Your privacy matters to us. This policy explains what data we collect, why we collect it, how we use it, and your rights regarding your personal information.
1. Who We Are
Mystical Messages ("we," "our," or "us") operates the Mystical Messages web application and related services. We are the data controller responsible for your personal information collected through our service.
We can be reached at support@mysticalmessages.com for any privacy-related inquiries.
2. Information We Collect
We collect the following categories of personal information:
| Category | Data Collected | Required? |
| --- | --- | --- |
| Account Info | First name, last name, email address, password (hashed) | Yes |
| Contact Info | Phone number (parent/guardian) | Yes |
| Child Info | Child's first name, birthday (optional) | Optional |
| Payment Info | Billing details (processed by Stripe - we do not store card numbers) | For paid plans |
| Message Data | Message content, recipient phone numbers, send timestamps | Yes |
| Usage Data | Login timestamps, features used, session data | Automatic |
| Device Info | Browser type, device type, IP address | Automatic |
We do not collect Social Security numbers, government IDs, biometric data, or precise geolocation data.
3. How We Collect Information
- Directly from you: When you create an account, update your profile, add children, or create messages
- Automatically: Through cookies, session storage, and server logs when you use the service
- From third parties: Payment information from Stripe; SMS delivery status from Twilio
4. How We Use Your Information
We use your information for the following purposes:
- Service delivery: To create your account, process payments, and send SMS messages
- Personalization: To personalize messages with your child's name and details
- Account management: To authenticate you, manage your subscription, and process billing
- Customer support: To respond to your questions, issues, and refund requests
- Service improvement: To analyze usage patterns and improve features
- Legal compliance: To comply with applicable laws and regulations
- Security: To detect, prevent, and address fraud or abuse
- Communications: To send transactional emails about your account and subscription
We do not use your data for targeted advertising or sell your data to third parties.
5. How We Share Your Information
We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:
- Service providers: With trusted third-party vendors (Stripe for payments, Twilio for SMS) who are contractually obligated to protect your data and use it only as directed by us
- Legal requirements: When required by law, court order, or government authority
- Business transfers: In connection with a merger, acquisition, or sale of assets, with appropriate confidentiality protections
- Safety: When necessary to protect the rights, property, or safety of our users or others
- With your consent: For any other purpose with your explicit consent
6. Third-Party Services
We use the following third-party services to operate Mystical Messages:
| Service | Purpose | Data Shared |
| --- | --- | --- |
| Stripe | Payment processing | Name, email, billing details |
| Twilio | SMS delivery | Phone numbers, message content |
Each provider maintains their own privacy policy and security practices. We encourage you to review:
7. Children's Privacy & Safety (COPPA)
Our Child Safety Commitment - Non-Negotiable Rules:
1. Adults Only: Mystical Messages accounts may only be created and operated by individuals who are 18 years of age or older. We do not permit minors to hold accounts.
2. Adult Phone Numbers Only: All SMS messages are delivered exclusively to the phone number registered by the adult account holder. We never collect, store, or transmit messages to a minor's phone number or device. The registered phone must belong to a person 18 years of age or older.
3. No Unsupervised Messaging: No message can be sent through our platform without an adult-authored script reviewed and approved by the account holder. Characters cannot "auto-reply" to children or send messages without explicit adult initiation. Child safety through adult supervision is a core technical requirement of our platform, not merely a policy.
4. Minimal Child Data: We collect only a child's first name and optional birthday, solely for message personalization. We do not collect children's phone numbers, email addresses, photos, or any identifying information beyond a first name.
Mystical Messages is designed for use by parents and guardians only. Our service is not directed at children, and we do not knowingly collect personal information directly from any child under the age of 13.
While our service creates magical experiences involving children, the adult account holder controls all aspects of the platform: account setup, character selection, message scripting, and delivery timing. Children are never given access to the account, the app, or any communications interface.
