Privacy Policy
Last updated: 4.12.2025
This Privacy Policy explains how Mishami ("Mishami", "we", "us", "our") collects, uses, and protects your personal data when you use our website and web app (together, the "Service").
By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, you should stop using the Service.
Mishami is operated by:
NAVIN PL Sp. z o.o.
ul. Kornela Makuszyńskiego 15
31-752 Kraków
Poland
Email: care@mishami.com
For the purposes of the EU General Data Protection Regulation ("GDPR"), NAVIN PL Sp. z o.o. is the "data controller" for personal data we process about you when you use the Service.
1. Who This Policy Is For
This Policy is intended for:
- adults (parents, legal guardians, caregivers) who create an account and use Mishami,
- visitors to our website and landing pages.
Children do not create accounts and should not directly enter information into the Service. Mishami is a parent-led tool.
2. Types of Data We Collect
We collect and process the following categories of data.
2.1. Data you provide directly
When you create an account or use the Service, you may provide:
- Email address (required to create an account and log in)
- Password (or other login credential)
- Text you type into the Service, including:
- your child's first name or nickname,
- age,
- gender,
- favourite characters or interests,
- a description of emotional situations (for example: tantrums, fears, jealousy, school worries),
- optional feedback (likes/dislikes for stories).
We recommend using a nickname instead of your child's full legal name.
2.2. Data generated through your use of the Service
When you use Mishami, we generate and store:
- Generated Stories and Parent Cards linked to your account,
- Logs of which stories were created, when they were created, and basic usage history,
- Simple interaction data, such as whether you marked a story as helpful.
2.3. Payment and billing data
When you purchase a paid plan, payments are processed by Stripe. We do not collect or store sensitive payment card details (such as full card numbers or CVC). We may receive and store from Stripe:
- a payment method ID or token,
- transaction ID,
- subscription or plan type,
- payment status and timestamps,
- currency and amount.
2.4. Technical and usage data
When you visit our website or use the Service, we may automatically collect:
- IP address (in truncated or pseudonymised form where possible),
- browser type and version,
- device type and operating system,
- general location (country/city level, derived from IP),
- pages visited, buttons clicked, time spent on pages, error logs.
This is collected through:
- our own server logs, and
- analytics tools such as Google Analytics 4 (GA4), which use cookies and similar technologies.
3. Why We Process Your Data (Purposes & Legal Bases)
We process personal data only when we have a valid legal basis under GDPR. Depending on the context, this may be:
- performance of a contract,
- legitimate interests, or
- your consent (especially for analytics cookies in the EU).
3.1. To provide and maintain the Service
- Creating and managing your account,
- Generating Stories and Parent Cards based on your inputs,
- Saving your history so you can revisit previous stories,
- Handling free and paid plans.
Legal basis: performance of a contract (Article 6(1)(b) GDPR).
3.2. To process payments
- Managing free tiers, story packs, and subscriptions,
- Processing payments via Stripe,
- Handling billing issues, refunds (where applicable), and fraud prevention.
Legal basis: performance of a contract (Article 6(1)(b) GDPR) and our legitimate interests in secure payment processing (Article 6(1)(f) GDPR).
3.3. To provide support and communicate with you
- Responding to your support requests,
- Sending transactional emails (for example: account confirmation, security alerts, billing notifications).
Legal basis: performance of a contract (Article 6(1)(b) GDPR) and our legitimate interests in providing effective customer support (Article 6(1)(f) GDPR).
3.4. To improve and protect the Service
- Monitoring performance and stability,
- Debugging and preventing abuse or misuse,
- Analysing aggregated usage patterns to improve features and content quality.
Legal basis: our legitimate interests in operating, improving, and securing the Service (Article 6(1)(f) GDPR). Wherever possible, we use anonymised or aggregated data.
3.5. Analytics and cookies
- Understanding how users find and use our website,
- Measuring which sections are most useful,
- Improving our landing pages and onboarding flows.
In the EU/EEA, non-essential analytics cookies (for example GA4) are used only with your consent via a cookie banner or similar mechanism.
Legal basis: your consent (Article 6(1)(a) GDPR and ePrivacy rules). You can withdraw your consent at any time through your browser/cookie settings or our cookie tools.
3.6. Legal and compliance
- Complying with obligations under applicable laws (for example, tax and accounting rules),
- Responding to lawful requests from public authorities, where required,
- Enforcing our Terms of Use.
Legal basis: compliance with legal obligations (Article 6(1)(c) GDPR) and our legitimate interests in protecting our rights (Article 6(1)(f) GDPR).
4. How We Use Data About Children
4.1. Data about children is entered only by adults (parents/guardians). Children do not create accounts or provide information directly.
4.2. We strongly encourage you to minimise identifiable data about children and use nicknames instead of full legal names.
4.3. We use the child-related data you provide only for:
- personalising Stories and Parent Cards for your family,
- supporting you in everyday emotional conversations with your child,
- improving content quality in anonymised or aggregated form.
4.4. We do not use child-related data for targeted advertising, and we do not sell personal data to third parties.
5. Cookies and Tracking Technologies
5.1. What cookies we use
We use:
- Strictly necessary cookies: required for basic functionality of the site (for example, keeping you logged in, security). These cannot be switched off in our systems.
- Analytics cookies: used to understand how visitors interact with our pages (for example, Google Analytics 4).
We do not use marketing or retargeting cookies in the MVP (no Meta pixels, no ad-retargeting scripts).
