Booklly

Booklly is operated by Računalniško programiranje Janko Tomšič s.p., a sole proprietorship registered in Slovenia.


1. Introduction

Welcome to Booklly. We provide a platform for parents and guardians to create personalized AI-generated stories for children through our website and application (collectively, the "Services").

We are committed to protecting your privacy and the privacy of your children. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Services. It complies with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and other applicable data protection laws.

Important: This Privacy Policy governs your personal data. The ownership and licensing of stories you create are governed by our Terms of Service.

Data Controller:

Računalniško programiranje Janko Tomšič s.p.

Pugljeva ulica 1

8000 Novo mesto

Slovenia

contact page


2. Information We Collect

We collect personal data to provide and improve our Services. The types of data we collect depend on how you interact with Booklly.

2.1 Information You Provide

| Category | Examples | Purpose |
|---|---|---|
| Account Data | Email address, username, password | Create and authenticate your account |
| Profile Data | Display name, profile photo | Personalize your experience and attribute content |
| Kid Profile Data | Child's first name, gender, birthdate, interests, profile photo | Personalize AI-generated stories for your children |
| Payment Data | Billing address, payment method (via Stripe) | Process subscription payments |
| User Content | Story prompts, generated stories, uploaded images | Provide the story generation service |
| Communications | Support emails, feedback, survey responses | Respond to inquiries and improve Services |
| Preferences | Newsletter subscriptions (Content Updates, Marketing), language settings | Customize communications and experience |

2.2 Information Collected Automatically

When you use our Services, we automatically collect:

| Category | Examples | Purpose |
|---|---|---|
| Device Data | Device type, operating system, browser type, screen resolution | Optimize display and functionality |
| Usage Data | Pages visited, features used, story generation frequency, playback history | Improve Services and personalization |
| Log Data | IP address, access times, referring URLs, error logs | Security monitoring and troubleshooting |
| Cookie Data | Session identifiers, preferences | Maintain sessions and remember settings |

2.3 Information from Third Parties

We may receive data from:

  • Authentication Providers: If you sign in with Google, Apple, or other social logins, we receive your name and email based on your settings with those services.
  • Payment Processor: Stripe provides transaction confirmations and subscription status (not your full card number).

3. Children's Data

Booklly is designed for use by adults. Our Services are intended for parents and guardians who create stories for their children. Children do not interact with the platform directly.

3.1 Kid Profile Data

When you create a Kid Profile, you provide information about your child (name, gender, birthdate, interests) to personalize story generation. This data is:

  • Provided by you, the parent or guardian—not collected directly from children.
  • Used solely to customize AI-generated content appropriate for your child's age and interests.
  • Not shared with third parties for marketing purposes.
  • Not used for behavioral advertising or profiling.
  • Stored securely and deleted upon your request or account deletion.

3.2 Parental Consent and Control

By creating a Kid Profile, you represent that you are the parent or legal guardian of the child and consent to the processing of their data for story personalization.

You may at any time:

  • View, edit, or delete Kid Profile data through your account settings.
  • Request complete deletion of all Kid Profile data by contacting us.
  • Restrict how Kid Profile data is used.

3.3 Compliance

We do not knowingly collect personal data directly from children under 16 (or the applicable age in your jurisdiction). If you believe a child has provided us data without parental consent, contact us immediately at hello@booklly.com.


4. How We Use Your Information

We process your personal data under the following legal bases:

4.1 Contract Performance (GDPR Art. 6(1)(b))

To provide the Services you request:

  • Creating and managing your account.
  • Processing story generation requests.
  • Managing subscriptions and payments.
  • Providing audio playback and story access.
  • Enabling Family sharing features.
  • Sending transactional emails (account confirmations, password resets, story notifications).

