MiniMe Stories, operated by [YOUR FULL LEGAL NAME], sole proprietorship (enskild firma) in Sweden (hereinafter 'MiniMeStories', 'we', 'us', or 'our'), values your privacy and handles your personal data with care.

This privacy policy explains what personal data we collect when you use https://minimestories.com (the 'Website'), create an account, create personalized books, place an order, or contact us. It also explains how we use that data, how long we keep it, with whom it may be shared, and what rights you have under applicable data protection law, including the GDPR.

We process personal data for the following purposes:

• creating and managing your account;
• authenticating users and keeping accounts secure;
• enabling you to create, edit, save, purchase, and access personalized books;
• generating story text, story suggestions, images, and related assets using AI tools;
• providing your permanent library of purchased digital books and related content;
• processing payments and maintaining billing records;
• producing and fulfilling physical book orders;
• arranging printing and shipping of physical products;
• managing generation packs and related purchase/usage records;
• communicating with you about your account, orders, and support requests;
• sending service-related emails, such as account, order, payment, and delivery notifications;
• preventing fraud, abuse, misuse, and violations of our terms;
• checking certain inputs for policy, safety, and copyright-related issues, including attempts to create books around protected characters or other prohibited content;
• maintaining, securing, debugging, and improving the Website and our services;
• complying with legal obligations, including accounting and tax obligations.

Under the GDPR, we rely on one or more of the following legal bases:

Performance of a contract (Art. 6(1)(b) GDPR) — We process personal data when this is necessary to create and manage your account, generate your books, provide your library, process your purchases, deliver digital products, and print/ship physical products.

Legal obligation (Art. 6(1)(c) GDPR) — We process and retain certain data where necessary to comply with legal obligations, including bookkeeping, tax, and other legal compliance requirements.

Legitimate interests (Art. 6(1)(f) GDPR) — We process certain data where necessary for our legitimate interests, such as operating and securing the Website, preventing fraud and misuse, enforcing our terms, handling support, improving reliability, and screening inputs for copyright/policy issues.

Consent (Art. 6(1)(a) GDPR) — Where we rely on consent, we will ask for it separately. This may apply, for example, if we later introduce non-essential cookies, optional marketing communications, or other optional processing activities that require consent.

We do not sell your personal data.

We share personal data only where necessary to operate MiniMe Stories and provide the services you request. Depending on the circumstances, we may share personal data with the following categories of recipients:

• Payment providers, such as Stripe, to process payments and related fraud-prevention activities;
• Hosting, infrastructure, and database providers, such as Supabase, Vercel, and Railway, to host the Website, authenticate users, store project data, and run background processing;
• Email service providers, such as Resend, to send transactional emails;
• AI and image-processing providers, such as OpenAI, Google, and Fal.ai, to generate story text, story suggestions, images, and image enhancements;
• Printing and shipping partners, such as Gelato, to produce and deliver physical books;
• Professional advisers or authorities, where required by law or necessary to establish, exercise, or defend legal claims.

Some providers act as our processors, while others may act as independent controllers for the parts of processing they carry out in their own role, such as payment processing.

We may change providers from time to time. Our current providers and subprocessors may be updated as our service evolves.

International transfers — Some of our service providers may process personal data outside the European Economic Area ('EEA'), including in the United States. Where that happens, we aim to use appropriate safeguards under the GDPR, such as: an adequacy decision adopted by the European Commission, where available; or the European Commission's Standard Contractual Clauses ('SCCs') and related supplementary measures where required.

We do not keep personal data longer than necessary for the purposes for which it was collected, unless a longer retention period is required by law. GDPR's storage-limitation principle expects controllers to set retention periods that match the purpose of the processing.

We currently apply the following general retention approach:

Account data — We keep your account data while your account remains active. If you request deletion of your account, we will delete or anonymize account data within a reasonable period, except where we must retain certain information for legal, security, fraud-prevention, or accounting reasons.

Draft projects — Draft books and other unfinished projects are kept while your account remains active, unless you delete them yourself or ask us to delete them.

