Privacy Policy

Before the legal detail, here is what matters most in plain language:

• Your child’s photo is used only to create their book. We extract a text description (hair color, eye color, etc.) for AI illustration. That’s it.
• Photos are never used to train AI models. Not ours, not anyone else’s.
• Photos are deleted within 30 days of book completion. You can request immediate deletion at any time.
• We never sell your data. Not photos, not emails, not usage data. To anyone. Ever.
• Children do not use this app. MagicBook is a tool for adults — parents, grandparents, and educators — to create content for children.
• You own your book. The PDF is yours. No DRM. Print it, share it, keep it forever.

MagicBook, Inc. (“MagicBook,” “we,” “our,” or “us”) is committed to protecting the privacy of every person who uses our platform. This Privacy Policy describes how we collect, use, store, share, and protect information when you access or use our website, mobile application, and related services (collectively, the “Service”).

This Service is designed for and directed at adults — parents, legal guardians, and educators — to create personalized storybooks for children. The Service is not directed at children. We do not permit children under the age of 13 to create accounts or use the Service directly. This Privacy Policy incorporates our obligations under the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the General Data Protection Regulation (GDPR), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and other applicable privacy laws.

Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this Policy.

2.1 Information You Provide Directly

Account Registration

When you create a MagicBook account, we collect your name, email address, password (stored in hashed form), and optionally your billing address and phone number.

Child Profile Information

To create a personalized storybook, you may provide us with information about a child, including:

• The child’s first name
• The child’s age or date of birth
• The child’s gender (used only to generate appropriate story pronouns)
• A photograph of the child (used solely to generate a text-based character description for AI illustration — see Section 4.3)
• Story preferences, themes, and any content exclusions you specify

This information is provided by you — the parent, guardian, or authorized educator — and is never collected directly from a child.

Payment Information

We use Stripe, Inc. as our third-party payment processor. When you make a purchase, your payment card details are collected and processed directly by Stripe. We do not store full payment card numbers, card verification codes, or bank account numbers on our systems. We retain only the last four digits of your payment method, card type, and billing address for account management purposes.

For purchases made through Apple’s App Store, payment is processed entirely by Apple. We receive only a transaction confirmation and subscription status from Apple — we never receive or store your Apple payment details. Subscriptions purchased through the App Store are managed through your Apple ID settings.

Communications

If you contact us via email, support ticket, or feedback form, we retain the contents of those communications and your contact information to respond and improve the Service.

2.2 Information Collected Automatically

Usage Data

We automatically collect information about how you interact with the Service, including pages visited, features used, buttons clicked, time spent on each step of the book creation process, error events, and session duration.

Device and Technical Data

We collect your IP address, browser type and version, operating system, device identifiers, screen resolution, language settings, and referring URL.

Cookies and Tracking Technologies

We use cookies, local storage, and similar technologies to maintain your session, remember your preferences, and analyze usage patterns. See Section 9 (Cookies) for details.

2.3 Information from Third Parties

Authentication Providers

If you sign in using a third-party authentication provider (such as Google or Apple), we receive your name, email address, and profile picture from that provider in accordance with your privacy settings on that platform.

Payment Processors

Stripe provides us with transaction identifiers, payment status, subscription status, and billing address to manage your account and detect fraud. Apple provides subscription status and transaction confirmations for App Store purchases.

2.4 Sensitive Personal Information

Under the CPRA, certain categories of personal information are classified as “sensitive personal information.” We may collect the following categories of sensitive personal information: account login credentials (email address in combination with a password). We use sensitive personal information only to provide the Service and do not use or disclose it for purposes other than those permitted under the CPRA. Photographs of children, while not classified as biometric information (because we do not use them to uniquely identify individuals — see Section 2.5), are treated with the highest degree of care as described in Section 4.

2.5 Biometric Information Notice

MagicBook does not collect, capture, or store biometric identifiers or biometric information as defined under the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act, or similar state laws. Photographs you upload are transmitted to OpenAI for the sole purpose of generating a text-based illustration description and AI-generated artwork. We do not extract facial geometry, create facial templates, or use photographs for facial recognition or identification purposes. Photographs are processed and deleted in accordance with Section 4.3.

Service Delivery

• Creating, personalizing, and delivering your storybooks
• Processing and fulfilling orders
• Maintaining and managing your account and subscription
• Sending transactional emails (order confirmations, book-ready notifications, receipts)

AI Processing

• The child’s photograph you upload is transmitted to OpenAI’s API to generate a text-based character description (hair color, eye color, skin tone, distinguishing features), which is then used to create storybook illustrations via DALL-E 3. The photograph itself is not embedded in, stored alongside, or used beyond this character description step.
• Story text and narrative are generated using OpenAI’s GPT-4o model
• Your inputs and resulting outputs are processed by OpenAI under their API data usage policies. OpenAI’s API terms provide that API inputs and outputs are not used to train their models.

