Privacy Policy

We collect the following categories of information when you use Vyspra:

• Account information — your email address and display name when you create an account.
• Child information — your child's first name, age range, and a photo you upload to create their personalized character. We do not collect your child's full name, date of birth, or any government-issued identifiers.
• Story preferences — educational themes, storytelling styles, and character traits you select during story creation. These are stored to personalize your experience.
• Payment information — payment transactions are processed by Stripe. We do not store your credit card number or banking details. We retain a Stripe customer ID linked to your account for billing management.
• Usage data — basic logs of actions taken within the app (story creation, video generation) used for debugging and service improvement.

Photos you upload are used solely to generate a cartoon illustration of your child — the character who stars in their stories.

• Photos are analyzed by a Gemini vision model to evaluate quality before processing. Only photos that pass quality checks are used for cartoon generation.
• The original photo is passed to the AI image model to produce a cartoon likeness. Original photos are deleted from our servers after cartoon generation is complete. We do not retain your original photos.
• The generated cartoon illustration is retained in your account so it can be used across multiple stories without re-uploading the original photo.
• Photos and cartoon images are stored in encrypted cloud storage (Supabase Storage) with access restricted to your account. No one else can view your child's images.
• We do not use photos to train AI models, share them with third parties for advertising, or use them for any purpose other than story creation.

Vyspra is built on a pipeline of specialized AI services. We share only the minimum data necessary with each provider:

• OpenRouter / Gemini — receives story prompts and character descriptions to generate storylines and story text. No personal identifiers are included in LLM requests.
• RunPod (Qwen3-TTS) — receives the story narration text and a voice sample (if you provide one for voice cloning) to synthesize audio. Voice samples are used only for that story's narration.
• RunPod (Scene Render) — receives generated scene images to produce scene video clips with camera motion. No personal data is included.
• Stripe — processes all payment transactions. Stripe is PCI-DSS compliant. We share your email and a customer reference with Stripe for billing purposes. Stripe's privacy policy applies to payment data.
• Supabase — our database and file storage provider. All account data, story data, and generated assets are stored on our self-hosted Supabase instance. Data is not shared with Supabase's cloud analytics or third parties.

Each third-party provider is contractually bound to use data only for the purpose we provide it and not to retain or repurpose it.

• Account data (email, preferences) is retained for as long as your account is active.
• Child photos are deleted from our servers immediately after the cartoon illustration is generated. We do not retain originals.
• Generated content (story text, cartoon illustrations, narration audio, cinematic storybook video) is retained in your account until you delete it or delete your account.
• Payment records are retained for the period required by applicable financial regulations (typically 7 years), even after account deletion.
• Account deletion — you may delete your account at any time from the account settings page. Upon deletion, all story content, character profiles, and personal data are permanently removed, subject to legal retention requirements above.

Vyspra is designed as a tool for parents and guardians to create stories about their children — not a platform children use directly.

• All accounts are created and managed by adults (parents or guardians aged 18+).
• We do not knowingly collect personal data directly from children under 13. If you believe a child under 13 has created an account without parental consent, please contact us immediately at hello@vyspra.com.
• Child data we do store (first name, age range, cartoon likeness) is provided by the parent or guardian and is governed by the parent's account privacy settings.
• Multiple guardians may be linked to the same child character via invite links. Each guardian manages their own stories; the child's profile data is shared only among linked guardians.
• Full COPPA compliance features (verifiable parental consent flow, enhanced data minimization) are planned for a future release. We currently operate under the understanding that all accounts are adult-controlled.

We use a minimal set of cookies and browser storage:

• Essential cookies — required for authentication sessions (Supabase auth tokens). These cannot be disabled without breaking login functionality.
• Preference storage (localStorage) — we store your cookie consent choice, preferred AI model, and similar UI preferences in your browser's local storage. This data never leaves your device.
• Optional analytics cookies — if you accept analytics cookies via our consent banner, we may collect aggregated usage data to understand how the service is used and improve it. You can withdraw consent at any time (see Manage Cookie Preferences below).
• We do not use tracking cookies for advertising, behavioral profiling, or cross-site tracking.

Depending on your location, you may have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you.
• Right of correction — request that inaccurate data be corrected.
• Right of deletion — request deletion of your personal data. You can also delete your account directly from the app.
• Right to withdraw consent — for data processing based on consent (such as optional analytics), you may withdraw consent at any time without affecting prior processing.
• Right to data portability — request your data in a machine-readable format.

To exercise any of these rights, email us at hello@vyspra.com. We will respond within 30 days.

• All data is transmitted over HTTPS with TLS encryption.
• Authentication is handled by Supabase Auth with secure session tokens. Passwords are hashed using industry-standard algorithms and never stored in plaintext.
• Access controls ensure that each user can only access their own data. Strict Row Level Security (RLS) policies are enforced at the database layer for every table.
• Generated files (images, audio, video) are stored in private Supabase Storage buckets accessible only via authenticated signed URLs with short expiry times.
• Despite these measures, no system is completely secure. We encourage you to use a strong, unique password and to notify us immediately at hello@vyspra.com if you suspect unauthorized access to your account.

We may update this Privacy Policy from time to time as our service evolves or legal requirements change. The "Last updated" date at the top of this page reflects the date of the most recent revision.

For material changes that significantly affect how we process your data, we will notify you via email or a prominent in-app notice at least 14 days before the change takes effect. Continued use of Vyspra after the effective date constitutes acceptance of the revised policy.

You can change your cookie preferences at any time. Clicking the button below will re-open the cookie consent banner so you can update your choice.

Note that essential cookies required for authentication cannot be disabled. Only optional analytics cookies are controlled by your preference.

If you have questions about this Privacy Policy, your personal data, or your rights, please contact us:

• Email: hello@vyspra.com

We aim to respond to all enquiries within 5 business days.