NightNight – Privacy Policy

For parents, guardians, and users of the NightNight app

Tobias Munk, sole proprietor (Switzerland)

Effective 17 April 2026

NightNight — Privacy Policy

Effective date: 17 April 2026 Last updated: 17 April 2026 Version: 1.0

1. Introduction

NightNight (“NightNight”, “the app”, “we”, “us”, or “our”) is a mobile application that generates personalised bedtime stories for children aged 3 to 11, using artificial intelligence. NightNight is designed to be operated by a parent or legal guardian; children are only intended as listeners, not as app users.

Protecting children’s privacy is central to how NightNight is built. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, who we share it with, and the rights you and your child have. It is written to comply with:

the EU General Data Protection Regulation (“GDPR”) and the Swiss Federal Act on Data Protection (“FADP”);

the UK General Data Protection Regulation (“UK GDPR”), the UK Data Protection Act 2018, and the ICO’s Age Appropriate Design Code (the “Children’s Code”);

the United States Children’s Online Privacy Protection Act (“COPPA”) and, for California residents, the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”); and

Apple’s App Store Review Guidelines, including the Kids Category standards.

If anything in this policy is unclear, please email tobias.munk@night-night.app before using the app.

2. Plain-language summary

We know privacy policies are long. Here is the short version so you know the essentials before you read further:

NightNight is made and operated by Tobias Munk personally, from Switzerland. You can reach us at tobias.munk@night-night.app.

We collect the minimum information needed to let a parent sign in, generate stories, and manage their subscription. A child’s first name can be used once for a trial story without saving anything. If you create a saved child profile, we store only the child’s first name, your chosen story interests/themes, and any pet names you enter.

We never ask for, store, or infer a child’s age, date of birth, birth month, or birth year. Story complexity is chosen by the parent per story, not tied to a recorded age.

Saved child profiles can be created only after you start a paid subscription through Apple.

We do not show advertising, we do not track your child across other apps or websites, and we do not sell or share personal information for cross-context behavioural advertising.

Story generation uses AI services from OpenAI, Anthropic, and ElevenLabs. We take steps to ensure these providers do not use your data to train their models.

Stories and account data are stored in the European Union (AWS Frankfurt, Germany).

You can export or delete your account, child profiles, and generated stories at any time from inside the app. You can also email us to exercise any rights you have under applicable law.

3. Who is the controller of your personal data?

The data controller is:

Tobias Munk, sole proprietor trading as NightNight Aeschrain 14, CH-6318 Walchwil, Switzerland Email: tobias.munk@night-night.app

As a Swiss-based controller we have appointed ourselves as the point of contact for all privacy matters. Because NightNight operates as a sole proprietorship at the date of this policy, you are contracting and dealing with Tobias Munk personally. If this changes (for example, following incorporation into a Swiss GmbH), this policy will be updated and the new controller clearly identified.

For EU/EEA and UK data subjects, Tobias Munk also acts as the contact point for Article 27 GDPR / Article 27 UK GDPR representative matters until a dedicated EU/UK representative is appointed.

4. What information we collect

We collect only the information we need. The table below describes every category of personal data that NightNight processes.

4.1 Information you give us directly

We deliberately do not collect a child’s age, date of birth, birth month, birth year, last name, photo, precise location, contact details, or biometric data. Story complexity is chosen by the parent on a per-story basis and is not saved against the child.

4.2 Information we generate about your use of the app

We do not use third-party advertising networks, we do not build cross-app advertising profiles, and we do not use any SDK that collects device identifiers for advertising purposes (no IDFA collection).

4.3 Information generated by AI services

When you ask NightNight to create a story, the personalisation fields you provide (child’s first name, age, interests, pet names) together with the theme you pick are sent to our AI sub-processors to create the story text and narration. The text output and audio output are then stored in your account so you can replay them. See section 7 for the sub-processors involved and section 8 for international transfer safeguards.

4.4 Information we do not collect

To be explicit, NightNight does not collect or process:

A child’s age, full or partial date of birth (day, month, or year), surname, home address, school, photo, or voice recording;

Microphone input or camera input;

Precise GPS or continuous location;

Contact lists, calendars, photo libraries, or health data;

Any biometric identifier (face, voice print, fingerprint);

Any payment-card or bank-account data (Apple handles this; we never see your card number).

