Privacy Policy
Effective: May 17, 2026
Last updated: May 17, 2026
Policy version: 2026-05-17
1. Who we are
Gingerbread Studios LLC, a Wyoming limited liability company ("we," "us," or "our"), operates the Gingerbread™ mobile application (distributed on the App Store as "The Gingerbread App") and this website (the "Services"). This Privacy Policy explains how we collect, use, store, and protect personal information.
Registered address: c/o Northwest Registered Agent LLC, 30 N Gould St Ste N, Sheridan, WY 82801, United States.
For privacy questions or to exercise your rights under any applicable privacy law, email hello@thegingerbreadapp.com. We are the data controller for purposes of the GDPR. We have not appointed a Data Protection Officer; our processing does not meet the GDPR Article 37 thresholds requiring one.
2. What we collect
The Gingerbread mobile app collects:
- Account data: email address, name, date of birth, profile photo, password hash (for email/password accounts), Apple ID (for users signing in with Apple), and your local timezone.
- Family content you create: stories you record or write, voice recordings, names, ages, physical descriptions, and reference photos of family members — including minors when you describe or upload them.
- AI-generated content: illustrations and polished story text our service generates from your inputs.
- Usage data: in-app events and interactions, used to understand which features work well.
- Technical data: device type, operating system version, crash reports, and performance metrics.
- Push tokens: the device token your phone gives us so we can deliver notifications you have opted into.
- Purchase data: transaction identifiers and subscription status from in-app purchases (no card data — see section 4).
The https://thegingerbreadapp.com website collects:
- Email addresses submitted through any sign-up or waitlist form, delivered through our email service provider.
- Aggregate page-view analytics via Vercel Analytics, which does not use cookies and does not identify individual visitors. No cross-site tracking.
3. How we use your information and our legal basis (GDPR)
- To operate your account, deliver stories and illustrations, send transactional emails, and process subscriptions — contract (GDPR Art. 6(1)(b)).
- To generate AI content from your inputs, including content about family members you describe or photograph — consent (GDPR Art. 6(1)(a)). You provide this consent the first time you sign in to a build of the App that includes our consent gate, and again whenever this policy materially changes.
- To monitor service health, fix crashes, and understand product usage — legitimate interest (GDPR Art. 6(1)(f)). You may object at any time by emailing us.
- To meet legal obligations, including responding to lawful requests and preventing fraud or abuse — legal obligation (GDPR Art. 6(1)(c)).
4. Who we share data with
We use the following processors to deliver the Services. Each is bound by its own data-processing agreement (typically auto-incorporated into our agreement with them) and applies appropriate safeguards for any international transfers. We do not sell or rent personal information.
| Processor | Purpose | Region | Retention |
|---|---|---|---|
| OpenAI | Story generation, content moderation | US | Up to 30 days for abuse monitoring (per OpenAI's default API retention) |
| Google (Gemini) | Illustration generation | US | Inputs are not used to train Google's models (paid-tier Gemini API data-use terms); retained per Google AI terms |
| AssemblyAI | Audio transcription | US | Audio is not used to train AssemblyAI's models (paid-plan opt-out confirmed); audio and transcript deleted from AssemblyAI immediately after transcription completes |
| Amazon Web Services | Application hosting and database | US (us-east-1) | Lifetime of account; backups cycled within 35 days of deletion |
| Cloudflare R2 | Storage of illustrations, photos, audio, and exports | Multi-region CDN | Lifetime of account; deleted within 7 days of account deletion |
| Resend | Transactional email | US | 30 days |
| PostHog | Product analytics (user IDs and event names only — no email or other PII) | US | 7 years (PostHog default) |
| Sentry | Crash and error reporting (user ID only; IP and email scrubbed before send) | US | 90 days |
| RevenueCat | In-app subscription and purchase management | US | Lifetime of subscription |
| Apple | Sign in with Apple, In-App Purchase processing | US / per Apple | Per Apple terms |
| Expo | Push notification delivery | US | Lifetime of device registration |
| Vercel Analytics | Anonymous page-view analytics on this website (no cookies, no individual identification) | US | Per Vercel terms |
5. International transfers
If you use Gingerbread from outside the United States, your personal data is transferred to and processed in the United States. We rely on GDPR Article 49(1)(b) — the transfer is necessary for the performance of the contract between you and us (we cannot generate the story you requested without sending your inputs to our AI processors). Our processors apply their own appropriate safeguards (Standard Contractual Clauses and/or EU-US Data Privacy Framework certifications) as described in their data-processing agreements incorporated into their Terms of Service.
6. Content about family members and minors
Gingerbread is designed for adults to record and share stories about their families, which often include children and other relatives. When you describe, name, or upload photos of family members — including minors — you confirm you have the authority to share that information for the purpose of generating stories and illustrations. These details are sent to our AI processors (OpenAI for text, Google Gemini for images, AssemblyAI for transcription) so they can fulfill your request.
Account holders must be at least 13 years old. We do not knowingly create accounts for users under 13. If you believe a minor has created an account, email hello@thegingerbreadapp.com and we will delete the account.
7. Internal data access
Authorized team members may access account data and content for customer support, debugging, quality assurance of AI-generated content, and content-safety review. This access is limited to authorized personnel and conducted under confidentiality.
You can opt out of routine internal data access at any time from Settings → Privacy within the App. When you opt out, your name and email are hidden from internal tools. We retain the ability to review content that has been reported for safety concerns regardless of this setting.
8. Your rights
Subject to applicable law (including the GDPR, the UK GDPR, and the CCPA/CPRA), you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and associated data (in-app: Settings → Delete Account)
- Receive a copy of your data in a portable format
- Object to or restrict certain processing
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority in your country of residence
To exercise any of these rights, email hello@thegingerbreadapp.com. We respond within 30 days. We may need to verify that the request comes from the account holder before fulfilling it.
9. Retention
- Account data is retained while your account is active.
- After deletion, account records are removed within 30 days and user-generated content is purged from storage within 7 days.
- Backup copies cycle out within 35 days.
- Crash and error data is retained 90 days.
- OpenAI may retain prompt data up to 30 days for abuse monitoring per its API terms; we cannot shorten this on your behalf at our current scale.
10. California residents (CCPA / CPRA)
The categories of personal information we collect are listed in section 2. In the prior 12 months, we have not sold or shared personal information for cross-context behavioral advertising. California residents have the right to know what personal information we collect, request deletion, correct inaccurate information, opt out of any sale or share (we do not sell or share), and not be discriminated against for exercising any of these rights. To exercise CCPA rights, email hello@thegingerbreadapp.com.
11. Security
Data is encrypted in transit (TLS). Media files in cloud storage are served via short-lived signed URLs that expire quickly. Admin access to user data is logged in an internal audit trail. No system is perfectly secure; if we learn of a breach affecting you, we will notify you as required by applicable law.
12. Cookies and tracking
The Gingerbread mobile App does not use third-party tracking SDKs. The website does not use cookies for tracking purposes; Vercel Analytics collects aggregated, non-identifying page-view data without cookies.
13. Changes to this policy
We may update this Privacy Policy from time to time. The current policy version is shown at the top of this page. When the policy changes materially, we will ask you to review and agree to the updated terms inside the App before you can continue using it.
14. Contact
Questions about this Privacy Policy? Email hello@thegingerbreadapp.com or write to us at the registered address in section 1.