Product Improvement

• Analyzing usage patterns to improve features and user experience
• Identifying bugs and performance issues
• Developing new features based on aggregate, anonymized usage data

Safety and Security

• Detecting, preventing, and responding to fraud, abuse, or Terms of Service violations
• Protecting the safety and security of our users and the Service
• Enforcing our content moderation and child safety guardrails (see our Content Safety Policy)

Legal Compliance

• Complying with applicable laws, regulations, and legal processes
• Responding to law enforcement requests where legally required

Communications

• Sending product updates, newsletters, and promotional materials (only with your consent, and you may opt out at any time via the unsubscribe link in any email or through your account settings)

MagicBook takes children’s privacy with the utmost seriousness.

4.1 No Direct Collection from Children Under 13

The Service is intended for use by adults (parents, legal guardians, and educators). We do not knowingly collect personal information directly from children under 13. The app requires account creation by an adult. There are no features that allow or encourage children to interact with the Service directly — no child-facing profiles, no child login, no social features, no chat, and no user-to-user interaction of any kind.

All child profile information is provided by the account holder — an adult who represents that they have the authority to make decisions about the child’s information.

If we learn that we have collected personal information directly from a child under 13 without verified parental consent, we will take immediate steps to delete that information.

4.2 Verifiable Parental Consent

By creating a child profile and uploading a child’s photograph, you represent that:

• You are the parent or legal guardian of the child, or
• You are an educator with written authorization from the child’s parent or legal guardian to submit the child’s information for educational use

4.3 Photographs of Minors

Photographs you upload of children are used solely to generate a text-based character description for AI illustration. Here is exactly what happens to a photo you upload:

1. Upload: The photo is encrypted in transit (TLS 1.3) and stored temporarily in our secure, access-controlled storage (Supabase with Row-Level Security).
2. Processing: The photo is sent to OpenAI’s Vision API, which returns a text description of the child’s appearance (hair color, eye color, skin tone, etc.). This text description is what our illustration system uses — not the photo itself.
3. Retention: The original photo is retained for up to 30 days after book completion to allow for page regeneration requests.
4. Deletion: After 30 days, the original photo is permanently deleted from all active systems. You may request immediate deletion at any time via your account settings or by emailing privacy@magicbook.com.

Photographs of minors are never:

• Used to train any AI or machine learning model — ours or any third party’s
• Shared with third parties for advertising, analytics, or any purpose beyond book generation
• Made publicly accessible or visible to any user other than the uploading account holder
• Used for facial recognition, biometric identification, or any purpose beyond character description
• Stored in any system beyond the 30-day post-completion window

4.4 Parental Rights Under COPPA

Parents and legal guardians have the right at any time to:

• Review the child profile information that has been collected
• Request deletion of the child’s personal information
• Refuse to permit further collection or use of the child’s information
• Request that the child’s photograph be deleted immediately, without waiting for the 30-day post-completion deletion cycle

To exercise any of these rights, contact us at privacy@magicbook.com or through your account settings. We will process deletion requests within 72 hours.

4.5 COPPA Operator Notice

If you are a school or educator using MagicBook for classroom purposes, you represent that you have obtained appropriate consent from parents or guardians as required by COPPA and your institution’s policies, and that your use complies with the Family Educational Rights and Privacy Act (FERPA).

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We share information only in the following circumstances:

5.1 Service Providers

We share information with third-party service providers who help us operate the Service:

All service providers are bound by data processing agreements requiring them to protect your information and use it only for the purposes we specify.

5.2 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of MagicBook, our users, or the public.

5.3 Business Transfers

If MagicBook is acquired by, merges with, or transfers assets to another company, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service at least 30 days before such a transfer and before your information becomes subject to a materially different privacy policy.

5.4 With Your Consent

We may share your information for other purposes with your explicit consent.

You may request earlier deletion of any data except where retention is required by law. See Section 8 (Your Rights).

