Privacy Policy

Last updated: 10/10/2025

StoryCloud Pty Ltd (“StoryCloud”, “we”, “us”, or “our”) respects your privacy and is committed to protecting the personal information of children, parents, guardians, educators, and early learning centres who use our services. This Privacy Policy explains how we collect, use, store, share, and safeguard personal information when you use our mobile application, website, and associated services (together, the “Services”). By using the Services, you (as a parent, guardian, or authorised educator) consent to the practices described in this Privacy Policy. If you do not agree with this Policy, please discontinue use of the Services.

1. About StoryCloud

StoryCloud is a children’s media and education company founded in Australia. Our Services deliver interactive and values-led stories designed for children aged 2–9. The platform blends immersive entertainment with learning outcomes, accessed through family subscriptions and early learning centres. Because our Services are designed for and used by young children, we take extra care in handling personal information, applying the strictest privacy and safety standards.

We comply with:

The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Guidance from the Office of the Australian Information Commissioner (OAIC).

Guidance from the Office of the eSafety Commissioner, including Safety by Design principles.

Sectoral standards such as the Early Years Learning Framework (EYLF) and oversight of the Australian Children’s Education & Care Quality Authority (ACECQA).

Australian Consumer Law (ACL) requirements for fairness and transparency.

We continually review our privacy and safety approach to reflect evolving best practice.StoryCloud is designed so that centre-delivered educational use remains primary; any family engagement features are optional and do not change our privacy commitments or expand the data we collect from children.

1A. Roles and Responsibilities (Centres vs StoryCloud)

StoryCloud acts as the APP entity for personal information handled via the Services. Centres remain responsible for obtaining and recording parental/guardian consent when onboarding children through a centre account and for complying with their obligations under the NQF/NQS and local privacy requirements. Where a centre administrator views a child’s profile/progress, StoryCloud provides access on the centre’s instruction andwithin the parent-approved scope.

2. Definitions

Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable, consistent with the Privacy Act 1988 (Cth).

De-identified Information: Information that cannot reasonably be used to identify an individual.

Aggregated Data: Combined, statistical information from multiple users that cannot reasonably identify an individual.

Services: StoryCloud’s mobile application, website, and related digital platforms.

Child Users: Children aged 2–9 who access StoryCloud content through an authorised account.

3. Information We Collect

We follow the principle of data minimisation – only collecting what is necessary to provide and improve our Services.

3.1 Information About Children

We collect only:

First name (for personalisation).

Age (to tailor content to developmental stage).

Usage data – such as listening history, reading progress, and interactions with stories.

We do not collect:

Surnames.

Contact details (address, email, phone).

Photos, audio, or video recordings of the child.

Biometric or health data.

Precise geolocation data.

3.2 Information About Parents/Guardians

When you create an account, subscribe, or contact us, we may collect:

Name and contact details.

Payment information (processed securely by third-party payment providers).

Account login credentials.

Communications with us (e.g., customer support enquiries).

3.3 Information About Educators and Early Learning Centres

When centres onboard children into StoryCloud, we may collect:

Centre contact details.

Names of authorised educators.

Confirmation that parental/guardian consent has been obtained.

3.4 Technical Information

We also collect limited technical information, including:

Device type and operating system.

IP address (for service delivery and security).

App usage analytics (aggregated and anonymised where possible).

Device serial numbers and MDM configuration identifiers used solely to provision, secure, and support the StoryCloud app and Device Bundles. These identifiers are not linked to additional child attributes beyond the parent/centre account relationship needed to provide support.

App-scoped diagnostics only (e.g., crashes, playback errors). We do not monitor activity outside the StoryCloud app, do not scan device photo libraries, emails, messages, or unrelated apps, and do not collect microphone/camera data unless explicitly enabled for a clearly labelled in-app feature.

No advertising IDs or third-party ad trackers are used. Analytics are limited to service improvement.

StoryCloud does not access photos, emails, messages, or any unrelated apps on the device.

4. How We Collect Information

Directly from parents/guardians when creating a child profile or managing an account.

From early learning centres when educators set up accounts on behalf of families (with parental consent).

Automatically through the app as children interact with stories (e.g., usage data). If a centre sets up an account on your behalf, the centre confirms parental consent and provides only the minimum details required (first name and age) to activate the profile.

5. Why We Collect and Use Information

We use personal information only for the following purposes:

To provide, personalise, and improve the StoryCloud experience.

To remember what stories a child has accessed and adapt recommendations.

To enable educators and parents to track learning progress.

To process payments and manage subscriptions.

To communicate with parents, guardians, and centres.

To comply with safety, child-protection, and legal obligations.

To develop new content and technology, using aggregated and anonymised data.

Safety and abuse prevention, including preventing unauthorised access, fraud, or misuse.

No targeted advertising or behavioural profiling of children.

Product research and quality improvement using de-identified and/or aggregated data only.

We never use children’s data for targeted advertising, profiling, or unrelated marketing.

6. Legal Basis for Handling Information

StoryCloud handles information in accordance with the APPs, including but not limited to:

APP 1 – Transparency: This Privacy Policy outlines our approach.

APP 2 – Anonymity: Children are identified only by first name and age.

APP 3 – Collection: We only collect what is reasonably necessary.

APP 5 – Notification: Parents/guardians and centres are notified at collection.

APP 6 – Use & Disclosure: Information is used only for stated purposes.

APP 11 – Security: We safeguard information against misuse and unauthorised access.

