Privacy Policy

Welcome to FableLab ("we", "us", "our"). We are committed to protecting your personal data and respecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy explains how we collect, use, store, and protect your information when you use our website at fablelab.ai and our story generation service.

The data controller responsible for your personal data is:

Aphrodite Development Studio
Email: aphrodite.dev.studio@gmail.com

We collect the following categories of personal data:

Account data (via Google OAuth sign-in):

• Display name
• Email address
• Locale preference
• legal.privacyPage.s3accountItems.3

Story creation data (provided by you for each story):

• Child's first name
• Age group (1-3, 3-5, or 5-7 years)
• Selected interest tags (e.g., dinosaurs, space)
• Selected moral theme (e.g., kindness, courage)
• Preferred language

Payment data (processed by Lemon Squeezy):

• Transaction ID and event ID (for Spark fulfillment)
• We do NOT receive or store your payment card details — Lemon Squeezy handles all payment processing as Merchant of Record

Analytics data (anonymized/pseudonymized):

• Vercel Web Analytics: privacy-respecting, aggregated usage data, no personal data

• Child's full name or surname
• Child's exact date of birth
• Child's photos or images
• Precise geolocation data
• Data from minors directly — only parents/guardians use our service

• Contract performance (Art. 6(1)(b)): Processing your account and story creation data is necessary to provide our service
• Legitimate interest (Art. 6(1)(f)): Analytics for service improvement, fraud prevention, and security
• Consent (Art. 6(1)(a)): Optional marketing communications (if implemented in the future)

• Generate personalized stories and coloring pages
• Manage your account and Spark balance
• Process purchases and deliver PDFs via email
• Provide customer support
• Improve our service through anonymized analytics
• Send order-related notifications (e.g., story ready for download)
• Detect and prevent fraud or abuse

We share data with the following processors, all of which maintain appropriate data protection standards:

• Supabase (EU) — database and file storage
• Google Gemini API — AI text and image generation (story content only, no personal account data)
• Lemon Squeezy (US) — payment processing as Merchant of Record
• Resend — transactional email delivery
• Vercel (edge network) — website hosting
• Vercel Web Analytics — aggregated website analytics, no personal data
• Trigger.dev — background job processing
• Upstash (EU) — rate limiting via Redis

Your data is stored primarily in Supabase hosted within the European Union. We implement industry-standard security measures including:

• Row Level Security (RLS) on all database tables
• Encrypted connections (HTTPS/TLS)
• Service role access controls
• Signed URLs with 7-day expiry for PDF downloads
• Rate limiting to prevent abuse

• Account data: retained while your account is active, deleted upon account deletion request
• Story data: retained for the lifetime of your account so you can re-download stories
• PDF files: available via signed URLs that expire after 7 days (new URLs generated on demand)
• Transaction records: retained as required by applicable tax/accounting laws
• Analytics data: aggregated/anonymized, retained indefinitely

FableLab is a service for parents and guardians, not for children directly. We do not knowingly collect data from children under 16. Only adults may create accounts and use the service. The minimal child data we process (first name, age group, interests) is provided by the parent/guardian for story personalization purposes only.

As an EU/EEA resident, you have the right to:

• Access: Request a copy of all personal data we hold about you
• Rectification: Correct inaccurate personal data
• Erasure: Request deletion of your personal data ("right to be forgotten")
• Restriction: Request restricted processing of your data
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interest
• Withdraw consent: Where processing is based on consent

To exercise any of these rights, contact us at aphrodite.dev.studio@gmail.com. We will respond within 30 days.

We use minimal cookies strictly necessary for the service to function:

• Authentication session cookie (Supabase Auth)
• Locale preference cookie
• Referral tracking cookie (fl_ref_code, expires after 10 minutes)

We do not use advertising cookies or third-party tracking cookies. Vercel Web Analytics operates without cookies and does not collect personal data.

We may update this Privacy Policy from time to time. We will notify registered users of significant changes via email. The "Last updated" date at the top of this page reflects the most recent revision.

For privacy-related questions or to exercise your rights, contact us at:

Email: aphrodite.dev.studio@gmail.com

You also have the right to lodge a complaint with your local data protection authority.