Privacy Policy

Magic Doodle Books Last Updated: [DATE - To be added at publication]

Introduction
Eligibility and Age Requirements
Information We Collect
How We Use Your Information
How We Share Your Information
Artificial Intelligence and Photo Processing
Biometric Information Disclosure
Children's Privacy
Your California Privacy Rights (CCPA/CPRA)
Your Rights (Other States)
International Users
Data Security
Data Retention and Deletion
Your Choices and Controls
Do Not Sell My Personal Information
Links to Third-Party Sites
Do Not Track Signals
Changes to This Policy
Contact Us

1. Introduction

1.1 About Magic Doodle Books

Magic Doodle Books operates the website magicdoodlebooks.com and provides personalized coloring book products. We transform your family and pet photos into custom illustrated coloring book adventures using artificial intelligence technology.

Contact Information:

Company Name: Magic Doodle Books
Website: https://magicdoodlebooks.com
Email: privacy@magicdoodlebooks.com
Support Email: support@magicdoodlebooks.com
Legal Email: legal@magicdoodlebooks.com
Mailing Address: [To be determined], [To be determined], [To be determined] [To be determined]
Phone: [To be determined]

1.2 Scope of This Policy

This Privacy Policy describes how Magic Doodle Books collects, uses, shares, and protects your personal information when you:

Visit our website at magicdoodlebooks.com
Create an account or place an order
Upload photos for product customization
Communicate with our customer service team
Purchase our products through Amazon Custom

This policy applies to all services and platforms operated by Magic Doodle Books, including our direct website and third-party marketplace integrations.

1.3 Your Acceptance

By using our website or services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree with this policy, please do not use our services.

1.4 Updates to This Policy

We reserve the right to modify this Privacy Policy at any time. When we make changes, we will:

Post the updated policy on our website with a new "Last Updated" date
For material changes affecting your rights, send email notification to registered users at least 30 days before the changes take effect
Provide a prominent notice on our homepage

Your continued use of our services after changes are posted constitutes your acceptance of the modified policy. We encourage you to review this policy periodically to stay informed about how we protect your information.

2. Eligibility and Age Requirements

2.1 Adult-Only Website

Our website is intended for use by adults only. You must be at least 18 years old to:

Create an account on magicdoodlebooks.com
Upload photos
Place orders
Use any features of our website

We do not knowingly allow individuals under 18 to create accounts or use our services independently. If we discover that a person under 18 has created an account, we will terminate the account immediately and delete associated information.

2.2 Legal Capacity

By using our services, you represent and warrant that:

You are at least 18 years of age
You have the legal capacity to enter into binding contracts under applicable law
You will comply with all terms and policies governing our services
You have obtained all necessary rights, permissions, and consents for any photos you upload (including photos of other people)

2.3 Account Responsibility

As an account holder, you are responsible for:

Maintaining the confidentiality of your account credentials
All activities that occur under your account
Providing accurate, current, and complete information during registration
Updating your information promptly when it changes
Notifying us immediately of any unauthorized access to your account

2.4 Product Age Suitability

While our website is for adults only, our coloring book products are suitable for recipients of all ages, including children. As the adult purchaser, you are solely responsible for:

Determining whether the product is appropriate for the intended recipient
Making all customization decisions (theme, photo selection, personalization)
Ensuring you have permission to use any photos that include other people, especially minors

3. Information We Collect

3.1 Account and Order Information

Information You Provide Directly:

When you create an account or place an order, we collect:

Full name (for account and shipping purposes)
Email address (for account login and order communications)
Phone number (optional, for delivery notifications)
Shipping address (for product delivery)
Billing address (if different from shipping address)
Order preferences:
- Theme selection (e.g., Christmas Adventure)
- Product tier (number of pages)
- Personalization text (child's name for book cover)
Customer service communications:
- Support inquiries and responses
- Feedback and reviews
- Refund or replacement requests

Payment Information:

We do not store your complete credit card numbers or payment credentials. All payment transactions are processed by Stripe, our PCI DSS Level 1 certified payment processor. We receive only:

Transaction confirmation and status
Last four digits of card (for reference)
Order ID and transaction amount
Billing address for fraud prevention

3.2 User-Uploaded Photos

Photo Content:

For each order, you upload between 2 and 10 photos that may include:

Images of people (family members, children, friends)
Images of pets (dogs, cats, other animals)
Other subjects you wish to appear in your custom coloring book

Photo Data We Collect:

When you upload photos, we collect and process:

Original photo files (JPEG, PNG, or other supported formats)
File metadata:
- File name, format, and size
- Resolution and dimensions
- Upload timestamp
- EXIF data (camera settings, GPS data if present)
Processing data:
- Quality assessment results (resolution check, blur detection, face detection)
- Subject labels assigned during order processing (e.g., "Adult Male," "Child Female," "Dog," "Cat")
- Photo-to-scene assignments (which photos are used for which coloring book pages)
- Crop and adjustment parameters

Important Note on Photo Rights:

By uploading photos, you represent and warrant that:

You own the photos or have obtained all necessary rights and permissions to use them
You have consent from all identifiable individuals in the photos (or their legal guardians if minors) to use their likeness for this purpose
The photos do not infringe on any third-party copyrights, trademarks, or privacy rights
You are authorized to provide these photos to us for commercial product creation

3.3 AI-Generated Content

During order processing, we create and temporarily store:

Custom coloring book scenes generated from your photos using AI technology
Compiled PDF files:
- Interior pages (coloring book content)
- Cover file (with personalized name)
Generation metadata:
- Scene prompts used for AI generation
- Processing timestamps and logs
- Quality control review results
- Regeneration history (if scenes are revised)

3.4 Technical and Usage Information

Automatically Collected Information:

When you visit our website, we automatically collect certain technical information:

Device information:
- IP address
- Browser type and version
- Operating system
- Device type (desktop, mobile, tablet)
- Screen resolution
Usage data:
- Pages visited and URLs accessed
- Date and time of access
- Time spent on each page
- Referral source (how you found our website)
- Click patterns and navigation paths
- Error messages and page load times

Cookies and Tracking Technologies:

We use minimal cookies and tracking technologies:

Essential cookies: Required for website functionality (session management, authentication, shopping cart)
Session data: Temporary storage of your browsing session for a seamless experience

We do NOT use:

Third-party advertising cookies
Cross-site tracking cookies
Analytics cookies (Google Analytics, Facebook Pixel, etc.)
Behavioral tracking for marketing purposes

You can control cookie preferences through your browser settings. Disabling essential cookies may affect website functionality.

3.5 Amazon Custom Orders

For orders placed through Amazon Custom, we receive information from Amazon, including:

Amazon order ID and order date
Customer name and shipping address (provided by Amazon)
Product selections:
- Theme choice
- Page count and tier selection
- Personalization text
Customer-uploaded photos (uploaded through Amazon's custom product interface)
Order fulfillment requirements and delivery timelines

Amazon's collection and use of your information is governed by the Amazon Privacy Notice. We receive only the information necessary to fulfill your custom order.

3.6 Information We Do Not Collect

To protect your privacy, we do NOT collect:

Social Security numbers or government ID numbers
Financial account information (bank accounts, investment accounts)
Health or medical information
Precise geolocation data (GPS coordinates)
Racial or ethnic origin, religious beliefs, political opinions (except if visible in uploaded photos, used only for product creation)
Biometric identifiers for authentication purposes (see Section 7 for AI processing disclosure)

4. How We Use Your Information

4.1 Order Fulfillment (Primary Purpose)

We use your information primarily to create and deliver your custom coloring book:

Photo Processing:

Analyze uploaded photos for quality (resolution, clarity, face detection)
Identify subjects in photos (people, pets, objects)
Assign photos to appropriate coloring book scenes based on subject type
Extract facial features and characteristics for AI illustration generation

AI Scene Generation:

Create custom coloring book illustrations that transform your photo subjects into cartoon characters
Apply your chosen theme (e.g., Christmas Adventure) to each scene
Generate 25-50 unique coloring pages based on your selected tier
Ensure consistency across all scenes in your book

Book Production:

Compile AI-generated scenes into a complete coloring book PDF
Create personalized cover with recipient's name
Format files to print specifications (300 PPI, correct bleed, embedded fonts)
Transmit print-ready files to our print partner, Lulu

Order Management:

Process your payment through Stripe
Coordinate printing and shipping with Lulu
Track order status from creation through delivery
Handle quality control and approval workflows

4.2 Customer Communications

We use your contact information to:

Transactional Emails (Required):

Send order confirmation immediately after purchase
Provide order status updates (payment received, photos approved, generation started, printing, shipped)
Deliver shipping notifications with tracking numbers
Send delivery confirmation when your order arrives
Request photo replacements if uploaded images don't meet quality requirements

Customer Service:

Respond to your inquiries and support requests
Address order issues, defects, or quality concerns
Process refund or replacement requests
Answer questions about our products and services

Administrative Communications:

Notify you of changes to our Terms of Service or Privacy Policy
Send security alerts if we detect unauthorized account access
Provide important service announcements

Timeline: We aim to respond to all customer service inquiries within 48 business hours.

4.3 Internal Business Operations

We use aggregated and anonymized data (not linked to individual identities) to:

Service Improvement:

Analyze order patterns to optimize the customer experience
Identify and fix technical issues or errors
Test new features and product offerings
Improve AI generation quality and consistency
Optimize photo upload and processing workflows

Business Analytics:

Generate reports on order volume, revenue, and product performance
Understand which themes and tiers are most popular
Track operational metrics (order completion rates, delivery times, customer satisfaction)
Forecast demand and manage inventory

Product Development:

Develop new coloring book themes based on customer preferences
Create additional customization options
Expand product lines (different sizes, formats, add-ons)

4.4 Security and Fraud Prevention

We use information to protect our business and customers:

Detect and prevent fraudulent transactions or account activity
Verify identity for high-value orders or suspicious patterns
Investigate violations of our Terms of Service
Enforce our intellectual property rights
Protect the security and integrity of our systems

4.5 Legal Compliance

We process information as required to:

Comply with applicable laws and regulations
Respond to legal process (subpoenas, court orders, government requests)
Cooperate with law enforcement investigations
Exercise or defend legal claims
Comply with tax and accounting requirements (order records retained for 7 years)

4.6 What We DON'T Do With Your Information

We explicitly do NOT:

Sell your personal information to third parties, data brokers, or advertisers
Share your information for third-party marketing purposes
Use your uploaded photos to train AI models or improve AI technology (our agreement with OpenAI prohibits this)
Retain your photos longer than necessary (30-day automatic deletion after shipment)
Display your photos publicly or use them in our marketing without your separate written consent
Target advertising based on your personal data (we don't use advertising networks)
Track you across other websites or create cross-site profiles
Send promotional marketing emails (we send transactional emails only)

5. How We Share Your Information

We share your information only with trusted service providers necessary to fulfill your order and operate our business. All third parties are contractually obligated to protect your information and use it only for specified purposes.

