Privacy Policy
Last updated: 21 April 2026
This Policy explains how HeroKidStory processes personal data when you use our services. The data controller and contact details are set out below.
1. Scope and legal framework
This Privacy Policy describes how HeroKidStory ("we", "us", "our") processes personal data when you access or use our website and related digital services. It is designed to align with the Turkish Personal Data Protection Law No. 6698 ("KVKK") for users in Türkiye, the UK General Data Protection Regulation and EU GDPR for users in the United Kingdom and European Economic Area, and with COPPA-aligned practices for child-related data where U.S. law applies.
| Data controller | Cüneyt Medetoğlu |
| Legal form | Şahıs İşletmesi |
| Registered / postal address | Atatürk Mah. Merkez İsimsiz91 Sk. Dema İnş B Blok No: 4/1 İç Kapı No: 3 Merkez / Tunceli, Türkiye |
| Contact email | info@herokidstory.com |
| Website | https://herokidstory.com |
The service produces personalized content for children aged approximately 2–10, but the platform may only be used by parents or legal guardians aged 18 or over. Children cannot create accounts.
We do not have an establishment in the United Kingdom or the European Economic Area and have not appointed a representative in the Union under Article 27 GDPR. If you are in the EEA or UK, you may exercise your rights by contacting the data controller at the email and postal address above, and you may lodge a complaint with your local supervisory authority.
2. Categories of personal data
2.1 Account and profile (parent / user)
| Email address | Registration or Google OAuth — authentication, notices |
| Password | Stored only as a one-way hash (bcrypt); never in plain text |
| Name | Profile, billing and invoicing |
| Profile image | Optional; may be imported via OAuth |
| Preferences | Language, theme, kid mode, etc. |
2.2 Child character information
Entered solely by a parent or guardian on the child's behalf.
| Name | Used in the narrative |
| Age | Age-appropriate content |
| Gender | Character depiction |
| Hair and eye colour | Illustration parameters |
| AI-generated character description | Consistent visual style |
Reference photograph
2.3 Orders, billing and delivery
| Billing name and address | Invoicing and accounting |
| Delivery address | Printed product fulfilment where applicable |
| Order contents and amount | Order management |
| Payment reference | Transaction reference from the payment processor |
Card numbers, expiry dates and security codes are never processed or stored on HeroKidStory servers. Payments for customers using our Turkish checkout flows are processed by Iyzico A.Ş. (BDDK-licensed). International card payments are processed by Stripe, Inc. and its affiliates in a PCI-DSS compliant environment; card data is tokenised or handled entirely on Stripe's systems.
2.4 Technical data collected automatically
| IP address | Security and currency / region detection |
| Browser and device data | Compatibility and security |
| Session data | Authentication (NextAuth) |
| Cookies | As described in the Cookie Policy |
| Error and security logs | Troubleshooting and abuse prevention |
3. Purposes and legal bases
| Account administration | Performance of a contract (GDPR Art. 6(1)(b)) |
| Personalized book production | Explicit consent — including AI processing and transfers (Art. 6(1)(a), Art. 9(2)(a) where applicable) |
| Orders, invoices and delivery | Contract and legal obligation (Art. 6(1)(b)(c)) |
| Payment collection | Transmission to payment processors — contract |
| Notifications | Contract or legitimate interests |
| Fraud prevention and security | Legitimate interests (Art. 6(1)(f)) |
| Tax and accounting records | Legal obligation |
We do not perform solely automated decision-making, including profiling, that produces legal or similarly significant effects concerning you.
4. Recipients and disclosures
We share personal data only with selected processors where necessary to provide the service and in proportion to that need. We do not sell personal data.
