Privacy Policy

Magical Story ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, process, and protect your personal data when you use our AI-powered personalized storybook service. We comply with the EU General Data Protection Regulation (GDPR), the Swiss Data Protection Act, and other applicable privacy laws.

Magical Story Zurich, Switzerland Email: privacy@magicalstory.ch For GDPR purposes, we are the data controller for the personal data we process.

We collect and process the following types of data: Account Information: • Email address • Password (encrypted) • Account preferences Photos and Character Data: • Photos you upload for character creation • Character names and descriptions • Age, gender, and personality traits you provide Generated Content: • AI-generated avatar images • Story text and illustrations • Scene descriptions Usage Data: • IP address • Browser type and device information • Pages visited and features used • Story generation history Payment Information: • Processed securely through our payment provider (Stripe) • We do not store full credit card numbers

This is important: Your photos are processed as follows: 1. Upload & Processing: When you upload a photo, it is sent to our AI image processing system to create an illustrated avatar that resembles the person in the photo. 2. Temporary Storage: Original photos are stored temporarily during the story creation process. 3. Avatar Generation: The AI analyzes facial features, clothing, and other visual elements to create a cartoon/illustrated version. 4. Data Retention: • Original photos: Deleted within 30 days after story completion • Generated avatars: Retained as part of your story until you delete your account • You can request immediate deletion at any time 5. No Third-Party Sharing: Your photos are never shared with third parties for marketing or other purposes. They are only processed by our AI systems and cloud infrastructure providers (under strict data processing agreements).

We process your personal data based on: • Consent: For processing photos and creating personalized stories (you provide explicit consent during upload) • Contract: To provide the services you have purchased • Legitimate Interest: For improving our services and preventing fraud • Legal Obligation: For tax records and legal compliance

Our service may be used to create stories featuring children. We take special care with this data: • Only parents or legal guardians may upload photos of children • We require explicit consent confirmation before processing photos of minors • Photos of children are subject to the same security measures and retention policies • We comply with COPPA (US), GDPR-K (EU), and other child privacy regulations • We do not knowingly collect data directly from children under 16

We implement robust security measures: • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256) • Access Control: Strict access controls limit who can access personal data • Infrastructure: We use enterprise-grade cloud infrastructure with security certifications • Monitoring: Continuous security monitoring and regular audits • Incident Response: Documented procedures for handling any data breaches

We share data only with: Service Providers (under Data Processing Agreements): • Cloud hosting (Railway, AWS) • AI processing (Google Cloud, OpenAI) • Payment processing (Stripe) • Email services We never sell your personal data to third parties. Legal Requirements: We may disclose data if required by law, court order, or to protect our legal rights.

Your data may be processed in: • Switzerland (primary) • European Union • United States (for certain AI processing) For transfers outside the EU/EEA, we rely on: • EU Standard Contractual Clauses • Adequacy decisions where applicable • Appropriate safeguards as required by GDPR

Under GDPR and applicable laws, you have the right to: • Access: Request a copy of your personal data • Rectification: Correct inaccurate data • Erasure: Request deletion of your data ("right to be forgotten") • Restriction: Limit how we process your data • Portability: Receive your data in a portable format • Objection: Object to certain processing activities • Withdraw Consent: Withdraw consent at any time To exercise these rights, contact us at privacy@magicalstory.ch or use the account settings in our app.

We retain data for the following periods: • Account data: Until you delete your account • Original photos: Maximum 30 days after story completion • Generated stories and avatars: Until you delete them or your account • Payment records: 7 years (legal requirement) • Server logs: 90 days You can delete your account and all associated data at any time through account settings.

We use: Essential Cookies: • Authentication and session management • Security features Google Ads (Cookieless Mode): • We use Google Ads conversion tracking in cookieless mode (Google Consent Mode v2 with all storage denied) • No advertising cookies or tracking pixels are stored on your device • Google may use anonymized, aggregated signals for statistical conversion modeling • No personal data is shared with Google for ad personalization You can block all Google tags entirely via your browser settings or a browser extension such as uBlock Origin.

We may update this Privacy Policy periodically. We will notify you of significant changes via: • Email notification • Prominent notice on our website • In-app notification Continued use after changes constitutes acceptance of the updated policy.

For privacy questions or to exercise your rights: Email: privacy@magicalstory.ch If you believe we have violated your privacy rights, you have the right to lodge a complaint with your local data protection authority: • Switzerland: Federal Data Protection and Information Commissioner (FDPIC) • EU: Your national Data Protection Authority