Privacy Policy

We, Story-Magic (Sample Street 1, 1234 Sample City, Austria – VAT ATU [please enter]) (hereinafter "we", "us", or "our"), value your privacy and handle your personal data with care. This privacy policy informs you pursuant to Art. 13 GDPR about the processing of your personal data. It describes what data we collect when you use our website https://story-magic.ai (hereinafter: "the Website"), place an order, or otherwise contact us, how we use this data, how it is stored, with whom it may be shared, and what rights you have.

1. Personal Data Collected

1.1 Data you provide directly: Contact and account data (name, email, password – encrypted), order data (billing and shipping address), personalization data (names in the book, occasion, textual instructions). Note: Do not enter sensitive medical or special category personal data in free text fields. Uploaded images: Processed by our AI systems to generate illustrations. Communication data: What you provide when contacting us. Payment data: Not stored by us; processed by Stripe; we only receive payment confirmations. 1.2 Automatically collected data: When you visit our Website, we may collect technical data (IP address, browser, operating system, device) and usage data (pages visited, click behavior, duration) via cookies and similar technologies (see Section 6).

2. Purposes of Data Processing

We process your personal data exclusively for: Creating and managing your account; processing, producing, and handling your orders; generating personalized children's books (eBooks and physical books) using AI; checking textual input for conflicts with our terms (e.g., copyrighted terms or inappropriate content); shipping products and making digital eBooks available for download; communicating about your order and providing customer service; sending service-oriented emails (order confirmations, shipping notifications); improving our products, services, and Website; analyzing website usage (anonymized where possible); complying with legal obligations (e.g., tax retention); preventing fraud and misuse.

3. Legal Grounds for Processing (GDPR)

Performance of the agreement (Art. 6(1)(b) GDPR): For processing your order, delivering products, managing your account, and for the processing of uploaded photos, personalization data, and book creation – these are necessary for contract performance. Consent (Art. 6(1)(a) GDPR): For marketing, newsletter, and marketing cookies. You give this consent separately in each case; you may withdraw it at any time. Legal obligation (Art. 6(1)(c) GDPR): To comply with tax and administrative obligations. Legitimate interest (Art. 6(1)(f) GDPR): For fraud prevention, enforcing our terms, and improving our services.

4. Sharing Personal Data with Third Parties

We do not sell your personal data. We only share it with third parties if necessary for our services. We conclude Data Processing Agreements (Art. 28 GDPR) with these parties. Affected categories: Payment providers (Stripe) for secure payment processing; shipping and printing partners for production and delivery; hosting and IT providers for the Website and storage; AI technology providers (e.g., OpenAI, Google) for generating texts and illustrations – your photos and textual input are processed by these systems; analytics services (e.g., Google Analytics) for website usage analysis (anonymized where possible); authorities if required by law. Transfer outside the EEA (in particular USA): Stripe, OpenAI, Google, and possibly other providers process data on servers in the USA. We use EU Standard Contractual Clauses and, where available, the EU-US Data Privacy Framework to ensure an adequate level of protection. Third-country transfers nevertheless entail residual risks (e.g., access by authorities in the third country), which we minimize through contractual safeguards.

5. Retention Periods

We do not retain your personal data longer than necessary. Account data: As long as your account is active or until you request deletion. Order and invoice data: At least 7 years per statutory tax retention obligation. Personalization data (photos and eBooks): Uploaded photos and generated digital eBooks ("project files") are stored for a maximum of 10 weeks from creation. After that, they are automatically and permanently deleted. You must download your eBook within this period. Communication data: Up to 2 years after handling your request or complaint.

6. Cookies and Tracking Technologies

We use cookies and similar technologies (e.g., pixels, local storage) to analyze Website use, improve functionality, and – with your consent – for marketing. Cookies are small text files placed on your device. Functional (necessary) cookies: Essential for the Website to function (navigation, login, shopping cart). Analytical cookies: Help us understand how visitors use the Website; data is anonymized where possible. Marketing cookies: Only placed after your explicit consent. On your first visit, you will be informed via a cookie banner and asked for consent for non-essential cookies. You can change your cookie settings or withdraw consent at any time. Disabling cookies may affect Website functionality.

7. Security of Personal Data

We take appropriate technical and organizational measures to protect your personal data against misuse, loss, unauthorized access, and unauthorized modification. This includes encryption (SSL/TLS) for transmission, secure servers, and access management. Despite adequate security measures, complete security for data transmitted over the internet cannot be guaranteed. In the event of a data breach with likely adverse consequences, we will inform you in accordance with legal obligations.

8. Your Rights (Data Subject Rights)

Under the GDPR, you have the following rights: Right of access (Art. 15 GDPR); Right to rectification (Art. 16 GDPR); Right to erasure ("right to be forgotten", Art. 17 GDPR); Right to restriction of processing (Art. 18 GDPR); Right to notification (Art. 19 GDPR); Right to data portability (Art. 20 GDPR); Right to object (Art. 21 GDPR); Right not to be subject to automated individual decision-making (Art. 22 GDPR). We do not engage in solely automated decision-making with legal or similarly significant effects. To exercise these rights, contact us using the details below. We will respond within one month; this period may be extended by two months for complex requests. We may ask you to identify yourself. If you believe our processing infringes privacy legislation, you have the right to lodge a complaint with the competent Data Protection Authority.

9. AI Generation and Use of Images

The processing of uploaded images for personalizing your children's book is carried out by our AI systems and those of our carefully selected technology partners (e.g., OpenAI, Google). This processing serves exclusively to generate the ordered product. We have concluded Data Processing Agreements (Art. 28 GDPR) with all AI providers. Important: We and our partners do not use your photos and input data to train AI models; our AI providers likewise do not use your data to train their models. Your data is only used for the execution of your order.

10. Children's Data

Our products are aimed at children but are ordered by adults. We do not knowingly collect personal data directly from children without parental consent. Personal data of children (e.g., name in the book, uploaded photo) is only processed for product personalization, based on the input of the adult Buyer. By uploading a photo and providing names, the Buyer confirms that they are the legal guardian or otherwise authorized to upload the image and provide the child's data. If you suspect we have collected data from a child without the required authorization, please contact us.

11. Changes to the Privacy Policy

We reserve the right to modify this privacy policy. Changes will be published on our Website. The date of the last revision is stated at the bottom. We advise you to consult this policy regularly. In the event of significant changes that substantially affect your rights or the way we process your data, we will actively inform you, e.g., via email or a clear notice on the Website.

12. Contact Details

If you have questions about this privacy policy, the processing of your personal data, or wish to exercise your rights, you can contact us via email: support@story-magic.ai, or via our contact page.

This privacy policy was last updated on February 18, 2026.