Back to Home

Privacy Policy

Version: 1.0

Effective date: 23.02.2026

Last updated: 26.05.2026

This Privacy Policy describes how Jan Drobčinský ("we", "us", or "our") — the operator of this website and the MagicalBook personalized children's book services — collects, uses, processes, and protects personal data.

Jan Drobčinský

Na Jarově 1989/50

130 00 Praha

Czech Republic

Company ID (IČO): 07692374

Email: support@magicalbook.store

Jan Drobčinský is the data controller, is established in the Czech Republic, and processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

We may collect and process the following categories of personal data:

  • Name and surname
  • Email address
  • Billing information
  • Order details
  • Uploaded photos (including photos of minors)
  • Technical data (IP address, browser type, device information)
  • Account-related information (if account registration is available)

To generate personalized books, customers may upload photos, including photos of minors. We recognize that photos of children constitute sensitive personal data and apply enhanced protection measures.

Uploaded photos:

  • are used exclusively for generating the personalized book requested by the Customer,
  • are NOT used for training artificial intelligence models,
  • are NOT added to any public or private AI training datasets,
  • are NOT sold, licensed, or shared for marketing purposes,
  • are NOT used for advertising, portfolio examples, demonstrations, or promotional materials,
  • are NOT publicly displayed without explicit separate consent.

Photos and related prompts may be processed by our subprocessors strictly to operate the service, including: Supabase (storage of uploads and generated assets in our project); Replicate (cloud image generation for illustrated pages and related outputs); Google (Google Generative AI / Gemini APIs for story text and related AI-assisted book processing); and, for certain cover preview flows, OpenAI (image generation API) to render a preview image from your inputs. If you order a printed book, print files and shipping details are shared with our print-on-demand partner (Lulu) as described in section 7 of this Policy. These providers act as processors under GDPR where applicable.

Uploaded photos are retained for a limited period strictly for technical support, dispute resolution, refund handling, and fraud prevention purposes. Photos are automatically and permanently deleted no later than 30 days after upload, unless a longer retention is required due to an ongoing dispute or legal obligation.

Access to uploaded photos is strictly restricted and limited to authorized personnel only when necessary. Customers confirm that they have the legal right and permission to upload photos, including photos of minors.

We process personal data based on:

  • Performance of a contract (Article 6(1)(b) GDPR) – order fulfillment and service delivery
  • Legal obligations (Article 6(1)(c) GDPR) – accounting and tax requirements
  • Legitimate interest (Article 6(1)(f) GDPR) – fraud prevention, dispute handling, service security, system improvement
  • Consent (Article 6(1)(a) GDPR) – where required

Online payments are processed by Stripe, Inc. We do not store full payment card numbers on our own servers. Stripe processes card and payment data under its privacy policy and industry security standards (including PCI-DSS). You can read Stripe's privacy information at https://stripe.com/privacy.

We retain personal data only as long as necessary:

  • Accounting and billing data: up to 10 years (legal requirement)
  • Account data: until account deletion
  • Uploaded photos: permanently deleted no later than 30 days after upload (unless dispute/legal obligation applies)
  • Technical logs: retained for a limited security period

We use the following categories of subprocessors to run the website and deliver the service. They process personal data on our behalf and only as needed for their role. We do not sell personal data.

  • Stripe, Inc. (United States) — payment processing for digital and print purchases.
  • Supabase, Inc. (hosted infrastructure; storage region follows your Supabase project settings) — PostgreSQL database, authentication, and object storage for accounts, orders, uploaded photos, and generated book assets.
  • Vercel Inc. (United States) — hosting of the Next.js application and related edge/proxy execution; Vercel Web Analytics for aggregate product analytics (see also our Cookie Policy).
  • Google LLC / Google Ireland Limited, as applicable (United States / Ireland) — Google Generative AI (Gemini) for AI-assisted story text and related book processing; Google OAuth when you choose Sign in with Google (authentication is integrated with Supabase); and, when enabled in our deployment, Google Cloud Tasks on Google Cloud Platform to queue asynchronous generation jobs (limited technical metadata and secure callbacks).
  • Replicate, Inc. (United States) — hosted machine-learning image generation for book illustrations.
  • OpenAI, L.L.C. (United States) — image generation API used for certain cover preview flows.
  • Resend, Inc. (United States) — transactional email (for example order notifications, password reset, and contact form delivery).
  • Meta Platforms, Inc. (United States) — Meta (Facebook) Pixel only where you allow marketing/analytics cookies (see Cookie Policy).
  • Lulu Press, LLC and its printing/shipping partners (United States and countries needed to deliver your order) — print-on-demand manufacturing and delivery of physical books; we share the print files and recipient/shipping details required to fulfil print orders.

Processor names and roles may evolve as our stack is updated; we will revise this Policy when changes are material.

Some of the processors listed above are located in the United States or otherwise outside the European Economic Area. Where personal data is transferred outside the EEA, we apply GDPR-compliant safeguards such as Standard Contractual Clauses or equivalent mechanisms offered by the relevant provider (for example Stripe, Google, Vercel, Meta, OpenAI, Replicate, and Supabase publish data transfer information in their documentation).

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encrypted connections (HTTPS)
  • Restricted access controls
  • Secure cloud storage environments
  • Data minimization principles

However, no system can guarantee absolute security.

You have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure ("right to be forgotten")
  • Restrict processing
  • Data portability
  • Object to processing
  • Withdraw consent at any time
  • Lodge a complaint with a supervisory authority

Our Service is intended for adults purchasing books for children. We do not knowingly collect personal data directly from children without parental involvement. Parents or legal guardians are responsible for ensuring they have authority to provide children's data.

We may use cookies and similar technologies for website functionality, analytics, and performance monitoring. For categories of cookies, purposes, retention, and how to change your choices, please read our Cookie Policy (available from the site footer and cookie banner).

We may update this Privacy Policy from time to time. Updated versions will be published on our website with a revised date.

If you have any questions about this Privacy Policy or your personal data, please contact us at support@magicalbook.store.