APP 12–13 – Access & Correction: Parents/guardians may access or correct their child’s information at any time.

We do not rely on automated decision-making to make decisions about a child. Recommendations are rule-based and/or editorially curated and may use de-identifiedusage patterns.

7. Parental Consent and Rights

Because our Services are designed for children under 13, we require parental or guardian consent for all data collection.

Consent at Signup:Parents provide their child’s first name and age directly, or early learning centres confirm parental consent.

Access & Correction: Parents can request access to, correction of, or deletion of their child’s information at any time.

Withdrawal of Consent:Parents may withdraw consent by deleting their child’s profile or unsubscribing.

Probability:Parents can request an export of their child’s usage data in a commonly used format prior to deletion.

Centre-managed requests:Where access occurs via a centre, you may submit access/correction/deletion requests to either the centre or StoryCloud; we will coordinate to ensure a single, timely response.

If you believe your child’s data has been collected without proper consent, please contact us immediately.

8. Sharing and Disclosure of Information

We do not sell or rent personal information. We disclose information only when necessary:

Service Providers: Trusted third-party providers (e.g., cloud hosting, payment processors). All providers are bound by strict security standards.

Early Learning Centres: Authorised educators may view a child’s profile and progress data when the Service is used through a centre.

Legal & Safety: We may disclose information to comply with law, regulation, or to protect safety.

Corporate Transactions: If StoryCloud undergoes a merger or acquisition, personal information will remain protected and parents notified.

Law enforcement or regulatory requests: where disclosure is required by law (e.g., valid subpoena, court order).

Service-provider transparency: We maintain a current list of key sub-processors (hosting, analytics, payments) available on request or via our website, and require written privacy and security commitments from all vendors.

9. Data Storage, Retention, and Security

We implement strict security measures, including:

Encryption of data in transit (SSL/TLS) and at rest.

Secure storage on servers located in Australia.

Role-based access controls to restrict staff access.

Regular penetration testing and monitoring.

Employee training on privacy and child data handling.

Retention:

Active accounts: retained for service delivery.

Closed accounts: personal information is deleted or de-identifiedwithin 30 days, unless retention is required by law.

Backups: overwritten and purged on rolling cycles, with a maximum residual of 90 days post-deletion.

Financial/transaction records: retained up to 7 years for tax and regulatory compliance.

Device identifiers (MDM): removed or de-linked from the account within 30 days after device return or account closure.

Device information (such as serial numbers and MDM configurations) is stored securely and used only to provide support, security updates, and MDM services. Device-related data is treated with the same protections as all other StoryCloud data.

10. Data Breach Response

StoryCloud complies with the Notifiable Data Breaches (NDB) scheme. In the event of a data breach likely to result in serious harm:

We will promptly assess the breach in good faith.

Notify affected individuals and the OAIC where the NDB scheme requires notification.

Provide guidance on steps families can take to protect themselves.

11. Children’s Online Safety

Aligned with the eSafety Commissioner’s Safety by Design framework, we ensure:

No public chat or user-to-user messaging.

No sharing of personal information between children.

No third-party advertising or tracking.

Age-appropriate, child-friendly interfaces.

Regular content review to ensure developmental suitability.

StoryCloud is designed for educator-guided and/or parent-guided use;supervision remains essential.

12. Cookies and Analytics

Our Services may use strictly necessary and performance-related cookies or SDKs (e.g., Firebase analytics) to help us understand usage and improve quality.

We do not use cookies for advertising.

You can adjust analytics preferences via device settings or in-app privacy controls where available; disabling strictly necessary telemetry may impact service quality.

Where SDKs (e.g., Firebase) are used, IP addresses are truncated or de-identified where feasible, and no advertising features are enabled.

13. International Considerations

StoryCloud currently stores and processes data in Australia. We do not transfer children’s personal information overseas unless strictly necessary and with safeguards that meet APP 8. If international transfers are required in the future, we will:

Ensure compliance with APP 8 (cross-border disclosure).

Update this Policy to reflect applicable overseas requirements (e.g., COPPA in the US, GDPR-K in the EU).

Notify parents and centres before transfers occur.

14. Your Rights

Under the Privacy Act, parents, guardians, and educators have the right to:

Request access to the personal information we hold.

Request correction of inaccurate or incomplete information.

Request deletion of information.

Request a copy/export of their child’s usage data before deletion.

Make complaints to StoryCloud or directly to the OAIC.

We aim to respond to access/correction/deletion requests within 30 days and will inform you if additional time is reasonably required.

15. Complaints and Contact

If you have questions, concerns, or complaints about our handling of personal information, please use the contact channels listed on our website. We will acknowledge all complaints within 7 business daysand aim to resolve them within 30 days. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

15A. Children’s Data Specific Protections

No social features: Children cannot message or publicly post content.

No third-party ads or tracking: We do not use advertising IDs or third-party ad technology.

Camera/microphone: Disabled by default and only activated with a clear, one-time permission prompt for features that need them; content remains local unless you choose to share it.

Deletion at scale: If a centre terminates access, children’s profiles linked to that centre are deleted or de-identified within the standard retention windows unless a family subscription continues the account.

Age-appropriate design: Interfaces are simplified, minimise data entry, and avoid persuasive design aimed at children.

16. Updates to This Policy

We may update this Privacy Policy to reflect changes to our practices, legal requirements, or services. Material changes include introducing new child-data types, enabling camera/microphone features by default, or onboarding new classes of service providers; we will provide clear notice (email, in-app notification, or website notice) in such cases.