LumiTales — Privacy Policy and Data Protection
Version: 1.4
Effective date: 2 May 2026
Last updated: 2 May 2026
Applicable regulatory framework: Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data (GDPR); Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD); the Children's Online Privacy Protection Act (COPPA, United States) where applicable to users under 13; the Google Play Developer Program Policies, including the Families Policy and the Designed for Families programme to which LumiTales voluntarily adheres; and Google Play's Child Safety Standards Policy with respect to the prevention of Child Sexual Abuse and Exploitation material (CSAE).
Language and prevalence: The original, legally-prevailing version of this Policy is in Spanish — see /es/privacy. This English version is provided as a courtesy translation. In the event of any discrepancy or conflict between language versions, the Spanish version shall prevail (Terms of Service §9.5).
1. Data Controller information
| Controller | Jerónimo Repetto (natural person) |
| Country of residence | Spain |
| Contact email | lumitales.oficial@gmail.com |
| Product | LumiTales — children's storytelling mobile application |
| Data Protection Officer (DPO) | The formal appointment of a DPO under Article 37 GDPR is not required given the current nature, scope and volume of the processing activities. The Controller will handle data-protection enquiries through the contact email shown above. |
2. Use model and age positioning
LumiTales is an application primarily directed to children (Children's app audience on Google Play, Designed for Families programme). Minors are the primary recipients and consumers of the content (illustrated stories, narration, ambient audio), while adult holders act as configurators and purchasers of the service: they create the account, configure the profiles of the minors in their care, sign up for the subscription, and supervise the use.
- Account holder: must be 18 years of age or older. Only the adult holder signs up, configures profiles, and contracts the subscription.
- Child profiles: are created and managed exclusively by the adult holder. They are not independent accounts but entities attached to the adult's account.
- Minors cannot register or sign in by themselves. A minor consumes content within the account already configured and supervised by the adult holder.
- Data relating to minors: are provided by the adult holder (names, ages, gender, avatar) and not collected directly from the minor. The lawful basis for the processing is the consent of the holder of parental authority or guardianship (Article 8 GDPR; COPPA section 6501(1)).
This architecture satisfies COPPA and the Google Play Families Policy: no personal data is collected directly from the minor, since all information about minors stems from the voluntary act of a verified adult holder. Adherence to the Designed for Families programme reflects the commitment to strict child-privacy and child-safety standards.
Related Terms clause
"Use of LumiTales requires the account holder to be 18 years of age or older. Minors may use the application under the supervision and within the account of their parent or legal guardian, who will create individual profiles for each minor. The application does not allow direct registration by minors."
Parental consent — implicit model by unequivocal act
The consent of the holder of parental authority or guardianship is deemed granted, by an unequivocal act in the sense of Article 4(11) GDPR, at the moment the adult holder creates a child profile within the application. This Policy expressly declares that model and therefore no additional acceptance checkbox is required on screen.
Designed for Families (Google Play) — age-neutral screen
LumiTales is distributed on Google Play under the Designed for Families audience (apps primarily directed to children). Even so, because account creation and subscription contracting are reserved to adults, the first launch — and any subsequent launch while the answer is "I'm a kid" — shows a preliminary screen asking whether the user is an adult or a minor:
- "I'm an adult / parent" — the user proceeds to the regular flow (legal acceptance, sign-in, onboarding and the app).
- "I'm a kid" — the user is taken to a demo mode that allows reading only the 5 stories published for the current day (next subsection). There is no path from this branch to account creation, sign-in, subscriptions, profile creation or the historical library.
The choice is persisted locally on the device (Hive, key
audience_mode). The adult holder can flip it back at any time
from the demo banner.
Child Safety Standards — CSAE prohibition
LumiTales takes a zero-tolerance stance against Child Sexual Abuse and Exploitation material (CSAE):
- Explicit prohibition in generated content. Any content generation that depicts, promotes or facilitates child sexual abuse or exploitation is strictly forbidden, and the AI models used are configured with prompts, filters and guardrails to prevent it.
- Human review prior to publication. Every story, illustration and audio file is editorially reviewed before becoming available to user accounts. The team immediately removes any material that could violate this clause.
- In-app reporting mechanism. Every reading screen exposes a visible "Report inappropriate content" button that lets any user — including a minor in demo mode — flag content without leaving the application. Reports are stored in the content_reports collection and are reviewed by the team within 24 business hours; flagged content is removed from the service when the report is founded.