4.1 Payment processors
| Iyzico A.Ş. (Türkiye) | Identity and billing data, transaction amount |
| Stripe, Inc. and affiliates | International card payments — card data is not sent to our servers |
4.2 Hosting and content delivery
| Amazon Web Services (AWS) | Application and database hosting (e.g. US regions) |
| Amazon S3 | Generated images and PDFs — original reference photos are not stored |
| Vercel Inc. | CDN and request logs |
4.3 AI and audio
| OpenAI | Temporary reference image and text parameters for illustration and text generation |
| Google (Gemini) | Temporary text processing for text-to-speech |
OpenAI API use
4.4 Authentication and email
| Google LLC / Meta Platforms, Inc. | Elements required for the OAuth method you choose |
| Resend (or similar provider) | Transactional email |
4.5 International transfers
Some processors are located outside your country of residence (including the United States). Transfers rely, as applicable, on your explicit consent (notably for AI processing), performance of the contract, our agreements with processors, and EU Standard Contractual Clauses or other safeguards recognised under GDPR Chapter V. For cookie details, see our Cookie Policy.
4.6 Public authorities
We may disclose data where required by applicable law or by a competent court or administrative order.
5. Retention
| Account and profile | While the account exists; deleted immediately on account deletion |
| Characters and book content | Until you delete them or close the account |
| Reference photograph | Deleted automatically after production completes |
| Order and invoice records | Ten years where required by Turkish tax law (VUK Art. 253) |
| IP and security logs | Typically 90 days |
| Production and cost logs | Typically one year |
| Email correspondence logs | Typically three years |
After account deletion, minimum invoice and order data (e.g. name, address, amount, date) may be retained to meet tax and accounting obligations.
6. Children, consent and age
6.1 Data minimisation for photos
We do not archive or keep a gallery of the child's reference photo: it is used only during the production session to generate illustrations, then the original file is permanently deleted. What remains is the AI-generated cartoon illustration, not the real photograph — a deliberate minimisation measure.
6.2 Parental consent (illustrative wording)
Before processing a child's data and transferring it for AI illustration, we present wording along the following lines:
"I understand that my child's photo and information will be transferred temporarily to an AI service provider to generate a personalized storybook, and that the original photo will be deleted after production."
6.3 Registration age and COPPA
You must confirm that you are at least 18 years old when registering. Processing of data relating to children under 13 in the United States is based on verifiable parental consent; deletion requests may be sent to info@herokidstory.com.
6.4 EU / UK children
Under GDPR, parental authorisation is required for children below the digital consent age in your member state (commonly 16, or lower if provided by local law). We collect this at character creation.
7. Your rights and how to exercise them
7.1 GDPR (EEA and UK users)
- Access, rectification, erasure, restriction, data portability
- Object to processing based on legitimate interests; withdraw consent at any time where processing is consent-based
- Lodge a complaint with your supervisory authority
7.2 KVKK (users in Türkiye)
If you are habitually resident in the Republic of Türkiye, Articles 10 and 11 of Law No. 6698 grant you rights including information, access, correction, deletion where conditions are met, and the right to complain to the Turkish Personal Data Protection Authority. Submit requests to info@herokidstory.com with the subject line "KVKK / GDPR Request". We respond without undue delay and in any event within the statutory period (including, for KVKK applications, up to thirty days where applicable).
7.3 Account deletion
Go to Dashboard → Settings → Account and use the Delete account control. When deletion completes, account data, books, characters and stored deliverables are removed immediately, subject to retention of minimum invoice and order records as required by law.
7.4 Identity verification
To protect your privacy, we may request reasonable additional information to verify your identity before fulfilling rights requests.
8. Security
- TLS (HTTPS) in transit; encryption and access controls at rest where appropriate
- Passwords stored using one-way hashing
- Card data processed only by certified payment providers
- Staff and vendor access on a least-privilege basis; written processor commitments
In the event of a personal data breach, we will notify supervisory authorities within statutory timeframes (including, under GDPR, without undue delay and where feasible within 72 hours of becoming aware) and will inform affected individuals when required by law, in particular where the breach is likely to result in a high risk to rights and freedoms.
9. Cookies
See our Cookie Policy for categories, purposes and your choices.
10. Changes to this Policy
We may update this Policy from time to time. Material changes will be reflected in the "Last updated" date and, where appropriate, notified by email or in-product notice. Where the law requires fresh consent, we will obtain it separately.
11. Contact
| Email | info@herokidstory.com |
| Postal address | Atatürk Mah. Merkez İsimsiz91 Sk. Dema İnş B Blok No: 4/1 İç Kapı No: 3 Merkez / Tunceli, Türkiye |