4.2 Legitimate Interests (GDPR Art. 6(1)(f))

For purposes that do not override your rights:

  • Service Improvement: Analyzing usage patterns to enhance features and fix issues.
  • Security: Detecting and preventing fraud, abuse, and unauthorized access.
  • Library Integrity: Retaining anonymized published stories to maintain the Booklly Library for other subscribers (see Section 7).
  • Basic Analytics: Understanding how Services are used to make informed decisions.

4.3 Consent (GDPR Art. 6(1)(a))

Where you have given specific consent:

  • Sending marketing emails and newsletters (you may opt out at any time).
  • Using optional cookies for analytics and personalization.
  • Processing Kid Profile data for story personalization.

4.4 Legal Obligation (GDPR Art. 6(1)(c))

To comply with laws:

  • Tax and financial record-keeping.
  • Responding to lawful government requests.
  • Enforcing our Terms of Service.

5. Sharing of Information

We do not sell your personal data. We share data only as follows:

5.1 Service Providers (Data Processors)

We use third-party providers who process data on our behalf under strict contractual obligations:

| Provider | Location | Function | Data Processed |
|---|---|---|---|
| Supabase | EU/US | Database, authentication, file storage | Account data, user content, session data |
| Stripe | US (EU SCCs) | Payment processing | Payment tokens, billing address, subscription status |
| OpenAI | US | AI text generation | Story prompts (anonymized) |
| Anthropic | US | AI text generation | Story prompts (anonymized) |
| Google (Gemini) | US (EU SCCs) | AI text and voice generation | Story prompts, text for voice synthesis |
| ElevenLabs | US | Voice synthesis | Story text for audio generation |
| FAL.ai | US | Image generation | Character and scene descriptions |
| Resend | US | Email delivery | Email addresses, message content |
| Trigger.dev | EU | Background job processing | Story generation job metadata |

All US-based processors have appropriate safeguards in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms.

5.2 AI Provider Data Handling

When you generate a story:

  • Your prompts and Kid Profile attributes (age, interests—not names or birthdates) are sent to AI providers.
  • AI providers process this data to generate text, images, and audio.
  • We do not send personally identifiable information about children to AI providers.
  • AI providers may retain prompts temporarily for abuse monitoring (typically 30 days) per their policies.

5.3 Family Members

If you create or join a Family group, stories you create may be visible to other Family members. This sharing is based on your consent when joining the Family.

5.4 Public Library

If you publish stories to the Booklly Library, they become visible to other subscribers. Your username is displayed with published stories unless anonymized.

5.5 Legal Requirements

We may disclose data when required by law, legal process, or government request, or to protect the rights, property, or safety of Booklly, our users, or the public.

5.6 Business Transfers

If Booklly is acquired, merged, or sells assets, your data may be transferred to the successor entity. We will notify you of any such change.


6. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our service providers operate.

For transfers outside the EEA, we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs): Approved by the European Commission.
  • Adequacy Decisions: For transfers to countries deemed adequate by the EU.
  • Supplementary Measures: Technical and organizational measures to protect data.

By using the Services, you acknowledge these transfers. You may contact us for more information about specific safeguards.


7. Data Retention

We retain your data only as long as necessary for the purposes described:

| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | Until account deletion + 30 days | Service provision and reasonable recovery period |
| Kid Profile Data | Until deleted by you or account deletion | Story personalization |
| Payment Records | 7 years after transaction | Tax and legal compliance |
| Story Content (Private) | Until deleted by you or account deletion | Your personal use |
| Story Content (Published) | Indefinitely (anonymized after account deletion) | Library integrity for other subscribers |
| Usage Logs | 12 months | Security and analytics |
| Support Communications | 3 years | Service improvement and dispute resolution |

7.1 Library Retention Policy

When you delete your account:

  • Private stories (unpublished) are permanently deleted.
  • Published stories may be retained in anonymized form—your username and profile link are removed, and the story is attributed to "Booklly User."

This retention is based on our legitimate interest (GDPR Art. 6(1)(f)) in maintaining a consistent library for other subscribers who may have favorited or interacted with your stories. This balancing test considers:

  • Purpose: Maintaining service quality and user expectations.
  • Necessity: Deleting stories creates gaps in the library experience.
  • Safeguards: Anonymization protects your privacy while preserving content.

