Privacy Policy

Bellori (“Bellori”, “we”, “our”, “us”) is a family memory and growth-tracking application. We are the data controller responsible for the personal data processed through the Bellori web application and any future mobile applications.

For all data protection enquiries, please contact us at: privacy@bellori.app

Bellori is operated under the laws of England and Wales. We process personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where our users are based in the European Economic Area (EEA), we also comply with EU GDPR. Where applicable, we comply with the Children's Online Privacy Protection Act (COPPA) for users in the United States.

Account information (parent / guardian):

• Full name and email address (provided at registration or via Google sign-in)
• Profile photo (optional; supplied by Google if you use Google sign-in)
• Password (stored as a one-way hash by Firebase Authentication — we never see your password)
• Parental PIN hash (if you set one; stored as a one-way hash)
• Notification and communication preferences
• Consent record: the date, time, IP address, device details, and version of policies you accepted at signup

Children's information (added by you):

• Child's first name and date of birth
• Child's gender (optional)
• Photos uploaded to the photo album or growth timeline
• Drawings and artwork created or uploaded in the app
• Health records you enter: appointments, vaccinations, measurements, doctor notes, and any uploaded documents (images or PDFs)
• Growth timeline data: height/weight measurements, milestone notes, and composite images
• Clothing and shoe sizes (Sizing feature)
• Star Board data: tasks, rewards, points, and transactions assigned to each child
• AI-generated content: stories, illustrations, audio narrations, and animated drawings created using our AI features

Usage and technical data:

• IP address (captured server-side at consent and sign-in)
• Browser type, operating system, and device identifiers
• Pages visited, features used, and session duration (via Firebase Analytics if enabled)
• Error logs and crash reports

Payment data:

• Subscription status and plan type
• Payment method details are handled entirely by Stripe — we never store card numbers on our servers
• Stripe Customer ID and Subscription ID (for account management)

All children's data — including names, photos, health records, and AI-generated content — is entered by, and stored under, the parent or guardian's account. You are solely responsible for ensuring you have the appropriate authority to store data about the children you add to your account.

Children's photos and images:Photos you upload are stored in Firebase Cloud Storage under your account's private folder. They are not publicly accessible unless you explicitly create a shareable growth timeline link. When you create a shareable link, only the specific growth timeline composite images are made accessible — not the original uploaded photos or any other data.

Health records: Medical and health information is particularly sensitive. This data is stored in encrypted Firebase infrastructure, accessible only to your authenticated account, and is never shared with third parties except as required to deliver the service (e.g., storage infrastructure providers listed in Section 6).

AI processing of children's data: When you use AI features (such as AI story generation or photo animation), the relevant image or prompt data is sent to our AI service providers for processing. See Section 7 for full details. AI providers are prohibited from using your data to train their models under our agreements with them.

COPPA (US users): If you are located in the United States, we comply with the Children's Online Privacy Protection Act. We do not knowingly collect personal information from children under 13 as account holders. If you believe a child under 13 has created an account without parental consent, please contact us at privacy@bellori.app and we will delete the account promptly.

• Account data — necessary to perform the contract with you (provide the Bellori service). Legal basis: contract performance (UK GDPR Article 6(1)(b)).
• Children's data you enter — you provide explicit consent for us to store and process this data when you create your account and add children. Legal basis: consent (UK GDPR Article 6(1)(a)) and legitimate interests in delivering the core service.
• Payment data — required to process subscription payments and comply with financial record-keeping obligations. Legal basis: contract performance and legal obligation (UK GDPR Article 6(1)(c)).
• Usage and technical data — used to operate, secure, and improve the service. Legal basis: legitimate interests (UK GDPR Article 6(1)(f)) — specifically our interest in maintaining a secure and functional service.
• Marketing emails — only sent if you opt in during signup. Legal basis: consent (UK GDPR Article 6(1)(a)). You can withdraw consent at any time by unsubscribing.

Bellori is built on Google Firebase, which is ISO 27001 certified and SOC 2 Type II compliant. Your data is stored in Google's secure cloud infrastructure.

• Firestore (database):All structured data (account, children's records, health data) is stored in Google Cloud Firestore with strict security rules enforced at the database level — only the authenticated account owner can read or write their own data. The subscription field is write-protected and can only be updated by our server.
• Firebase Storage (files): Photos, drawings, audio, animations, and health documents are stored in Firebase Storage. File access is restricted by security rules that verify you are the owner of the file path before allowing any read or write operation. Files are served over HTTPS and are not publicly browsable.
• Firebase Authentication:Passwords are hashed using industry-standard algorithms. We use Firebase Auth's secure session management with server-verified session cookies.
• Server-side API: Sensitive operations (subscription management, consent recording, AI credit deduction) are performed on the server using Firebase Admin SDK — never exposed directly to the client.
• Encryption in transit: All data is transmitted over HTTPS/TLS. We do not support HTTP connections.
• Encryption at rest: All data stored in Firebase (Firestore and Storage) is encrypted at rest by Google.

