Once Upon Elly

Privacy Policy

How Once Upon Elly collects, uses, and protects your information.
Apr 16, 2026

Last updated: April 16, 2026

1. Who We Are

Once Upon Elly ("Once Upon Elly", "we", "us", or "our") is an online service that lets adult users generate personalized, AI-written bedtime stories and companion audio for the children in their care.

The Service is operated by Lucky Code Studio, a registered individual business in the Republic of Korea (Business Registration No. 636-59-00277), based at 76 Keunumul-ro, Mapo-gu, Seoul, Republic of Korea. Our country of tax residence is the Republic of Korea.

For any question about this Policy, email support@onceuponelly.com — we respond within 3 business days.

2. Scope of This Policy

This Privacy Policy applies to the website onceuponelly.com and all subdomains, the account dashboard, the story and audio generation tools, billing flows, and any email we send you in connection with the service (together, the "Service").

This Policy does not apply to third-party websites you reach through outbound links, or to the separate pages of third-party services you connect to (such as a payment provider's own checkout page). Those are governed by their own privacy notices.

3. Information We Collect

We only collect what we need to run the Service, bill you, and improve the product. The categories below are exhaustive — we do not secretly collect anything outside them.

3.1 Account information

When you sign up or sign in:

  • Name (or display name) — for greeting you in the dashboard and on receipts.
  • Email address — for login, account recovery, receipts, and service notifications.
  • Authentication data — sign-in is currently provided via Google OAuth only. We receive a verified email address and account identifier from Google; we never see or store your Google password.
  • Profile preferences — language, notification preferences, and similar.

3.2 Story input data

When you create a story, you may enter information that describes a child, such as:

  • A first name or nickname (you are free to use a pen name — the name is only used inside the generated story and is not independently verified by us).
  • Age or age range.
  • Interests, hobbies, favorite colors, stuffed animals, and similar free-text preferences.
  • Short custom prompts you write (e.g. "a story that helps her not be scared of thunder").

We do not require you to provide a real child's real identity. Using a nickname or fictional placeholder is explicitly supported and does not reduce story quality.

We do not support uploading photographs of children. No facial images, biometric data, or visual likenesses of real children are collected by the Service.

3.3 Generated content

Every story and audio file you create is stored in your account library so you can reopen, re-download, or delete it. These items are visible only to you and our authorized operators, unless you explicitly choose to share them.

3.4 Billing information

When you purchase credits or a subscription, our payment processor (Creem) collects and processes your payment details directly. We do not store full card numbers, CVV codes, or bank account numbers on our servers. We receive and retain only:

  • a payment method token or reference ID returned by the processor,
  • the plan, amount, currency, and timestamp of each successful transaction,
  • the billing email and country (for tax and compliance reasons).

3.5 Technical and usage data

When you use the Service, our servers automatically log:

  • IP address, approximate region, browser, operating system, device type.
  • Timestamps and endpoints visited, for debugging, rate limiting, and abuse prevention.
  • Feature usage counters (e.g. how many stories you've generated this month), to enforce plan limits.

3.6 Cookies and analytics

We use a small number of cookies and similar technologies:

  • Strictly necessary cookies — for login sessions, CSRF protection, and language preference. These cannot be switched off.
  • Optional analytics — we may use Google Analytics or a comparable privacy-friendly analytics provider to understand aggregate traffic patterns. Analytics cookies load only with your consent where local law requires consent (e.g. EU, UK, Korea).

See Section 11 for more.

3.7 Communications

If you email support, respond to a survey, or contact us on social media, we keep a copy of the correspondence so we can help you and improve the Service.

4. How We Use Your Information

We use the information described above strictly for the following purposes:

  1. Delivering the Service — authenticating you, generating stories and audio, saving them to your library, and displaying them back to you.
  2. Billing and subscription management — charging you correctly, issuing receipts, handling refunds, preventing payment fraud, complying with tax law.
  3. Product improvement — aggregated analytics to understand which features work, fix bugs, and reduce latency. Individual stories are not used to train external AI foundation models.
  4. Customer support — responding to your questions or complaints within 3 business days.
  5. Security and abuse prevention — detecting brute-force login attempts, API abuse, content that violates our Acceptable Use Policy, and similar threats.
  6. Legal compliance — responding to valid legal requests, enforcing our Terms of Service, preventing fraud.
  7. Transactional emails — sending you receipts, security alerts, or important service changes. You cannot opt out of strictly transactional email while you hold an active account.
  8. Marketing emails (only with consent) — occasional product updates. You can unsubscribe at any time via the link in every marketing email.

We rely on the following legal bases depending on your jurisdiction:

  • Contract — processing necessary to provide the Service you signed up for.
  • Legitimate interest — product improvement, security, abuse prevention, and internal analytics, balanced against your rights.
  • Consent — optional analytics cookies and marketing email. You may withdraw consent at any time.
  • Legal obligation — accounting, tax, anti-fraud, and response to lawful requests.

6. Children's Data

Once Upon Elly is designed for adult parents, guardians, and other caregivers. The Service is not directed to children under 14 (the minimum age under the Republic of Korea Personal Information Protection Act). In jurisdictions where local law sets a higher minimum age (for example, 16 in parts of the EU, or 13 in the United States under COPPA), the higher local minimum applies.