5.1 Service Providers and Business Partners

OpenAI (AI Image Generation)

Purpose: Generate custom coloring book illustrations from your uploaded photos using OpenAI's image generation API (gpt-image-1 model)
Information Shared:
- Your uploaded photo files
- Scene prompt text describing the desired illustration
- Processing parameters (style, fidelity, quality settings)
Processing Location: OpenAI servers in the United States
Data Usage:
- Images are processed according to our API agreement with OpenAI
- Your photos are NOT used to train OpenAI's AI models
- OpenAI's API Terms prohibit use of customer data for model training
Retention: Images are deleted from OpenAI's servers immediately after scene generation is complete (typically within seconds)
Privacy Policy: OpenAI Privacy Policy
API Terms: OpenAI API Data Usage Policies

Lulu (Print-on-Demand Fulfillment)

Purpose: Print and ship your personalized coloring books
Information Shared:
- Final book PDF files (interior and cover, no original photos)
- Shipping name and address
- Personalization text (recipient's name)
- Order ID and quantity
Processing Location: Lulu printing facilities in the United States
Retention: Lulu retains order records according to their standard business practices (typically 1-2 years for customer service purposes)
Privacy Policy: Lulu Privacy Policy
Note: Lulu receives only the final print-ready PDF, not your original uploaded photos

Supabase (Database and Storage Services)

Purpose: Store order information, account data, and temporarily store uploaded photos during processing
Information Shared:
- Account information (name, email, hashed passwords)
- Order records (order details, status, timestamps)
- Uploaded photo files (stored temporarily in Supabase Storage)
- System logs and application data
Processing Location: Supabase cloud infrastructure in the United States
Security:
- All data encrypted at rest (AES-256) and in transit (TLS 1.3)
- Row-level security policies enforce access controls
- Secure API keys (publishable and secret key model)
- Regular security audits and penetration testing
Retention: Photos deleted from Supabase Storage 30 days after order shipment; order records retained per our retention policy
Privacy Policy: Supabase Privacy Policy

Stripe (Payment Processing)

Purpose: Securely process credit card and payment transactions
Information Shared:
- Transaction amount and currency
- Billing name and address
- Order ID and description
- Email address for receipt delivery
Processing Location: Stripe servers in the United States
Security:
- Stripe is PCI DSS Level 1 certified (highest security standard)
- We never see or store your complete credit card numbers
- Stripe uses tokenization to secure payment credentials
Privacy Policy: Stripe Privacy Policy

Resend (Transactional Email Communications)

Purpose: Send order confirmations, shipping notifications, and customer service emails
Information Shared:
- Email address
- First name (for personalization)
- Order details (order number, status, tracking information)
Processing Location: Resend servers in the United States
Usage: Emails are transactional only (no marketing communications)
Privacy Policy: Resend Privacy Policy

Vercel (Website Hosting and Infrastructure)

Purpose: Host our website and application infrastructure
Information Shared:
- Technical logs (IP addresses, request URLs, response codes)
- Page view data and performance metrics
- Error logs for troubleshooting
Processing Location: Vercel edge network (global CDN with data centers worldwide)
Security: TLS encryption for all connections, DDoS protection, automatic security updates
Privacy Policy: Vercel Privacy Policy

Amazon (Marketplace Orders)

Purpose: Facilitate orders placed through Amazon Custom
Information Flow:
- Amazon provides to us: Customer name, shipping address, uploaded photos, order details
- We provide to Amazon: Order fulfillment status, tracking numbers, shipping confirmations
Governance: Orders placed through Amazon are governed by Amazon's Marketplace Agreement and Amazon Privacy Notice
Note: Amazon is a data controller for information collected through their platform; we are a data processor for fulfilling custom orders

5.2 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of all or part of our business assets, your information may be transferred to the acquiring entity. In such circumstances:

The successor entity will be bound by this Privacy Policy
We will provide advance notice (at least 30 days) via email and website posting
If the new owner intends to materially change how your information is used, you will have the opportunity to delete your account before the transfer
Your data protection rights will continue under applicable law

5.3 Legal Requirements and Protection of Rights

We may disclose your information without your consent when we believe in good faith that disclosure is necessary to:

Comply with applicable laws, regulations, or legal obligations
Respond to subpoenas, court orders, or other valid legal process
Cooperate with law enforcement or government investigations
Enforce our Terms of Service, this Privacy Policy, or other agreements
Detect, prevent, or investigate fraud, security issues, or illegal activity
Protect the rights, property, safety, or security of Magic Doodle Books, our users, or the public

When legally permitted, we will attempt to notify you before disclosing your information in response to legal process.

5.4 With Your Consent

We may share your information with third parties for purposes not described in this policy when we have your explicit consent. For example:

Using your photos or testimonials in marketing materials (requires separate written consent)
Sharing your information with partners for joint promotions (requires opt-in consent)
Any other uses we clearly disclose at the time of collection

You may withdraw consent at any time by contacting privacy@magicdoodlebooks.com.

5.5 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. For example:

"75% of customers choose the Christmas theme"
"Average order includes 6 photos"
Industry research and benchmarking data

This anonymized data is not considered personal information and is not subject to this Privacy Policy.

6. Artificial Intelligence and Photo Processing

6.1 How We Use AI Technology

Magic Doodle Books uses artificial intelligence technology to transform your uploaded photos into custom coloring book illustrations. Understanding how this works is important to making an informed decision about using our service.

Magic Doodle Books uses artificial intelligence technology to transform your uploaded photos into custom coloring book illustrations. The specific technical details of our AI processing pipeline are proprietary and not disclosed.

General Process:

You upload photos through our website
Our AI system processes photos to generate coloring book scenes
Generated scenes are compiled into a PDF for printing
Your photos are sent to our AI provider (OpenAI) for processing
OpenAI processes images and returns generated scenes
We compile the final book and send to our print partner (Lulu)

We do not disclose detailed information about:

Facial analysis methodologies
Scene assignment algorithms
Internal quality review procedures
Biometric processing techniques

6.2 What Information Is Processed

The AI system processes visual information in your photos to generate coloring book scenes. We do not disclose the specific data points analyzed or processing methodologies used. Processing is performed in accordance with our agreements with OpenAI and complies with applicable privacy laws.

6.3 AI Training and Model Improvement

Your Photos Are NOT Used for AI Training:

Per our agreement with OpenAI and OpenAI's API Data Usage Policies:

Customer data submitted via the API (your photos) is NOT used to train or improve OpenAI's models
Your photos are processed solely to generate your custom coloring book
Images are deleted from OpenAI's servers immediately after generation completes
No facial data or biometric information is retained by OpenAI

Our Own AI Improvements:

We may use aggregated, anonymized data to improve our own systems:

Quality assessment algorithms (detecting blur, low resolution, poor lighting)
Subject detection and scene assignment logic
Error rates and processing performance metrics

This improvement process uses statistical patterns only, never individual photos or identifiable information.

6.4 Accuracy and Limitations

AI-Generated Illustrations Are Artistic Interpretations:

The AI creates cartoon-style coloring book characters inspired by your photos
Results are stylized illustrations, not photorealistic representations
Accuracy varies based on photo quality, lighting, angle, and other factors
Some features may be simplified or adapted for the coloring book style

You Have Review and Approval Rights:

For direct website orders, you can review scenes before final production (coming soon in our admin dashboard)
If a scene doesn't meet your expectations, you can request regeneration
We strive for customer satisfaction and will work with you to achieve the desired result

6.5 Your Control Over AI Processing

Consent Through Use: By uploading photos and placing an order, you consent to AI processing as described in this section.

Opt-Out: If you are not comfortable with AI processing of your photos, you should not use our service. There is no way to create a custom coloring book without AI processing of your uploaded images.

Deletion: You can request deletion of your photos and AI-generated content at any time before shipment. After shipment, photos are automatically deleted within 30 days (see Section 13).

7. Biometric Information Disclosure

7.1 What Is Biometric Information?

Biometric information refers to data derived from measurements or analysis of biological characteristics used to identify individuals. In the context of our service, this includes:

Facial geometry scans (measurements of facial features and their spatial relationships)
Facial feature analysis (eye shape, nose structure, mouth characteristics, face shape)
Facial recognition data (unique identifiers derived from facial images)

7.2 Illinois Biometric Information Privacy Act (BIPA) Compliance

Illinois law (740 ILCS 14, the Biometric Information Privacy Act) requires businesses that collect biometric information from Illinois residents to make specific disclosures. This section complies with BIPA requirements.

For Illinois Residents:

When you upload photos containing faces to Magic Doodle Books, our AI technology analyzes facial geometry and features to create custom cartoon character illustrations. This analysis may constitute collection of biometric identifiers or biometric information under Illinois law.

