Privacy Policy

LuluStories is operated by:

LuluHoldings AB

Registration number: [TO BE ADDED]

Registered address: [TO BE ADDED]

Country of establishment: Sweden

LuluHoldings AB is the data controller responsible for the processing of personal data described in this Privacy Policy.

If you have questions or wish to exercise your privacy rights, you can contact us at: privacy@lulustories.com

We use personal data to:

• Create and manage user accounts

• Generate personalized stories, illustrations, and print-ready files

• Store your story library so you can revisit, edit, or reorder content

• Process payments and manage subscriptions

• Provide customer support

• Improve our templates, illustration styles, and platform performance using anonymized and aggregated data

• Ensure platform security and prevent misuse

We do not sell your personal data, photos, or story prompts.

We process personal data under the following legal bases in accordance with Article 6 GDPR:

• Performance of a contract – to provide the LuluStories service you request

• Consent – for optional features, marketing communications, and non-essential cookies

• Legitimate interests – to improve and secure our service, provided these interests do not override your rights

• Legal obligation – where required to comply with applicable laws

Where consent is required, you may withdraw it at any time.

LuluStories is intended to be used by parents, guardians, or educators.

• We do not allow children under the age of 13 to create accounts on their own.

• Any personal data relating to a child is provided by a parent or legal guardian.

• Parents are responsible for ensuring they have the right to upload any child-related information or images.

• We minimize the collection of children's data and apply heightened security safeguards.

• If we become aware that personal data has been collected from a child without appropriate consent, we will delete it promptly.

LuluStories uses artificial intelligence to generate personalized stories and illustrations based on the inputs you provide.

• Content generation is automated

• No automated decision-making produces legal or similarly significant effects

• AI outputs may be imperfect, non-unique, or inaccurate

• You remain responsible for reviewing content before sharing it with children or third parties.

Stories remain private by default. If you choose to share a story in our community library:

• Only the story title, content, illustrations, and first name (if provided) may be visible

• You can remove shared stories at any time

• Cached previews are removed within 24 hours after removal

We may share personal data with trusted service providers who help us operate the platform, such as:

• Hosting and infrastructure providers

• Analytics providers

• Payment processors

• Customer support tools

These providers process data only on our instructions and under appropriate data processing agreements.

Some service providers may process data outside the EU/EEA (e.g. in the United States). Where this occurs, we ensure appropriate safeguards are in place, such as:

• EU Standard Contractual Clauses (SCCs)

• Equivalent lawful transfer mechanisms

We retain personal data only as long as necessary:

• Account data: retained while your account is active

• Generated content: retained until you delete it or your account is closed

• Uploaded photos: automatically deleted 30 days after a story is deleted, unless you archive them

• Legal and billing records: retained as required by law

We implement appropriate technical and organizational security measures, including:

• Encryption in transit (HTTPS/TLS) and at rest

• Access controls and role-based permissions

• SOC-2-aligned infrastructure

• Multi-factor authentication for internal systems

No system is 100% secure, but we continuously work to protect your data.

You have the right to:

• Access your personal data

• Correct inaccurate or incomplete data

• Request deletion ("right to be forgotten")

• Restrict or object to processing

• Request data portability

• Withdraw consent at any time

• Lodge a complaint with a supervisory authority

In Sweden, the supervisory authority is Integritetsskyddsmyndigheten (IMY).

You may opt out of marketing emails at any time by:

• Clicking the unsubscribe link in any email

• Updating your account settings

Service-related communications may still be sent when necessary.

We may update this Privacy Policy from time to time. If changes are material, we will notify you via the platform or email.

Continued use of LuluStories after updates take effect constitutes acceptance of the revised policy.