Privacy Policy

Last updated: April 8, 2026

Little Hero Book (hereinafter "we", "us", or "our") values your privacy and handles your personal data with care. This privacy policy explains what data we collect when you use our website littleherobook.com (hereinafter "the Website"), place an order, or otherwise contact us — how we use it, how long we retain it, with whom it may be shared, and what rights you have. By using the Website, you agree to the terms of this policy.

1. Personal Data We Collect

1.1 Data you provide directly to us

  • Account data: Your name and email address when you sign in with Google OAuth.
  • Order data: Shipping address and billing details required to produce and deliver your physical book.
  • Personalization data: Character names, ages, genders, story selections, hobby choices, favorite foods, special events, and the dedication message you enter during book creation. Please do not enter sensitive medical or special-category personal data in any free-text field.
  • Uploaded photos: Images you upload for personalizing the AI-generated illustrations. These are analyzed by our AI systems to generate illustrations resembling your characters.
  • Communication data: Any information you provide when contacting us by email or through our contact page.
  • Payment data: Payment details are not stored by us. They are processed directly and securely by our payment provider, Stripe. We only receive a payment confirmation.

1.2 Data collected automatically

When you visit the Website, we may automatically collect certain data via cookies and similar technologies (see also Section 6):

  • Technical data: IP address, browser type, operating system, and device information.
  • Usage data: Pages visited, click behavior, session duration, and interactions on the Website.

2. Purposes of Data Processing

We process your personal data exclusively for the following purposes:

  • Creating and managing your account.
  • Processing, producing, and fulfilling your orders.
  • Generating your personalized children's book using AI technology (illustrations, story text).
  • Reviewing textual input for conflicts with our Terms of Service (e.g., detection of copyrighted terms or inappropriate content).
  • Coordinating the printing and physical delivery of your book.
  • Communicating with you about your order, answering questions, and providing customer support.
  • Sending service emails (order confirmations, shipping notifications, book-ready alerts).
  • Improving our products, services, and Website functionality.
  • Analyzing Website usage to optimize user experience (anonymized where possible).
  • Complying with legal obligations, including tax retention duties.
  • Preventing fraud and misuse of our services.

3. Legal Grounds for Processing

We process your personal data on the following legal grounds under the GDPR:

  • Performance of a contract (Art. 6(1)(b) GDPR): Processing your order, managing your account, and delivering your book.
  • Consent (Art. 6(1)(a) GDPR): Processing the photos you upload and personalization data to create your book. You give this consent when uploading and confirming your choices. You may withdraw consent at any time, though this does not affect the lawfulness of processing already carried out.
  • Legal obligation (Art. 6(1)(c) GDPR): Compliance with administrative and fiscal obligations (e.g., invoice retention).
  • Legitimate interest (Art. 6(1)(f) GDPR): Fraud prevention, enforcing our Terms of Service (e.g., preventing intellectual property infringement), and improving our services.

4. Sharing Personal Data with Third Parties

We do not sell your personal data to third parties. We only share data with third parties to the extent necessary to provide our services, and we conclude Data Processing Agreements (DPAs) with these parties where required. Categories of recipients include:

  • Payment providers (Stripe): For secure payment processing.
  • Printing facilities and shipping partners: For the production and physical delivery of your book.
  • Hosting and IT providers (Cloudflare): For Website hosting and data storage.
  • AI technology providers: Your uploaded photos and text inputs are processed by AI systems to generate illustrations and story content for your book. These partners are carefully selected and operate under data processing agreements.
  • Authentication providers (Google): For secure sign-in via Google OAuth.
  • Analytics services: For anonymous Website usage analysis to improve our service.
  • Authorities: When required by law or to protect our legal rights.

Transfer outside the EEA

Because we use advanced third-party AI technology, your data (including uploaded photos and personalization inputs) may be processed on servers outside the European Economic Area (EEA), particularly in the United States. We ensure that we only work with parties that provide an appropriate level of protection under the GDPR, for example via certification under the EU–US Data Privacy Framework or through EU-approved Standard Contractual Clauses (SCCs).