BIPA-Required Disclosures:

Purpose and Duration:
- Purpose: We collect and use facial geometry data solely to generate custom coloring book illustrations where your photo subjects become cartoon characters
- Duration: Biometric data is typically deleted within 30 days after your order ships, subject to technical limitations and legal retention requirements. We cannot guarantee deletion timing due to factors outside our control (backup systems, server replication, legal holds). See Section 13.1 for complete retention schedule.
Disclosure of Collection:
- We are disclosing to you through this Privacy Policy that we collect, store, and use biometric information from your uploaded photos
- This disclosure is made before you upload any photos and place an order
- By uploading photos and completing checkout, you acknowledge this disclosure
Disclosure of Use:
- Biometric information is used exclusively for AI-based illustration generation
- We share facial data with OpenAI (our AI service provider) solely to create your custom coloring pages
- OpenAI deletes images immediately after processing (within seconds)
- We do NOT sell, lease, or trade biometric information
- We do NOT disclose biometric information to third parties except OpenAI for order fulfillment
Written Consent (BIPA Requirement):
- Illinois law requires your written consent before collecting biometric information
- During the photo upload and checkout process, you will be asked to check a box acknowledging:
  - You have read this Privacy Policy, including Section 7 on biometric information
  - You understand that facial geometry data will be collected from your photos
  - You consent to this collection and use for creating your custom coloring book
- You cannot complete an order without providing this consent
Storage and Protection:
- Biometric data is stored with the same level of security as other sensitive personal information (see Section 12)
- Files are encrypted at rest (AES-256) and in transit (TLS 1.3)
- Access is restricted to authorized personnel only
- We use industry-standard security measures to protect against unauthorized access, disclosure, or destruction
No Sale or Profit from Biometric Data:
- We do NOT sell, lease, or trade biometric information
- We do NOT profit from biometric data beyond the sale of your custom coloring book product
- We do NOT share biometric data with third parties except as necessary to fulfill your order (OpenAI for AI generation, as disclosed above)

7.3 Other State Biometric Privacy Laws

Several other states have enacted or proposed biometric privacy laws with requirements similar to Illinois BIPA. The disclosures in this section apply to residents of all states with biometric privacy regulations, including:

Texas (Texas Business and Commerce Code Chapter 503)
Washington (Washington HB 1493)
Arkansas (Arkansas Personal Information Protection Act)
And other states as laws are enacted

7.4 Biometric Data Deletion

Automatic Deletion:

All uploaded photos (including biometric data derived from faces) are deleted within 30 days after your order ships, subject to technical limitations and backup retention cycles as described in Section 13.6
Deletion is automatic and does not require a request
Deletion applies to:
- Original uploaded photo files
- Extracted facial geometry data
- AI-generated coloring book scenes
- All backups and copies (subject to backup retention cycles)

Early Deletion Requests:

You may request deletion of your photos and biometric data before the automatic 30-day period
Submit requests to privacy@magicdoodlebooks.com
We will delete within 10 business days of verification
Note: Early deletion before order completion will prevent fulfillment of your order

Verification of Deletion: Upon request, we will provide written confirmation that your biometric data has been deleted.

7.5 Your Biometric Privacy Rights

Right to Information:

You have the right to know what biometric information we collect and how it's used (disclosed in this section)

Right to Consent:

We will not collect biometric information without your informed written consent

Right to Deletion:

You may request deletion of biometric data at any time

Right to Non-Retaliation:

We will not deny service, charge different prices, or otherwise retaliate if you decline to provide biometric information (though this means we cannot create your custom product)

Right to Legal Action (Illinois Residents):

Under Illinois BIPA, you have a private right of action if we violate biometric privacy requirements

Exercise Your Rights: Contact privacy@magicdoodlebooks.com with "Biometric Privacy Request" in the subject line.

8. Children's Privacy

8.1 Website Not Directed to Children

Magic Doodle Books is intended for adult users aged 18 and older. Our website is designed for parents, grandparents, and other adults to create personalized gifts.

We do NOT:

Knowingly collect personal information directly from children under 13
Allow children to create accounts independently
Direct any marketing or communications to children
Permit children to upload photos or use our services without adult supervision

Children Under 13: If we discover that a child under 13 has created an account or provided personal information directly to us (not through an adult), we will:

Delete the account and information immediately
Not use the information for any purpose
Not disclose the information to third parties (except as required by law)

If you believe a child under 13 has provided information to us, please contact privacy@magicdoodlebooks.com immediately.

8.2 Photos of Children - Adult Responsibility Model

COPPA Compliance Approach:

While children may appear in photos uploaded to our service, we do not collect information "from" children as defined by the Children's Online Privacy Protection Act (COPPA). Instead:

Adult users upload photos of children as part of product customization
Information is collected from the adult account holder, not from the child
The adult is responsible for obtaining any necessary permissions and consents
This is analogous to an adult customer providing a child's clothing size when ordering a custom t-shirt

Legal Classification:

Information is classified as "product customization data provided by an adult purchaser"
NOT "personal information collected from children under 13" under COPPA
The adult user is the data subject; children in photos are product subjects

8.3 Adult User Responsibilities

By uploading photos that include children, you (the adult user) represent and warrant that:

You are the parent, legal guardian, or have obtained permission from the parent/guardian of any child whose photo you upload
You have the legal right to provide these photos for commercial product creation
You understand that children's images will be processed using AI technology to create cartoon illustrations
You consent to the uses described in this Privacy Policy on behalf of any children in the photos

Parental Authority: We rely on the adult account holder to exercise parental authority and make decisions about:

Whether to upload photos of children
Which photos are appropriate
Whether the product is suitable for the child recipient
All customization and personalization choices

8.4 Use Limitations for Children's Images

We use children's images ONLY for:

Creating the specific custom coloring book you ordered
Quality control and customer service related to your order
Fulfilling your order through our print partner (Lulu)

We do NOT use children's images for:

Marketing or promotional purposes (unless you provide separate written consent)
Training AI models or improving technology
Any purpose beyond fulfilling your specific order
Sharing with third parties except as required for order fulfillment (see Section 5)

8.5 Data Retention and Deletion for Children's Photos

Same 30-Day Deletion Policy Applies:

All photos, including those containing children, are automatically deleted 30 days after order shipment
No long-term retention of children's images
Deletion includes:
- Original uploaded photos
- Extracted facial data (see Section 7 on biometric information)
- AI-generated coloring book scenes
- All copies and backups

Early Deletion: Parents/guardians may request deletion of children's photos at any time by contacting privacy@magicdoodlebooks.com. We will delete within 10 business days of verification.

8.6 Parental Rights and Controls

Parents and legal guardians have the right to:

Review information collected about their child (the photos they uploaded)
Request deletion of photos containing their child at any time
Refuse further collection by not uploading additional photos
Contact us with questions or concerns about children's privacy

How to Exercise Parental Rights:

Email privacy@magicdoodlebooks.com with subject line "Parental Privacy Request"
Provide:
- Your name and email address associated with the order
- Order number (if available)
- Description of your request (review, deletion, question)
We will verify your parental status before responding
We will respond within 30 days (typically much sooner)

Verification Process: To protect children's privacy, we will verify you are the parent/guardian by:

Matching your email to the account that placed the order
Requesting additional order details (order date, child's name on book, last 4 digits of payment card)
In some cases, requesting government-issued ID (redact sensitive information)

8.7 COPPA Safe Harbor and Compliance

Age-Gating: Our website includes age verification mechanisms:

Account creation requires birth date confirmation (18+ only)
Terms of Service state the site is for adults only
Upload page includes notice that user must be 18+ and have rights to all photos

Parental Notice: This Privacy Policy serves as notice to parents about:

What information may be collected about children (photos uploaded by adults)
How that information is used (product creation only)
Our disclosure practices (service providers for order fulfillment)
Parental rights to review and delete

No Direct Collection from Children: We have designed our service to avoid direct interaction with or collection from children:

No child accounts
No child-directed content or communications
No data collection from children's devices
All interactions through adult account holders

9. Your California Privacy Rights (CCPA/CPRA)

9.1 Applicability

This section applies to California residents only and describes rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), effective January 1, 2023.

If you are not a California resident, see Section 10 for information about privacy rights in other states.

9.2 Categories of Personal Information We Collect

Over the past 12 months, we have collected the following categories of personal information from California residents:

Category	Examples from Our Service	Collected?
A. Identifiers	Name, email address, shipping address, IP address, order ID	YES
B. Personal information under Cal. Civ. Code § 1798.80(e)	Name, address, phone number, payment card (last 4 digits only)	YES
C. Protected classifications under California or federal law	Age (18+ verification), characteristics visible in photos (gender presentation, age range) - used only for product creation	YES
D. Commercial information	Purchase history, order preferences (theme, tier), product interactions	YES
E. Biometric information	Facial geometry from uploaded photos (see Section 7)	YES
F. Internet or network activity	Browsing history on our site, pages viewed, clicks, device information	YES
G. Geolocation data	General location derived from IP address (city/state level, not precise GPS)	YES
H. Sensory data	Photos you upload (visual information)	YES
I. Professional or employment information	None	NO
J. Non-public education information	None	NO
K. Inferences	Preferences for themes, likelihood of repeat purchase (limited use)	YES
L. Sensitive Personal Information	Precise geolocation (NO), racial/ethnic origin visible in photos (used only for illustration accuracy), biometric information (YES, see Section 7)	Partial

9.3 Sources of Personal Information

We collect personal information from the following sources:

Directly from you (account registration, photo uploads, order placement, customer service)
Automatically from your device (IP address, browser data, usage information)
From Amazon (for Amazon Custom orders: customer name, address, photos, order details)
From service providers (payment confirmation from Stripe, delivery confirmation from Lulu)

9.4 Business and Commercial Purposes for Collection and Use

We collect and use personal information for the following business purposes:

Order fulfillment: Create and deliver your custom coloring book
Customer service: Respond to inquiries, resolve issues, process refunds
Payment processing: Complete transactions and prevent fraud
Service improvement: Analyze usage patterns, fix bugs, develop new features
Security: Detect and prevent fraud, abuse, and security incidents
Legal compliance: Comply with laws, respond to legal process, enforce Terms of Service
Internal operations: Maintain records, generate business analytics, train staff

We do NOT use personal information for cross-context behavioral advertising or other commercial purposes beyond providing our service.

9.5 Categories of Third Parties with Whom We Share Personal Information

We share personal information with the following categories of third parties:

Service providers: OpenAI (AI generation), Lulu (printing/shipping), Stripe (payment), Resend (email), Supabase (database/storage), Vercel (hosting) - see Section 5 for details
Affiliates: None (we do not have affiliated companies)
Business partners: Amazon (for Amazon Custom orders only)
Legal authorities: Law enforcement, courts, government agencies (only when required by law)

We do NOT sell or share personal information for cross-context behavioral advertising.

