Privacy Policy

Last updated: December 14, 2025

1. Data Controller

This Privacy Policy explains how your personal data is collected, used, and protected when you use the services provided by:

  • Business name: talesofus.ai (Eenmanszaak)
  • KvK-nummer: 98879200
  • Address: Anna van Buerenplein 56, 2595DB Den Haag, Netherlands
  • Email: hi@talesofus.ai
  • Website: talesofus.ai

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. By using our services, you acknowledge that you have read and understood this Privacy Policy.

2. What We Do

TalesOfUs creates personalized AI-generated storybooks. You provide us with a character name, a reference photo, story preferences, and customization choices. We use artificial intelligence to generate a unique illustrated story, which is then delivered as a digital file (EPUB/PDF) and optionally as a professionally printed hardcover book shipped to your address.

3. Personal Data We Collect

3.1 Information You Provide

  • Contact information: Name, email address, shipping address, phone number (optional)
  • Payment information: Processed securely by Stripe; we do not store your full payment card details
  • Story customization data: Character name, story preferences, settings, and personalization choices
  • Photographs: Reference photos you upload for character illustration (see Section 4 for details)
  • Communications: Messages you send to our customer support

3.2 Information Collected Automatically

  • IP address: Used for fraud prevention, rate limiting, and approximate geolocation for shipping
  • Device and browser information: Browser type, operating system, device type
  • Usage data: Pages visited, time spent on site, referring URLs (collected via Vercel Analytics)

4. Photographs and Image Data

Important Information About Photo Uploads

When you upload a reference photo, this image is transmitted to and stored by our third-party AI image generation provider, Leonardo.ai, to create character illustrations for your story. We do not extract, analyze, or process biometric identifiers (such as facial geometry) from these photos ourselves. However, the photos are used as visual references by AI systems.

Photo storage and retention: Uploaded photos are stored on Leonardo.ai's servers according to their data retention policies. We do not maintain copies of your photos on our own servers beyond the order fulfillment process. You may request deletion of your photo data by contacting us, and we will coordinate with Leonardo.ai to process your request.

Consent for photos of others: If you upload a photo of another person (including a child), you confirm that you have obtained their consent (or, for minors, the consent of their parent or legal guardian) to use their likeness for creating a personalized story.

5. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b)): Processing necessary to fulfill your order, including generating your story, printing your book, shipping, and customer support
  • Legal obligation (Art. 6(1)(c)): Processing required to comply with tax, accounting, and other legal requirements
  • Legitimate interests (Art. 6(1)(f)): Fraud prevention, service improvement, website analytics, and security measures, balanced against your rights and interests
  • Consent (Art. 6(1)(a)): Where required, such as for marketing communications (which we currently do not send)

6. How We Use Your Data

We use your personal data exclusively for:

  • Processing and fulfilling your book orders
  • Generating personalized AI stories and illustrations based on your inputs
  • Communicating order confirmations, shipping updates, and delivery notifications
  • Providing customer support and responding to inquiries
  • Preventing fraud and abuse (rate limiting, reCAPTCHA verification)
  • Complying with legal and tax obligations
  • Analyzing website usage to improve our service (aggregated, non-identifying data)

We do not: Sell your personal data, use it for advertising purposes, or share it with third parties for their own marketing.

7. Third-Party Service Providers (Data Processors)

To deliver our services, we share your data with trusted third-party providers who act as data processors under GDPR. These providers process your data only on our instructions and are contractually bound to protect it:

AI and Content Generation

  • OpenAI (USA): Generates story text based on your preferences. Receives: character name, story settings, customization choices. Does not receive: your email, address, or photos. Privacy Policy
  • Leonardo.ai (Australia): Generates and stores illustrations based on your uploaded reference photo. Receives: your uploaded photo and image generation prompts. Privacy Policy

Payment Processing

  • Stripe (USA): Processes payments securely in compliance with PCI DSS. Receives: payment card details, billing address, email. We do not have access to your full card number. Privacy Policy

Printing and Fulfillment

  • Lulu.com (USA): Prints and ships physical books. Receives: your name, shipping address, and book files (which contain your story and illustrations). Privacy Policy

Infrastructure and Analytics

  • Google Cloud / Firebase (USA): Hosts our backend services, database, and file storage. Privacy Policy
  • Vercel (USA): Hosts our website and provides basic analytics (page views, visitor counts). Privacy Policy
  • Google reCAPTCHA: Protects against automated abuse. May collect IP address and browser data. Privacy Policy

8. International Data Transfers

We are based in the Netherlands (EU), but some of our service providers are located in countries outside the European Economic Area (EEA), primarily the United States and Australia. When we transfer your data outside the EEA, we ensure appropriate safeguards are in place:

  • Transfers to the USA: Our US-based providers (Stripe, OpenAI, Lulu, Google, Vercel) participate in the EU-U.S. Data Privacy Framework or have implemented Standard Contractual Clauses (SCCs) approved by the European Commission
  • We regularly review our providers' compliance with data protection requirements

By using our services, you acknowledge that your data may be processed in these countries. You can request information about the specific safeguards in place by contacting us.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • SSL/TLS encryption for all data in transit
  • Encryption at rest for stored data
  • Secure authentication and access controls
  • Regular security reviews of our systems and providers
  • Limited access to personal data on a need-to-know basis

While we take reasonable precautions, no system is completely secure. We cannot guarantee absolute security of your data during transmission or storage.

10. Data Retention

We retain your personal data only as long as necessary for the purposes described:

  • Order and transaction records: 7 years (Dutch tax law requirement)
  • Customer support communications: 3 years after last contact
  • Generated book files: Retained indefinitely to allow re-downloads, unless you request deletion
  • IP addresses and rate limit data: 90 days
  • Photos uploaded to Leonardo.ai: Subject to Leonardo.ai's retention policy; contact us to request deletion

After the retention period, data is securely deleted or anonymized.

11. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention requirements
  • Right to restriction (Art. 18): Request that we limit processing of your data in certain circumstances
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interests
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at hi@talesofus.ai. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

12. Cookies and Tracking

We use minimal cookies and tracking technologies:

  • Essential cookies: Required for the website to function (e.g., language preferences, session management)
  • Analytics: Vercel Analytics collects aggregated, privacy-friendly usage statistics without personal identifiers
  • reCAPTCHA: Google reCAPTCHA may set cookies to distinguish humans from bots

We do not use advertising cookies or trackers. You can manage cookie preferences through your browser settings.

13. Children's Privacy

Our service is designed to create children's storybooks, but the service itself is intended for use by adults (parents, guardians, gift-givers). We do not knowingly collect personal data directly from children under 16. If you are under 16, please ask a parent or guardian to use our service on your behalf.

Photos of children: If you upload a photo of a child to create a personalized story, you represent that you are the parent or legal guardian of that child, or that you have obtained consent from the parent or guardian.

14. Legal Disclosure

We may disclose your personal data if required by law or in good faith belief that such action is necessary to:

  • Comply with legal obligations, court orders, or valid legal process
  • Protect and defend our rights or property
  • Prevent fraud or investigate potential violations of our terms
  • Protect the safety of our users or the public

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, services, or legal requirements. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • For significant changes, notify you by email (if we have your email address) or display a prominent notice on our website

We encourage you to review this Privacy Policy periodically. Your continued use of our services after changes become effective constitutes acceptance of the updated policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

  • Email: hi@talesofus.ai
  • Address: talesofus.ai, Anna van Buerenplein 56, 2595DB Den Haag, Netherlands

We aim to respond to all inquiries within 30 days.