You may object to this retention by contacting us before deleting your account. We will consider your objection and may fully delete stories upon request.


8. Your Rights

Under GDPR and applicable laws, you have the following rights:

| Right | Description | How to Exercise |
|---|---|---|
| Access | Obtain a copy of your personal data | Account settings or email us |
| Rectification | Correct inaccurate or incomplete data | Account settings or email us |
| Erasure | Request deletion of your data (subject to legal retention) | Account settings or email us |
| Restriction | Limit how we process your data | Email us |
| Portability | Receive your data in a machine-readable format | Email us |
| Objection | Object to processing based on legitimate interests | Email us |
| Withdraw Consent | Revoke consent for processing (e.g., marketing) | Account settings or email us |
| Complaint | Lodge a complaint with a supervisory authority | Contact your local DPA |

To exercise your rights, contact us at hello@booklly.com. We will respond within 30 days (extendable by 60 days for complex requests). We may verify your identity before processing requests.

Slovenian Supervisory Authority:

Informacijski pooblaščenec

Dunajska cesta 22

1000 Ljubljana, Slovenia

https://www.ip-rs.si


9. Cookies and Tracking

We use cookies and similar technologies to operate our Services.

9.1 Essential Cookies

Required for basic functionality:

  • Session management and authentication.
  • Security features (CSRF protection).
  • Remembering your preferences.

These cannot be disabled while using the Services.

9.2 Analytics Cookies

Help us understand how Services are used:

  • Page views and navigation patterns.
  • Feature usage statistics.
  • Error tracking.

These are used only with your consent.

9.3 Managing Cookies

You can manage cookie preferences through:

  • Our cookie consent banner when you first visit.
  • Your browser settings (note: disabling cookies may affect functionality).
  • Account settings for communication preferences.

We do not use third-party advertising cookies or engage in cross-site tracking for advertising purposes.


10. Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption: Data encrypted in transit (TLS) and at rest.
  • Access Controls: Role-based access, multi-factor authentication available.
  • Monitoring: Security logging and anomaly detection.
  • Vendor Security: Processors selected for their security practices.
  • Incident Response: Procedures for detecting and responding to breaches.

No system is completely secure. If you discover a vulnerability, please report it to hello@booklly.com.


11. Third-Party Links

Our Services may contain links to third-party websites or services. We are not responsible for their privacy practices. Review their privacy policies before providing data.


12. Changes to This Policy

We may update this Privacy Policy periodically. If we make material changes, we will notify you by:

  • Email to the address associated with your account.
  • Prominent notice within the Services.
  • Updating the "Last Updated" date above.

Changes are effective upon posting unless otherwise stated. Your continued use after changes constitutes acceptance. If you disagree with changes, stop using the Services and delete your account.


13. Newsletter Communications

We offer optional newsletters on two topics:

  • Content Updates: New features, story categories, platform news.
  • Marketing: Promotional offers, partnerships, product announcements.

You choose your preferences during registration and can update them anytime in account settings. Each newsletter includes an unsubscribe link. Your preferences are synced with our email provider (Resend) for delivery management.

Transactional emails (account confirmations, password resets, story-ready notifications, payment receipts) are not affected by newsletter preferences and are sent as necessary for service operation.


14. Do Not Track

Some browsers support "Do Not Track" (DNT) signals. We do not currently respond to DNT signals because there is no industry standard for compliance. We limit tracking to essential and consented analytics as described in this policy.


15. Contact Us

For questions, concerns, or to exercise your rights, contact us:

Računalniško programiranje Janko Tomšič s.p.

Pugljeva ulica 1

8000 Novo mesto

Slovenia

contact page

We aim to respond to all inquiries within 5 business days.


By using Booklly, you acknowledge that you have read and understood this Privacy Policy.

Last updated: January 4, 2026