9.6 Data Retention Periods

Photos (including biometric data): Deleted 30 days after order ships
Order records (without photos): Retained 7 years for tax, legal, and warranty purposes
Account information: Retained while account is active; deleted within 90 days of account closure request (subject to legal retention requirements)
Customer service communications: Retained 2 years

See Section 13 for complete data retention details.

9.7 Your California Privacy Rights

California residents have the following rights under CCPA/CPRA:

Right to Know (Access)

You have the right to request disclosure of:

The categories of personal information we collected about you
The categories of sources from which the information was collected
Our business or commercial purpose for collecting or selling personal information
The categories of third parties with whom we share personal information
The specific pieces of personal information we collected about you

Timeframe: We will provide this information for the 12-month period preceding your request.

Right to Delete

You have the right to request deletion of personal information we collected from you, subject to certain exceptions.

Exceptions (we may retain information when necessary for):

Completing the transaction for which the information was collected
Providing goods or services you requested
Detecting security incidents or protecting against fraud
Debugging to identify and repair errors
Complying with legal obligations (e.g., tax records retention)
Internal uses reasonably aligned with your expectations

Note: Photos are automatically deleted 30 days after shipment. You may request early deletion.

Right to Correct

You have the right to request correction of inaccurate personal information we maintain about you.

How to exercise: Email privacy@magicdoodlebooks.com with the specific information that is inaccurate and the correct information.

Right to Opt-Out of Sale or Sharing

We do NOT sell your personal information to third parties or share it for cross-context behavioral advertising.

Therefore, there is no need to opt-out. However, if our practices change, we will update this policy and provide an opt-out mechanism.

Right to Limit Use of Sensitive Personal Information

Sensitive personal information includes biometric data (facial geometry from your photos). We use sensitive personal information only for purposes authorized under CCPA/CPRA:

Performing services you reasonably expect (creating your custom coloring book)
Security and fraud prevention
Verifying or maintaining quality of our service

We do NOT use sensitive personal information for other purposes that would trigger a right to limit.

Right to Non-Discrimination

We will NOT discriminate against you for exercising your CCPA/CPRA rights, including by:

Denying goods or services
Charging different prices or rates
Providing a different level or quality of goods or services
Suggesting you will receive a different price or quality of goods or services

You may still receive a different price or level of service if the difference is reasonably related to the value provided by your data.

9.8 How to Exercise Your California Privacy Rights

Submission Methods:

Email: privacy@magicdoodlebooks.com
- Subject line: "California Privacy Rights Request"
- Specify which right you are exercising (access, deletion, correction)
Online Form: [To be added: link to privacy request web form]
Mail: Magic Doodle Books Attn: Privacy Rights Request [To be determined], [To be determined], [To be determined] [To be determined]

Information to Include:

Your full name
Email address associated with your account (if applicable)
Order number (if applicable)
Specific request (e.g., "I request access to my personal information" or "I request deletion of my data")
Sufficient detail for us to locate your information

Verification Process:

To protect your privacy, we must verify your identity before fulfilling your request:

Low sensitivity requests (categories of data): Email verification (we send a confirmation link)
High sensitivity requests (specific data, deletion): Email verification + additional order details (order number, last 4 digits of payment card, shipping address)
Very high sensitivity requests: May require government-issued ID (redact SSN and other sensitive data)

We will not use information provided in your verification request for any other purpose.

Response Timeline:

Initial response: Within 10 business days acknowledging receipt
Complete response: Within 45 days of receiving your request
Extension: We may extend by an additional 45 days (total 90 days) if necessary; we will notify you of the extension and reason

No Fee: We do not charge a fee to process your request.

Excessive or Unfounded Requests: If requests are manifestly unfounded or excessive (particularly repetitive), we may:

Charge a reasonable fee, OR
Refuse to act on the request We will notify you and explain the reason.

9.9 Authorized Agents

California residents may designate an authorized agent to submit privacy requests on your behalf.

Requirements for Authorized Agents:

Proof of authorization: Valid power of attorney OR signed written permission from you
Verification: We may still require you to verify your identity directly with us
Confirmation: We may require you to confirm you authorized the agent to act on your behalf

Submit authorized agent requests to privacy@magicdoodlebooks.com with "Authorized Agent Request" in the subject line and include proof of authorization.

9.10 California "Shine the Light" Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for their direct marketing purposes.

We do NOT disclose personal information to third parties for their direct marketing purposes. Therefore, no disclosure report is required.

If you have questions, contact privacy@magicdoodlebooks.com.

9.11 California Minors' Privacy Rights

California Business and Professions Code Section 22581 allows minors under 18 who are California residents to request removal of content they posted.

Our Policy:

Our website is restricted to users 18 and older
Minors are not permitted to create accounts or post content
If a minor has posted content in violation of our Terms of Service, contact privacy@magicdoodlebooks.com and we will remove it promptly

9.12 Do Not Sell My Personal Information

"Do Not Sell My Personal Information" Notice:

Magic Doodle Books does NOT sell personal information as defined by the CCPA.

We do not:

Sell personal information to third parties for monetary compensation
Share personal information with third parties for cross-context behavioral advertising
Disclose personal information to data brokers or advertisers

Our only disclosures of personal information are to service providers necessary to fulfill your order (see Section 5), which are not considered "sales" under CCPA.

10. Your Rights (Other States)

10.1 Multi-State Privacy Law Coverage

Several states have enacted comprehensive privacy laws similar to California's CCPA. If you are a resident of one of these states, you have privacy rights as described below.

States with comprehensive privacy laws (as of 2025):

Virginia (Virginia Consumer Data Protection Act - VCDPA, effective 2023)
Colorado (Colorado Privacy Act - CPA, effective 2023)
Connecticut (Connecticut Data Privacy Act - CTDPA, effective 2023)
Utah (Utah Consumer Privacy Act - UCPA, effective 2023)
Iowa (Iowa Consumer Data Protection Act, effective 2025)
Indiana, Montana, Oregon, Tennessee, Texas (effective 2024-2026)
Additional states continue to enact privacy legislation

10.2 Your Privacy Rights Under State Laws

While specific rights vary by state, most state privacy laws provide the following core rights:

Right to Access (Confirm and Know)

You have the right to confirm whether we are processing your personal data and access the personal data we hold about you.

What you can request:

Categories of personal data we collected
Specific pieces of personal data
Sources from which we obtained the data
Purposes for processing
Categories of third parties with whom we share data

Right to Correct (Data Accuracy)

You have the right to request correction of inaccurate personal data we maintain about you.

How to exercise: Email privacy@magicdoodlebooks.com with the inaccurate information and the correct information.

Right to Delete

You have the right to request deletion of personal data we collected from you, subject to certain exceptions.

Exceptions (similar to California law):

Necessary to complete your order
Comply with legal obligations
Detect security incidents or fraud
Exercise or defend legal claims
Other limited purposes permitted by law

Right to Data Portability (Some States)

You have the right to obtain a copy of your personal data in a portable, readily usable format (where technically feasible).

Format: We will provide data in JSON or CSV format via secure download link.

Right to Opt-Out

You have the right to opt-out of:

Sale of personal data: We do NOT sell personal data (no opt-out needed)
Targeted advertising: We do NOT engage in targeted advertising (no opt-out needed)
Certain profiling: We do NOT make decisions based solely on automated profiling that produce legal or significant effects (no opt-out needed)

Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

10.3 Sensitive Data Disclosure

Some state laws require disclosure about collection of "sensitive data," which may include:

Precise geolocation data (we do NOT collect)
Biometric data (we collect facial geometry from photos - see Section 7)
Genetic data (we do NOT collect)
Health information (we do NOT collect)
Sexual orientation (we do NOT collect)
Citizenship or immigration status (we do NOT collect)
Contents of private communications (we collect customer service emails only to respond to you)

Biometric Data: We collect and process facial geometry from uploaded photos to create custom illustrations. See Section 7 for complete disclosure and your biometric privacy rights.

10.4 How to Exercise Your Rights (Non-California Residents)

Submission Methods:

Email: privacy@magicdoodlebooks.com
- Subject line: "Privacy Rights Request - [Your State]"
- Specify which right you are exercising
Online Form: [To be added: link to privacy request web form]
Mail: Magic Doodle Books Attn: Privacy Rights Request [To be determined], [To be determined], [To be determined] [To be determined]

Verification: We will verify your identity using the same process described in Section 9.8 for California residents.

Response Timeline:

Most state laws require responses within 45 days (may extend to 60-90 days for complex requests)
We will acknowledge receipt within 10 business days

Appeals Process (Where Required): Some state laws (Virginia, Colorado, Connecticut) provide a right to appeal if we deny your request.

If we deny your request, we will explain the reason and provide appeal instructions
Submit appeals to privacy@magicdoodlebooks.com with subject line "Privacy Rights Appeal"
We will respond to appeals within 60 days (or timeframe required by your state law)
If your appeal is denied, you may contact your state Attorney General or data protection authority

10.5 State-Specific Information

For detailed information about privacy rights specific to your state, including citations to applicable laws and state Attorney General contact information, visit:

[To be added: Link to state-specific privacy rights page on website]

Or contact privacy@magicdoodlebooks.com with subject line "Privacy Rights - [Your State]"

11. International Users

11.1 United States Operations

Magic Doodle Books is a United States-based company. Our operations, servers, and data processing activities are located in the United States.

By using our services, you acknowledge and agree that:

Your personal information will be transferred to and processed in the United States
Your information will be subject to United States federal and state laws
The United States may not provide the same level of data protection as your home jurisdiction

11.2 International Data Transfers

If you are accessing our website from outside the United States, please be aware that:

Information you provide will be transferred to the United States
Our service providers (OpenAI, Stripe, Supabase, etc.) may process your information in the United States or other jurisdictions
International data transfer mechanisms (such as Standard Contractual Clauses) may not be in place
You voluntarily consent to this transfer by using our services

11.3 European Union, United Kingdom, and EEA Users

Current Status: Magic Doodle Books does not specifically target or offer services to residents of the European Union (EU), United Kingdom (UK), or European Economic Area (EEA).