Breach notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority (the ICO in the UK) within 72 hours of becoming aware, as required by UK GDPR Article 33.

We do not sell your personal data. We only share it with the following service providers who help us operate Bellori, and only to the extent necessary:

• Google Firebase (Google LLC) — authentication, database, and file storage infrastructure. Data may be stored in the United States or European Union data centres. Google is certified under the EU-US Data Privacy Framework. Google Firebase Privacy
• Stripe (Stripe, Inc.) — payment processing and subscription management. Card data is handled directly by Stripe under PCI DSS compliance; we never receive raw card details. Stripe Privacy Policy
• AI service providers — for AI story generation, image processing, audio narration, and animation features. See Section 7 for full details.
• YouTube Data API (Google) — used for the safe video player feature to search for and retrieve child-appropriate video content. No personal data is sent to YouTube beyond standard API request metadata.

We may also disclose your data where required by law, to comply with a court order, or to protect the safety of our users or the public.

Bellori uses the following AI services to power its creative features:

• OpenAI (OpenAI, LLC)— for AI-generated story text and character descriptions. Text prompts (which may include your child's name and general story theme) are sent to OpenAI. No photos are sent for story generation.
• Replicate (Replicate, Inc.) — for AI image generation (story illustrations), photo animation, drawing animation, and background removal. Where images are processed, they are sent to Replicate over an encrypted connection and are not retained beyond the processing request.
• Text-to-speech providers — for AI audio narration of stories. Story text is sent to generate audio files. No personally identifying information beyond the story content is included.

All AI-generated content (stories, images, audio, animations) is clearly the result of AI processing. You retain ownership of the content you create using these tools, subject to the licence terms of the underlying AI providers. See our Terms of Use for full details on AI content ownership.

• Account and children's data: Retained for the lifetime of your account, plus 30 days following account deletion to allow for recovery in case of accidental deletion.
• Photos, drawings, and media files: Retained until you delete them or delete your account. After account deletion, files are permanently removed from storage within 30 days.
• Health records: Retained until you delete them or delete your account. We recommend downloading or exporting health records before account deletion.
• Payment records: Retained for 7 years as required by UK financial record-keeping regulations. This data is held by Stripe.
• Consent records: Retained for the duration of your account plus 7 years, to demonstrate legal compliance.
• Server logs: Retained for up to 90 days for security and debugging purposes, then automatically deleted.
• Shareable timeline links: Shareable growth timeline exports remain accessible via their unique URL until you delete the timeline export from your account. Public shares contain only composite images, not original photos or personal data.

Under UK GDPR and EU GDPR, you have the following rights. To exercise any of them, contact us at privacy@bellori.app or use our Contact page. We will respond within 30 days.

• Right of access: You can request a copy of all personal data we hold about you and your children.
• Right to rectification: You can correct inaccurate personal data directly within the app (Settings → Profile) or by contacting us.
• Right to erasure (“right to be forgotten”): You can request deletion of your account and all associated data. You can initiate this from the Contact page or by emailing us. We will complete erasure within 30 days.
• Right to data portability: You can request an export of your data in a machine-readable format. Use Settings → Data Export (where available) or contact us.
• Right to restrict processing: You can ask us to restrict processing of your data in certain circumstances.
• Right to object: You can object to processing based on legitimate interests at any time. You can also withdraw marketing consent by unsubscribing from any email we send.
• Rights related to automated decision-making: We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

Bellori uses a minimal set of cookies necessary to operate the service:

• Session cookie: A secure, HTTP-only session cookie is used to maintain your authenticated session. This cookie is essential and cannot be disabled without breaking the service.
• Firebase Analytics:We may use Firebase Analytics to understand how features are used. This data is aggregated and does not identify individual users. You can opt out of analytics in your browser by enabling “Do Not Track” or using a browser extension that blocks analytics.

We do not use advertising cookies or sell data to advertising networks. We do not use behavioural tracking or cross-site tracking.

Your data may be transferred to and processed in countries outside the UK and EEA, including the United States, where our infrastructure providers (Google, Stripe, OpenAI, Replicate) operate.

Where data is transferred outside the UK/EEA, we rely on appropriate safeguards including:

• UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs)
• The EU-US Data Privacy Framework (where applicable)
• Adequacy decisions by the UK or EU authorities

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on your account) at least 14 days before the change takes effect, or by displaying a prominent notice within the app.

The “Last updated” date at the top of this page indicates when the policy was last revised. Continued use of Bellori after the effective date of any change constitutes acceptance of the updated policy.

We maintain a version history of this policy. The version you accepted at signup is recorded in your consent record.

For all privacy-related enquiries, data subject requests, or complaints:

• Email: privacy@bellori.app
• Contact form: bellori.app/contact

We aim to respond to all data-related requests within 30 days. For urgent matters relating to a suspected data breach or child safety, please mark your email “URGENT” and we will respond within 24 hours.