Dear Little Me is a service for parents. We collect only what we need to write and deliver your letter. We do not sell your data, advertise to you, or share your information with third parties except the services listed below that make the product work.

1. Who we are

Dear Little Me is operated by Curious Head Labs. If you have any questions about this policy, contact us at info@curiousheadlabs.com.

2. What we collect and why

| Data | Why we collect it | Stored? |
|---|---|---|
| Email address | Account sign-in (magic link) and time capsule delivery | Yes, in Supabase |
| Child's name and age | Personalising the generated letter | Yes, with the letter |
| Milestones, message, tone | Generating the letter | Yes, with the letter |
| Photo (optional) | Sent to OpenAI for description in the letter. Not stored by us. | No — processed and discarded |
| Letter content | Storing your letters in My Letters and delivering time capsules | Yes, in Supabase |
| IP address | Rate limiting to prevent abuse | Temporarily, in Upstash Redis (TTL ≤ 1 hour) |
| Usage events (anonymous) | Understanding how the product is used | Yes, in PostHog |

3. Third-party services

We use the following services to operate Dear Little Me. Each processes data only to the extent necessary for its function.

| Service | Purpose | Privacy policy |
|---|---|---|
| Supabase | Authentication and database | supabase.com/privacy |
| OpenAI | Letter generation (your inputs are sent to OpenAI's API) | openai.com/privacy |
| Brevo | Transactional email delivery | brevo.com/privacy |
| PostHog | Product analytics (anonymous usage events) | posthog.com/privacy |
| Upstash | Rate limiting (IP addresses, short TTL) | upstash.com/privacy |
| Vercel | Hosting and serverless functions | vercel.com/privacy |

OpenAI note: When you upload a photo or enter milestones and a message, this content is sent to OpenAI's API to generate your letter. OpenAI's API usage policies apply. Per OpenAI's API terms, they do not use API inputs to train their models.

4. Data retention policy

We retain your data only as long as necessary to provide the Service or as required by law.

| Data type | Retention period | Deletion |
|---|---|---|
| Letters and account data | Until you close your account | Email us to request deletion. We delete within 30 days. |
| Photos | Not retained — processed in memory only | Discarded immediately after letter generation. Never written to disk or stored in a database. |
| IP addresses (rate limiting) | Up to 1 hour | Automatically deleted by TTL expiry in our rate-limit cache. |
| Analytics events (anonymous) | 12 months | Automatically purged after 12 months per our analytics provider's retention settings. |
| Email address (marketing, optional) | Until you unsubscribe | Reply "unsubscribe" to any marketing email, or email us directly. |

To request deletion of your account and all associated data, contact us at info@curiousheadlabs.com. We will confirm deletion within 30 days.

5. Children's privacy (COPPA)

Dear Little Me is a tool for parents and guardians. The following statements apply to compliance with the Children's Online Privacy Protection Act (COPPA) and similar laws worldwide.

6. Your rights

Depending on where you live, you may have the right to:

To exercise any of these rights, email us at info@curiousheadlabs.com. We will respond within 30 days.

7. Cookies and browser storage

We use minimal local storage and cookies. We do not use advertising cookies or track you across other websites.

| Storage item | Purpose | Required? |
|---|---|---|
| Authentication session | Keeps you signed in between visits. Stores your session token in localStorage. | Yes — the app cannot function without it. |
| Anonymous analytics identifier | A randomly-generated ID stored in localStorage used to measure feature usage. Contains no personal data and is not linked to your account. | No — you can decline via the cookie banner. You can also opt out by enabling "Do Not Track" in your browser settings. |
| Visit counter | A single integer in localStorage counting how many times you've visited. Used to distinguish new from returning visitors. No personal data. | No — only used alongside analytics consent. |
| Cookie consent preference | Stores your accept/decline choice from the cookie banner so you are not asked again. | Yes — required to respect your preference. |

8. Data transfers

Dear Little Me operates globally. Your data may be processed in the United States and European Union. We rely on standard contractual clauses and service providers' data processing agreements where required by law.

9. Security

We take reasonable technical measures to protect your data: HTTPS everywhere, JWT-authenticated API routes, and role-based Supabase access control. No method of transmission over the internet is 100% secure. If you discover a security issue, please contact us at info@curiousheadlabs.com.

10. Changes to this policy

We may update this policy from time to time. We will update the "Last updated" date at the top of this page. Continued use of Dear Little Me after changes constitutes acceptance of the updated policy.

11. Contact

Questions, requests, or concerns: info@curiousheadlabs.com