- Legal compliance and cooperation. Should confirmed CSAE be detected, LumiTales will follow applicable law and cooperate with competent authorities and with the United States National Center for Missing & Exploited Children (NCMEC) where appropriate.
- Designated child-safety contact: lumitales.oficial@gmail.com (handled by the Controller identified in §1).
Demo mode for minors — no data collection
The demo mode reachable via "I'm a kid" exposes the 5 public-catalog stories for the current date and nothing more. In this mode the app operates fully anonymously:
- No Firebase Auth call is made. The minor never obtains a UID, is never asked for an email, and is never shown the sign-in screen. There is therefore no identifier attributable to the user within the meaning of Article 4(1) GDPR.
- No reading sessions are recorded. The users/{uid}/reading_sessions collection is unreachable without a UID and the corresponding client function silently no-ops when it detects no authenticated session.
- No Firebase Analytics events are sent. The SDK is initialised in the disabled state at every app start and only re-enabled when the user selects "I'm an adult", so no event ever leaves the device during the child branch.
- Favorites, ratings and subscription plans are unavailable. The repositories involved silently reject any attempt when there is no UID.
- Images and audio are served from Google Cloud Storage via public URLs, the same as for any anonymous internet visitor. Read access to the Firestore document holding the 5 stories (daily_library/{date}) is publicly open for this purpose; that document contains no PII whatsoever, only the day's catalogue.
This architecture ensures that LumiTales does not collect personal information from minors within the meaning of Article 8 GDPR or the US Children's Online Privacy Protection Act during demo mode. The sole processing operation in that branch is the client-side read of the day's public catalogue, which contains no personal data.
Telemetry off by default
As a direct consequence of being positioned as a Children's app
within Google Play's Designed for Families programme, Firebase
Analytics is initialized in the disabled state at every app start
and is only enabled when the device has audience_mode = adult
persisted locally. Telemetry on the "I'm a kid" branch is therefore
technically impossible: there is no authenticated session and the
SDK drops events on-device before any transmission.
Device identifiers not transmitted
In line with Google Play's requirements for apps with a child
audience, LumiTales does not request or transmit the following
identifiers: AAID (advertising ID — the
com.google.android.gms.permission.AD_ID permission is explicitly
removed from the AndroidManifest.xml), SIM serial number, IMEI,
IMSI, BSSID, MAC, SSID or phone number. Precise location and
Bluetooth are not requested either, and no third-party SDKs that
are not approved for use in services directed to children are
included in the application.
3. Data we collect
3.1 Account data (about the adult)
| Field | Source | Purpose |
|---|---|---|
| | Google Sign-In | User identification |
| Auth UID | Firebase Auth | Internal identification |
| Display name and profile picture | Google (optional) | Show in UI |
| App language | User selection / OS | Localise the experience |
| Last activity date | System | Sync the correct day's content |
3.2 Child profiles (provided by the adult)
| Field | Type | Required |
|---|---|---|
| Name / nickname | Text | Yes |
| Gender (M/F) | Selection | Yes (for grammatical agreement in stories) |
| Preset avatar | Selection | Yes |
| Profile colour | Selection | Yes |
| Date of birth OR age | Numeric | No — optional, either of them |
| Reader settings (font, size, dyslexia font, mute) | Toggles / sliders | No |
UX note: the app accepts either a date of birth (which then derives and locks the age) or the age directly. If the adult fills in neither, both stay empty. This is a deliberate data minimisation choice — we ask for the minimum and leave the rest to the user's discretion.
3.3 Usage data
| Field | Storage | Purpose |
|---|---|---|
| Reading sessions (story identifier, duration, completed, date and time) | Server + device | History, streak, eligibility to rate |
| Favorites (story identifier, title, date, language) | Server + device | "Favorites" feature |
| Ratings (1-5 stars, optional tags) | Server | Product improvement, anonymous aggregates |
| Reading schedule (days, time) | Server | Local reminders |
3.4 Subscription data
- Tier (trial / premium / expired): managed by RevenueCat.
- Receipt / proof of purchase: validated by RevenueCat.
- Payment data (card, etc.): processed directly by Apple App Store or Google Play. LumiTales never has access to payment data.
3.5 Technical data
- Installed application version
- Device locale
- Device model and operating-system version
- IP address (briefly recorded in Cloud Functions logs; see retention)
3.6 Microphone data — Magical Reading ⭐
When the user enables the "Magical Reading" feature:
- Audio is processed exclusively on-device through the operating system's native speech recogniser (Apple SFSpeechRecognizer / Android SpeechRecognizer).
