- Update or correct any information
- Delete your child's information, your voice data, or your entire account
- Revoke consent for voice cloning at any time
- Refuse further collection of information about your child
- Export your data in a machine-readable format
To exercise any of these rights, email privacy@bellabear.co. We will respond within 30 days.
9. Data Security
We implement the following security measures:
- AES-256 encryption at rest for all stored data
- TLS 1.3 encryption in transit for all data transfers
- Role-based access controls that follow the principle of least privilege
- Regular security reviews and dependency updates
- Voice recordings uploaded directly to encrypted cloud storage (never stored on local servers)
- API keys stored in environment variables, never in code
10. Data Breach Notification
In the event of a data breach affecting your personal information, we will:
- Notify affected users within 72 hours via email
- Notify the FTC and applicable state authorities as required by law
- Provide details of what data was affected and recommended protective actions
11. State-Specific Rights
Illinois residents (BIPA): We maintain a publicly available biometric data retention and destruction policy. Voice recordings (biometric data) are retained only as long as consent is active or the account exists, and are destroyed within 30 days of a deletion request.
California residents (CPRA): You have additional rights under the California Consumer Privacy Act, including the right to know what data we collect, the right to delete, and the right to opt out of data sales. We do not sell personal information.
12. International Users
BellaBear is currently available in the United States only. If we expand internationally, we will update this policy to comply with applicable laws including GDPR.
13. Changes to This Policy
We will notify you of material changes to this privacy policy via email at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
14. Contact Us
For privacy inquiries, data requests, or concerns:
- Email: privacy@bellabear.co
- Mail: Simple Tech, LLC, Attn: Privacy, Pennsylvania