Purchased books, generated files, and library content — Because MiniMe Stories provides a continuing library for purchased content, we keep purchased books, generated PDFs, and related purchased project files while your account remains active, unless you request deletion. If you delete your account or ask us to remove purchased content, we will remove it unless we need to retain limited related data for legal, security, fraud-prevention, or accounting reasons.

Order and invoice data — We retain order, invoice, and related accounting records for at least as long as required by Swedish bookkeeping and tax rules. As a general rule, Swedish accounting information must be retained for 7 years after the end of the calendar year in which the financial year ended.

Support communications — We normally keep support emails and support records for up to 2 years after the matter has been resolved, unless a longer period is needed for a dispute, legal claim, or security reason.

Server and security logs — We generally keep server, error, and security logs only for as long as reasonably necessary for security, troubleshooting, fraud prevention, and service integrity, and review retention periodically.

We currently use only strictly necessary cookies and similar technologies required for:

• login and authentication;
• account security;
• maintaining sessions;
• core Website functionality.

We do not currently use analytics cookies, marketing cookies, or advertising trackers as part of the standard operation of the Website.

If we introduce non-essential cookies or similar technologies in the future, we will update this privacy policy and, where required by law, ask for your consent before using them.

You can also control cookies through your browser settings. Please note that disabling necessary cookies may affect the functionality of the Website.

We take appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, or unlawful alteration. These measures may include encrypted connections, controlled access, managed infrastructure, authentication controls, and regular maintenance/security updates.

However, no method of transmission over the internet or method of electronic storage is completely secure. We therefore cannot guarantee absolute security.

Under the GDPR, you may have the following rights, subject to the conditions and limitations of applicable law:

• right of access;
• right to rectification;
• right to erasure;
• right to restriction of processing;
• right to data portability;
• right to object to processing based on legitimate interests;
• right to withdraw consent at any time where processing is based on consent;
• right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects, where applicable.

To exercise your rights, please contact us using the contact details at the end of this policy. We will respond without undue delay and normally within one month. In complex cases, that period may be extended as permitted by law. If necessary, we may ask for information to verify your identity before processing your request.

If you believe that our processing of your personal data violates data protection law, you have the right to lodge a complaint with the competent supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).

MiniMe Stories uses AI tools to help generate:

• story text;
• story suggestions;
• images and illustrations;
• image improvements or upscaling;
• moderation or screening of certain inputs.

This may include checking character-related input for policy and copyright-related issues, such as attempts to use protected third-party characters where this would conflict with our rules or legal obligations.

We do not use your uploaded images, prompts, project content, or generated books to train our own AI models.

Where possible, we aim to use business/API providers under terms that limit use of submitted customer content for model training. For example, OpenAI states that API data is not used to train or improve its models unless the customer explicitly opts in, and Google Cloud states that customer data is not used to train or fine-tune AI/ML models without prior permission or instruction.

Please note that third-party providers process data under their own legal terms and data protection commitments in addition to our agreements with them.

We do not currently make decisions about users based solely on automated processing that produce legal effects or similarly significant effects. However, automated systems may be used to flag or block certain content inputs for policy, safety, copyright, or abuse-prevention reasons.

MiniMe Stories is primarily intended for adults and for older teenagers. It is not intended for children under 13 to create accounts or use the service on their own.

If a child participates in the creative process, for example in a "create together" setting, a parent, guardian, or other responsible adult should create the account, supervise the use of the service, and make any purchases.

If you upload information about a child, including a child's name or photo, you confirm that you are authorized to provide that information and to request the creation of a personalized product based on it.

Personal data relating to children is used only for the personalization, production, delivery, and support of the requested product or service. If we learn that we have collected personal data from a child in a way that is not permitted, we will take appropriate steps to delete it.

Under Swedish guidance, for online services that rely on consent, parental consent is required for children under 13, and children's data requires particular care.

We may update this privacy policy from time to time. The most recent version will always be published on the Website with the updated date shown at the top.

If we make material changes, we may provide additional notice, for example on the Website or by email where appropriate.

If you have questions about this privacy policy, the way we process personal data, or if you want to exercise your rights, you can contact: