
Privacy Policy
Company details:

EduCocreation GmbH
Geusenstr. 8
10317 Berlin

Email:
Info: hello@nuri-tales.com
Privacy: privacy@nuri-tales.com
Support: support@nuri-tales.com

Phone: +49 178 400 8667
VAT: DE329214611
DUNS: 343141681
HRB 216114 B / Amtsgericht Charlottenburg
Managing Director: Annemieke Lais
Overview:
Policy: Last updated: 28 April 2026

1. About this privacy notice

This privacy notice explains how EduCocreation GmbH ("Nuri Tales", "we", "us", "our") processes personal data when you use the Nuri Tales service. The service consists of:
- the Nuri Tales mobile app for iOS and Android,
- the Nuri Tales web app at app.nuri-tales.com, and
- our public website at www.nuri-tales.com.
Together these are referred to as the Service.
This notice applies to everyone who interacts with the Service: visitors to the website, parents and caregivers who create an account, and the children whose information parents enter into the app. It does not cover third-party websites you may reach via links from the Service; please consult their own privacy notices.
If you have any questions about this notice or about how we handle your personal data, please contact us at privacy@nuri-tales.com.

2. Controller and contact
The controller for the processing of personal data through the Service within the meaning of Article 4(7) of the EU General Data Protection Regulation (GDPR) is:
EduCocreation GmbH
Geusenstr. 8
10317 Berlin, Germany
Phone: +49 178 400 8667
Email: hello@nuri-tales.com
Privacy enquiries: privacy@nuri-tales.com
Customer support: support@nuri-tales.com
Managing Director: Annemieke Lais
Commercial register: HRB 216114 B, Amtsgericht Charlottenburg
VAT ID: DE329214611

2.1 Data Protection Officer
EduCocreation GmbH has not appointed a Data Protection Officer because we are not required to do so under Article 37 GDPR or Section 38 BDSG. For all data-protection enquiries please write to privacy@nuri-tales.com or to the postal address above.

3. General principles of data processing

We process personal data only on a lawful basis. Depending on the activity, the legal basis is one of the following:
- Article 6(1)(a) GDPR — your consent, for example for marketing email or non-essential cookies. You can withdraw your consent at any time with effect for the future.
- Article 6(1)(b) GDPR — performance of a contract, where processing is necessary to provide the Service you have signed up for (account, story generation, subscription, transactional notifications).
- Article 6(1)(c) GDPR — compliance with a legal obligation, for example tax-law retention of billing records.
- Article 6(1)(f) GDPR — legitimate interests, for example operating the Service securely, preventing fraud and abuse, or diagnosing technical errors. Where we rely on this basis, we have weighed our interests against your fundamental rights and freedoms.
When you describe a difficult moment with your child to generate a story, your description may include information about your child's emotional, behavioural or developmental context, which can constitute a special category of personal data within the meaning of Article 9(1) GDPR. We process this data on the basis of your explicit consent under Article 9(2)(a) GDPR, given when you submit the story request. You can withdraw this consent at any time by deleting the corresponding story or your account; the data is then erased as described in section 10.
We collect personal data only to the extent necessary for the purpose described in each of the sections that follow. We do not sell personal data, and we do not use personal data for any purpose other than the one for which it was collected, unless you have separately consented or we are required to do so by law.

4. When you visit our website

4.1 Server log data
When you load any page on www.nuri-tales.com or app.nuri-tales.com, the following data is automatically transmitted by your browser to our hosting provider and to our backend:
- IP address,
- date and time of the request,
- HTTP method, URL and referrer,
- response status,
- browser type and version, operating system and language,
- session and request identifiers (random UUIDs we generate to correlate logs).
This data is processed on the basis of Article 6(1)(f) GDPR for our legitimate interest in operating the Service securely, defending against attacks and diagnosing errors. The IP address is used only for the duration of the request, in particular for routing responses and for rate-limiting; we do not build profiles from it. Server log data is deleted after 30 days.

