LuluStories

Privacy Policy

Last updated 2026-05-13. At LuluStories, we believe every child deserves a story — and every family deserves to know exactly how their data is used. This policy explains what we collect, why we collect it, and the choices you have. We are committed to full compliance with the EU General Data Protection Regulation (GDPR) and special protections for children's data.

1. Who we are

LuluStories is operated by LuluGroup AB, registered in Sweden. We are the data controller for all personal data processed through our platform at lulustories.com.


Registered address: Norrbackagatan 70b, Stockholm, Sweden

Contact: privacy@lulustories.com


Data Protection Officer: LuluGroup AB has not appointed a formal Data Protection Officer at this time. All privacy-related enquiries are handled directly by our privacy team at privacy@lulustories.com. We keep this under review as our platform grows.

2. What data we collect

Account data — when you register, we collect your name, email address, and password (stored as a hash).

Story content — story prompts, themes, character names, age ranges, and language preferences you provide when creating a story.

Photos — photos you voluntarily upload to generate a character likeness. These are processed solely for character creation (see Section 5).

Payment data — subscription and print order payments are processed by our third-party payment provider. We do not store full card details on our servers.

Usage data — pages visited, features used, story creation events, and session duration, collected to improve the service. For tools involve data transfers outside the EU, appropriate safeguards are in place as described in Section 7.

Communications — messages you send to our support team.

Device & technical data — IP address, browser type, device type, and operating system, collected automatically when you use the platform.

3. How we use your data

  • Providing, operating, and improving the LuluStories platform and AI story generation features
  • Processing subscriptions, payments, and printed book orders
  • Personalizing stories to the age range, language, and preferences you set
  • Sending service-related emails (order confirmations, account notices)
  • Sending marketing emails about new features or offers — only with your explicit consent via a confirmed opt-in. You may unsubscribe at any time using the link in any marketing email or by contacting us at privacy@lulustories.com.
  • Responding to support requests
  • Detecting and preventing fraud, abuse, or safety issues
  • Complying with legal obligations

We do not sell your personal data. We do not use your data or your child's data to train AI models.

4. Children's privacy

Accounts for children under 16: Under GDPR Article 8, processing of a child's personal data in connection with online services requires parental or guardian consent for children under 16 (or under 13 in certain member states). If a child under 16 registers directly, we require verifiable parental consent before activating the account. We verify parental consent by requiring a confirmed email response from a parent or guardian's registered email address before the account becomes active. Where we have reason to doubt the age of a registering user, we may request additional confirmation before granting access.


Parent/guardian accounts: Parents, guardians, and educators create accounts on behalf of children. The child's name, age range, and photo (if uploaded) are provided by the adult account holder, who is responsible for ensuring they have the right to share this information.


What we do not do:

  • We do not direct marketing at children
  • We do not share children's data with third parties for advertising
  • We do not use children's photos or story content for any purpose other than generating their story
  • We do not allow children's personal data to be made publicly visible without explicit parental action

If you believe a child has provided us with personal data without appropriate consent, please contact us at privacy@lulustories.com and we will delete it promptly.

5. Photo uploads & AI processing

When you upload a photo, our AI processes it immediately to generate a stylized illustrated character for use in your story. To protect your privacy and minimize data retention, the original photo is permanently deleted from our systems as soon as the character has been created — typically within seconds of upload.

The generated character illustration is:

  • Stored securely on encrypted servers
  • Accessible only to you and the systems required to generate your story
  • Retained in your account until you manually delete it in your account settings, or within 30 days of account deletion
  • Never used to train, fine-tune, or improve any AI model
  • Never shared with third parties for any purpose

Photos of children are classified as sensitive personal data under GDPR. By deleting original photos immediately after processing, we ensure we never retain source images of children beyond what is strictly necessary. We process this data solely on the legal basis of explicit consent provided by the parent or guardian who uploads the photo.

If you wish to use the same character in future stories, simply re-upload a photo at any time — the process takes only seconds.