- Audio is NEVER transmitted to LumiTales servers or any third party.
- Audio is NOT stored after processing.
- It is used solely to detect the trigger phrase of each scene and play the corresponding sound effect.
- The user must enable the feature explicitly from Settings and grant the microphone permission to the operating system.
- The user can disable the feature at any time.
3.7 Push notifications (planned, not active yet)
When the remote notifications system is activated:
- FCM token (anonymous device identifier): stored in Firebase to send reading reminders.
- Automatically invalidated when the app is uninstalled.
3.8 Analytics (Firebase Analytics)
Events collected:
- first_open, session_start, screen_view, user_engagement, login, app_remove (Firebase standard)
- story_read (custom — full reading of a story)
Data attached to each event:
- Device model, OS version, app version
- Country (derived from IP, not the full IP)
- Locale
- Persistent pseudonym (Firebase Instance ID — not direct PII)
Opt-out: the user can disable analytics from Settings (the "Share anonymous usage data" toggle). When disabled, the Firebase Analytics SDK stops sending events.
3.9 Crashlytics (planned, not active yet)
When activated:
- Error stack traces
- Device model, OS version
- App version
- No personal data in the reports
4. Third-party processors (with whom we share data)
| Provider | Country | Data received | Purpose | Legal mechanism |
|---|---|---|---|---|
| Google LLC — Firebase (Auth, Firestore, Storage, Cloud Functions, Analytics, FCM) | USA | Email, UID, profiles, sessions, ratings, favorites, analytics events, IPs (logs) | Backend + analytics | EU-U.S. Data Privacy Framework (certified) |
| RevenueCat Inc. | USA | UID + subscription data (NOT the card) | In-app purchase validation | EU-U.S. Data Privacy Framework (certified) |
| Apple App Store / Google Play | USA | Payment data | Payment processing | T&Cs of the respective platform |
| OpenAI Inc. | USA | Generation prompts + dictionary long-press words only. No PII. | Story generation, translation, validation, dictionary lookups | Standard Contractual Clauses (SCCs) |
| Google AI Studio (Gemini) | USA | Generation prompts only. No PII. | Story generation, QA, VCS | EU-U.S. Data Privacy Framework (Google) |
| ElevenLabs Inc. | USA | Short SFX prompts only. No PII. | Sound generation | Standard Contractual Clauses (SCCs) |
| Apple Speech / Google SpeechRecognizer | On-device processing on the user's own device | Microphone audio | On-device STT | No international transfer — the data does not leave the device |
External links (not our processors)
- Google Search (via the dictionary's "Search on Google" button): opens the user's browser with the query. Once outside LumiTales, Google's terms apply.
Future processors (planned)
- Veo3 / video generator (when integrated): this table will be updated with its transfer mechanism and shared data.
5. Data retention (Path A — "while you are a user")
| Category | Retention |
|---|---|
| Account data + profiles + favorites + ratings + sessions + schedule | While the account exists. Erased / anonymised within ≤30 days after a deletion request. |
| Subscription invoices | 5 years (AEAT obligation — Spanish tax law). Only the legally required minimum is kept (transaction + amount). |
| Firestore backups | +90 extra days after active deletion (Google's natural rotation) |
| Firebase Analytics | 14 months (GA4 default) — aggregated, not individual data |
| Cloud Functions logs (IPs) | 30 days |
| Crashlytics (when activated) | 90 days |
| FCM tokens (when activated) | While the app is installed (invalidated on uninstall) |
| Opaque hash of authentication-provider identifiers (free-trial abuse prevention) | For as long as LumiTales operates the service. This is an irreversible identifier (HMAC-SHA256 with a secret key) that does not allow the user to be re-identified and therefore does not constitute personal data within the meaning of Art. 4(1) GDPR. Rotating the secret key extinguishes every existing entry. |
6. Lawful bases for processing (GDPR Art. 6)
| Activity | Lawful basis | Justification |
|---|---|---|
| Authentication + user profile | Performance of contract (6.1.b) | Without email / UID we cannot deliver the service the user signed up for |
| Child profiles + favorites + reading schedule | Performance of contract | Core product features |
| Subscription + invoices | Performance of contract + legal obligation (6.1.b + 6.1.c) | Charging = contract; 5-year retention = AEAT obligation |
| Reading sessions + ratings | Performance of contract | The user wants their history, streak, etc. |
| Firebase Analytics | Legitimate interest (6.1.f) | Product improvement. Opt-out via toggle in Settings. |