4.2 Cookies and similar technologies
A cookie is a small text file that a website stores on your device. Some cookies are required for the Service to function; others are used to measure how the website is used.
The legal basis for storing strictly necessary cookies on your device is § 25(2)(2) TTDSG. The legal basis for storing all other cookies is § 25(1) TTDSG and Article 6(1)(a) GDPR — your consent. Consent is collected when you first open the web app, via a banner, and stored in the cookie nuri_privacy_accepted. You can withdraw consent at any time by clearing your browser's cookies for app.nuri-tales.com.

4.2.1 Strictly necessary cookies

| Cookie | Purpose | Lifetime |
| --- | --- | --- |
| nt_access, nt_refresh | Keep you logged in (HttpOnly, Secure, SameSite=Lax) | until session end / refresh expiry |
| nuri_privacy_accepted | Remember that you have acknowledged this privacy notice | 12 months |
| nuri_referral_code | Apply a referral code at sign-up | until sign-up |

You can disable cookies in your browser settings. If you do, parts of the Service that require login will not work.

4.2.2 Analytics cookie
We use Vercel Analytics, provided by Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA), to measure anonymous traffic to our website (page views and Core Web Vitals such as loading time, responsiveness and layout stability). Vercel Analytics sets one cookie:

| Cookie | Purpose | Lifetime |
| --- | --- | --- |
| __vdsi | An opaque session identifier used to deduplicate page views | until the end of the browser session |

Vercel Analytics does not collect personal identifiers and is not used for advertising. Processing for our project is configured on Vercel's EU infrastructure.
We do not use Google Analytics, Meta Pixel, advertising trackers, or any cross-site tracking technology.

5. When you use the Nuri Tales app

This section describes how we process personal data when you use the mobile app or the web app at app.nuri-tales.com. Each subsection lists the data we collect, the purpose of processing and the legal basis. The data we hold about you is stored in our database, which is operated by Supabase, Inc. (970 Toa Payoh North #07-04, Singapore 318992) on EU infrastructure (Frankfurt). Supabase acts as our processor under Article 28 GDPR.
Our backend services run on Render Services, Inc. (525 Brannan Street, Suite 300, San Francisco, CA 94107, USA) in Frankfurt. Our web properties run on Vercel Inc. on EU infrastructure.

5.1 Creating an account
To use Nuri Tales you create an account with your email address and a password. Optionally, you can also provide a first name, last name and a profile picture, and choose a language preference and notification preferences. Authentication is handled by Supabase Auth.
- Purpose: to create and secure your account, to authenticate you when you log in, and to communicate with you about the Service.
- Legal basis: Article 6(1)(b) GDPR (performance of a contract).
We never see your password in plain text; it is stored only as a one-way cryptographic hash. On your device, your authentication tokens are stored in your operating system's secure storage (iOS Keychain, Android Keystore, or HttpOnly cookies on the web).
The Service is intended for adults (parents and caregivers aged 18 or over). We do not knowingly create accounts for minors. You confirm that you are 18 or over by accepting our Terms and Conditions when you sign up.

5.2 Adding a child profile
To generate a personalised story, you add a profile for the child the story is about. A child profile contains:
- the child's first name,
- age in years (we do not store the date of birth),
- gender (optional),
- personality traits selected from a list (e.g. "sensitive", "shy at first", "strong-willed"),
- interests selected from a list, and an optional free-text field for additional interests,
- appearance details (hair colour, eye colour, skin tone) and optional accessibility markers (e.g. glasses, wheelchair, hearing aids), used so that the child appears consistent across illustrations,
- up to three "important figures" in the child's life (e.g. a grandparent), given by name and relationship,
- a profile picture if you choose to upload one,
- the language for stories.

