Privacy posture

What we collect. What we don’t.

The plain-language version. We don’t collect a kid email. We don’t sell data. We don’t run ads. PINs are hashed in the browser. Public URLs only exist with your approval. Everything we hold, you can ask us to delete.

TL;DR

The parent is the account owner; the kid has no email and no third-party login. We collect what we need to run the studio — your email, the kid’s profile name, their projects, billing — and nothing for marketing. PINs are hashed with SHA-256 + salt in the browser; the plain digits never leave the device. Published projects live at a separate public host. You can ask us to delete your data at any time.

What we collect.

We collect what we need to run the studio. Nothing more.

From the parent account

  • Your email address (so you can sign in, receive approval prompts, and reach support)
  • Your purchase history (which tracks, which add-ons, when)
  • Card details are processed by Stripe — we never store card numbers
  • The household’s rough timezone (to time daily caps and approval emails sensibly)

For each kid profile

  • The name the parent or kid picked for the profile (we recommend a first name only)
  • An age band (6–8, 9–11, 12+) to tune the studio difficulty
  • A profile color or avatar (kid-picked, no upload required)
  • The hashed kid PIN (see below — the plaintext never reaches us)
  • The G or PG-13 safety rating you set

From the studio itself

  • The project files the kid creates (scenes, characters, code, copy, art — whatever the track produces)
  • The wizard drafts the kid runs and the keep / revise / undo decisions they make
  • Their badge and XP progression (so it persists across devices)
  • Approval-queue records (when something was requested, approved, denied)
  • Deploy history (which versions of which projects are live at which URLs)

If you use the managed Co-Pilot AI add-on

  • The project context and prompts that get sent to the configured AI provider
  • The AI’s response, so we can show it to the kid and store it in the project history
  • Token counts and rate-limit data so we can show your monthly budget

If you bring your own AI subscription, your provider credentials are stored in the studio settings and the studio relays your prompts to your provider. We don't persist those prompts or responses beyond what is needed to show your kid the response in-session.

What we do not collect.

  • No kid email address. No kid logs in with a Google or Apple account. The kid sign-in is a PIN on the parent’s account.
  • No third-party login. No Facebook, no Google, no school SSO. Parent sign-in is a passwordless magic link sent by email, so the parent account is exactly as secure as the inbox that receives those links.
  • No advertising trackers. No third-party ad pixels. We don’t run banner ads in the product or on this website.
  • No behavioral analytics on kid usage. The only instrumentation we run is for billing and reliability, not for ad-tech profiling. We do not build advertising profiles on any user, ever.
  • No sale of data. We will not sell, license, or rent your data to a third party for any purpose. Full stop.
  • No location data beyond a rough timezone. We don’t ask for and don’t collect GPS, addresses, or precise location signals.
  • No SMS or phone number. We don’t collect a phone number and we don’t send SMS.

How kid PINs are handled.

When a parent or kid picks the four-digit PIN, the studio hashes it in the browser: SHA-256 over a per-account salt plus the digits. Only the resulting digest is sent to our servers. The plain digits never leave the browser, never sit in a log, and never live on disk anywhere we control.

On sign-in, the studio takes the digits the kid types, salts and hashes them the same way in the browser, and sends the digest to our servers, which compare it with the stored one. We never need to know the original PIN to authenticate the kid.

It is worth being precise about what this does and does not buy. Client-side hashing keeps the digits out of transit, out of logs, and out of our database. It does not make the stored digest a secret worth much on its own: a four-digit PIN has only 10,000 possible values, so anyone who obtained both the salt and the digest could try every one of them in well under a second. That is acceptable because the PIN is a profile gate inside an already signed-in parent account, not a standalone password, but it is also why you should not reuse a PIN that guards anything else (a phone lock, a bank card).

If a kid forgets their PIN, the parent resets it from the dashboard (which writes a new salt + hash — not a hint, not a recovery of the old one).
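As an added example (Python, not the studio's own code), here is a model of that flow end to end: hash_pin() stands in for the browser-side step, PinStore for a server that only ever stores salt and digest, and enumerate_pin() shows what anyone holding both can do with a four-digit space. The page specifies only "SHA-256 with a per-account salt"; everything else here is assumed for illustration: one salt per kid profile (since a reset writes a fresh one), a 16-byte salt, the digest computed over salt followed by the ASCII digits, and all the names used.

```python
# Added example, not Tell and Show's code. Models the kid-PIN flow: the browser
# hashes salt + digits with SHA-256, the server stores and compares only the
# digest. Assumptions: one salt per kid profile (a reset writes a fresh one),
# 16-byte salts, digest over salt || ASCII digits, and the names used here.
import hashlib
import hmac
import secrets
from itertools import product
from typing import Optional

SALT_LEN = 16  # assumed; the page gives no salt size


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Browser-side step: SHA-256 over salt || PIN digits. Only this leaves the device."""
    if not (len(pin) == 4 and pin.isdigit()):
        raise ValueError("PIN must be exactly four digits")
    return hashlib.sha256(salt + pin.encode("ascii")).digest()


class PinStore:
    """Server side: profile_id -> (salt, digest). Plain digits never arrive here."""

    def __init__(self) -> None:
        self._records = {}  # profile_id -> (salt, digest); digest b"" means unset

    def new_salt(self, profile_id: str) -> bytes:
        # The browser needs the salt on every sign-in, so it is handed out on
        # request and is not a secret; its job is only to stop one precomputed
        # table of 10,000 digests from covering every household at once.
        salt = secrets.token_bytes(SALT_LEN)
        self._records[profile_id] = (salt, b"")
        return salt

    def salt_for(self, profile_id: str) -> bytes:
        return self._records[profile_id][0]

    def set_digest(self, profile_id: str, digest: bytes) -> None:
        salt, _ = self._records[profile_id]
        self._records[profile_id] = (salt, digest)

    def verify(self, profile_id: str, digest: bytes) -> bool:
        record = self._records.get(profile_id)
        if record is None or not record[1]:
            return False
        # Constant-time compare so response timing does not leak matching bytes.
        return hmac.compare_digest(record[1], digest)

    def reset(self, profile_id: str) -> bytes:
        """Parent-initiated reset: fresh salt, old digest discarded, nothing recovered."""
        return self.new_salt(profile_id)


def enroll(store: PinStore, profile_id: str, pin: str) -> None:
    """Set-up: server issues a salt, browser hashes, server keeps only the digest."""
    salt = store.new_salt(profile_id)
    store.set_digest(profile_id, hash_pin(pin, salt))


def sign_in(store: PinStore, profile_id: str, typed_pin: str) -> bool:
    """Sign-in: browser re-hashes what the kid typed, server compares digests."""
    salt = store.salt_for(profile_id)
    return store.verify(profile_id, hash_pin(typed_pin, salt))


def enumerate_pin(salt: bytes, digest: bytes) -> Optional[str]:
    """Why the digest is not a secret: 10,000 candidates, one SHA-256 call each."""
    for digits in product("0123456789", repeat=4):
        candidate = "".join(digits)
        if hmac.compare_digest(hash_pin(candidate, salt), digest):
            return candidate
    return None


if __name__ == "__main__":
    store = PinStore()
    enroll(store, "kid-1", "4821")
    print("right PIN:", sign_in(store, "kid-1", "4821"))
    print("wrong PIN:", sign_in(store, "kid-1", "0000"))
    salt = store.salt_for("kid-1")
    print("recovered from salt + digest:", enumerate_pin(salt, hash_pin("4821", salt)))
    store.reset("kid-1")
    print("old PIN after reset:", sign_in(store, "kid-1", "4821"))
```

In a real browser the hash_pin step is Web Crypto's crypto.subtle.digest("SHA-256", bytes) rather than hashlib; the shape of the exchange is the same. The part worth internalising is enumerate_pin: it recovers the PIN from nothing but the salt and digest in a few milliseconds, which is the whole reason the digest's value lies in keeping digits out of transit and logs, and in the PIN sitting behind the parent's own sign-in, not in the digest being hard to invert.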

Where projects live.

Your kid’s project files sit in object storage with per-account isolation. Each household account has its own bucket; the studio cannot reach other households’ files. The bucket is private by default — not listed publicly, not indexed, not searchable.

Backups are encrypted at rest and kept for 30 days, the window we use to recover from accidental deletion or corruption. Operationally, only on-call engineering staff can access the underlying storage, and only for incident response, never to read project content for any other purpose.

The public-URL architecture.

When a kid publishes a project (and you approve), we mint a public URL at a Tell and Show subdomain — something like achilles.theos-games.tellandshow.ai. This is the address you can share.

The public host is structurally separate from the authoring bucket. The authoring bucket is private and never directly reachable from the public internet; publishing copies the relevant files into the public host. This means an authoring-bucket misconfiguration cannot leak the kid’s in-progress work, and a published-page link cannot be reverse-engineered into a path that walks the kid’s drafts.

Published URLs are deliberately not randomized to be unguessable; they include the kid's chosen project name and a stable handle. The reason is share-ability: we want grandparents to be able to type the URL from a screenshot. Treat every published URL as public. Anyone who has it, guesses it, or sees it in a shared screenshot can open it; a hard-to-guess project name only raises the guessing cost and is not access control. If you want a URL that is hard to find, pick a project name that is hard to find, and unpublish when you are done sharing.

You can unpublish any URL from your dashboard at any time. Unpublishing removes the copy from the public host within a few minutes. It cannot recall copies that have already left our control: a page cached by a browser, saved by a search engine, or downloaded by someone who had the link stays wherever it was put. You can also ask us to remove a URL by emailing hello@tellandshow.ai.

Service providers we use.

We use a small set of named service providers. Each appears here so you can read their own posture if you want.

  • Stripe — payment processing. They hold your card data; we don’t.
  • Vercel — site hosting and serverless functions.
  • Cloudflare — CDN, edge KV storage for safety logs, and DDoS protection for the public-host network.
  • Cloud object storage — for authoring buckets and backups.
  • Anthropic and / or OpenAI — AI providers used by the managed Co-Pilot add-on. The provider receives prompts and project context to produce responses; the provider is contractually prevented from training on your kid’s data.
  • Cal.com — if you book a parent call, the scheduling details (your name, email, and chosen slot) go to Cal.com.
  • An email-delivery provider for sign-in links, approval prompts, and safety alerts.

We do not use marketing, ad-tech, behavioral, fingerprinting, or analytics providers beyond what is necessary for billing and reliability.

COPPA and GDPR posture.

Tell and Show is built for kids under 13 with a parent as the account holder. The parent provides the verifiable parental consent COPPA requires; we do not collect personal information from a kid before the parent has created the account, paid, and explicitly created the kid profile.

For GDPR-regulated households, we treat the parent as the data subject for the parent account and as the lawful representative for the kid profile. You have the right to access, correct, port, or delete the data we hold on you and on your kid’s profile. See the deletion / export section below for how.

The plain-language summary at /coppa walks through our COPPA mechanics specifically: how parent consent is verified, what we collect from a kid (project content the kid types into the studio after parent setup), and how a parent revokes consent.

Deletion and export.

You can ask us to delete or export your data at any time, for any reason, with no friction.

To delete

Email hello@tellandshow.ai from the address on your parent account. Within seven business days we will:

  • Delete every kid profile and its associated projects, drafts, and history
  • Remove any public URLs your household has minted
  • Erase your parent-account record
  • Erase your safety-log entries

We retain purchase records as required by tax and accounting law (typically seven years). Those records are isolated from operational systems and never used for product analytics. Deleted data may also persist in encrypted backups until the 30-day backup window described above has expired.

To export

Email hello@tellandshow.ai from your parent account address. We will package your account record, every kid profile, every project, the approval history, and the safety log as a downloadable archive within seven business days.

How to reach us.

For anything privacy-related — questions, deletion requests, export requests, or just to push us on a posture you disagree with — email hello@tellandshow.ai. A real person reads every privacy email.

If you prefer paper or want to read the full legal version with the standard data-subject-rights boilerplate, that lives at /privacy.

Last updated 2026-05-15. Material changes are dated and announced via email to active accounts.

Privacy is a choice we make every quarter. Not a checkbox we ship once.

The posture above is the one we hold today. When it changes, the date at the bottom moves and active accounts get an email. Nothing about your kid’s data is sold to a marketing pipeline. Nothing about your kid is profiled for ads. That’s the deal.