Privacy Policy

This Privacy Policy explains how Oscar Stories (the "Application") collects and uses personal data for users in the European Union and European Economic Area under the GDPR. This policy applies to our iOS and Android apps and related services.

HeyQQ GmbH is the data controller and is established in Austria.

Owner and Data Controller

HeyQQ GmbH
Commercial register number (FN): 572680b
VAT ID (UID): ATU77744201
Commercial register court: Handelsgericht Wien
Registered office: 1090 Wien
Wasagasse 23, 1090 Wien, Austria
Managing directors: Dmitrij Rubanov, MA; Mag. Matthias Neumayer, BA

General contact: [email protected]
Privacy contact: [email protected]
App contact: [email protected]

What data we collect

We collect the following categories of personal data when you use the app:

  • Account data: email address and user ID.
  • Story input data: child or character names, ages, interests, preferences, and other descriptive details you provide for story generation.
  • Usage and device data: app opens, sessions, device information, operating system, language, region, diagnostics, and crash data.
  • Purchase data: in-app purchase status and receipts handled by app stores and payment providers.
  • Notification data: device tokens and notification preferences.

"Personal data" means any information that identifies or can identify a natural person, such as name, email address, phone number, age, or device identifiers. We only collect data that is necessary for the services described in this policy or that you choose to provide.

Users are responsible for any third-party personal data (for example, other people’s names) that they obtain, publish, or share through the Application.

Please avoid entering sensitive information in story prompts. We do not sell personal data and do not display third-party ads in the app.

How we use data

We process data for the following purposes:

  • Provide and operate the app on iOS and Android.
  • Generate personalized bedtime stories from the story input data.
  • Authenticate users and manage accounts.
  • Process subscriptions and in-app purchases.
  • Send service messages and, where you opt in, marketing notifications.
  • Analyze usage and improve app performance, stability, and safety.
  • Comply with legal obligations and protect our rights.

We use story input data only to generate stories and to improve story quality. We do not use story input data for advertising or to build marketing profiles.

Automated processing: We do not make decisions with legal or similarly significant effects based solely on automated processing. Automated processing is used solely to generate story content based on your inputs and does not affect your legal rights, access to the Service, pricing, or contractual conditions.

Legal bases (GDPR)

  • Contract: to provide the Service and generate stories you request.
  • Consent: for optional analytics, notifications, and marketing where required.
  • Legitimate interests: Service security, fraud prevention, and service improvement.
  • Legal obligations: accounting, tax, and compliance requirements.

Our legitimate interests include keeping the Service secure, preventing fraud/abuse, and improving reliability. Where processing is based on legitimate interests, you may object (see "Your rights").

Legitimate interest balancing: Where processing is based on legitimate interests, we have conducted a balancing assessment and concluded that our interests are not overridden by the rights and freedoms of users, taking into account the nature of the data processed, reasonable user expectations, the safeguards we apply (such as data minimization, access controls, and retention limits), and the availability of objection rights.

Purpose → data categories → legal basis

  • Account creation & authentication → account data (email, user ID) → contract (provide the Service); in some cases, legitimate interests (security).
  • Story generation → story input data (names, ages, interests, preferences, prompts) → contract (generate stories you request).
  • App functionality & troubleshooting → diagnostics, crash data, system logs → legitimate interests (security and reliability); consent where required (optional analytics/crash reporting settings).
  • Analytics (optional) → usage and device data, analytics events → consent (where required by law/your settings).
  • Push notifications → notification tokens and preferences → consent/permission (device OS permission); contract for essential service messages.
  • Payments/subscriptions → purchase status/entitlements and transaction metadata → contract (provide paid features) and legal obligation (accounting/tax recordkeeping).
  • Support and privacy requests → contact details and message content → legitimate interests (respond to users) and legal obligation (compliance with GDPR requests), as applicable.

Mode and place of processing

Methods of processing

We take appropriate technical and organizational security measures to prevent unauthorized access, disclosure, modification, or destruction of personal data. Processing is carried out using computers and IT-enabled tools, following procedures strictly related to the purposes described in this policy.

In addition to HeyQQ GmbH, data may be accessible to (i) authorized personnel involved in operating the Application (such as administration, customer support, product/engineering, security, legal), and (ii) external parties (service providers) appointed as processors. An updated list of processors can be requested at [email protected].

Place

Data is processed at HeyQQ GmbH’s offices and at the locations of our service providers. Depending on your location and the services used, processing may involve transfers to countries other than your own. Safeguards for international transfers are described below.