If you are an EU/UK/EEA resident:

Our service may not comply with the General Data Protection Regulation (GDPR) or UK Data Protection Act
We do not have a legal basis established for processing EU/UK/EEA residents' data under GDPR
We do not have a Data Protection Officer or EU/UK representative appointed
We recommend you do not use our services at this time

Future GDPR Compliance: If we decide to serve EU/UK/EEA customers in the future, we will implement GDPR compliance measures, including:

Appointing a Data Protection Officer (DPO) or EU representative
Establishing lawful bases for processing (consent, contract performance, legitimate interests)
Implementing Standard Contractual Clauses for international transfers
Providing GDPR-required rights (access, rectification, erasure, portability, restriction, objection)
Notifying supervisory authorities of data breaches within 72 hours

11.4 Canadian Users

PIPEDA Compliance Considerations:

If you are a Canadian resident, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) may apply. Under PIPEDA, you have rights including:

Right to access your personal information
Right to request correction of inaccurate information
Right to withdraw consent (subject to legal or contractual restrictions)
Right to file a complaint with the Privacy Commissioner of Canada

How to exercise rights: Contact privacy@magicdoodlebooks.com with subject line "PIPEDA Request"

Cross-Border Transfer Disclosure: Your personal information may be processed and stored in the United States by Magic Doodle Books and our service providers. U.S. law enforcement or government agencies may be able to access your information under U.S. law.

Privacy Commissioner of Canada: If you have concerns about our privacy practices, you may file a complaint with the Office of the Privacy Commissioner of Canada:

Website: https://www.priv.gc.ca
Phone: 1-800-282-1376

11.5 Australian Users

Australian Privacy Principles (APPs) Compliance:

If you are an Australian resident, the Privacy Act 1988 and Australian Privacy Principles may apply. You have rights including:

Right to access and correct your personal information
Right to make a complaint to the Office of the Australian Information Commissioner (OAIC)

Cross-Border Disclosure: We disclose personal information to overseas recipients in the United States (our servers and service providers). Australian Privacy Principle 8.1 requires us to take reasonable steps to ensure overseas recipients comply with the APPs. We use contractual agreements with service providers to protect your information.

Office of the Australian Information Commissioner (OAIC):

Website: https://www.oaic.gov.au
Phone: 1300 363 992

11.6 Users in Other Jurisdictions

If you are located in a jurisdiction not specifically addressed in this section:

Contact privacy@magicdoodlebooks.com to inquire about privacy protections applicable to your location
Review your local data protection laws to understand your rights
Be aware that U.S. law will govern our processing of your information

12. Data Security

12.1 Our Security Commitment

We take the security of your personal information seriously and implement industry-standard measures to protect against unauthorized access, disclosure, alteration, or destruction.

Security is a shared responsibility: While we implement robust protections, no system is completely secure. You are responsible for protecting your account credentials and notifying us of any suspected security issues.

12.2 Technical Security Measures

Encryption:

Data in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (Transport Layer Security) with strong cipher suites
Data at rest: Sensitive data stored in our database (Supabase) is encrypted using AES-256 encryption
Photo storage: Uploaded photos are encrypted during storage in Supabase Storage
Payment data: Credit card information is encrypted and tokenized by Stripe (PCI DSS Level 1 compliant); we never store complete card numbers

Access Controls:

Authentication: User accounts protected by secure password hashing (bcrypt with salt)
Authorization: Role-based access controls (RBAC) limit employee access to customer data based on job function
Row-level security: Database implements row-level security (RLS) policies to prevent unauthorized data access
API security: Server-side API routes use secure authentication (Supabase publishable/secret key model)
Admin access: Administrative functions require multi-factor authentication (MFA)

Network Security:

Firewall protection: Cloud infrastructure (Vercel, Supabase) includes firewall and DDoS protection
Intrusion detection: Monitoring systems detect and alert on suspicious activity
Secure hosting: Website hosted on Vercel with automatic security updates and edge network protection

Application Security:

Input validation: All user inputs validated and sanitized to prevent injection attacks
Secure coding practices: TypeScript strict mode, Zod validation for external data, no use of eval() or unsafe functions
Dependency management: Regular updates to dependencies to patch known vulnerabilities
Security headers: HTTP security headers (Content-Security-Policy, X-Frame-Options, etc.) implemented

12.3 Organizational Security Measures

Employee Training:

All employees receive training on data protection and privacy requirements
Annual refresher training on security best practices
Specific training for employees with access to customer data

Access Restrictions:

Customer data access limited to employees with legitimate business need
Access logs maintained for audit purposes
Termination procedures immediately revoke access for departing employees

Vendor Management:

All third-party service providers (OpenAI, Lulu, Stripe, etc.) contractually obligated to maintain security standards
Vendor security assessments conducted before engagement
Regular review of vendor security practices

Incident Response Plan:

Documented procedures for detecting, responding to, and recovering from security incidents
Designated security incident response team
Regular testing of incident response procedures

12.4 Payment Security

PCI DSS Compliance: We use Stripe for payment processing, which is certified as a PCI DSS Level 1 Service Provider (the highest level of security certification in the payments industry).

Our Approach:

We never see, handle, or store complete credit card numbers
Payment card data is transmitted directly from your browser to Stripe's secure servers
We receive only a tokenized reference and transaction confirmation
Our PCI compliance burden is minimized through Stripe's secure infrastructure

Fraud Prevention:

Transaction monitoring for suspicious patterns
Address Verification Service (AVS) checks
Card Verification Value (CVV) validation
Suspicious order manual review process

12.5 Photo and Biometric Data Security

Given the sensitive nature of uploaded photos (which may include children's images and biometric facial data), we implement additional protections:

Storage Security:

Photos encrypted at rest using AES-256
Stored in Supabase Storage with restricted access (signed URLs with expiration)
Access logs maintained for all photo retrievals

Processing Security:

Photos transmitted to OpenAI via encrypted API connection (TLS 1.3)
OpenAI deletes images immediately after processing (seconds)
No photos stored in server memory longer than necessary for processing
Temporary files securely wiped after use

Deletion Assurance:

Automated deletion process runs daily to remove photos from orders older than 30 days post-shipment
Deletion verification: database records updated to confirm deletion
Backups also purged of deleted photos within 7 days

12.6 Limitations of Security

No System Is 100% Secure:

Despite our security measures, we cannot guarantee absolute security. Risks include:

Sophisticated cyberattacks that overcome current defenses
Vulnerabilities in third-party software or services
Insider threats or social engineering attacks
Unauthorized access due to weak user passwords

Your Responsibilities:

Use strong, unique passwords (at least 12 characters with mix of letters, numbers, symbols)
Do not share account credentials with others
Log out after using shared or public computers
Monitor your account for unauthorized activity
Report suspicious activity immediately to privacy@magicdoodlebooks.com
Keep your email account secure (we send order confirmations and password reset links to your email)

12.7 Data Breach Response

In the Event of a Data Breach:

If we experience a security incident that compromises your personal information, we will:

Contain the breach and secure systems to prevent further unauthorized access
Investigate the scope and impact of the breach
Notify affected users without unreasonable delay, and within timeframes required by law (typically within 72 hours of discovery)
Provide information about:
- What happened
- What information was affected
- Steps we are taking to address the breach
- Steps you can take to protect yourself
Notify regulatory authorities as required by applicable law (e.g., state Attorneys General, California Attorney General for California residents, FTC if appropriate)
Remediate vulnerabilities and implement additional safeguards to prevent recurrence
Offer assistance such as credit monitoring if financial information was compromised

How We Will Notify You:

Email to the address on file for your account
Prominent notice on our website homepage
For severe breaches, additional notification methods (e.g., postal mail)

What You Should Do:

Change your password immediately
Monitor your accounts for suspicious activity
Consider placing a fraud alert or security freeze on credit reports if financial information was affected
Contact us with questions at privacy@magicdoodlebooks.com

12.8 Third-Party Security

We carefully select service providers with strong security practices. However:

We are not responsible for the security practices of third parties (Stripe, OpenAI, Lulu, etc.)
Review the privacy and security policies of our partners (links in Section 5)
Contact third parties directly with security concerns about their services

12.9 Report Security Vulnerabilities

If you discover a security vulnerability in our systems, please report it responsibly:

Do not exploit the vulnerability or access data beyond what is necessary to demonstrate the issue
Do not publicly disclose the vulnerability until we have had a chance to address it
Email security@magicdoodlebooks.com with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information (if you wish to be contacted)

We appreciate responsible disclosure and will acknowledge your report within 5 business days.

13. Data Retention and Deletion

13.1 Retention Periods by Data Type

We retain personal information only as long as necessary to fulfill the purposes described in this Privacy Policy and to comply with legal obligations. Different types of data have different retention periods:

Customer Photos (Including Biometric Data)

Retention Period: We make reasonable efforts to delete photos within 30 days after order shipment, subject to technical limitations, backup retention cycles, and legal requirements.