- Purpose: to enable us to generate stories that are personal to your child.
- Legal basis: Article 6(1)(b) GDPR (performance of the contract). Where the data describes a child's emotional, behavioural or accessibility context, processing additionally rests on Article 9(2)(a) GDPR — your explicit consent, given when you complete the child profile.
Children do not interact with Nuri Tales directly. We process information about a child only because you, the parent or caregiver, have entered it. You are responsible for the accuracy of the data and for ensuring that you are entitled to provide it. You can edit or delete a child profile at any time in the app.

5.3 Creating a personalised story
When you ask Nuri Tales to create a story about a difficult moment with your child, you provide a free-text description of the situation ("what happened") and you select an emotional theme. On Android, you may dictate the description by voice (see section 5.10).
We send the situation description, your selected emotional theme, and the relevant child profile to our AI partner Anthropic, PBC (548 Market Street PMB 90375, San Francisco, CA 94104, USA), which produces a behavioural analysis and a draft of the story narrative using its Claude model. The narrative, together with character descriptions, is then sent to Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), which generates the illustrations using its Imagen and Gemini models. We store the analysis, the story text and the illustrations in your account.
- Purpose: to generate the personalised story you have requested.
- Legal basis: Article 6(1)(b) GDPR (performance of the contract). For any sensitive information that the situation description may contain, the additional basis is Article 9(2)(a) GDPR — your explicit consent, given when you submit the story request.
Anthropic and Google process this data exclusively as our processors under Article 28 GDPR. They are contractually obliged not to use your data to train their models. Both providers are based in the United States; transfers are safeguarded by the EU Standard Contractual Clauses adopted by the European Commission.

5.4 Stories, illustrations and reflection materials
The output of section 5.3 is stored in your account so that you can read it again at any time. This includes the story text, the illustrations, character reference portraits, parent-companion notes, reflection prompts and — for premium subscribers — coloring pages, panoramic illustrations and reflection cards.
- Purpose: to deliver and persist the content you have requested.
- Legal basis: Article 6(1)(b) GDPR.
You can delete an individual story at any time. When you delete your account, all stories, illustrations and reflection materials are deleted (see section 10).

5.5 Subscriptions and in-app purchases
Nuri Tales offers a free tier and a paid premium subscription. Subscriptions are sold and billed by:
- Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland — for users on iOS,
- Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland — for users on Android,
- Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland — when you manage your subscription through the customer portal of our subscription management partner.
Apple, Google and Stripe receive your payment instrument and billing data. We never receive your card number, IBAN or billing address.
We use RevenueCat, Inc. (1209 California Street, San Francisco, CA 94109, USA) as a processor to receive subscription events from Apple, Google and Stripe and to keep your entitlement state up to date. We send RevenueCat your account identifier (a UUID) and the subscription package you select; we receive the entitlement state, renewal and expiry dates and event identifiers. Transfers to RevenueCat are safeguarded by the EU Standard Contractual Clauses.
- Purpose: to fulfil the paid subscription you have signed up for.
- Legal basis: Article 6(1)(b) GDPR (performance of the contract) and, for the retention of billing records, Article 6(1)(c) GDPR in conjunction with § 257 HGB and § 147 AO.

5.6 Push notifications
If you allow it on your device, we send push notifications to inform you when your story is ready, when your subscription changes or when a referral has been credited. To deliver them we store a per-device push token, the platform (iOS or Android) and an optional friendly device name.
Notifications are delivered via the Expo Push Service, provided by 650 Industries, Inc. (650 Castro Street #120-227, Mountain View, CA 94041, USA), and from there onwards by Apple's Push Notification Service (Apple Distribution International Ltd., Ireland) and Google's Firebase Cloud Messaging (Google Ireland Ltd., Ireland). The body of a notification can include the child's first name and the story title.
- Purpose: to inform you about events related to your account.
- Legal basis: Article 6(1)(b) GDPR (performance of the contract). You can withdraw your permission for push notifications at any time in your device settings.
Transfers to the Expo Push Service are safeguarded by the EU Standard Contractual Clauses.