Service providers and infrastructure

We use trusted service providers to operate the Application:

  • Server hosting: Railway (Railway Corp). Privacy contact: [email protected].
  • Database and storage: Firebase (Cloud Firestore, Cloud Storage) - where your personal data is stored (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).
  • Authentication: Firebase Authentication, Sign in with Apple.
  • Analytics and diagnostics: Firebase Analytics, Mixpanel, Crashlytics, Firebase Performance Monitoring. Mixpanel, Inc., 405 Howard Street, Floor 2, San Francisco, CA 94105, USA. Mixpanel’s EU data protection representative: MIXPANEL S.L., Avenida Diagonal, 442 - P. 3 PTA. 1, 08037 Barcelona, Spain.
  • Error monitoring: Sentry.
  • Push notifications: OneSignal and Firebase Cloud Messaging (OneSignal, Inc., 201 S. B Street, Suite 200, San Mateo, CA 94401, USA).
  • Payments and subscriptions: Apple App Store, Google Play, RevenueCat.
  • AI inference: OpenAI, Mistral, and custom models via cortecs.ai inference (OpenAI Ireland Limited, 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland; Mistral AI, 15 Rue des Halles, 75001 Paris, France; Cortecs GmbH, Althanstraße 4, Floor 6, 1090 Vienna, Austria).

These providers act as data processors and only process data on our instructions and under applicable data protection agreements.

Purposes of processing (overview)

We process personal data to provide the Service, comply with legal obligations, respond to enforcement requests, protect our rights and interests (or those of users or third parties), and detect malicious or fraudulent activity. This includes:

  • Handling payments and subscriptions (app stores and RevenueCat).
  • Hosting and backend infrastructure (Railway, Firebase).
  • Managing contacts and sending messages/notifications (OneSignal, Firebase Cloud Messaging).
  • Analytics and product improvement (Firebase Analytics, Mixpanel).
  • Registration and authentication (Firebase Authentication, Sign in with Apple).
  • Infrastructure monitoring and troubleshooting (Crashlytics, Firebase Performance Monitoring, Sentry).
  • AI story generation (OpenAI, Mistral, and cortecs.ai inference).

We do not run third-party advertising in the app and do not use your story input data for advertising or marketing profiling.

AI story generation and model providers

To generate stories, we send story input data (such as character names, ages, interests, and your prompts) to our AI inference providers (OpenAI, Mistral, and/or cortecs.ai inference) and receive the generated story back.

We configure providers to process data only on our instructions under applicable data processing agreements. Where the provider offers controls to disable model training and limit retention, we enable those controls for our use. If a specific provider or route does not offer such controls, we minimize the data shared and apply safeguards (such as encryption and access controls). You can request more details about the specific data flows and processors used for your account at [email protected].

Disclosure to third parties

We share personal data only with processors and partners that are needed to provide the app, such as hosting, authentication, analytics, notifications, payments, and AI inference. We do not disclose personal data to third parties for their own marketing purposes. Data is shared based on the GDPR, in particular to perform our contract with you or with your consent.

The typical categories of recipients are:

  • Service providers/processors (hosting, database, analytics, notifications, payments, AI inference).
  • Professional advisors (e.g., legal, auditors) where necessary.
  • Public authorities (courts, law enforcement, regulators) only where we are legally required to disclose data.
  • Business transferees (if we are involved in a merger, acquisition, or asset sale), subject to confidentiality and applicable law.

International transfers

Some providers may process data outside the EU/EEA (for example in the United States). When we transfer personal data internationally, we use one or more of the following mechanisms, depending on the provider and data flow:

  • European Commission adequacy decisions (Article 45 GDPR), where applicable to the destination country.
  • EU Standard Contractual Clauses (Article 46(2)(c) GDPR), and where needed, additional contractual and technical safeguards.
  • The EU–U.S. Data Privacy Framework (where the relevant provider is certified), where applicable, combined with other safeguards as appropriate.

We conduct transfer impact assessments and apply supplementary measures as appropriate, including encryption in transit and at rest, access controls, minimization of data shared, role-based access, and logging.

