Magnificent Worlds

Privacy Policy

Last updated: 13 April 2026

1. Who We Are

Magnificent Worlds is operated by Shape d.o.o., a company registered in the Republic of Slovenia ("we", "us", "our"). We operate the website magnificentworlds.io and the Magnificent Worlds application (collectively, the "Service"). We are the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR).

For any privacy-related questions or requests, you can reach us at privacy@magnificentworlds.io.

2. What Data We Collect

We collect the following categories of personal data:

a) Account information

  • Full name
  • Email address
  • Authentication data (password hash or Google OAuth token)

b) Child profile data

  • Child's first name
  • Age group
  • Gender (optional)
  • Uploaded photograph (used solely for generating personalised illustrations)

c) Story and content data

  • Story prompts and themes you provide
  • Generated story text and illustrations
  • Your edits to stories

d) Order and payment data

  • Shipping address
  • Order history
  • Payment data is processed exclusively by Stripe and is never stored on our servers

e) Technical data

  • IP address
  • Browser type and version
  • Device type
  • Pages visited and interaction data (via PostHog and Google Tag Manager)
  • Cookies and similar tracking technologies

3. How We Use Your Data

We process your personal data for the following purposes and legal bases:

  • To provide the Service (contract performance) — creating your account, generating personalised stories, processing print orders, and delivering books.
  • To send transactional emails (contract performance) — notifying you when your story or preview is ready.
  • To improve the Service (legitimate interest) — analysing usage patterns, debugging, and enhancing features.
  • To comply with legal obligations (legal obligation) — maintaining records required by applicable law, responding to lawful requests.

4. Children's Photos & Images

We understand the sensitivity of children's photographs. Here is how we handle them:

  • Photos are used exclusively to generate personalised illustrations for your child's storybook. They are never used for any other purpose.
  • Photos are stored securely in our cloud infrastructure (Supabase Storage) and are accessible only to your account.
  • Photos are sent to our illustration provider (fal.ai) solely for the purpose of generating story illustrations. They are not retained by the provider after processing.
  • You may delete your child's photo and all associated data at any time from your account settings. Deletion is permanent and irreversible.

5. Third-Party Processors

We share your data with the following third-party processors, all of which are bound by data processing agreements:

  • Supabase (EU region) — database hosting, authentication, and file storage.
  • Stripe — payment processing. Stripe acts as an independent controller for payment data.
  • OpenAI — story text generation. Prompts and generated text are processed but not used to train models under our API agreement.
  • fal.ai — illustration generation from text prompts and reference images.
  • Resend — transactional email delivery.
  • PostHog (EU hosting) — product analytics.
  • Google Tag Manager / Google Analytics — website analytics and conversion tracking.
  • Inngest — background job processing for story generation.

6. International Data Transfers

Some of our processors are based outside the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure adequate safeguards are in place, including EU Standard Contractual Clauses (SCCs) or adequacy decisions as recognised by the European Commission.

7. Data Retention

  • Account data is retained for as long as your account is active.
  • Story data and illustrations are retained for as long as your account is active, or until you delete them.
  • Child photos are retained until you delete the child profile or your account.
  • Order records are retained for 7 years after the transaction for accounting and legal compliance.
  • Analytics data is retained according to our analytics providers' retention policies (typically 12–26 months).

When you delete your account, all personal data — including child profiles, photos, and stories — is permanently deleted within 30 days, except where retention is required by law.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of all personal data we hold about you.
  • Right to rectification — correct any inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — request deletion of your personal data. You can delete child profiles, photos, and stories directly from your account at any time.
  • Right to restrict processing — request that we limit how we use your data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@magnificentworlds.io. We will respond within 30 days.

9. Cookies & Tracking

We use the following types of cookies and tracking technologies:

  • Essential cookies — required for authentication and core functionality (session cookies, CSRF tokens).
  • Analytics cookies — PostHog and Google Analytics cookies to understand how visitors use our site.
  • Preference cookies — to remember your language selection and interface settings.

You can manage cookie preferences through your browser settings. Note that disabling essential cookies may prevent the Service from functioning properly.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Access controls and role-based permissions
  • Regular security reviews
  • Secure authentication via Supabase Auth (bcrypt password hashing, OAuth 2.0)

11. Supervisory Authority

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with your local data protection supervisory authority. For Slovenia, the supervisory authority is the Information Commissioner (Informacijski pooblaščenec). A list of EU supervisory authorities is available at edpb.europa.eu.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we may also notify you by email.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: