Privacy Policy

1. Introduction

OnceUponBooks ("we," "us," or "our") is committed to protecting the privacy of our users and the children featured in our personalized storybooks. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services at onceuponbooks.com (the "Service").

We take special care when handling information related to children. By using our Service, you acknowledge that you have read and understood this Privacy Policy.

3. Information We Collect

3.1 Information You Provide

• Account Information: Email address and name
• Child Information: Child's first name, age, and gender (for story personalization)
• Photos: Photos of children and family members you upload for character generation
• Family Member Information: Names and relationships of family members included in the story
• Payment Information: Billing details processed securely through Stripe
• Shipping Information: Delivery address for physical book orders
• Communications: Messages you send us through our contact form or email

3.2 Information Collected Automatically

• Device Information: Browser type, operating system, device type
• Usage Data: Pages visited, time spent on pages, click patterns
• IP Address: For security, fraud prevention, and approximate location
• Cookies and Similar Technologies: Limited essential cookies (e.g., for security and staff admin authentication) and browser storage (localStorage/sessionStorage) used to support core functionality (such as remembering an order ID)

4. How We Use Your Information

We use collected information for the following purposes:

• Book Creation: To generate personalized AI illustrations and create your custom storybook
• Order Processing: To process payments, fulfill orders, and deliver physical books
• Customer Support: To respond to inquiries and provide assistance
• Service Improvement: To analyze usage patterns and improve our Service
• Communications: To send order confirmations and updates, and (if you opt in) marketing communications. You can unsubscribe from marketing emails at any time.
• Legal Compliance: To comply with applicable laws and regulations
• Fraud Prevention: To detect and prevent fraudulent transactions

Legal Bases for Processing (GDPR/UK GDPR)

• Performance of a Contract: Processing necessary to create and deliver your personalized storybook (including processing photos you provide).
• Consent: Marketing emails (opt-in), optional features, and where required for processing children's photos provided by parents/guardians.
• Legitimate Interests: Service security, fraud prevention, and product improvement (where these interests are not overridden by your rights).
• Legal Obligations: Tax, accounting, and compliance recordkeeping.

6. How We Share Information

We do not sell your personal information. We may share information with:

• Payment Processors: Stripe processes payments securely (see Stripe's Privacy Policy)
• AI Service Providers: OpenAI and Google for image generation (photos processed per their data processing agreements)
• Cloud Infrastructure: Amazon Web Services (AWS) for secure data storage and processing
• Error Monitoring (If Enabled): Sentry for error tracking and performance monitoring. When enabled, we configure Sentry Replay to mask text and block media.
• Shipping Partners: Gelato and other printing/shipping partners to fulfill physical book orders
• Legal Requirements: When required by law, court order, or governmental authority
• Business Transfers: In connection with a merger, acquisition, or sale of assets

7. Data Retention

We retain your data as follows:

• Draft Orders (Not Purchased): Orders created but not completed expire after about 24 hours.
• Original Uploaded Photos: Your original photos (used to create character illustrations) are deleted within 30 days of order completion.
• Generated Books & PDFs: Your personalized storybook, including AI-generated illustrations and downloadable PDF, is retained for up to 7 years so you can re-download or request reprints.
• Order Metadata: Order records (status, email, payment/shipping details) are retained for up to 7 years for legal and accounting purposes.
• Marketing Preferences: If you opt in, we retain your preference until you unsubscribe.

You may request earlier deletion of your order assets and personal data by contacting us. In some cases, we may need to retain certain records to comply with legal obligations, resolve disputes, or enforce agreements.

8. Data Security

We implement industry-standard security measures to protect your information:

• All data transmission is encrypted using TLS/SSL (HTTPS)
• Photos and data are stored in encrypted AWS S3 buckets
• Payment information is handled by PCI-DSS compliant Stripe
• Access to personal data is restricted to authorized personnel only
• Regular security audits and monitoring

While we strive to protect your information, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security. If we discover a data breach that presents a risk to your rights and freedoms, we will notify you and the appropriate authorities as required by law.

9. Your Privacy Rights

Depending on your location, you may have the following rights:

All Users:

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your personal data
• Opt-Out: Unsubscribe from marketing communications at any time

California Residents (CCPA):

• Right to know what personal information is collected and how it's used
• Right to delete personal information (with exceptions)
• Right to opt-out of "sale" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioral advertising)
• Right to non-discrimination for exercising privacy rights

We do not use or disclose sensitive personal information (such as children's photos) for any purpose that would require offering a "Limit the Use of My Sensitive Personal Information" link under the CPRA.

European Users (GDPR):

• Right to access, rectify, and erase personal data
• Right to data portability
• Right to restrict or object to processing
• Right to withdraw consent at any time
• Right to lodge a complaint with a supervisory authority

To exercise these rights, contact us at team@kairolabs.ai. We will respond within the timeframes required by law (generally within 30 days under GDPR and 45 days under CCPA/CPRA).

10. Cookies and Tracking

We use limited cookies and similar technologies primarily for security and to enable admin authentication (for staff).

• Essential Cookies (Admin Only): Used to maintain admin sessions and protect access to admin tools.
• Local Storage / Session Storage: Used in your browser to help maintain your session and order flow (for example, storing an order ID or shared purchase flag).

You can control cookies through your browser settings. Disabling essential cookies may affect site functionality for admin users.

11. International Data Transfers

Your information may be transferred to and processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place, including standard contractual clauses for transfers from the EEA/UK.

12. Third-Party Links

Our Service may contain links to third-party websites (e.g., social media). We are not responsible for their privacy practices. We encourage you to review their privacy policies before providing any personal information.

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by posting the new policy on this page and updating the "Last Updated" date. For significant changes, we may send you an email notification. Your continued use of the Service after changes constitutes acceptance of the updated policy.