Data retention

We retain personal data only as long as needed for the purposes described above. Typical retention rules:

  • Account data (email, user ID): for as long as your account is active. After account deletion, we delete or anonymize within 30 days where feasible; backup copies may persist up to 90 days. Backup retention is necessary to ensure service continuity and disaster recovery and is subject to access restrictions.
  • Story input data (names, ages, interests, and other story details): stored to generate stories and, if you choose, to keep your story history. You can request deletion at any time; after deletion, we remove it from active systems and it may persist in backups up to 90 days.
  • Diagnostics and security logs (crash reports, performance data, system logs): typically 90 days, unless needed longer for security investigations or to comply with legal obligations.
  • Analytics events (app usage statistics): typically up to 14 months (or shorter if configured), then deleted or aggregated.
  • Notification data (push tokens and related identifiers): until you disable notifications, uninstall the app, or the token expires or becomes inactive (typically up to 12 months of inactivity).
  • Purchase/subscription records: we receive limited purchase status/entitlement data via providers. Where we must keep records for accounting and tax purposes, we retain the required records for up to 10 years (Austrian statutory retention periods may apply).
  • Support communications (emails to support/privacy): typically up to 24 months to resolve inquiries and maintain an audit trail, unless a longer retention is required by law.

Where retention is based on consent, you can withdraw consent at any time (see "Consent and settings"). Some data may be retained longer if required by law or to establish, exercise, or defend legal claims.

Children’s privacy

Oscar Stories is designed for parents or guardians to create bedtime stories for children. We do not knowingly collect personal data directly from children without parental involvement. By providing story input data relating to children (such as names, ages, or interests), you confirm that you are the parent or legal guardian of the child, or that you otherwise have the right to provide such personal data for the purpose of story generation. If you believe a child has provided personal data without appropriate consent, please contact us to delete it.

Your rights (EU/EEA)

You have the right to:

  • Access, correct, or delete your personal data.
  • Restrict or object to certain processing.
  • Withdraw consent at any time.
  • Receive your data in a portable format.
  • Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you (we do not carry out such processing).
  • Lodge a complaint with your local data protection authority.

To exercise your rights, contact [email protected].

Requests are free of charge and we respond as early as possible and in any case within one month, as required by law.

If you believe that our processing violates data protection law, you can also lodge a complaint with your supervisory authority. In Austria, the competent authority is the Austrian Data Protection Authority (Datenschutzbehörde).

Security

We apply technical and organizational measures to protect personal data. No system is perfectly secure, but we work to safeguard data against unauthorized access, loss, or misuse.

Despite these safeguards, information transmitted over the internet can never be fully secure, and we cannot guarantee the security of data transmitted through networks or third-party services outside our control.

Data breaches

If a personal data breach occurs, we will assess it and, where required by law, notify the relevant supervisory authority and affected users without undue delay.

System logs and maintenance

For operation and maintenance purposes, the Application and our service providers may collect system logs and technical data (for example, IP address, timestamps, device information, and diagnostic events) to keep the Service secure and reliable.

Legal action and enforcement requests

We may use personal data for legal purposes (for example, to establish, exercise, or defend legal claims). We may also be required to disclose personal data upon request by public authorities, courts, or law enforcement, where legally required.

Consent and settings

Where required by applicable law, we ask for your consent before enabling optional analytics or marketing communications. Optional analytics tools (such as Firebase Analytics and Mixpanel) are only activated after you provide consent, where required by applicable law; until then, they remain disabled or operate in a privacy-preserving mode. You can withdraw consent at any time by adjusting your device settings or by contacting us. Opt-out options are also available in the app's notification settings.

Push notifications can typically be disabled via your device settings. You may also be able to limit the use of device identifiers (including advertising identifiers) via your operating system settings. We do not use third-party advertising in the app.

Mobile identifiers, tracking, and permissions

No IDFA / GAID: We do not access or use Apple’s Identifier for Advertisers (IDFA) or Google’s Advertising ID (GAID) for advertising, cross‑app tracking, or profiling, and we do not display third‑party ads in the app.

Permissions: The app may request permissions such as push notifications. If, in the future, we introduce features that require additional permissions (for example, photos/storage or microphone), we will request permission in-app and update this policy accordingly.

Opting out of analytics: If you opt out of optional analytics (where offered), the core app functionality (story generation and access to your account) will continue to work, but we may have less information to improve performance and fix issues.

How to delete your data

You can request deletion by emailing [email protected]. If your app version includes an in‑app deletion option, you can typically find it under Settings (e.g., "Delete account" or "Delete story history"). Deletion generally removes your account and story history from active systems; we may retain limited data that we are legally required to keep (for example, accounting records related to purchases).

Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the effective date.

Effective date: January 27, 2026

Additional information on request

This section does not replace the information provided above but offers additional detail on request. If you would like more details about our processing activities, you can contact us at [email protected].

We may use additional service providers (for example, for email delivery or customer support) depending on how the Service is configured. Where applicable, we will update this policy and/or provide an updated list of processors on request.