Privacy Policy
Last updated: 27 April 2026
The short version
- Rosiverse is a parent-account product.Adults sign up and supervise their kids. We don't allow kids to create their own accounts.
- We don't sell your data. No ads, no third-party trackers, no data brokers. Ever.
- We don't train AI models on your data. Your stories, voice clips, and images are yours. We send them to AI providers (like OpenAI) only to generate what you asked for, with training contractually disabled.
- You can delete everything. One tap in the app, or email us.
Who we are
Rosiverse is operated by Cloneforce Pte. Ltd. (“we”, “us”), a Singapore company registered at 33A Pagoda Street, Singapore. You can reach our Data Protection Officer at privacy@rosiverse.com.
Who Rosiverse is for
Rosiverse is built for families with kids ages 4-15, but only adults (18+) can create and own an account. The parent or guardian is the account holder and is responsible for:
- Setting up the account and choosing what their child can do
- Supervising their child while they use Rosiverse
- Deciding what content is appropriate for their child
- Managing the child's data (including deleting it)
We don't knowingly let children sign up directly. If we learn an account was created by a child, we'll close it and delete the data.
What data we collect
| Category | What it is | Why |
|---|---|---|
| Account | Parent's email address, magic-link sign-in tokens | So you can sign in and we can email you about the service |
| Profiles | Profile names you choose (e.g. “Lily”, “Family”) and an AI-generated avatar | So multiple kids can share one account |
| Story content | The text you and your child type or speak, the characters and pages we generate, story titles and captions | So your stories work and you can come back to them |
| Voice clips | If you use voice mode, short audio recordings of what was said | To convert speech to text so the AI can understand it |
| Generated images | The illustrations, comic pages, and covers we make for you | So you can read the books later and share them |
| Technical | IP address, browser/device type, error logs | To keep the service secure and fix bugs |
We do notcollect: real names of children, school information, location more precise than country (from IP), payment details (we don't take payments yet), social media profiles, or contacts.
What we do NOT do
- We do not show ads.
- We do not sell or share your data with advertisers or data brokers.
- We do not use your stories, prompts, or voice clips to train AI models — neither ours nor our providers'.
- We do not build behavioural profiles of your child.
- We do not use third-party analytics or tracking pixels.
- We do not contact your child directly. All communication goes to the parent's email.
How AI providers work with your data
To make stories, we send the text or voice your family creates to AI services we've picked carefully:
- OpenAI(United States) — generates images, transcribes speech, and runs the storytelling assistant. We use OpenAI's API (not ChatGPT). Under their API data usage policy, prompts and outputs are not used to train their models, and they delete inputs after a short retention window.
- fal.ai (United States) — used for some image post-processing (e.g. background removal). Same no-training rule applies.
- Resend (United States) — sends our transactional emails (sign-in links, account messages).
- Supabase (database & file storage) — where your account, stories, and generated images are stored.
- Vercel(United States) — hosts the website you're using.
These transfers leave Singapore. We rely on Standard Contractual Clauses (EU/UK), Singapore PDPA section 26 transfer protections, and each provider's data-processing agreement.
Children's privacy
Because Rosiverse is parent-supervised:
- United States (COPPA)— accounts are owned by the parent. Any data about a child is provided by the parent, who consents to our collection and use of it on the child's behalf. Parents can review, edit, or delete their child's data at any time, and can refuse further collection by deleting the account.
- European Union & United Kingdom (GDPR / UK AADC)— our lawful basis for processing children's data is parental consent given when the parent creates the account, plus contract performance for running the service. We follow the UK Age-Appropriate Design Code: high-privacy defaults, no profiling, no nudge patterns, geolocation off, content moderated for age 4-15.
- Singapore (PDPA) — the parent gives consent on behalf of their child under section 14 of the PDPA.
How long we keep things
- Account & profiles — until you delete them. After deletion, copies disappear from backups within 30 days.
- Stories, characters, images — until you delete the chat or the account.
- Voice clips — kept only while a chat exists, so you can play them back. Deleted with the chat or account.
- Server logs — up to 30 days, then auto-purged.
Your rights
Depending on where you live, you can ask us to:
- See what data we hold about you (access)
- Correct anything that's wrong (rectification)
- Delete your data (erasure / right to be forgotten)
- Export your data in a portable format
- Restrict or object to certain processing
- Withdraw consent at any time (without affecting past lawful processing)
Email privacy@rosiverse.com and we'll handle it within 30 days. Most things you can also do yourself in the app — every chat has a Delete button, profiles can be removed, and the whole account can be deleted by emailing us.
California residents have additional rights under the CCPA/CPRA (including the right to know, delete, and not be discriminated against for exercising rights). We do not sell or share personal information for cross-context behavioural advertising. We do not knowingly process the personal information of California residents under 16 for sale or sharing.
Security
Data is encrypted in transit (HTTPS/TLS) and at rest. Auth uses magic-link emails — no passwords to leak. Generated images are stored in access-controlled buckets behind signed URLs. We don't store payment information.
If we ever have a data breach that risks your rights or freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay.
Cookies & local storage
We use only what we need: an authentication cookie set by Supabase to keep you signed in, a profile cookie to remember which family member is active, and your light/dark theme choice in browser localStorage. That's it. No analytics cookies, no advertising cookies.
Changes to this policy
If we change anything material, we'll email account holders before it takes effect and update the “Last updated” date above.
How to reach us
Cloneforce Pte. Ltd.
33A Pagoda Street, Singapore
Email: privacy@rosiverse.com
For EU/UK residents, you also have the right to lodge a complaint with your local data protection supervisory authority.