What is typically deleted:

Original uploaded photo files (JPEG, PNG, etc.)
Extracted facial geometry and biometric data
AI-generated coloring book scenes (the custom illustrations created from your photos)
All image metadata, processing logs, and temporary files
Copies stored in backups (to the extent technically feasible within backup retention cycles)

Deletion method: Automated deletion process runs daily; files are permanently overwritten and unrecoverable

Rationale: 30-day retention allows time for:

Customer to receive order and confirm quality
Address any delivery issues or quality concerns
Handle refund or replacement requests
Provide customer service during initial ownership period

Early deletion: You may request deletion before the 30-day period; see Section 13.4

Cannot be restored: Once photos are deleted, we cannot recreate them or print additional copies of your book

Order Records (Without Photos)

Retention Period: 7 years after order date

What is retained:

Order ID and order date
Customer name and shipping address
Product details (theme, tier, page count, personalization text)
Transaction amount and payment method (last 4 digits only)
Order status history (created, paid, processing, shipped, delivered)
Shipping tracking number
Refund or dispute records (if applicable)

What is NOT retained:

Photos (deleted after 30 days as described above)
Complete payment card numbers
Unnecessary personally identifiable information

Rationale: 7-year retention is required for:

Tax compliance: IRS and state tax authorities require business records for 7 years
Legal defense: Statute of limitations for contract disputes and warranty claims
Accounting: GAAP (Generally Accepted Accounting Principles) requirements
Warranty support: Address quality issues or manufacturing defects

Data minimization: After photos are deleted (30 days), order records contain minimal personal information

Account Information

Retention Period: While account is active + 90 days after account closure request

What is retained:

Account credentials (email, hashed password)
Account creation date
Profile information (name, optional phone number)
Email preferences
Order history (summary, without photos)

What happens at account closure:

Account credentials deleted within 90 days
Order records (without account link) retained for 7 years for legal/tax purposes
Email address may be retained in suppression list to honor unsubscribe requests

Rationale: 90-day grace period allows:

Recovery if account closure was unintended
Completion of any pending customer service issues
Finalization of accounting and order history

Customer Service Communications

Retention Period: 2 years after last communication

What is retained:

Email correspondence (your inquiries and our responses)
Support ticket history
Chat transcripts (if we implement chat support)
Phone call notes (if we implement phone support)

Rationale:

Reference for ongoing customer service issues
Training and quality assurance
Legal defense for disputes
Pattern analysis to improve service

Deletion: Communications older than 2 years are automatically deleted unless related to an ongoing dispute or legal matter

Technical Logs and Usage Data

Retention Period: 90 days

What is retained:

Server logs (IP addresses, request URLs, timestamps)
Error logs for troubleshooting
Performance metrics
Security monitoring logs

Rationale:

Troubleshooting technical issues
Security incident investigation
Performance optimization

Exception: Security incident logs may be retained longer if related to an ongoing investigation

13.2 Legal Retention Requirements

In some cases, we may be required to retain information longer than the periods stated above:

Legal holds: If information is subject to litigation, government investigation, or other legal process, we will retain it until the matter is resolved

Regulatory requirements: Certain laws may require longer retention (e.g., tax records, anti-money laundering laws)

Dispute resolution: If you have an ongoing dispute with us (refund, quality issue, legal claim), we will retain relevant information until the dispute is resolved

We will notify you if we must retain your information beyond standard retention periods due to legal requirements.

13.3 Anonymization and Aggregation

After deletion periods expire, we may retain anonymized and aggregated data that cannot identify you, such as:

"25% of orders include photos of pets"
"Average order includes 6 photos"
"Most popular theme is Christmas Adventure"

This anonymized data is used for business analytics and is not subject to deletion requests.

13.4 Early Deletion Requests

You may request deletion of your personal information before the automatic retention periods expire.

How to Request Early Deletion:

Email privacy@magicdoodlebooks.com with subject line "Early Deletion Request"
Include:
- Your name and email address
- Order number (if requesting deletion of photos from a specific order)
- What you want deleted (photos, account, all data)
We will verify your identity (matching email address, order details)
We will process deletion within 10 business days of verification

Important Considerations:

Photos before order completion:

If you request photo deletion before your order is completed, we cannot fulfill the order
You may receive a refund (less any processing fees incurred)

Photos after shipment but before 30-day auto-deletion:

Photos will be deleted immediately
You will not be able to order reprints or additional copies

Complete account deletion:

All account data and order history will be deleted (subject to legal retention for tax records)
This action is irreversible
Order records (without personal identifiers) retained for 7 years for tax compliance

Exceptions to Deletion: We may decline deletion requests or retain certain information if:

Required by law (tax records, legal hold, regulatory requirement)
Necessary to complete a transaction you requested
Necessary to detect fraud or security incidents
Necessary to exercise or defend legal claims
Required to comply with our legal obligations

If we decline a deletion request, we will explain the reason and provide information about your appeal rights (for California and other covered states).

13.5 Deletion Verification

Upon request, we will provide written confirmation that your data has been deleted.

What we will confirm:

Date deletion was completed
Categories of data deleted
Systems from which data was removed (database, storage, backups)

Request verification: Email privacy@magicdoodlebooks.com with subject line "Deletion Verification Request"

13.6 Backup Retention and Deletion

Backup Systems: We maintain encrypted backups of our database and storage systems for disaster recovery purposes.

Backup Retention:

Daily backups retained for 7 days
Weekly backups retained for 30 days
Monthly backups retained for 90 days

Backup Deletion: When data is deleted from our primary systems (e.g., photos after 30 days), it may remain in backups until those backups expire according to the schedule above.

Maximum Backup Retention: Deleted data will be purged from all backups within 90 days of deletion from primary systems.

Backup Security: All backups are encrypted and access-restricted; backups are not used for any purpose other than disaster recovery.

14. Your Choices and Controls

14.1 Account Information Management

Update Your Information:

You can update your account information at any time:

Through your account dashboard: Log in at magicdoodlebooks.com and access Account Settings
What you can update:
- Name
- Email address (requires email verification)
- Password (requires current password confirmation)
- Default shipping address
- Phone number (optional)
Email change: If you update your email address, we will send a verification link to the new address to confirm ownership

Account Accuracy: Please keep your information accurate and up to date. Outdated information may cause order delivery issues.

Customer Service Assistance: If you have trouble updating your information, contact support@magicdoodlebooks.com

14.2 Email Communications

Transactional Emails (Cannot Opt Out):

These emails are essential to providing our service and cannot be disabled:

Order confirmations (sent immediately after purchase)
Payment receipts (from Stripe)
Order status updates (payment received, photos approved, generation started, printing, shipped)
Shipping notifications with tracking numbers
Delivery confirmations
Customer service responses (replies to your inquiries)
Security alerts (unauthorized login attempts, password changes)
Policy updates (material changes to Terms of Service or Privacy Policy)

If you opt out of transactional emails, you may miss critical information about your order and account.

Marketing Emails (Can Opt Out):

We currently do NOT send marketing emails (newsletters, promotions, new product announcements). If we introduce marketing communications in the future:

You will be able to opt out via unsubscribe link in each email
You can manage email preferences in your account settings
Opt-out requests will be processed within 10 business days

How to Manage Email Preferences:

Unsubscribe link: Click "Unsubscribe" at the bottom of any marketing email
Account settings: Log in and navigate to Email Preferences
Email us: privacy@magicdoodlebooks.com with subject line "Email Preferences"

14.3 Photo Management

Before Order Submission:

While creating your order, you have full control over uploaded photos:

Delete photos: Remove any photo from your upload before placing the order
Replace photos: Upload different photos if you change your mind
Cancel order: Abandon your order at any time before payment (photos will be deleted from our temporary session storage)

After Order Placement:

Once you complete payment, photos enter our production workflow and cannot be easily removed without affecting your order:

Request deletion: You may request photo deletion, but this will prevent order completion
Refund: If you delete photos before production is complete, you may receive a refund (less processing fees)
Automatic deletion: Photos are automatically deleted 30 days after your order ships (see Section 13.1)

Early Deletion After Shipment:

If you want photos deleted before the automatic 30-day period:

Email privacy@magicdoodlebooks.com with subject line "Early Photo Deletion"
Include your order number
Photos will be deleted within 10 business days
Consequence: You will NOT be able to order reprints or additional copies of your book

14.4 Account Closure and Data Deletion

How to Close Your Account:

Email privacy@magicdoodlebooks.com with subject line "Account Closure Request"
We will verify your identity (email match + order details or password)
We will confirm you understand the consequences:
- Loss of access to order history
- Cannot order reprints of past books
- Account cannot be recovered
We will delete your account within 90 days of your request

What Happens to Your Data:

Account credentials: Deleted within 90 days
Photos: Already deleted per 30-day automatic deletion policy
Order records (without personal identifiers): Retained for 7 years for tax and legal compliance
Email address: May be retained in suppression list to honor unsubscribe requests and prevent accidental account recreation

Legal Retention: We may retain certain information as required by law (tax records, legal holds) even after account closure. This information will be stored securely and used only for the specific legal purpose.

Reactivation: Within the 90-day grace period, you may request reactivation by emailing support@magicdoodlebooks.com. After 90 days, deletion is permanent and cannot be reversed.

14.5 Cookie Controls

Browser Settings:

You can control cookies through your browser settings:

Chrome: Settings > Privacy and Security > Cookies and other site data
Firefox: Settings > Privacy & Security > Cookies and Site Data
Safari: Preferences > Privacy > Cookies and website data
Edge: Settings > Privacy, search, and services > Cookies and site data

Cookie Options:

Block all cookies: May prevent website functionality (login, shopping cart)
Block third-party cookies: We don't use third-party cookies, so this won't affect our site
Clear cookies: Deletes existing cookies; you'll need to log in again

Our Cookie Use: We use minimal cookies for essential functionality only:

Session cookies (required for login and shopping cart)
Authentication cookies (remember your login between sessions)

We do NOT use:

Advertising cookies
Analytics cookies (Google Analytics, etc.)
Social media tracking cookies
Cross-site tracking cookies

14.6 Do Not Sell My Personal Information

We do NOT sell your personal information.

No opt-out is required. See Section 15 for complete "Do Not Sell" disclosure.

14.7 Opting Out of Future Features

If we introduce new features that involve data use beyond the current scope of this Privacy Policy:

We will notify you in advance
We will provide an opt-out mechanism
We will obtain your consent where required by law
You may decline new features and continue using core services

Examples might include:

Optional marketing communications (can unsubscribe)
Optional account features that use additional data (can disable)
Optional sharing features (e.g., social media integration - can decline)

14.8 Third-Party Account Connections

Current Status: We do NOT currently offer login via third-party accounts (Google, Facebook, Apple Sign-In).

If we add social login in the future:

You will be able to disconnect third-party accounts from your Magic Doodle Books account
Disconnection will not delete your Magic Doodle Books account (you'll need to use email/password login)
Review and revoke permissions in your third-party account settings (e.g., Google Account Settings > Security > Third-party apps with account access)

15. Do Not Sell My Personal Information

15.1 We Do Not Sell Personal Information

Magic Doodle Books does NOT sell your personal information.