  • No one below the applicable minimum age may create an account.
  • Story input fields (a name, age, favorite animal) may describe a child, but this information is provided by the adult account holder, not by the child directly. Pen names or fictional details are fully supported.
  • We do not knowingly collect identifiers, contact information, or photographs of children.
  • If we become aware that we have collected information directly from a child without verified parental consent, we will delete it promptly.
  • If you are a parent or guardian and believe your child has provided information to us, please contact support@onceuponelly.com and we will delete it within 3 business days.

We do not sell or share information about minors, and we do not use any information a parent provides about a child to train external AI models.

7. Third-Party Service Providers (Subprocessors)

To run the Service we rely on a small number of carefully selected providers. Each receives only the information it needs, and each is bound by a data processing agreement or equivalent contractual safeguards.

CategoryPurposeData shared
Hosting and edge networkServing the site and protecting it from attacksIP, request metadata
Object storageStoring generated audio files and PDFsGenerated content, user ID
Payment processor (Creem)Processing subscriptions, credit purchases, refundsBilling email, country, plan, amount
Transactional email providerSending receipts, password resets, and service notificationsEmail address, message content
Third-party AI model providersGenerating story text and audio based on your promptsPrompt content only; no account identifiers are included in the request
Authentication (Google OAuth)Verifying your email address when you use "Sign in with Google"Verified email, account ID returned by Google
Analytics (optional)Aggregate traffic analytics (loaded only with consent where required)Truncated IP, device, pageviews

For security, competitive, and commercial-confidentiality reasons we do not publicly list the specific vendors behind each category, but we maintain a current internal register and contractual safeguards with each of them. If you require the current list for a formal compliance or legal request (for example, under GDPR Article 28 or CCPA), email support@onceuponelly.com and we will provide it under a suitable confidentiality agreement.

8. International Data Transfers

Our servers and those of our providers are located in multiple regions worldwide. If you use Once Upon Elly from outside the Republic of Korea, your information will be transferred to and processed in other countries.

Where such transfers involve personal data from the EEA, UK, Korea, Japan, or other jurisdictions that restrict cross-border transfer, we rely on standard contractual clauses, local adequacy decisions, or other safeguards permitted by applicable law.

9. Data Retention

  • Account data — retained while your account is active. If you delete your account, we delete or irreversibly anonymize your personal data within 30 days, except where we are required to keep limited records for tax, anti-fraud, or other legal reasons (typically up to 5 years for transaction receipts under Korean tax law).
  • Generated stories and audio — retained in your library until you delete them, or until 30 days after you close your account.
  • Server logs — retained for up to 90 days for security and debugging, then deleted or anonymized.
  • Billing records — retained as long as required by applicable tax and accounting law.
  • Marketing email list — retained until you unsubscribe.

10. Your Rights

Regardless of where you live, you may email support@onceuponelly.com to exercise any applicable privacy right. We verify the request, acknowledge it within 3 business days, and complete it within the statutory window (usually 30 days).

Below is a non-exhaustive summary of rights recognized by some of the main jurisdictions we serve. If your country or region is not listed, we will honour equivalent rights granted by your local law.

10.1 European Economic Area / United Kingdom (GDPR / UK GDPR)

  • Access, rectification, erasure, restriction of processing, portability, and objection.
  • Right to withdraw consent for processing based on consent.
  • Right to lodge a complaint with your national Data Protection Authority.

10.2 United States — California (CCPA / CPRA) and other state laws

  • Right to know what personal information we hold.
  • Right to delete and to correct inaccurate personal information.
  • Right to opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioural advertising).
  • Right to non-discrimination for exercising these rights.
  • Comparable rights are also recognized for residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other states with applicable consumer-privacy laws.

10.3 Japan (APPI / 個人情報保護法)

  • Right to be informed of the purposes of use.
  • Right of disclosure, correction, suspension of use, and deletion of your personal information.
  • Right to opt out of third-party provision where applicable.

10.4 Republic of Korea (PIPA / 개인정보 보호법)

  • Right of access, correction, deletion, and suspension of processing of your personal information.
  • Right to lodge a complaint with the Personal Information Protection Commission (PIPC) or KISA (Korea Internet & Security Agency).

10.5 Other jurisdictions

  • We will honour equivalent rights granted under applicable local law (including, for example, Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, Singapore's PDPA, and Switzerland's FADP).

11. Cookies

We use three categories of cookies:

  • Strictly necessary — login session, CSRF token, language. Always on.
  • Preferences — theme, last-used story style. Always on.
  • Analytics — Google Analytics or similar. Loaded only after you consent via our cookie notice, where local law requires consent.

You can clear cookies at any time in your browser settings. Disabling strictly necessary cookies will break login.

12. Security

We take reasonable technical and organizational measures to protect your information, including:

  • Encryption in transit (HTTPS/TLS) for all connections.
  • Encryption at rest for sensitive fields.
  • Hashed passwords (we never store raw passwords).
  • Principle of least privilege for internal access.
  • Rate limiting, audit logs, and regular dependency updates.

No online service is 100% secure. If a data breach affects you, we will notify you without undue delay, as required by applicable law.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced on this page with an updated "Last updated" date, and for significant changes affecting your rights we will also email the address on your account.

Continuing to use the Service after an update means you accept the revised Policy.

14. Contact

Questions, requests, or complaints about this Policy:

Email: support@onceuponelly.com

We respond to every privacy-related inquiry within 3 business days.