5.7 Transactional emails
We send you transactional emails when:
- a story is ready,
- your subscription changes (renewal, cancellation, expiry),
- a referral has been credited.
Transactional emails are sent via Resend, Inc. (2261 Market Street #4203, San Francisco, CA 94114, USA), which acts as our processor. Resend receives your email address, the subject and the message body, which can include the child's first name and the story title.
- Purpose: to inform you about events related to your account that you cannot otherwise track.
- Legal basis: Article 6(1)(b) GDPR.
Transfers to Resend are safeguarded by the EU Standard Contractual Clauses.

5.8 Newsletter
If you sign up for the Nuri Tales newsletter, we use your email address and (if provided) your first name to send you periodic emails about Nuri Tales features, content and offers. We use a double opt-in process: after you submit your email address, we send you a confirmation email containing a link that you must click to activate the subscription. We log the date, time and IP address of both your request and your confirmation in order to demonstrate consent under § 7(2) Nr. 3 UWG.
- Purpose: to inform you about Nuri Tales news and offers.
- Legal basis: Article 6(1)(a) GDPR — your consent.
You can withdraw your consent at any time by clicking the unsubscribe link in any newsletter email or by writing to privacy@nuri-tales.com. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
The newsletter is sent via Resend (see section 5.7).

5.9 Feedback and issue reports
You can rate a story (1–5 stars), provide free-text feedback on the story and your child's response, and report issues with a story (visual glitch, inappropriate content, factual error, etc.). When you submit feedback or a report, we store the rating, your free-text comments, the story to which they relate, and the timestamp.
We additionally ask whether you would like to be contacted for a research interview. This is an explicit opt-in; we will only contact you if you have actively chosen this option.
- Purpose: to improve the Service, to respond to issues, and to invite you to research interviews if you have opted in.
- Legal basis: Article 6(1)(b) GDPR for the feedback as part of the Service; Article 6(1)(a) GDPR for the research-interview opt-in.

5.10 Voice input
On the screen where you describe a difficult moment with your child, you may dictate the description by voice. On iOS, transcription is performed entirely on your device by Apple's on-device speech recogniser. On Android, depending on your device and language, transcription may be performed on-device or by Google's cloud speech service (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland). The audio is not stored by Nuri Tales; we receive only the resulting text.
- Purpose: to allow you to enter the situation description by voice instead of typing.
- Legal basis: Article 6(1)(b) GDPR (performance of the contract; you initiate the dictation).

5.11 Crash and performance monitoring
To diagnose errors and improve reliability, we use Sentry, provided by Functional Software, Inc. d/b/a Sentry (45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA). Sentry receives an event whenever the Service encounters an unhandled error; the event contains the error type, the stack trace, the route at which the error occurred, the response status, a request identifier and a release version. On our backend services and on our website we strip identifying request fields (auth tokens, cookies, headers, names, email addresses, situation descriptions, child appearance details) before the event is transmitted.
From the mobile app, the error event additionally includes your account identifier (a UUID) and email address, so that we can locate the case if you contact support.
- Purpose: to operate the Service reliably and to diagnose errors.
- Legal basis: Article 6(1)(f) GDPR — our legitimate interest in providing a stable and secure Service.
We use Sentry on its EU SaaS instance; events are stored in the European Union. You can object to this processing at any time by writing to privacy@nuri-tales.com.