5.2. Consent and control
In the EU/EEA, we request your consent before placing non-essential analytics cookies. You can:
- accept or reject analytics cookies via our cookie banner (when implemented),
- change your browser settings to block or delete cookies.
If you disable some cookies, parts of the Service may not function optimally.
6. How We Share Your Data
We do not sell your personal data. We share data only with trusted service providers, and only as necessary to run the Service.
6.1. Service providers (processors)
We may share your data with:
- Hosting and infrastructure providers (for example, Cloudflare and similar services) to deliver fast and secure access to the Service,
- Payment processors (Stripe) to handle payments and subscriptions,
- Analytics providers (Google Analytics 4) to understand how our website is used,
- Email delivery providers (for example, transactional email services) to send account and billing messages.
These providers may process personal data on our behalf and only under written contracts that require them to protect your data and follow our instructions.
6.2. Legal and safety reasons
We may disclose information where we believe it is necessary:
- to comply with applicable laws or respond to valid legal requests,
- to protect our rights, security, or property,
- to protect users or the public from harm, as required by law.
6.3. Business transfers
If we are involved in a reorganisation, merger, acquisition, or sale of part or all of our business, your data may be transferred as part of that transaction, in accordance with applicable law. We will take reasonable steps to notify you and ensure that the new entity continues to honour this Privacy Policy or provides an equivalent level of protection.
7. International Data Transfers
7.1. Our infrastructure and some of our service providers may be located outside your country, including in the United States.
7.2. If you are located in the EU/EEA or the UK, this may mean that your personal data is transferred to countries that do not provide the same level of data protection as your home jurisdiction.
7.3. When we transfer personal data outside the EU/EEA, we do so in accordance with GDPR requirements, for example by:
- using service providers that rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent safeguards, and/or
- ensuring that there are appropriate contractual and technical measures in place to protect your data.
You can contact us at care@mishami.com if you would like more information about the safeguards we use for international transfers.
8. Data Retention
8.1. We keep personal data only for as long as it is reasonably necessary for the purposes described in this Policy, including:
- to provide the Service to you,
- to maintain your account and story history (while your account is active),
- to comply with legal, tax, or accounting obligations,
- to resolve disputes and enforce our agreements.
8.2. In general:
- Account data and content (stories, situations, likes) are kept while your account is active.
- Payment and billing records are kept for the period required by tax and accounting laws.
- Technical logs and analytics data may be kept for shorter periods and then aggregated or anonymised.
8.3. If you request deletion of your account, we will delete or irreversibly anonymise your personal data within a reasonable period, subject to any data we are required to keep for legal reasons (for example, billing records).
9. Your Rights (for EU/EEA and Similar Jurisdictions)
If you are in the EU/EEA, the UK, or another jurisdiction with similar data protection laws, you may have the following rights regarding your personal data:
- Right of access: to ask if we process your personal data and to receive a copy.
- Right to rectification: to request correction of inaccurate or incomplete data.
- Right to erasure: to ask us to delete your personal data in certain circumstances.
- Right to restriction: to request that we limit processing in certain situations.
- Right to data portability: to receive personal data you have provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller where technically feasible.
- Right to object: to object to processing based on our legitimate interests, including profiling, where applicable.
- Right to withdraw consent: where we rely on consent (for example, analytics cookies), you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
To exercise these rights, please contact us at care@mishami.com. We may need to verify your identity before fulfilling your request.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In Poland, this is the President of the Personal Data Protection Office (PUODO).
10. Children's Privacy
10.1. Mishami is designed to support adults in talking to children; it is not directed to children as account holders.
10.2. Only adults (18+) may create accounts and provide information. We do not knowingly allow children to create accounts or directly submit personal data.
10.3. If we discover that a child has created an account or provided personal data without a parent or guardian, we will take reasonable steps to delete that data and, where appropriate, disable the account.
If you believe a child has provided personal data directly to us, please contact us at care@mishami.com.
11. Security
11.1. We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
These measures may include:
- encryption in transit (HTTPS),
- access controls and authentication,
- regular updates and security patches,
- limiting access to personal data to personnel and service providers who need it.
11.2. However, no system is completely secure. We cannot guarantee absolute security of information transmitted via the internet. You use the Service at your own risk and are responsible for keeping your login credentials confidential.
12. Your Choices and Contact Options
12.1. Account data and content
If you would like to:
- stop using the Service,
- delete your account,
- request deletion of specific stories or situations,
you can contact us at care@mishami.com, and we will assist you, subject to applicable legal obligations.
12.2. Emails
For now, we send only essential transactional emails needed for the Service (for example, account and billing messages). If in the future we launch optional newsletters or educational emails, we will ask for your separate consent and provide an easy way to unsubscribe.
12.3. Cookies
You can manage cookies through your browser settings and, where available, through our cookie banner. See section 5 for more details.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in the Service, law, or our data practices.
When we make changes, we will:
- update the "Last updated" date at the top, and
- where required by law, inform you by email or through a notice in the Service.
If you continue to use the Service after these changes take effect, you are deemed to have accepted the updated Privacy Policy. If you do not agree, you should stop using the Service.
14. Contact Us
If you have any questions or concerns about this Privacy Policy or how we handle personal data, please contact us at:
NAVIN PL Sp. z o.o.
ul. Kornela Makuszyńskiego 15
31-752 Kraków
Poland
Email: care@mishami.com