6. Legal bases for processing (GDPR)

Under GDPR, we rely on the following legal bases:

Contract (Art. 6(1)(b)): processing necessary to provide the service you signed up for — account management, story generation, order fulfilment.

Legitimate interests (Art. 6(1)(f)): platform security, fraud prevention, and service analytics, where these interests are not overridden by your rights.

Consent (Art. 6(1)(a)): marketing emails, and for any processing of children's personal data, including photos of children uploaded for character creation. Photos are processed solely to generate illustrated story characters and are not used for facial recognition or biometric identification purposes.

Legal obligation (Art. 6(1)(c)): retaining financial records and responding to lawful requests from authorities.

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

7. Data sharing & third parties

We share personal data only as strictly necessary:

  • Payment processors — to handle subscription billing and print book orders. These processors are PCI-DSS compliant and operate under data processing agreements with us.
  • Cloud infrastructure providers — to host and run the platform. Data processing agreements are in place, and data is stored within the EU or under adequate safeguards.
  • Print fulfilment partners — your name and delivery address are shared only when you order a physical book, solely for fulfilment and shipping purposes.
  • AI generation services — story prompts and character images may be processed by AI infrastructure providers operating under strict data processing agreements. No personal data is retained by these providers for training purposes.
  • Legal authorities — when required by law or to protect safety and rights.

We do not sell, rent, or trade your personal data with any third party for marketing or commercial purposes.

8. International transfers

LuluStories is based in Sweden (EU). Where our service providers are located outside the EU/EEA, we ensure transfers are protected through:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Other appropriate safeguards under GDPR Chapter V

You can request details of the safeguards in place for specific transfers by contacting us at privacy@lulustories.com.

9. Data retention

Account data: retained for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we are required to retain it by law.

Photos: deleted immediately when you remove them in your account settings, or within 30 days of account deletion.

Stories: retained as long as your account is active. You can delete individual stories at any time.

Payment records: retained for 7 years to comply with Swedish accounting and tax law.

Support communications: retained for 12 months after the last interaction, unless the communication relates to a dispute or legal matter, in which case it may be retained for up to 3 years.


10. Your rights

Under GDPR, you have the following rights. You can exercise most of them directly in your account settings, or by emailing privacy@lulustories.com. We will respond within 30 days.

  • Access — Request a copy of your personal data
  • Rectification — Correct inaccurate or incomplete data
  • Erasure — Request deletion of your data ("right to be forgotten")
  • Restriction — Limit how we use your data in certain circumstances
  • Portability — Receive your data in a machine-readable format
  • Objection — Object to processing based on legitimate interests
  • Withdraw consent — Withdraw consent at any time without penalty
  • Complain — Lodge a complaint with the Swedish IMY supervisory authority

To exercise your rights, contact us at privacy@lulustories.com. You also have the right to complain to the Swedish supervisory authority: Integritetsskyddsmyndigheten (IMY) at imy.se.

11. Cookies

We use cookies and similar technologies to operate the platform and improve your experience. Essential cookies required to run the service do not require consent. Optional cookies (such as analytics) are only placed with your agreement via our cookie consent banner.


You can manage your cookie preferences at any time via the Cookie Preferences page. For full details, see our Cookie Policy.

12. Automated decision-making

LuluStories uses automated processes to generate story text and illustrations based on the inputs you provide. These automated processes do not make decisions that produce legal effects or similarly significant impacts on you or your child. You remain in full control — you can review, edit, or delete any generated story before saving, sharing, or printing it. If you have questions about how our AI generates content, contact us at privacy@lulustories.com.

13. Security

We use industry-standard technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS) and at rest
  • Access controls limiting who can view personal data
  • Regular security assessments
  • Secure, hashed password storage

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Art. 33–34.


14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by displaying a notice on the platform before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of LuluStories after changes take effect constitutes your acceptance of the revised policy.

15. Contact & complaints

For any privacy questions, data requests, or concerns, please contact our privacy team at privacy@lulustories.com.


If you're not satisfied with our response, you have the right to lodge a complaint with Sweden's data protection authority:


Integritetsskyddsmyndigheten (IMY)


www.imy.se