5.12 Anonymous product analytics
To understand how the Service is used and to improve it, we use PostHog, provided by PostHog Inc. (2261 Market Street #4008, San Francisco, CA 94114, USA). We have configured PostHog to run without cookies and without persistent identifiers:
- no cookies are set in your browser,
- no entry is written to your browser's local storage,
- on the mobile app, no entry is written to the app's local storage,
- a session identifier is generated only in working memory and is discarded when you close the browser tab or the app,
- IP addresses are not stored,
- analytics events are not linked to your account.
The events we collect describe how the Service is used in aggregate — for example, which screens are opened, which features are used and where errors are encountered. Events do not contain story content, child profile data, situation descriptions or any other content you provide.
- Purpose: to understand product usage and to improve the Service.
- Legal basis: Article 6(1)(f) GDPR — our legitimate interest in measuring product usage anonymously and improving the Service. Because no information is stored on your device, no consent is required under § 25 TTDSG.
Processing takes place on PostHog's EU cloud instance (hosted in Frankfurt, Germany). Where transfer outside the EEA is necessary (e.g. for support by PostHog staff in the United States), it is safeguarded by the EU Standard Contractual Clauses. You can object to this processing at any time by writing to privacy@nuri-tales.com.

5.13 Customer support
When you contact us at support@nuri-tales.com or privacy@nuri-tales.com, we receive your email address and the contents of your message. We use this information to respond to you and to keep a record of the request.
- Purpose: to handle customer enquiries and complaints.
- Legal basis: Article 6(1)(b) GDPR where the request relates to the contract; Article 6(1)(f) GDPR where it does not.
We retain support correspondence for 24 months after the last reply, and longer if required for legal obligations or to defend legal claims.

5.14 Internal operational notifications
For operational visibility, our internal team receives certain notifications in our Slack workspace. Slack is provided by Slack Technologies, LLC, a Salesforce company (Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA). The notifications can include your account identifier and — on "story complete" and "referral" events — the child's first name and the story title; on account-deletion events, the parent's email address. Access to these notifications is restricted to staff members with an operational need.
- Purpose: internal operations, safeguarding and incident response.
- Legal basis: Article 6(1)(f) GDPR — our legitimate interest in operating and supporting the Service.
Transfers to Slack are safeguarded by the EU Standard Contractual Clauses.

6. Required provision of personal data

Some personal data is required to use the Service:
- email address and password — without these you cannot create an account,
- at least one child profile (with the child's first name and age) — without this we cannot generate a story for you,
- payment data, collected by Apple, Google or Stripe — for paid subscriptions.
Other data is optional: profile pictures, last name, custom interests, important figures, accessibility markers, voice input, newsletter subscription, push notifications, research-interview opt-in. Not providing optional data does not affect your access to the core Service.

7. Categories of recipients

Within EduCocreation GmbH, only those staff members whose role requires it have access to your personal data, and only to the extent necessary.
In addition, the following categories of external recipients receive personal data on our behalf as processors under Article 28 GDPR or, where indicated, as independent controllers:
- Hosting and infrastructure providers — Supabase (database, authentication, file storage), Render (backend hosting) and Vercel (web hosting and anonymous analytics), all on EU infrastructure.
- Artificial intelligence providers — Anthropic (Claude, for behavioural analysis and story generation) and Google (Gemini and Imagen, for illustrations; Google Speech, for Android voice input fallback).
- Subscription and payment providers — Apple, Google and Stripe (as independent controllers in respect of payment processing) and RevenueCat (entitlement management on our behalf).
- Communication providers — the Expo Push Service together with Apple's and Google's downstream push services (push notifications), and Resend (transactional emails and newsletter).
- Operational tools — Sentry (error monitoring), PostHog (anonymous product analytics) and Slack (internal team notifications).
- Public authorities, courts and legal advisors — where we are obliged or permitted by law to disclose personal data.
We have signed a data processing agreement under Article 28 GDPR with each of our processors.

8. Transfer to third countries

Our infrastructure for hosting, database, authentication, file storage, error monitoring and web analytics is operated in the European Union. Where personal data is nevertheless transferred to a country outside the European Economic Area — in particular to the United States, where Anthropic, Google LLC, PostHog, RevenueCat, Resend, Sentry, Slack and the Expo Push Service have their headquarters — the transfer is safeguarded by the Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c) GDPR.
We have additionally assessed each transfer for any local laws that could undermine the level of protection guaranteed by the Clauses, and have agreed appropriate supplementary measures with our processors where required.