We implement industry-standard security measures to protect your information, including:

• AES-256 encryption of data at rest
• TLS 1.3 encryption of all data in transit
• Row-level security (RLS) on all database tables ensuring no user can access another user’s data
• Role-based access controls limiting internal employee access to personal data on a need-to-know basis
• Secure, access-controlled photo storage with automatic lifecycle deletion policies
• Regular security audits and penetration testing
• Incident response procedures with 72-hour breach notification to applicable supervisory authorities where required by GDPR, and notification to affected individuals as required by applicable U.S. state breach notification laws

No method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8.1 All Users

Regardless of your location, you have the right to:

• Access the personal information we hold about you
• Correct inaccurate or incomplete information
• Delete your account and associated data (subject to legal retention requirements)
• Opt out of marketing communications at any time
• Download your data in a portable format
• Request immediate deletion of your child’s photograph at any time

8.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights including:

• The right to know the categories and specific pieces of personal information we collect, use, and disclose
• The right to delete personal information (with exceptions)
• The right to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising)
• The right to correct inaccurate personal information
• The right to limit the use and disclosure of sensitive personal information to purposes necessary to provide the Service
• The right not to be discriminated against or retaliated against for exercising your privacy rights

Categories of Personal Information Collected (preceding 12 months):

• Identifiers (name, email, IP address, device identifiers)
• Commercial information (purchase history, subscription status)
• Internet or electronic network activity (usage data, pages visited, interactions)
• Geolocation data (inferred from IP address; we do not collect precise geolocation)
• Sensory data (photographs, solely for book generation)
• Account access credentials (email and hashed password)

Authorized Agents: You may designate an authorized agent to submit privacy requests on your behalf. Authorized agents must provide written proof of authorization signed by you, and we may verify your identity directly before processing the request.

Verification: To protect your privacy, we will verify your identity before fulfilling access, deletion, or correction requests. We will match the identifying information you provide with information we already maintain.

To exercise these rights, contact us at privacy@magicbook.com, through your account settings, or by mail at: MagicBook, Inc., Attn: Privacy Team, United States.

8.3 Virginia, Colorado, Connecticut, and Other U.S. State Residents

If you are a resident of Virginia, Colorado, Connecticut, or another U.S. state with an applicable consumer data privacy law, you may have rights including the right to access, correct, delete, and obtain a copy of your personal data, as well as the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. We do not sell personal data or process personal data for targeted advertising.

To exercise these rights, contact us at privacy@magicbook.com. If we decline your request, you may appeal by contacting us at appeals@magicbook.com. If your appeal is denied, you may contact your state’s attorney general.

8.4 EEA, UK, and Swiss Residents (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the right to:

• Access your personal data
• Rectify inaccurate data
• Erase your data (“right to be forgotten”)
• Restrict processing
• Data portability
• Object to processing based on legitimate interests
• Withdraw consent at any time without affecting the lawfulness of prior processing
• Lodge a complaint with your local supervisory authority

Our lawful bases for processing are:

• Contract performance (providing the Service you purchased)
• Legitimate interests (improving the Service, fraud prevention)
• Consent (marketing communications, optional features)
• Legal obligation (financial records, law enforcement compliance)

Automated Decision-Making (GDPR Article 22): MagicBook uses automated AI systems to generate story content and illustrations, and automated content moderation guardrails to filter prohibited content. These automated processes are necessary for the performance of our contract with you (delivering your personalized book) and are subject to appropriate safeguards. You have the right to obtain human intervention with respect to any automated content moderation decision that affects your ability to use the Service by contacting support@magicbook.com.

Our EU representative for GDPR purposes may be contacted at gdpr@magicbook.com.

We use the following categories of cookies:

Strictly Necessary: Session authentication, security tokens, load balancing. Cannot be disabled.

Functional: Your preferences, saved settings, language choice. Can be disabled, but may affect functionality.

Analytics: Aggregate usage data to improve the Service. Can be disabled via cookie preferences.

Marketing: We do not use advertising or behavioral tracking cookies. We do not participate in cross-site ad tracking.

You can manage cookie preferences through the cookie banner on our website or your browser settings.

Do Not Track Signals: Some browsers transmit “Do Not Track” (DNT) signals to websites. There is currently no universally accepted standard for how companies should respond to DNT signals. At this time, MagicBook does not respond to DNT signals. However, we do not engage in cross-site tracking or behavioral advertising, so our data practices are consistent with the purposes underlying DNT signals.

Global Privacy Control (GPC): We honor Global Privacy Control signals as a valid opt-out of the sale or sharing of personal information where required by applicable law (such as the CCPA/CPRA).

MagicBook is operated from the United States. If you are located outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your country.

For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Agreement or Addendum (as applicable), and appropriate transfer impact assessments where required.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Post the updated Policy with a new “Last Updated” date
• Send you an email notification at least 14 days before the changes take effect
• Display a prominent notice on the Service

Your continued use of the Service after changes take effect constitutes your acceptance of the updated Policy.

Privacy Requests: privacy@magicbook.com

Data Protection Officer: dpo@magicbook.com

GDPR Representative: gdpr@magicbook.com

Appeals (U.S. State Privacy Laws): appeals@magicbook.com

General Support: support@magicbook.com

General Inquiries: hello@magicbook.com

MagicBook, Inc.
Attn: Privacy Team
United States

This Privacy Policy was last updated on March 8, 2026.