Last updated: June 25, 2026
Dear Little Me is a service for parents. We collect only what we need to write and deliver your letter. We do not sell your data, advertise to you, or share your information with third parties except the services listed below that make the product work.
Dear Little Me is operated by Curious Head Labs. If you have any questions about this policy, contact us at info@curiousheadlabs.com.
| Data | Why we collect it | Stored? |
|---|---|---|
| Email address | Account sign-in (magic link) and time capsule delivery | Yes, in Supabase |
| Child's name and age | Personalising the generated letter | Yes, with the letter |
| Milestones, message, tone | Generating the letter | Yes, with the letter |
| Photo (optional) | Sent to OpenAI for description in the letter. Not stored by us. | No — processed and discarded |
| Letter content | Storing your letters in My Letters and delivering time capsules | Yes, in Supabase |
| IP address | Rate limiting to prevent abuse | Temporarily, in Upstash Redis (TTL ≤ 1 hour) |
| Usage events (anonymous) | Understanding how the product is used | Yes, in PostHog |
We use the following services to operate Dear Little Me. Each processes data only to the extent necessary for its function.
| Service | Purpose | Privacy policy |
|---|---|---|
| Supabase | Authentication and database | supabase.com/privacy |
| OpenAI | Letter generation (your inputs are sent to OpenAI's API) | openai.com/privacy |
| Brevo | Transactional email delivery | brevo.com/privacy |
| PostHog | Product analytics (anonymous usage events) | posthog.com/privacy |
| Upstash | Rate limiting (IP addresses, short TTL) | upstash.com/privacy |
| Vercel | Hosting and serverless functions | vercel.com/privacy |
OpenAI note: When you upload a photo or enter milestones and a message, this content is sent to OpenAI's API to generate your letter. OpenAI's API usage policies apply. Per OpenAI's API terms, they do not use API inputs to train their models.
We retain your data only as long as necessary to provide the Service or as required by law.
| Data type | Retention period | Deletion |
|---|---|---|
| Letters and account data | Until you close your account | Email us to request deletion. We delete within 30 days. |
| Photos | Not retained — processed in memory only | Discarded immediately after letter generation. Never written to disk or stored in a database. |
| IP addresses (rate limiting) | Up to 1 hour | Automatically deleted by TTL expiry in our rate-limit cache. |
| Analytics events (anonymous) | 12 months | Automatically purged after 12 months per our analytics provider's retention settings. |
| Email address (marketing, optional) | Until you unsubscribe | Reply "unsubscribe" to any marketing email, or email us directly. |
To request deletion of your account and all associated data, contact us at info@curiousheadlabs.com. We will confirm deletion within 30 days.
Dear Little Me is a tool for parents and guardians. The following statements apply to compliance with the Children's Online Privacy Protection Act (COPPA) and similar laws worldwide.
Depending on where you live, you may have the right to:
To exercise any of these rights, email us at info@curiousheadlabs.com. We will respond within 30 days.
We use minimal local storage and cookies. We do not use advertising cookies or track you across other websites.
| Storage item | Purpose | Required? |
|---|---|---|
| Authentication session | Keeps you signed in between visits. Stores your session token in localStorage. | Yes — the app cannot function without it. |
| Anonymous analytics identifier | A randomly-generated ID stored in localStorage used to measure feature usage. Contains no personal data and is not linked to your account. | No — you can decline via the cookie banner. You can also opt out by enabling "Do Not Track" in your browser settings. |
| Visit counter | A single integer in localStorage counting how many times you've visited. Used to distinguish new from returning visitors. No personal data. | No — only used alongside analytics consent. |
| Cookie consent preference | Stores your accept/decline choice from the cookie banner so you are not asked again. | Yes — required to respect your preference. |
Dear Little Me operates globally. Your data may be processed in the United States and European Union. We rely on standard contractual clauses and service providers' data processing agreements where required by law.
We take reasonable technical measures to protect your data: HTTPS everywhere, JWT-authenticated API routes, and role-based Supabase access control. No method of transmission over the internet is 100% secure. If you discover a security issue, please contact us at info@curiousheadlabs.com.
We may update this policy from time to time. We will update the "Last updated" date at the top of this page. Continued use of Dear Little Me after changes constitutes acceptance of the updated policy.
Questions, requests, or concerns: info@curiousheadlabs.com