This means:

We do NOT sell personal information to third parties for money
We do NOT share personal information with third parties for cross-context behavioral advertising
We do NOT disclose personal information to data brokers
We do NOT exchange personal information for any valuable consideration

No opt-out is necessary because we do not engage in sales of personal information.

15.2 What Is a "Sale" Under Privacy Laws?

State privacy laws (California CCPA, Virginia VCDPA, Colorado CPA, etc.) define "sale" broadly as:

Sale of Personal Information: Disclosing or making available personal information to a third party in exchange for monetary or other valuable consideration.

Valuable consideration can include:

Money
Services or benefits received in exchange for data
Advertising revenue based on data sharing
Cross-promotional arrangements

15.3 How We Share Information (Not Sales)

We share personal information with third-party service providers only for order fulfillment and business operations, which is NOT considered a "sale" under privacy laws.

Our Service Provider Disclosures (See Section 5 for Details):

Service Provider	Purpose	Not a Sale Because...
OpenAI	AI illustration generation	Contractual service provider; processes data on our behalf to create your order; does not use data for their own purposes
Lulu	Print and ship books	Contractual service provider; fulfills your order; does not use your data for their own marketing or sales
Stripe	Payment processing	Processes payments on our behalf; does not sell your financial information
Supabase	Database and storage	Infrastructure provider; stores data on our behalf; does not use data for their own purposes
Resend	Transactional emails	Sends emails on our behalf; does not use your email for their own marketing
Vercel	Website hosting	Infrastructure provider; hosts our site; does not use visitor data for their own purposes

Key Distinction: Service providers are data processors working on our behalf under contract. They do not "own" your data or use it for their own independent business purposes. This is fundamentally different from selling data to third parties for their own use.

15.4 No Third-Party Advertising or Tracking

We do NOT:

Use third-party advertising networks (Google Ads, Facebook Ads, etc.)
Share data with advertisers for targeted ads
Participate in real-time bidding or ad exchanges
Use tracking pixels for advertising purposes
Enable cross-site tracking or behavioral profiling

We do NOT use:

Google Analytics
Facebook Pixel
Advertising cookies
Retargeting or remarketing services
Affiliate networks that track user behavior

15.5 No Data Broker Disclosures

We do NOT:

Share information with data brokers (companies that aggregate and sell consumer profiles)
Participate in data marketplaces
License customer lists to third parties
Provide information for people-search websites

15.6 Future Changes

If we ever decide to sell personal information or engage in data sharing for cross-context behavioral advertising, we will:

Update this Privacy Policy with at least 30 days' advance notice
Provide a clear and conspicuous "Do Not Sell My Personal Information" link on our homepage
Implement an opt-out mechanism allowing you to easily decline the sale of your information
Obtain your opt-in consent where required by law (e.g., for sale of information from users under 16)
Honor opt-out requests within 15 business days

15.7 Verification of No Sales

How to Verify:

Review our service provider contracts (available upon request to the extent not confidential)
Review service providers' privacy policies (links in Section 5)
Submit a CCPA request to know "categories of third parties to whom personal information was sold" - our response will confirm zero sales

Questions: If you have questions about how we share information or want to verify we do not sell data, contact privacy@magicdoodlebooks.com

15.8 Global Privacy Control (GPC)

Current Status: We do not currently recognize Global Privacy Control (GPC) signals because we do not sell personal information or engage in targeted advertising.

What is GPC: Global Privacy Control is a browser setting that sends an opt-out preference signal to websites, requesting they not sell or share your personal information.

Our Position:

Because we do not sell information, there is nothing to opt out of
If our practices change in the future, we will implement GPC signal recognition as required by law

16. Links to Third-Party Sites

16.1 External Links

Our website may contain links to third-party websites, services, or resources, including:

Payment processors: Stripe (for payment processing)
Print partners: Lulu (for print-on-demand services)
Marketplaces: Amazon Custom (for Amazon marketplace orders)
Service providers: Privacy policies of OpenAI, Supabase, Vercel, Resend
Social media: Links to our social media profiles (if we create them in the future)
Educational resources: Tutorials, guides, or articles on external sites

We Are Not Responsible for Third-Party Sites:

Third-party websites have their own privacy policies and terms of service
We do not control the content, practices, or policies of external sites
We are not responsible for the privacy or security practices of third-party sites
We do not endorse or make representations about third-party sites

16.2 Review Third-Party Privacy Policies

Before providing personal information to any third-party site, we encourage you to:

Read their privacy policy
Understand how they collect, use, and share your information
Review their data retention and security practices
Understand your rights and how to exercise them

Third-Party Privacy Policies We Reference:

For your convenience, here are links to the privacy policies of our key partners (correct as of publication date; third parties may update links):

Stripe: https://stripe.com/privacy
OpenAI: https://openai.com/policies/privacy-policy
Lulu: https://www.lulu.com/privacy
Supabase: https://supabase.com/privacy
Vercel: https://vercel.com/legal/privacy-policy
Resend: https://resend.com/privacy
Amazon: https://www.amazon.com/gp/help/customer/display.html?nodeId=468496

16.3 Third-Party Payment Processing

When you make a payment through our website, you are redirected to Stripe Checkout, a third-party payment processing service.

What Happens:

You enter payment information directly on Stripe's secure platform (not our website)
Stripe processes your payment according to their privacy policy
Stripe sends us a confirmation token (not your complete card number)

Your Relationship with Stripe:

You are subject to Stripe's Terms of Service and Privacy Policy
Stripe collects and processes your payment information independently
Contact Stripe directly for questions about payment data handling

16.4 Amazon Custom Orders

If you place an order through Amazon Custom, you are interacting with Amazon's platform.

What Happens:

You upload photos and customize your product on Amazon.com
Amazon collects your information according to the Amazon Privacy Notice
Amazon sends us only the information necessary to fulfill your order
You are an Amazon customer; we are a third-party seller fulfilling your order

Governed by Amazon Policies:

Amazon Privacy Notice applies to information collected on Amazon.com
Amazon Terms of Service govern your order relationship
Amazon handles customer service for orders placed through their platform

16.5 No Third-Party Content on Our Site

Current Status: We do NOT currently embed third-party content on our website, including:

Social media widgets (Facebook Like, Twitter Share, etc.)
Advertising networks
Analytics services (Google Analytics, etc.)
Content delivery networks with tracking

If We Add Third-Party Embeds: We will update this Privacy Policy to disclose:

What third-party content is embedded
What data may be collected by third parties
How to opt out or control third-party tracking

17. Do Not Track Signals

17.1 What Is Do Not Track (DNT)?

"Do Not Track" is a browser setting that sends a signal to websites requesting they not track your browsing activity across websites over time.

How to Enable DNT:

Chrome: Settings > Privacy and Security > Cookies and other site data > Send a "Do Not Track" request
Firefox: Settings > Privacy & Security > Send websites a "Do Not Track" signal
Safari: Preferences > Privacy > Prevent cross-site tracking (Safari uses Intelligent Tracking Prevention instead of traditional DNT)
Edge: Settings > Privacy, search, and services > Send "Do Not Track" requests

17.2 Our Response to DNT Signals

We do not respond to or honor Do Not Track (DNT) browser signals.

Why:

There is no industry-wide standard for how to interpret or respond to DNT signals
We do NOT track users across third-party websites (no cross-site tracking), so DNT is not applicable to our practices
We do NOT use third-party advertising or analytics cookies that would engage in the tracking DNT is designed to prevent

17.3 Our Actual Tracking Practices

What We Track:

On our website only: Pages you visit, clicks, time spent (to improve user experience and troubleshoot issues)
Session data: Stored temporarily to maintain your shopping cart and login state

What We Do NOT Track:

Your browsing activity on other websites
Your activity across devices (cross-device tracking)
Your behavior for advertising purposes
Your data through third-party cookies or tracking pixels

No Third-Party Trackers: We do NOT use:

Google Analytics or other analytics services
Facebook Pixel or other social media trackers
Advertising networks or retargeting services
Cross-site tracking technologies

17.4 Global Privacy Control (GPC)

What Is GPC: Global Privacy Control (GPC) is a newer standard (successor to DNT) that sends a legally binding signal to websites requesting they:

Not sell or share your personal information
Opt out of targeted advertising

Our Response to GPC: We do not currently recognize GPC signals because:

We do NOT sell personal information (see Section 15)
We do NOT engage in cross-context behavioral advertising (see Section 17.3)
There is nothing to opt out of based on our current practices

Future Commitment: If our practices change such that we sell information or engage in targeted advertising, we will:

Recognize and honor GPC signals as required by applicable law (California, Colorado, etc.)
Implement GPC as a legally binding opt-out request
Update this policy to describe how we process GPC signals

17.5 How to Control Tracking

Even though DNT doesn't apply to our practices, you can control tracking by:

Browser Settings:

Enable "Block third-party cookies" (we don't use third-party cookies anyway)
Use private/incognito browsing mode
Enable "Prevent cross-site tracking" (Safari) or "Enhanced Tracking Prevention" (Firefox)

Browser Extensions:

Privacy Badger (blocks third-party trackers)
uBlock Origin (blocks ads and trackers)
Ghostery (blocks trackers and shows who's tracking you)

Cookie Settings:

Delete cookies regularly
Block or limit cookies in browser settings (may affect website functionality)

Account Settings (Our Website):

We do not have behavioral advertising settings (we don't advertise)
You can delete your account to stop any internal usage analytics (see Section 14.4)

18. Changes to This Policy

18.1 Right to Modify

We reserve the right to modify this Privacy Policy at any time to reflect:

Changes in our business practices
New features or services
Changes in applicable laws or regulations
Technology updates
Feedback from customers or regulators

18.2 Notice of Changes

All Changes: When we update this Privacy Policy, we will:

Post the updated policy on our website at magicdoodlebooks.com/privacy
Update the "Last Updated" date at the top of this document
Maintain an archive of previous policy versions (available upon request)

Material Changes:

For material changes that significantly affect your rights or how we use your information, we will provide additional notice:

Email notification to the email address associated with your account (if you have an account)
At least 30 days' advance notice before the changes take effect
Prominent notice on our website homepage with a summary of key changes
Option to review changes before they become effective

Examples of Material Changes:

Selling personal information when we previously did not
Sharing information with new categories of third parties
Using information for new purposes not previously disclosed
Significantly extending data retention periods
Reducing your rights or our security commitments

18.3 Your Acceptance of Changes

How You Consent to Changes:

By continuing to use our services after changes are posted, you acknowledge and agree to the modified Privacy Policy.

