Privacy Policy
Last updated: May 21, 2026
This Privacy Policy describes how Gaman Lab (" Company", " we", " us", or " our") collects, uses, and shares information when you use https://edustories.ai and https://app.edustories.ai(collectively, the " Services").
Please read this policy carefully. By using the Services, you agree to the practices described here.
1. Information We Collect
1.1 Information You Provide Directly
- Account data: name, email address, password when you register.
- Story content: when you create a social story you provide the name, age range, and gender of the child the story is written for, along with the situation, goal, interests, and characters. This information is used solely to generate the story and is stored in your account.
- Payment data: payment is processed by Stripe, Inc. We store only the last four digits of your card, card type, and your Stripe customer ID. We never receive or store your full card number.
- Communications: emails or messages you send to us.
1.2 Information Collected Automatically
- Usage data: pages viewed, in-product actions (such as story-wizard steps, story generation, editing and sharing), the referring website or channel, timestamps, and session duration. This is collected through our own first-party, cookieless analytics.
- Approximate location: an approximate country derived from your IP address. Your IP address is used only momentarily on our servers to derive this country and to generate a daily-rotating, non-reversible anonymous identifier, and is then discarded — we do not store your IP address for analytics.
- Device data: device type (mobile, desktop, tablet) and language preferences.
- Cookies and local storage: we use only essential, first-party cookies strictly necessary for the Services to function (authentication session and CSRF security token) and a small amount of anonymous, first-party browser storage for our cookieless analytics. We do not use advertising or third-party tracking cookies. See Section 10 for the full list.
- Advertising identifiers: if you arrive from an online advertisement, we may record the campaign parameters contained in the link (UTM tags and click identifiers such as Google gclid or Meta fbclid ) to measure campaign effectiveness. This data remains first-party; should we in future transmit conversion data to advertising platforms (e.g. Google or Meta), we will request your consent where required.
1.3 Information from Third Parties
We may receive limited information from payment processors (Stripe) confirming the status of a transaction.
2. How We Use Your Information
| Purpose | Legal basis (EU/UK GDPR) |
|---|---|
| Provide and operate the Services (account management, story generation, payment processing) | Performance of a contract |
| Send transactional emails (order confirmations, payment failures) | Performance of a contract |
| Send newsletter and marketing emails (only if you opted in) | Consent |
| Analyse usage and improve the Services (first-party, cookieless analytics — no tracking cookies, no stored IP address) | Legitimate interests |
| Measure the effectiveness of our advertising campaigns (UTM tags and click identifiers) | Legitimate interests |
| Prevent fraud and abuse | Legitimate interests |
| Comply with legal obligations | Legal obligation |
3. Data About Children
EduStories is designed for use by adults — parents, educators, therapists, and other professionals — who create social stories intended for children or individuals with special educational needs. Registered users must be 18 years of age or older.
When you use the story-creation tool, you may provide information about a child (such as a first name, age range, gender, and personal situation). This information is processed solely to generate the requested story and is stored in your account under your control. You are responsible for ensuring that you have the appropriate authority or parental/guardian consent to submit information about any individual, particularly minors.
We do not knowingly register users under the age of 18. If we become aware that a minor has created an account, we will delete it promptly.
4. AI-Generated Content
Story text and images are generated by artificial intelligence. We use third-party AI models accessed via Replicate(replicate.com). When you create a story, the inputs you provide (situation, goal, characters, etc.) are sent to Replicate's API and processed by these models.
Replicate's privacy policy is available at replicate.com/privacy.
AI outputs may contain inaccuracies, hallucinations, or inappropriate content. Stories generated by EduStories are not a substitute for professional medical, therapeutic, psychological, or educational advice.
5. How We Share Your Information
We do not sell your personal data. We share information only in the following circumstances:
- Stripe – for payment processing. stripe.com/privacy
- Replicate – for AI story and image generation, as described in Section 4. replicate.com/privacy
- Mailchimp (Intuit) – for newsletter delivery, only if you have opted in. mailchimp.com/legal/privacy
- Legal requirements: if required by law, court order, or governmental authority.
- Business transfers: in connection with a merger, acquisition, or sale of assets, subject to the successor honouring this policy.
Our usage analytics are processed in-house (first-party) and are not shared with third-party analytics providers. We no longer use Google Analytics or Microsoft Clarity.
6. Data Retention
We retain your account data for as long as your account is active. When you delete your account, your personal data and stories are permanently deleted from our active databases, and the anonymous analytics events linked to your account are deleted as well. Aggregated, non-identifying analytics events are automatically deleted after approximately 18 months. Backups may retain data for a limited additional period before being overwritten. Data shared with third-party processors (Stripe, Mailchimp) is also removed as part of the deletion process.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the data we hold about you.
- Rectification: correct inaccurate data.
- Erasure ("right to be forgotten"): request deletion of your data. You can delete your account directly from your profile settings.
- Portability: receive your data in a machine-readable format. Contact us at info@edustories.ai to request a data export.
- Restriction: ask us to limit processing while a dispute is resolved.
- Objection: object to processing based on legitimate interests, including our first-party analytics.
- Withdraw consent: you can unsubscribe from the newsletter at any time via the link in any email or from your profile settings. Our analytics is anonymous and cookieless, so no cookie consent is required; if you wish to opt out of analytics, contact us at info@edustories.ai.
To exercise any of these rights, contact us at info@edustories.ai. EU/UK users may also lodge a complaint with their local data protection authority.
8. International Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (Stripe, Replicate, Mailchimp). These transfers are made under appropriate safeguards, including Standard Contractual Clauses approved by the European Commission.
9. Security
We implement industry-standard security measures including HTTPS encryption, hashed passwords, and access controls. No method of transmission over the Internet is 100% secure; we cannot guarantee absolute security.
10. Cookies and Local Storage
We do not use advertising or third-party tracking cookies, and no cookie-consent banner is required. We use only the strictly necessary or anonymous, first-party technologies listed below.
| Name / type | Purpose | Storage & duration |
|---|---|---|
| Session cookie | Keeps you authenticated and maintains your session while you use the app. | First-party cookie; expires at the end of the session. |
| XSRF-TOKEN | Protects forms and requests against cross-site request forgery (CSRF). | First-party cookie; session. |
| "Remember me" cookie | Set only if you select "remember me" at login, to keep you signed in. | First-party cookie; up to a few weeks. |
| es_sid | Anonymous identifier for the current visit, used by our cookieless analytics. | Browser sessionStorage; deleted when you close the tab. |
| es_utm, es_click | Marketing campaign attribution for the current visit (UTM parameters and advertising click identifiers). | Browser sessionStorage; deleted when you close the tab. |
| es_optout | Remembers your choice to opt out of analytics, if you set it. | Browser localStorage; until you clear it. |
| __stripe_mid, __stripe_sid (Stripe) | Fraud prevention during payment. Set by Stripe when a payment needs to be confirmed (e.g. 3-D Secure / Strong Customer Authentication). Strictly necessary. | First-party cookies set by Stripe; __stripe_sid ~30 minutes, __stripe_mid ~1 year. |
Because these technologies are strictly necessary or anonymous, your consent is not required. You can delete cookies and local storage at any time through your browser settings. When you make a payment you are redirected to Stripe's hosted checkout page, where Stripe may set additional cookies governed by Stripe's privacy policy.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by posting the updated policy with a new "Last updated" date. Continued use of the Services after changes constitutes acceptance.
12. Contact Us
Gaman Lab
Mgarr, MGR1021, Malta
Email: info@edustories.ai