5. Why we use your data and the lawful basis

Under the GDPR and UK GDPR we must tell you our legal basis for every processing purpose.

We do not use personal data for marketing without your separate, explicit opt-in. At the date of this policy, NightNight sends only service/transactional email (for example, password resets or subscription receipts). If we later introduce optional marketing email, we will ask for a separate opt-in in line with GDPR Article 6(1)(a) and the ePrivacy Directive.

When we process information about a child under the age of consent (16 in most of the EU, 13 in the UK and USA, down to 13 in some EU member states depending on national law), we rely on parental consent and contract performance as set out in sections 9 and 10 below.

6. How the app uses artificial intelligence

NightNight is an AI-powered app. All stories are generated automatically — no human reads or listens to your prompts in the ordinary course of using the app. To be transparent:

Text generation uses large language models from OpenAI and/or Anthropic.

Voice narration uses text-to-speech from ElevenLabs using a fixed set of pre-selected voices. No voice cloning is performed, and no microphone input from you or your child is ever captured or transmitted.

The story prompt we send to these providers includes your personalisation fields (first name, age, interests, pet names) and your chosen theme; it does not include your email address, account identifier, subscription details, or device identifiers beyond what is required to make the API call.

We enable each provider’s “zero-retention” / “no-training” data setting where such a setting exists, so your content is not used to train their models. Where a provider processes content in transit only and discards it after returning a response, we rely on that contract term. See section 7 for the current provider list and links to their policies.

AI models can occasionally produce inaccurate, unexpected, or unsuitable content. Generated stories should be previewed by an adult before being played to a child. If you see a problem, email us at tobias.munk@night-night.app so we can investigate.

7. Who we share data with (sub-processors)

We share personal data only with the service providers below, each of which acts as our processor on our behalf under a written data-processing agreement. We do not sell personal data and we do not share personal data with third parties for their own marketing or advertising purposes.

We keep an up-to-date list of sub-processors and will update this section in advance of any new addition. If you email us we will confirm the current list.

8. International transfers

Your personal data is primarily stored within the European Union (AWS Frankfurt, Germany) or within Switzerland. However, some of our AI sub-processors are based in the United States, which means your personalisation inputs and the resulting story outputs may be transferred outside the EEA, UK, or Switzerland.

For each such transfer we rely on one or more of the following:

the European Commission’s Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum;

the Swiss Federal Data Protection and Information Commissioner’s approved SCCs for Swiss-origin data;

the EU–US Data Privacy Framework, the UK Extension, and the Swiss–US Data Privacy Framework where a provider is self-certified under them;

a documented transfer impact assessment for each sub-processor to check the destination country’s surveillance laws and the technical and contractual measures in place.

If you would like a copy of the SCCs or our transfer impact assessment, email us.

9. Children’s privacy

NightNight is not directed at children. It is designed to be operated by a parent or legal guardian. Children appear only as subjects of personalisation (their first name, age, interests, and pet names) and as listeners of the resulting stories. Despite this parent-facing design, the app is built to comply with the strictest applicable children’s privacy rules.

9.1 Before registration — trial story

Before you create an account, NightNight lets a parent generate one trial story. For that trial you may enter a child’s first name, which is used only to personalise the single story and is not saved: the first name is discarded at the end of the trial and is not linked to any persistent profile, account, or device identifier. No other child data is collected during the trial.

9.2 After subscription — saved child profiles

A saved child profile (first name, story interests/themes, pet names) can be created and stored only after you start an active paid subscription via Apple. Starting an Apple subscription requires a credit or debit card on file with Apple — an action that, under the United States Federal Trade Commission’s COPPA guidance, constitutes verifiable parental consent. The same step gives us objective evidence in the EU, UK, and Switzerland that an adult is responsible for the account.

NightNight does not ask for or store a child’s age. Story complexity can be chosen by the parent per story.

