Privacy Policy

LittleCards is a tool for adults (typically parents, guardians, and educators) to create and share educational content for the children in their care. The Service is not directed at children under 18. Account holders must be at least 18 years old, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at support@littlecards.app so we can delete it.

Account information. When you register, we receive your email address, a password hash (if you use email/password), or basic profile information from Google (name and email) if you sign in with Google. You may optionally add a display name.

Content you create. We store the card sets, card titles, descriptions, uploaded or AI-generated images, and audio files that you create or publish. If you publish content to the public library, it becomes visible to other users of the Service.

Prompts you submit for AI generation. When you ask the Service to generate an image, description, or audio clip, we transmit your prompt and related metadata to our AI model provider(s) for processing, and we store the generated output in your account.

Payment information. If you subscribe to a paid plan, our third-party payment provider collects the payment details (card number, billing address, and similar) directly. We do not see or store your full card number. We receive limited metadata such as a customer identifier, subscription status, the plan you purchased, the last four digits / card brand (where available), and the billing period.

Usage and device information. Like most online services, our infrastructure automatically records request logs, including IP address, user agent, and basic request metadata. We may also record moderation events (for example, when a published card set is flagged) and operational telemetry used to detect errors and abuse.

Cookies and similar technologies. We use a small number of strictly-necessary cookies to keep you signed in and to maintain your session. We do not use advertising cookies.

We use the information described above to:

• operate, maintain, and improve the Service;
• create and manage your account, authenticate you, and provide customer support;
• process your prompts through AI model providers and return the generated output to you;
• process subscriptions and manage billing through our payment provider;
• moderate published content, detect abuse, and enforce our Terms of Service;
• send you service-related communications (receipts, security alerts, changes to these policies) and, with your permission, product updates;
• comply with legal obligations and respond to lawful requests.

If you are located in the European Economic Area or the United Kingdom, we process your personal information under the following legal bases:

• Contract — to provide the Service you have signed up for (for example, creating card sets, processing subscription payments).
• Legitimate interests — to secure the Service, prevent abuse, improve reliability, and operate our business, where those interests are not overridden by your rights.
• Consent — where required (for example, for certain marketing communications). You may withdraw consent at any time.
• Legal obligation — to comply with applicable law.

We do not sell your personal information. We share it only with service providers that help us run the Service, each under a written agreement that restricts their use of the data:

• Supabase — our database, authentication, and storage provider. Hosts user profiles, card content, and uploaded or generated media.
• Google (OAuth & AI) — identity provider when you sign in with Google, and the AI model provider that generates images, text, and audio from your prompts. Prompts and related metadata are sent to Google's APIs for processing. See Google's privacy policy for details on how they handle data submitted to their APIs.
• Payment provider — a regulated payment processor (currently Paddle, acting as merchant of record on our behalf). They collect and process card details directly and share only limited transaction metadata with us.
• Hosting and observability — our application-hosting provider (e.g., Vercel) and error-logging tools process request logs and performance telemetry.

We may also share information if required by law, to respond to valid legal process, to enforce our Terms, to protect our rights and the safety of users, or in connection with a business transfer (with appropriate continuity of protections).

Our service providers may process your information in countries other than your own, including the United States. Where required by law, we rely on appropriate safeguards (such as the European Commission's Standard Contractual Clauses) to protect your information during international transfers.

We keep your account information and Content for as long as your account is active. If you delete your account, we delete or anonymize your personal information within a reasonable period, except where we are required to retain it (for example, for tax and accounting records related to payments, typically for up to seven years). Operational logs are retained for a shorter period, usually no more than 90 days.

Depending on where you live, you may have rights to:

• access the personal information we hold about you;
• correct inaccurate information;
• delete your account and associated personal information (subject to legal retention obligations);
• object to or restrict certain processing, or request that we port your information to another service;
• withdraw any consent you have given, without affecting the lawfulness of processing carried out before withdrawal;
• lodge a complaint with your local data-protection authority.

California residents have additional rights under the California Consumer Privacy Act / CPRA, including the right to know, delete, and opt out of “sale” or “sharing” of personal information. We do not sell personal information and do not share it for cross-context behavioural advertising.

To exercise any of these rights, email us at support@littlecards.app. We may need to verify your identity before acting on a request.

We apply reasonable technical and organizational measures to protect your information, including transport encryption (HTTPS), hashed passwords, scoped access to production data, and role-segregated access to our infrastructure. No service is 100% secure; if we become aware of a security incident affecting your personal information, we will notify you and any applicable regulator as required by law.

The Service is not intended for use by children under 18. We do not knowingly collect personal information from children. Content created on the platform is intended for use by adults (parents, guardians, and educators) with the children in their care, and those adults are responsible for how that content is shared with children. If you believe we have inadvertently collected personal information from a child, please contact us and we will delete it.

We may update this Policy from time to time to reflect changes in our practices or applicable law. When we make material changes we will update the “Last updated” date above and, where appropriate, provide additional notice (for example, an in-app banner or email). Your continued use of the Service after changes become effective constitutes your acceptance of the updated Policy.

If you have any questions about this Policy or our data practices, please email support@littlecards.app.