We comply with the Children's Online Privacy Protection Act (COPPA) and the Children's Online Privacy Protection Rule (COPPA Rule). If you believe we have inadvertently collected information from or about a child without verifiable parental consent, please contact us immediately at support@mysticalmessages.com. We will promptly investigate and delete such information.
Parents and guardians may request to review, update, or permanently delete all information associated with their child at any time through the Settings page or by contacting us directly. Such requests will be honored within 5 business days.
8. SMS Data & Messaging
Adult Phone Numbers Only - Always.
All SMS messages sent through Mystical Messages are delivered exclusively to the phone number registered by the adult account holder. We do not send, forward, or store messages destined for a minor's phone or device under any circumstances. The registered delivery phone number must belong to an adult who is 18 years of age or older.
When you use our messaging features:
- Message content and your (adult) phone number are stored in our database solely to provide message history within your account
- SMS messages are transmitted through Twilio's infrastructure to the adult account holder's registered phone number only
- We retain message logs so you can review what was sent from your account dashboard
- Phone numbers are used solely for sending messages you explicitly script, review, and authorize, never for unsolicited outreach
- No message is ever sent automatically or without adult initiation. Our platform technically enforces this: every message requires an adult-authored script before dispatch
- We do not collect, store, or transmit any phone number belonging to a minor
We will never send unsolicited messages to any phone number associated with your account. Every single message sent through our platform is one you created, reviewed, and triggered.
SMS Opt-Out: You may reply STOP to any message to opt out of future messages from our Twilio number. Opt-out requests are honored immediately by the carrier network and within 24 hours in our system. Reply HELP for support information.
9. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Specifically:
- Account data: Retained while your account is active and for 30 days after deletion
- Message history: Retained for 12 months from the date of sending
- Payment records: Retained for 7 years as required by financial regulations
- Server logs: Automatically deleted after 90 days
You may request deletion of your account and associated data at any time. See "Your Rights" below.
10. Data Security
We take reasonable technical and organizational measures to protect your personal information, including:
- Passwords are stored using bcrypt hashing; we never store plain-text passwords
- All data transmission is encrypted via HTTPS/TLS
- Payment data is handled exclusively by Stripe and never stored on our servers
- Session tokens are secured with HTTPOnly cookies
- Database access is restricted to authorized application processes only
While we implement strong security practices, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security of your data.
In the event of a data breach that affects your personal information, we will notify you as required by applicable law.
11. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of your personal data
- Correction: Update inaccurate information
- Deletion: Request deletion of your data
- Portability: Receive your data in a portable format
- Objection: Object to certain processing activities
- Restriction: Request we limit how we use your data
To exercise any of these rights, contact us at support@mysticalmessages.com. We will respond within 30 days. We may need to verify your identity before processing certain requests.
You can update your profile information directly from the Settings page in your account. You can delete your account from Settings > Danger Zone or by emailing us.
12. Cookies & Tracking
We use minimal cookies strictly necessary for the service to function:
- Session cookie: Used to keep you logged in while using the app. This cookie is deleted when you log out or after 7 days of inactivity.
We do not use:
- Advertising or tracking cookies
- Third-party analytics cookies (e.g. Google Analytics)
- Social media tracking pixels
- Fingerprinting technologies
You can disable cookies in your browser settings, but this will prevent you from staying logged in to the service.
13. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request information about the categories and specific pieces of personal data we have collected about you in the past 12 months.
- Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out: We do not sell personal information, so there is nothing to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To submit a CCPA request, email support@mysticalmessages.com with "CCPA Request" in the subject line.
14. International Users
Mystical Messages is operated from the United States. If you access the service from outside the United States, please be aware that your data may be transferred to and processed in the United States, where data protection laws may differ from those in your country.
By using our service, you consent to this transfer, processing, and storage of your information in the United States.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to your registered email address
- Display a notice within the app
We encourage you to review this policy periodically. Your continued use of the service after changes take effect constitutes your acceptance of the updated policy.