By starting a subscription and creating a child profile you confirm that:

you are the parent or legal guardian of the child whose details you enter;

you are at least 18 years old; and

you consent, on your own behalf and on behalf of your child, to the processing described in this policy.

9.3 What we do to protect children

Data minimisation. We collect no more about a child than is needed to personalise stories. No age, no date of birth, no last name, no photo, no location, no voice.

No profiling. We do not build behavioural profiles of children, we do not infer characteristics beyond the fields you enter, and we do not pass child data to advertising networks or analytics providers that use it for profiling.

No advertising. NightNight contains no advertising of any kind.

No open communications. Children cannot contact other users through the app. Stories can be shared only by the parent using a private family link, not a public feed.

Parental gate. Access to subscription, settings, account deletion, and external links is protected by a parental gate using Face ID / Touch ID (or the device passcode if biometrics are unavailable).

Retention limited to what is necessary — see section 11.

Default privacy. Privacy-protective settings are the default. Any feature that reduces privacy is opt-in and behind the parental gate.

9.4 Parental rights

As the parent or guardian of a child whose personal data is processed by NightNight, you can at any time:

review the child’s profile and the stories generated for them inside the app;

edit or delete the child’s profile inside the app;

export the child’s data (section 12);

withdraw your consent by deleting the child’s profile or the whole account; and

email us at tobias.munk@night-night.app to raise any concern.

If we learn that a child profile was created by someone who is not the parent or legal guardian, we will delete it as soon as we can verify this.

9.5 COPPA-specific notice (United States)

For users in the United States, NightNight is designed to comply with the COPPA Rule (16 C.F.R. Part 312). In summary:

We do not ask for, collect, or store the age, date of birth, birth month, or birth year of any child. We therefore do not have actual knowledge that any particular user whose information we process is under 13. Because NightNight’s subject matter may appeal to children, we nevertheless treat the service as one that could be directed to children and apply child-appropriate safeguards across the board.

Where we do process information that may relate to a child (first name, story interests/themes, pet names), we do so only after the adult account holder has started an active paid subscription through Apple. Apple’s credit-card-on-file step provides additional adult-in-charge verification, consistent with the Federal Trade Commission’s guidance on verifiable parental consent.

Parents can review the information we have about their family, request its deletion, refuse further collection, and revoke consent at any time by using the in-app controls or by emailing tobias.munk@night-night.app.

We do not condition a child’s participation in any activity on the provision of more personal information than is reasonably necessary.

The information we process about a child is used only to provide the NightNight service and is shared only with the processors listed in section 7.

9.6 ICO Children’s Code (United Kingdom)

For UK users, NightNight is built around the fifteen standards of the Age Appropriate Design Code, including best-interests-of-the-child, data minimisation, default privacy, no detrimental use of data, and transparency in language a child can understand. The parent-facing summary above is the child-facing summary for this purpose because children do not directly interact with the app; if that changes, we will publish a child-friendly version.

10. Parental consent and age of digital consent

Under Article 8 GDPR, information-society services offered directly to a child require parental consent below a certain age (16 in most EU states, lowered to 13, 14, or 15 in some; 13 in the UK; 13 in the United States under COPPA).

NightNight is operated by an adult account holder who agrees to this policy on behalf of any child whose details they enter. Because we never ask for or store the age, date of birth, birth month, or birth year of a child, we do not process age data for which a per-child Article 8 consent would need to be verified. Where information you enter relates to a child in your care, the account holder acts as the parent or guardian providing the contextual consent for that processing. If we learn that an account holder is not an adult, we will delete the account.

11. How long we keep your data

Trial-story first names are discarded within 24 hours of the trial ending.

12. Your rights

You have the following rights in relation to your personal data. Most of them can be exercised directly from the in-app Privacy & Data screen; all of them can be exercised by emailing tobias.munk@night-night.app.

Access — get a copy of the personal data we hold about you or your child.

Rectification — correct inaccurate or incomplete data.

Erasure / deletion — ask us to delete your account and associated child profiles and stories.

Restriction — ask us to stop processing in certain cases.

Objection — object to processing based on legitimate interests.

Portability — receive a machine-readable copy of the data you provided.

Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

Not be subject to solely automated decisions that produce legal or similarly significant effects — NightNight does not take such decisions.

Complain to a supervisory authority — you can complain to any competent data protection authority (see section 15 for country-specific contacts).

We will respond within one month for EU/UK requests, and within the statutory period for other jurisdictions. If your request is complex we may extend that deadline by up to two months and will tell you why.

13. Security

We protect your data with measures that are appropriate to the risk, including:

transport encryption (TLS 1.2+) for all data in transit;

encryption at rest for all stored data;

principle-of-least-privilege access controls, with multi-factor authentication for the operator;

regular dependency updates and vulnerability scanning;

regional data residency in the EU (AWS Frankfurt);

separation of child personalisation data from billing data;

minimisation of identifiers sent to AI providers.

No system is completely secure. If we ever discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authorities and affected users in line with Articles 33 and 34 GDPR.

14. Cookies and similar technologies

NightNight is a native mobile app and does not use cookies. We do use essential local storage on your device (for login session and cached stories). We do not use analytics SDKs that set cross-app identifiers, and we do not use software development kits that track you across other apps or websites.

15. Jurisdiction-specific disclosures

15.1 Users in the European Economic Area and Switzerland

Controller: Tobias Munk, Aeschrain 14, CH-6318 Walchwil, Switzerland.

Lead supervisory authority (Switzerland): the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern — https://www.edoeb.admin.ch.

Supervisory authority in your country: you may also lodge a complaint with the data-protection authority of your own EEA member state.

EU representative (Article 27 GDPR): not currently required because our processing is not likely to result in a risk to the rights and freedoms of data subjects on a large scale. If this changes, we will appoint and publish an EU representative.

Data Protection Officer: not required under Article 37 GDPR for our current processing. You can reach the controller directly at tobias.munk@night-night.app.

15.2 Users in the United Kingdom

Supervisory authority: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — https://ico.org.uk.

UK representative (Article 27 UK GDPR): not currently appointed for the same reason as above. We will publish one here if required.

We comply with the ICO’s Age Appropriate Design Code as described in section 9.

15.3 Users in the United States

COPPA operator: Tobias Munk, as identified above, is the COPPA operator for NightNight.

Parental rights under COPPA are described in section 9.5 and may be exercised at any time by emailing tobias.munk@night-night.app.

California (CCPA / CPRA)

Categories of personal information we collected in the last 12 months: identifiers (email, account ID, Apple transaction ID); customer records (parent name, child first name, child story interests/themes, pet names); internet or other electronic network activity (app usage counters, diagnostic logs); inferences: none. We did not collect any age, date-of-birth, or precise-geolocation data.

Sources: directly from you.

Purposes: as listed in section 5.

Categories disclosed to service providers: the same categories, disclosed only to the sub-processors listed in section 7, under written service-provider terms.

Sale or sharing of personal information for cross-context behavioural advertising: No. We do not sell or share personal information as those terms are defined under the CCPA/CPRA. We have not done so in the preceding 12 months. We do not have actual knowledge of selling or sharing the personal information of consumers under the age of 16.

Consumer rights: You have the right to know, delete, correct, and request portability of your personal information, and to limit the use of sensitive personal information. We do not discriminate against you for exercising these rights. Exercise them by emailing tobias.munk@night-night.app.

Authorised agent: You may designate an authorised agent to make requests on your behalf. We will verify the agent’s authority.

Other US states

Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws have similar rights to access, delete, correct, and port their personal information. Please email us to exercise them.

16. Changes to this policy

We may update this policy from time to time. When we make a material change, we will:

update the “Last updated” date at the top;

notify you in the app; and, for substantive changes,

ask for fresh consent where this is required by law.

The current version is always available inside the app and at the public URL linked from our App Store listing.

17. How to contact us

For any privacy question, rights request, or complaint:

Email: tobias.munk@night-night.app Post: Tobias Munk, Aeschrain 14, CH-6318 Walchwil, Switzerland

We will acknowledge your message within 5 working days and give you a substantive answer within the deadlines set out in section 12.

End of Privacy Policy.