Back to home

Privacy Policy

Last updated: May 1, 2026

Keoma ("we", "us", or "our") operates the Keoma website and service (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information and the information of your children when you use our Service. We are committed to protecting the privacy of children and families. Please read this policy carefully.

1. Data Controller

The data controller responsible for your personal data is: Kevin Jamolli, 1009 Pully, Switzerland. Contact: contact@keoma.app.

2. Information We Collect

Parent/Guardian Account Information

  • Email address (required for account creation)
  • Password (stored securely hashed; or Google OAuth credentials managed by Google)
  • Family name (chosen during onboarding)
  • Parent PIN (stored as a secure hash, used for child-lock features)

Children's Information

  • Child's first name
  • Child's date of birth (used to tailor age-appropriate content)
  • Preferred listening language
  • Listening history and story preferences (which stories were played, progress, completion)

Voice Data

  • Audio recordings provided voluntarily by parents/guardians for voice cloning (the narrator voice feature). Children do not record voice samples.
  • Voice model identifiers generated by our text-to-speech provider based on your audio sample.

Usage and Technical Data

  • Story creation inputs (selected characters, worlds, moods, lessons)
  • Subscription and billing identifiers (managed by Stripe; we do not store full credit card numbers)
  • Cookies and local storage data as described in our Cookie Policy

3. Legal Basis for Processing (GDPR)

  • Contractual necessity — to provide the Service you signed up for (Art. 6(1)(b) GDPR)
  • Consent — for voice cloning, processing children's data, and optional features (Art. 6(1)(a) GDPR)
  • Legitimate interest — for security, fraud prevention, and service improvement, balanced against your rights (Art. 6(1)(f) GDPR)
  • Legal obligation — to comply with applicable laws including tax and accounting requirements (Art. 6(1)(c) GDPR)

4. Children's Privacy (COPPA & GDPR Art. 8)

Keoma is designed for families. Only parents or legal guardians may create accounts. We do not knowingly collect personal information directly from children under 13 (US) or under the digital age of consent in their country (typically 13–16 in the EU) without verifiable parental consent.

Parental consent is obtained through our account architecture: only an authenticated parent/guardian can create child profiles and provide children's information. Parents control all data about their children and can review, modify, or delete it at any time from the Settings page.

We do not serve behavioral advertising to children. We do not sell children's personal information. We do not condition a child's participation on disclosing more information than is reasonably necessary.

If you believe we have inadvertently collected information from a child without proper parental consent, please contact us immediately and we will delete it.

5. Third-Party Service Providers

We share data with the following categories of service providers, solely to operate the Service:

  • ElevenLabs (text-to-speech and voice cloning) — receives story text and, for voice cloning, parent-submitted audio samples. Based in the US.
  • OpenAI / Anthropic (AI story generation) — receives story creation parameters (characters, worlds, moods). No personally identifiable child data is sent. Based in the US.
  • Stripe (payment processing) — receives billing information for paid subscriptions. We do not store payment card details. Based in the US with EU entities.
  • Google (OAuth authentication and web fonts) — processes authentication data if you choose to sign in with Google. Based in the US.
  • Supabase (hosting, database, authentication, file storage) — hosts our infrastructure and stores encrypted data. Servers located in the EU.

6. International Data Transfers

Some of our service providers are based in the United States. When personal data is transferred outside Switzerland or the European Economic Area (EEA), we ensure appropriate safeguards are in place, including the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on an adequacy decision. Switzerland is recognized by the European Commission as providing an adequate level of data protection. You may request a copy of the relevant safeguards by contacting us.

7. Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

  • Account data — retained while your account is active and for 30 days after deletion to allow recovery.
  • Children's profiles — deleted immediately when removed by the parent or upon account deletion.
  • Voice samples — stored while the voice clone is active; deleted within 30 days of removal by the parent.
  • Payment records — retained for up to 7 years as required by tax and accounting regulations.

8. Your Rights

For EU/EEA Residents (GDPR)

  • Right of access — obtain a copy of your personal data
  • Right to rectification — correct inaccurate data
  • Right to erasure — request deletion of your data ("right to be forgotten")
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to restriction — limit how we process your data
  • Right to object — object to processing based on legitimate interest
  • Right to withdraw consent — withdraw consent at any time without affecting the lawfulness of prior processing

For California Residents (CCPA/CPRA)

  • Right to know — what personal information we collect, use, and disclose
  • Right to delete — request deletion of your personal information
  • Right to non-discrimination — we will not discriminate against you for exercising your privacy rights. We do not sell personal information.

For Parents (COPPA)

As a parent or legal guardian, you have the right to: review personal information collected from your child; request deletion of your child's data; refuse further collection of your child's data. To exercise these rights, use the in-app Settings or contact us directly.

9. Cookies

We use strictly necessary and functional cookies to operate the Service. We do not use advertising or tracking cookies. For full details, please see our Cookie Policy.

10. Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), encryption at rest, secure password hashing, row-level security in our database, and regular security reviews. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes affecting children's data, we will seek renewed parental consent where required by law. We encourage you to review this page periodically.

12. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at: contact@keoma.app or write to: Kevin Jamolli, 1009 Pully, Switzerland.

If you are in Switzerland, you may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC). If you are in the EU/EEA, you have the right to lodge a complaint with your local Data Protection Authority (DPA).