Legal

Privacy Policy

Legendary Tales Club, last updated June 1, 2026

1. Who we are

Legendary Tales Club is a brand of Legacy Vantage LLC, a company incorporated in Tennessee, USA ("we", "us", "our"). Legendary Tales Club is a subscription service that generates and delivers personalised bedtime stories to parents by email. Our service is directed at parents and guardians ("you"), not at children directly.

For the purpose of UK and EU data protection law, we are the data controller. For questions about this policy, contact us at: privacy@legendarytales.club

2. What data we collect and why

2.1 Account data

When you sign up, we collect your email address. You sign in via email magic link through Supabase; no password is created or stored. We use this to create and manage your account, authenticate you, and deliver your stories.

Legal basis (GDPR): Performance of a contract.

2.2 Child profile data

To generate personalised stories, you provide us with information about your child or children: first name, age, interests, and optional details such as a pet's name, a best friend's name, or a favourite character. You may also provide a date of birth for future features (the Memory Book add-on). You are not required to provide a child's real name; a nickname or made-up name works just as well.

This information is used solely to build the prompt we send to our AI story generation service. It is not used for advertising, profiling, or any purpose other than generating your stories.

Legal basis (GDPR): Performance of a contract; legitimate interest in providing a personalised service.

COPPA notice (US users): Legendary Tales Club is directed at parents and guardians, not at children. We do not knowingly collect personal information directly from children under 13. All child profile data is submitted by a parent or guardian on behalf of their child and is used only to generate stories for that child. If you believe your child has submitted information to us directly, contact us at privacy@legendarytales.club and we will delete it promptly.

2.3 Delivery preferences

We store your chosen daily delivery time and timezone, and your selected story mode (combined or separate). This is used to schedule story generation and dispatch.

Legal basis (GDPR): Performance of a contract.

2.4 Payment data

We collect billing information through Stripe. We do not store your card number, CVV, or full payment details on our servers. Stripe processes and stores payment data on our behalf and is PCI-DSS compliant. We retain Stripe customer IDs, plan type, and subscription status to manage your account.

Legal basis (GDPR): Performance of a contract; legal obligation (for invoicing and tax records).

2.5 Story history

We store a log of stories we have sent you, including the generated content. This is used to enforce variety (avoiding repeated themes) and to support future features such as a story archive. Stories are associated with your account and are deleted when you close your account.

Legal basis (GDPR): Legitimate interest in providing a quality service.

2.6 Analytics and usage data

We use the following tools to understand how our service is used and to improve it:

  • Google Analytics 4 (GA4) and Google Tag Manager: when analytics is enabled, collect anonymised usage data such as pages visited, session duration, and general location (country/region). IP addresses are anonymised. We do not send child names, email addresses, story text, prompts, or other freeform personal data to GA4/GTM.
  • Cloudflare Analytics / Cloudflare Insights: collect aggregated traffic data at the network layer. Cloudflare does not use your data for advertising. No cookies are set by Cloudflare Analytics.

GA4 and Google Tag Manager may use cookies when analytics is enabled. We do not currently show a cookie banner on the site; analytics can be disabled centrally without changing the rest of the product.

Legal basis (GDPR): Consent where required for analytics cookies; legitimate interest for privacy-safe, aggregated analytics.

2.7 Email delivery data

We use Resend to send story emails and transactional messages (magic-link sign-in, billing notices). Resend logs delivery events (sent, delivered, bounced, opened) to help us monitor deliverability. These logs are associated with your email address.

Legal basis (GDPR): Performance of a contract; legitimate interest in ensuring reliable delivery.

3. Who we share data with

We share data only with the third-party processors necessary to operate the service:

Processor Purpose Data shared
Anthropic (Claude API) AI story generation Child profile details (name, age, interests, extras) submitted per generation request. Anthropic's API is not used to train models on your data by default; see Anthropic's privacy policy for details.
Stripe Payment processing Email, billing details, subscription status
Resend Email delivery Your email address, story content, delivery events
Google (GA4, GTM) Analytics Anonymised usage data, cookies
Cloudflare Hosting, CDN, analytics IP address (processed at edge, not stored by us), aggregated traffic data
Supabase Authentication Your email address, used to send magic-link sign-in emails. No password is stored.

We do not sell your data. We do not share your data with advertisers. We do not share child profile data with any party except as described above.

4. Cookies

We use the following cookies:

Cookie Provider Purpose Duration
Session cookie Legendary Tales Club Keeps you logged in Session
_ga, _ga_* Google Analytics Usage analytics Up to 2 years
_gtm_* Google Tag Manager Tag management Session

If you limit analytics cookies through your browser or a future consent preference, the service continues to work normally.

5. Data retention

Data type Retention period
Account and profile data Until account deletion, plus 30 days
Stories Until account deletion, plus 30 days
Payment records 7 years (legal/tax obligation)
Analytics data Per Google's retention settings (default 14 months for GA4)
Email delivery logs 90 days

6. International data transfers

Legacy Vantage LLC is based in Tennessee, USA. If you are located in the UK or EEA, your personal data is transferred to the United States when you use our service. We rely on Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) as the legal mechanism for those transfers. Our third-party processors (Google, Anthropic, Stripe, Resend, Supabase) maintain their own transfer mechanisms; links to their privacy policies are available on request.

7. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data ("right to be forgotten")
  • Restrict or object to certain processing
  • Portability: receive your data in a machine-readable format
  • Withdraw consent at any time for consent-based processing (for example, future analytics cookie preferences)
California residents (CCPA): You have the right to know what personal information we collect, to request deletion, and to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact privacy@legendarytales.club.

To exercise any of these rights, email privacy@legendarytales.club. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

If you are in the UK or EU and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (in the UK: the ICO at ico.org.uk).

8. Security

We use industry-standard measures to protect your data: HTTPS everywhere, environment-level secrets management (no plaintext keys in code), and access controls limiting who can query production data. Authentication uses Supabase magic links; no passwords are stored. No system is perfectly secure; if you believe your account has been compromised, contact us immediately at privacy@legendarytales.club.

9. Children's privacy

We designed Legendary Tales Club specifically so that children do not interact with our service and have no need to create accounts or submit data themselves. The service is used by parents on behalf of their children.

The child profile data you submit (name, age, interests) is:

  • Used only to generate stories
  • Not used to build advertising profiles
  • Not shared with third parties except for the purpose of generating the story (Anthropic's API)
  • Not linked to any persistent identifier for the child

If your child is old enough to use a phone or computer, please ensure they do not attempt to create their own Legendary Tales Club account.

10. Changes to this policy

We may update this policy as our service evolves or as legal requirements change. If we make material changes (for example, a new category of data or a new third-party processor), we will notify you by email at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact

Legendary Tales Club, a brand of Legacy Vantage LLC

Tennessee, USA

Email: privacy@legendarytales.club

Web: legacy-vantage.com

For EU/UK users: if you have a data protection concern we have not resolved, you may contact your national data protection authority.