| Crashlytics (when activated) | Legitimate interest | Bug fixing. Opt-out via toggle. |
| Cloud Functions logs | Legitimate interest | Security and debugging. Short retention. |
| Microphone — Magical Reading | Explicit consent (6.1.a + Art. 9 sensitive data) | Voice can be biometric data. In-app toggle + OS permission = double consent. |
| Push notifications (when activated) | Consent | Explicit OS permission + in-app opt-in |
| Cultural filter | Performance of contract | Tailoring the service to the user |
| Children's data | Parental consent (Art. 8) | The parent / guardian consents by creating the profile — implicit model attached to the act of creation |
| Free-trial abuse prevention | Legitimate interest (6.1.f) | We retain an opaque, irreversible identifier (HMAC-SHA256 with a secret key) derived from the authentication provider the user signed in with (Google Sign-In / Apple Sign-In) for as long as we keep the service open, with the sole purpose of preventing the same provider account from repeatedly obtaining the free trial period after requesting deletion. This identifier does not allow the user to be re-identified and does not contain personal data within the meaning of Art. 4(1) GDPR. |
7. Your rights (GDPR Art. 15-22)
You may exercise the following rights at any time:
| Right | How to exercise it |
|---|---|
| Access (Art. 15) — knowing what data we hold about you | Email lumitales.oficial@gmail.com — answered within ≤30 days with a structured export |
| Rectification (Art. 16) — correcting data | Self-service from Settings (profile, schedule, etc.); the rest by email |
| Erasure (Art. 17) — deleting your account and data | "Delete my account" button inside Settings → automatic deletion within ≤30 days. After deletion we retain only an opaque, irreversible hash of the identifier that the authentication provider (Google/Apple) assigned to the account. This hash is non-personal under GDPR (it cannot be used to re-identify the user and is computed with a secret key that is not published) and is used solely to prevent free-trial abuse via repeated account creation. |
| Restriction (Art. 18) — pausing processing | |
| Portability (Art. 20) — structured export | Email — the controller generates the JSON manually |
| Object (Art. 21) — opting out of legitimate-interest processing | Analytics toggle in Settings (no email needed) |
| Withdraw consent (Art. 7) | Corresponding toggles (mic, notifications) or email |
| No automated decisions (Art. 22) | N/A — we do not perform automated profiling with legal effects |
Right to lodge a complaint
If you believe LumiTales has not handled your data appropriately, you have the right to file a complaint with the Spanish Data Protection Agency (AEPD):
8. International transfers
Some of the providers we rely on to deliver the service are based in the United States. Personal-data transfers to those providers are made under the following legal mechanisms:
- Google LLC (Firebase, Cloud Functions, Cloud Storage, Analytics) and RevenueCat Inc.: certified under the EU-U.S. Data Privacy Framework.
- OpenAI Inc. and ElevenLabs Inc.: under Standard Contractual Clauses (SCCs) approved by the European Commission.
For microphone data processed locally by the device's OS (Apple / Google), there is no international transfer because the data does not leave the user's device.
9. Cookies and equivalent mobile technologies
LumiTales is a native mobile application and does not use HTTP cookies. We use the following equivalent technologies:
Local on-device storage: keeps user preferences, the cache of downloaded stories and the last-activity date. This data remains on the device and is not transmitted to our servers.
Firebase Instance ID: a pseudonymous identifier assigned by Google to the device, used by Firebase Analytics and Firebase Auth. This identifier does not contain direct personal information but allows associating analytics events with the same device. The user can reset it by clearing the app's data from the OS settings, or by disabling analytics from LumiTales' Settings.
We do not use advertising identifiers (Apple IDFA / Google Advertising ID) and we do not participate in third-party ad networks. For this reason, on iOS the app does not show the App Tracking Transparency prompt — it is not required.
10. Communications with the user
LumiTales may send you the following communications:
10.1 Transactional communications (necessary to deliver the service)
These do not require additional consent beyond using the service:
- Local reminders about the reading schedule you have configured in the app.
- Subscription notifications, including:
  - Automatic monthly or yearly renewal (the subscription renews itself at the end of each period unless cancelled in advance).