If You Disagree: If you do not agree with changes to this Privacy Policy, you may:

Discontinue using our services before the changes take effect
Delete your account (see Section 14.4)
Request deletion of your data (see Section 13.4)
Contact us to discuss your concerns at privacy@magicdoodlebooks.com

For Material Changes: You will have at least 30 days to review changes and decide whether to continue using our services before the new policy takes effect.

18.4 Changes Affecting Minors

If we make changes that would affect our practices regarding children's information or photos, we will:

Provide prominent notice on the photo upload page
Require re-consent before allowing new photo uploads
Allow users to delete existing photos before the new policy applies to them
Notify parents/guardians via email (if we have email addresses)

18.5 Policy Version History

Current Version: [DATE - To be added at publication]

Previous Versions: We maintain a record of all previous versions of this Privacy Policy. You may request a copy of previous versions by emailing privacy@magicdoodlebooks.com with subject line "Privacy Policy Version History."

Major Version Changes: We will note major version changes and summaries of key updates in this section in future updates. For example:

Version 2.0 (Date): Added biometric data disclosure (Section 7) in compliance with Illinois BIPA
Version 3.0 (Date): Updated service providers (replaced Cloudinary with Supabase Storage)

18.6 Legal Requirements

We may update this Privacy Policy without advance notice if required by law, such as:

Court order or regulatory action requiring immediate policy changes
Emergency security or fraud situations requiring immediate disclosure updates
Urgent compliance with newly enacted laws

In such cases, we will:

Post the updated policy immediately
Provide notice as soon as legally permissible
Explain the reason for the immediate change

19. Contact Us

19.1 Privacy Questions and Concerns

If you have questions, concerns, or feedback about this Privacy Policy or our privacy practices, please contact us:

Privacy Team Email: privacy@magicdoodlebooks.com

Customer Support Email: support@magicdoodlebooks.com

Legal Inquiries Email: legal@magicdoodlebooks.com

Mailing Address: Magic Doodle Books Attn: Privacy Officer [To be determined], [To be determined], [To be determined] [To be determined]

Phone: [To be determined] (Monday - Friday, 9:00 AM - 5:00 PM EST)

19.2 Privacy Rights Requests

To exercise your privacy rights (access, deletion, correction, opt-out, etc.), please use the contact methods above and include:

Required Information:

Your full name
Email address associated with your account
Specific request (e.g., "I request access to my personal information" or "I request deletion of my photos")
Order number (if applicable)
Sufficient detail for us to locate your information

Subject Lines for Faster Processing:

"California Privacy Rights Request" (CCPA/CPRA requests)
"Biometric Privacy Request" (BIPA or biometric data requests)
"Privacy Rights Request - [Your State]" (other state privacy laws)
"Parental Privacy Request" (requests related to children's photos)
"Early Deletion Request" (delete data before automatic retention period)
"PIPEDA Request" (Canadian residents)

Response Timeline: We will acknowledge receipt of your request within 10 business days and provide a complete response within 45 days (may extend to 90 days for complex requests; we will notify you of any extension).

19.3 Data Subject Requests (Verification Required)

For your security, we must verify your identity before fulfilling data access or deletion requests.

Verification Process:

We will send a verification email to the email address associated with your account
Click the verification link in the email
For sensitive requests, provide additional information (order number, last 4 digits of payment card, shipping address)
In rare cases, we may request government-issued ID (you may redact sensitive information like Social Security numbers)

We will not use information provided for verification purposes for any other purpose.

19.4 Complaints and Disputes

Internal Complaint Process:

If you have a complaint about our privacy practices:

Email privacy@magicdoodlebooks.com with subject line "Privacy Complaint"
Describe the issue in detail
We will investigate and respond within 30 days
If you are not satisfied with our response, you may escalate to legal@magicdoodlebooks.com

Appeals (Required by Some State Laws):

Virginia, Colorado, Connecticut, and some other states provide a right to appeal if we deny your privacy request.

If we deny your request, we will explain the reason and provide appeal instructions
Submit appeals to privacy@magicdoodlebooks.com with subject line "Privacy Rights Appeal"
We will respond to appeals within 60 days

Regulatory Complaints:

You also have the right to file a complaint with your state or federal regulatory authority:

California Residents:

California Attorney General's Office
Website: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
Phone: 916-210-6276

Other State Residents: Contact your state Attorney General's office. Find your state AG at: https://www.naag.org/find-my-ag/

Canadian Residents (PIPEDA):

Office of the Privacy Commissioner of Canada
Website: https://www.priv.gc.ca/en/report-a-concern/
Phone: 1-800-282-1376

Australian Residents:

Office of the Australian Information Commissioner (OAIC)
Website: https://www.oaic.gov.au/privacy/privacy-complaints
Phone: 1300 363 992

Federal Trade Commission (FTC): For complaints about unfair or deceptive business practices:

Website: https://reportfraud.ftc.gov/
Phone: 1-877-FTC-HELP (1-877-382-4357)

19.5 Security Incident Reporting

If you discover a security vulnerability or potential data breach, please report it immediately:

Security Team Email: security@magicdoodlebooks.com

What to Include:

Description of the vulnerability or incident
Steps to reproduce (if applicable)
Potential impact
Your contact information (if you wish to be contacted)

Responsible Disclosure: Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and address the issue. We commit to acknowledging security reports within 5 business days.

19.6 Media and Press Inquiries

For media inquiries related to privacy or data protection:

Press Contact: legal@magicdoodlebooks.com Subject Line: "Media Inquiry - Privacy"

19.7 Business Hours and Response Times

Normal Business Hours: Monday - Friday, 9:00 AM - 5:00 PM Eastern Standard Time (EST) Closed on U.S. federal holidays

Response Times:

General privacy questions: Within 5 business days
Privacy rights requests: Acknowledged within 10 business days; completed within 45 days (up to 90 days for complex requests)
Security incidents: Acknowledged within 5 business days; investigation timeline varies based on severity
Complaints: Within 30 days

Holiday Delays: Responses may be delayed during major U.S. holidays (Thanksgiving, Christmas, New Year's). We will acknowledge your request and provide an expected response date.

19.8 Language Assistance

Primary Language: This Privacy Policy is written in English.

Translation Assistance: If you need assistance understanding this Privacy Policy in another language, contact support@magicdoodlebooks.com. We will make reasonable efforts to provide a translated summary (though the English version governs in case of conflicts).

Future Language Versions: If we serve significant populations of non-English speakers, we may provide official translated versions of this Privacy Policy (e.g., Spanish, French, Mandarin).

Acknowledgments

This Privacy Policy was last updated on [DATE - To be added at publication].

By using Magic Doodle Books' services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

Thank you for trusting Magic Doodle Books with your family memories.

Magic Doodle Books Creating magical memories, one personalized coloring book at a time.

Website: https://magicdoodlebooks.com Email: privacy@magicdoodlebooks.com Support: support@magicdoodlebooks.com

End of Privacy Policy

Privacy Policy

Privacy Policy

Table of Contents

1. Introduction

1.1 About Magic Doodle Books

1.2 Scope of This Policy

1.3 Your Acceptance

1.4 Updates to This Policy

2. Eligibility and Age Requirements

2.1 Adult-Only Website

2.2 Legal Capacity

2.3 Account Responsibility

2.4 Product Age Suitability

3. Information We Collect

3.1 Account and Order Information

3.2 User-Uploaded Photos

3.3 AI-Generated Content

3.4 Technical and Usage Information

3.5 Amazon Custom Orders

3.6 Information We Do Not Collect

4. How We Use Your Information

4.1 Order Fulfillment (Primary Purpose)

4.2 Customer Communications

4.3 Internal Business Operations

4.4 Security and Fraud Prevention

4.5 Legal Compliance

4.6 What We DON'T Do With Your Information

5. How We Share Your Information

5.1 Service Providers and Business Partners

5.2 Business Transfers

5.3 Legal Requirements and Protection of Rights

5.4 With Your Consent

5.5 Aggregated and Anonymized Data

6. Artificial Intelligence and Photo Processing

6.1 How We Use AI Technology

6.2 What Information Is Processed

6.3 AI Training and Model Improvement

6.4 Accuracy and Limitations

6.5 Your Control Over AI Processing

7. Biometric Information Disclosure

7.1 What Is Biometric Information?

7.2 Illinois Biometric Information Privacy Act (BIPA) Compliance

7.3 Other State Biometric Privacy Laws

7.4 Biometric Data Deletion

7.5 Your Biometric Privacy Rights

8. Children's Privacy

8.1 Website Not Directed to Children

8.2 Photos of Children - Adult Responsibility Model

8.3 Adult User Responsibilities

8.4 Use Limitations for Children's Images

8.5 Data Retention and Deletion for Children's Photos

8.6 Parental Rights and Controls

8.7 COPPA Safe Harbor and Compliance

9. Your California Privacy Rights (CCPA/CPRA)

9.1 Applicability

9.2 Categories of Personal Information We Collect

9.3 Sources of Personal Information

9.4 Business and Commercial Purposes for Collection and Use

9.5 Categories of Third Parties with Whom We Share Personal Information

9.6 Data Retention Periods

9.7 Your California Privacy Rights

Right to Know (Access)

Right to Delete

Right to Correct

Right to Opt-Out of Sale or Sharing

Right to Limit Use of Sensitive Personal Information

Right to Non-Discrimination

9.8 How to Exercise Your California Privacy Rights

9.9 Authorized Agents

9.10 California "Shine the Light" Law

9.11 California Minors' Privacy Rights

9.12 Do Not Sell My Personal Information

10. Your Rights (Other States)

10.1 Multi-State Privacy Law Coverage

10.2 Your Privacy Rights Under State Laws

Right to Access (Confirm and Know)

Right to Correct (Data Accuracy)

Right to Delete

Right to Data Portability (Some States)

Right to Opt-Out