9. Security

We use technical and organisational measures appropriate to the risk to protect your personal data against unauthorised access, alteration, loss and destruction. These measures include:
- TLS encryption of all traffic between your device and our servers,
- encryption of personal data at rest in our database and file storage,
- isolation of authentication credentials — passwords are stored only as one-way hashes; access tokens are stored on your device in the operating system's secure storage,
- access controls and the principle of least privilege for our staff and our processors,
- regular security reviews of our code, dependencies and infrastructure,
- documented incident response procedures.
We continuously review and improve our security measures in line with the state of the art.

10. Storage period

We keep personal data only for as long as is necessary for the purposes for which it was collected, or as long as we are required to keep it by law.

| Data | Storage period |
| --- | --- |
| Account, child profiles, stories, behavioural analyses, illustrations, reflection materials, feedback | Until you delete the relevant item. Account deletion: 15-day grace period during which the account is suspended and you can restore it by signing in; after the grace period your data is erased and residual copies in our backups are overwritten in the normal course (typically within 30 days). |
| Server access logs | 30 days |
| Sentry error events | 90 days |
| Notification audit log | 12 months |
| Customer support correspondence | 24 months after the last reply |
| Internal admin-action audit log | 24 months |
| Newsletter subscription records | until you unsubscribe; consent records retained for proof under § 7 UWG for 3 years thereafter |
| Invoices, RevenueCat events and other billing-relevant records | 10 years (§ 257 HGB, § 147 AO) |

To delete your account, use the Delete account function in the app, or write to privacy@nuri-tales.com if that function is not available to you. We will erase your data in accordance with the table above.

11. Your rights

You have the following rights with regard to the personal data we hold about you:
- Right of access (Article 15 GDPR) — to obtain confirmation of whether we process your personal data, and if so, to receive a copy of that data and information about how it is processed.
- Right to rectification (Article 16 GDPR) — to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure (Article 17 GDPR) — to have your personal data deleted, in particular when it is no longer necessary for the purposes for which it was collected.
- Right to restriction of processing (Article 18 GDPR) — to require us to limit processing in defined circumstances.
- Right to data portability (Article 20 GDPR) — to receive your personal data in a structured, commonly used and machine-readable format, or to have it transmitted to another controller.
- Right to object (Article 21 GDPR) — to object on grounds relating to your particular situation to processing carried out on the basis of Article 6(1)(f) GDPR.
- Right to withdraw consent (Article 7(3) GDPR) — to withdraw consent at any time where processing is based on Article 6(1)(a) or 9(2)(a) GDPR. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at privacy@nuri-tales.com. We will respond to your request without undue delay and at the latest within one month.
You also have the right to lodge a complaint with a supervisory authority (Article 77 GDPR). The supervisory authority competent for EduCocreation GmbH is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin, Germany
Email: mailbox@datenschutz-berlin.de
You may also lodge a complaint with the supervisory authority of your habitual residence or place of work.

12. Automated decision-making, including profiling

Nuri Tales uses artificial intelligence (Anthropic's Claude and Google's Imagen and Gemini) to generate the personalised stories, illustrations and parent guidance you ask for. The AI does not make decisions that produce legal effects concerning you or that significantly affect you within the meaning of Article 22(1) GDPR. The AI generates content that you, the parent, choose how to use; it does not decide your subscription tier, whether you may use the Service, or any other matter affecting your rights or legal status.
We do not carry out profiling within the meaning of Article 4(4) GDPR.

13. Changes to this notice

We may update this privacy notice from time to time, for example to reflect changes to the Service, to our processors or to applicable law. The version date at the top of this notice indicates when it was last revised. If we make changes that materially affect how we process your personal data, we will notify you in advance by email and/or in the app.