  - Cancellation: if you cancel your subscription, you keep Premium access until the end of the paid period.
  - Free-trial expiration.
- Confirmations of changes to your account (deletion, etc.).
- Relevant specific notices that directly affect the user or the platform (security incidents, important service changes).
10.2 Marketing communications
LumiTales NEVER sends promotional emails, newsletters or email advertising. Email is reserved exclusively for matters that directly affect the user.
In the future, LumiTales may send push notifications to announce new features or special product events. These communications:
- Will be off by default (opt-in model).
- Can be turned on or off at any time from Settings.
- Will not include third-party advertising.
11. Acceptance of this policy and updates
11.1 When acceptance is requested
After signing in for the first time with your Google account, before you can access the application's main screen, you will see a screen showing a summary of this Privacy Policy and the Terms of Service. To continue using LumiTales you must confirm via a single combined checkbox that you have read and accept both documents. Without that confirmation you will not be able to access the service.
Links to the full version of each document are visible on that screen and remain accessible at any time from Settings → "Privacy Policy" / "Terms of Service".
11.2 Updates to this policy
When we make changes to this Policy, the treatment depends on the nature of the change:
Material changes (new processor, new data category, new lawful basis, new purpose): we will notify you via an in-app banner on the next start. You will need to accept the new version to continue using LumiTales.
Non-material changes (wording fixes, clarity improvements, date refresh): the new version is published silently. The current version can always be reviewed from Settings.
11.3 Acceptance record
For each user and each accepted version we securely retain:
- On the device itself: the last accepted version, used to determine when a re-acceptance notice should be shown.
- On our servers: an immutable record containing the date and time of acceptance, the accepted versions of the Privacy Policy and the Terms of Service, the language of the version read and the platform of the device from which acceptance took place.
This record allows us to demonstrate at any time which version of the document each user accepted and when, in accordance with Article 7.1 GDPR.
12. Where you can find this policy
12.1 Public URL
The current version of this Policy is always available at the following public URLs:
- Spanish version (the Controller's official language): https://lumitales.net/es/privacy
- English version (courtesy translation): https://lumitales.net/en/privacy
12.2 Inside the application
- Settings → Privacy Policy — opens the current version.
- Settings → Terms of Service — opens the twin document.
13. Version history of this document
| Version | Date | Changes |
|---|---|---|
| 1.0 | 27 April 2026 | Initial public version. |
| 1.1 | 27 April 2026 | Adds in §5 the retention of an opaque hash of authentication-provider identifiers after deletion, in §6 the corresponding lawful basis (legitimate interest — free-trial abuse prevention) and clarifies in §7 the scope of the right to erasure with respect to that hash. Non-material change: does not introduce a new category of personal data (the hash is anonymous within the meaning of Art. 4(1) GDPR), it merely formalises an anti-fraud practice. |
| 1.2 | 1 May 2026 | Adds in §2 the explicit declaration of Mixed Audience on Google Play, the first-launch age-neutral screen, the off-by-default initialization of Firebase Analytics, and the enumeration of device identifiers not transmitted as required by the Families Policy. Also mentions the new feedback tags inappropriate_images and inappropriate_text that allow the user to flag potentially unsuitable AI-generated content, in line with Google Play's "AI-generated content" guidance. Non-material change: introduces no new category of personal data — the tags are stored as part of the existing rating that the adult holder voluntarily submits. |
| 1.3 | 1 May 2026 | Documents in §2 the demo mode reachable via the "I'm a kid" branch of the age-neutral screen: read-only access to the 5 stories of the current day, with no account, no identifier collection, no reading sessions, no Firebase Analytics, no favorites and no ratings. Non-material change: ratifies a more privacy-restrictive practice than version 1.2 (where the child branch did not expose any content), but adds no category of personal data — the demo branch collects none. |
| 1.4 | 2 May 2026 | Age-positioning pivot: §2 is reformulated to recognise minors as primary content recipients (instead of "not direct users"), aligning the Policy with the actual product and with adherence to Google Play's Designed for Families programme. A new Child Safety Standards subsection is added: it (i) explicitly prohibits CSAE in generated content, (ii) describes the human-review process prior to publication, (iii) introduces the new inappropriate-content report button available on every reading screen, writing to the content_reports collection, and (iv) designates a child-safety contact. Non-material change with respect to personal-data collection — the substantive privacy stance is unchanged; the pre-existing practice is formalised to satisfy Google Play's Child Safety Standards Policy. |