Privacy Policy

Last updated: January 2025

1. Introduction

Magical Story ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, process, and protect your personal data when you use our AI-powered personalized storybook service. We comply with the EU General Data Protection Regulation (GDPR), the Swiss Data Protection Act, and other applicable privacy laws.

2. Data Controller

Magical Story Zurich, Switzerland Email: privacy@magicalstory.ch For GDPR purposes, we are the data controller for the personal data we process.

3. Data We Collect

We collect and process the following types of data: Account Information: • Email address • Password (encrypted) • Account preferences Photos and Character Data: • Photos you upload for character creation • Character names and descriptions • Age, gender, and personality traits you provide Generated Content: • AI-generated avatar images • Story text and illustrations • Scene descriptions Usage Data: • IP address • Browser type and device information • Pages visited and features used • Story generation history Payment Information: • Processed securely through our payment provider (Stripe) • We do not store full credit card numbers

4. How We Use Your Photos

This is important: Your photos are processed as follows: 1. Upload & Processing: When you upload a photo, it is sent to our AI image processing system to create an illustrated avatar that resembles the person in the photo. 2. Temporary Storage: Original photos are stored temporarily during the story creation process. 3. Avatar Generation: The AI analyzes facial features, clothing, and other visual elements to create a cartoon/illustrated version. 4. Data Retention: • Original photos: Deleted within 30 days after story completion • Generated avatars: Retained as part of your story until you delete your account • You can request immediate deletion at any time 5. No Third-Party Sharing: Your photos are never shared with third parties for marketing or other purposes. They are only processed by our AI systems and cloud infrastructure providers (under strict data processing agreements).

5. Legal Basis for Processing (GDPR)

We process your personal data based on: • Consent: For processing photos and creating personalized stories (you provide explicit consent during upload) • Contract: To provide the services you have purchased • Legitimate Interest: For improving our services and preventing fraud • Legal Obligation: For tax records and legal compliance

6. Children's Privacy

Our service may be used to create stories featuring children. We take special care with this data: • Only parents or legal guardians may upload photos of children • We require explicit consent confirmation before processing photos of minors • Photos of children are subject to the same security measures and retention policies • We comply with COPPA (US), GDPR-K (EU), and other child privacy regulations • We do not knowingly collect data directly from children under 16

7. Data Security

We implement robust security measures: • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256) • Access Control: Strict access controls limit who can access personal data • Infrastructure: We use enterprise-grade cloud infrastructure with security certifications • Monitoring: Continuous security monitoring and regular audits • Incident Response: Documented procedures for handling any data breaches

8. Data Sharing

We share data only with: Service Providers (under Data Processing Agreements): • Cloud hosting (Railway, AWS) • AI processing (Google Cloud, OpenAI) • Payment processing (Stripe) • Email services We never sell your personal data to third parties. Legal Requirements: We may disclose data if required by law, court order, or to protect our legal rights.

9. International Data Transfers

Your data may be processed in: • Switzerland (primary) • European Union • United States (for certain AI processing) For transfers outside the EU/EEA, we rely on: • EU Standard Contractual Clauses • Adequacy decisions where applicable • Appropriate safeguards as required by GDPR

10. Your Rights

Under GDPR and applicable laws, you have the right to: • Access: Request a copy of your personal data • Rectification: Correct inaccurate data • Erasure: Request deletion of your data ("right to be forgotten") • Restriction: Limit how we process your data • Portability: Receive your data in a portable format • Objection: Object to certain processing activities • Withdraw Consent: Withdraw consent at any time To exercise these rights, contact us at privacy@magicalstory.ch or use the account settings in our app.

11. Data Retention

We retain data for the following periods: • Account data: Until you delete your account • Original photos: Maximum 30 days after story completion • Generated stories and avatars: Until you delete them or your account • Payment records: 7 years (legal requirement) • Server logs: 90 days You can delete your account and all associated data at any time through account settings.

12. Cookies and Tracking

We use: Essential Cookies: • Authentication and session management • Security features Google Analytics 4: • We use Google Analytics 4 to understand how visitors use our website (pages visited, features used, where visitors leave) • Google Analytics sets cookies to recognize returning visitors; full IP addresses are not logged or stored by Google Analytics 4 • The data is used in aggregated form to improve our website and service Google Ads: • We use Google Ads conversion tracking to measure whether our advertising works (e.g. whether an ad click leads to a trial story) • Google Ads sets cookies to attribute website visits to ad clicks You can opt out at any time: block cookies in your browser settings, use a browser extension such as uBlock Origin, or install the Google Analytics opt-out add-on (tools.google.com/dlpage/gaoptout).

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via: • Email notification • Prominent notice on our website • In-app notification Continued use after changes constitutes acceptance of the updated policy.

14. Contact & Complaints

For privacy questions or to exercise your rights: Email: privacy@magicalstory.ch If you believe we have violated your privacy rights, you have the right to lodge a complaint with your local data protection authority: • Switzerland: Federal Data Protection and Information Commissioner (FDPIC) • EU: Your national Data Protection Authority