5. Retention Periods

We do not retain your personal data longer than necessary for the purposes described above, or as required by law:

  • Account data: Retained as long as your account is active, or until you request deletion.
  • Order and invoice data: Retained for at least 7 years in accordance with statutory tax retention obligations.
  • Personalization data and uploaded photos: Your uploaded photos and the generated book project files are stored for a maximum of 10 weeks from the date of creation, after which they are automatically and permanently deleted for privacy and storage reasons. Reorders are not possible after this period.
  • Communication data: Retained for up to 2 years after your question or complaint is resolved.

6. Cookies and Tracking Technologies

We use cookies and similar technologies (such as local storage) to operate the Website, analyze usage, and — with your consent — for marketing purposes. Cookies are small text files stored on your device when you visit our Website. We use the following types:

  • Functional (necessary) cookies: Essential for Website operation — these keep you logged in and save your book creation progress. They cannot be disabled without breaking core functionality.
  • Analytical cookies: Help us understand how visitors use the Website (e.g., popular pages, session duration) so we can improve it. Data is anonymized where possible.
  • Marketing cookies (with consent only): May be used to show relevant advertisements on our Website or on third-party platforms, based on your browsing behavior. These are only placed with your explicit consent.

You can withdraw your cookie consent or change your preferences at any time via your browser settings. Disabling certain cookies may affect Website functionality.

7. Security of Personal Data

We take appropriate technical and organizational measures to protect your personal data against misuse, loss, unauthorized access, unwanted disclosure, and unauthorized modification. These measures include SSL/TLS encryption for all data in transit, secure server infrastructure, access controls, and regular security reviews.

Despite these efforts, no method of internet transmission or electronic storage is completely secure. Should a data breach occur with likely adverse consequences for your privacy, we will notify you in accordance with our legal obligations.

8. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request an overview of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure — "right to be forgotten" (Art. 17): Request deletion of your personal data, unless we have a legal obligation or legitimate interest to retain it (e.g., tax retention obligations).
  • Right to restriction of processing (Art. 18): Request that we temporarily limit how we process your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format and/or transfer it to another controller, where processing is based on consent or contract and carried out by automated means.
  • Right to object (Art. 21): Object to processing based on our legitimate interests, or to processing for direct marketing purposes.
  • Right not to be subject to solely automated decisions (Art. 22): Not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects, unless necessary for a contract, authorized by law, or based on your explicit consent.

To exercise any of these rights, contact us at [email protected]. We will respond within one month. Depending on the complexity of your request, this period may be extended by up to two additional months. We may ask you to verify your identity before processing your request.

If you believe our processing of your personal data violates applicable privacy law, you have the right to lodge a complaint with the competent Data Protection Authority in your country.

9. AI Generation and Use of Images

By uploading photos for the personalization of your children's book, you explicitly consent to these images being processed by our AI systems and those of our carefully selected technology partners, solely for the purpose of generating the ordered product.

Important: We and our AI partners do not use your photos or input data to train AI models. Your data remains yours and is only used to fulfill your specific order.

10. Children's Privacy

Our products are designed for children but ordered exclusively by adults. We do not knowingly collect personal data directly from children. Personal data relating to children (such as the child's name, age, photo, and story details) is only processed for the purpose of personalizing the product, based on the input and consent of the adult placing the order. If you believe we have inadvertently collected personal data from a child without appropriate consent, please contact us immediately so we can take appropriate action.

11. Changes to This Policy

We reserve the right to modify this privacy policy at any time. Changes will be published on this page with an updated date. We advise you to review this policy periodically. In the event of significant changes that materially affect your rights or how we process your data, we will inform you proactively — for example by email or a prominent notice on the Website.

12. Contact

If you have questions about this privacy policy, the processing of your personal data, or wish to exercise your rights, please contact us at [email protected].