← Back to Home

Privacy Policy

How we handle your data — plain English version

Last updated: 22 June 2026

Section 1: Who We Are

The Egg Consultancy GmbH, Ing.-Etzelstraße 23/Top 2, 6020 Innsbruck, Austria.

Commercial Register: FN 581798 k, Landesgericht Innsbruck

Email: hello@memolio.io

We are the data controller under GDPR Article 4(7).

Section 2: What We Collect

Section 3: How We Use Your Data & AI Processing

3.1 Legal Basis for Processing

3.2 Text Generation

Your biographical information and memories are sent to Anthropic (the Claude API, US servers) to generate the story text. Anthropic does not use API data to train its models. API inputs and outputs are automatically deleted after a short retention period (currently up to 30 days) used only for trust-and-safety and abuse monitoring. This processing is governed by Anthropic's Commercial Terms of Service and Data Processing Addendum.

3.3 Photo Analysis

Your photographs — including photos of the grandparent and any family members you provide (partner, children, grandchildren) — are analysed by Anthropic's Claude vision models (US servers) to generate character descriptions for use in the illustrations. The same terms apply: the photos are not used for model training and are deleted after the short retention period.

3.4 Image Generation

The illustrations in your book are generated using Seedream v4.5, an AI image generation model developed by ByteDance. We access this model through BytePlus Pte. Ltd. (Singapore), ByteDance's international technology platform.

To create illustrations that resemble the person the book is about, we send BytePlus a text description of the scene and one or more reference photographs of the subject (in the relevant life stage) and, where applicable, their partner and any children. This is what allows the AI to render a recognisable likeness on each page. Photographs are used solely for this purpose and are not used to train AI models.

We do not send complete intake documents or identity documents to BytePlus — only the photographs needed to illustrate a specific page, together with the scene description.

Where the photographs submitted reveal or may be used to infer ethnicity, skin tone, or other characteristics covered by GDPR Art. 9, we rely on your explicit, separate consent (Art. 9(2)(a) GDPR), collected during the intake process.

BytePlus applies a content pre-filter to the material we send, to screen for unsafe content. Where this filter flags potentially risky content, BytePlus retains the related logs and the filtered content for a limited period on servers in Malaysia or Singapore, in line with its published Content Pre-filter terms, in order to operate and troubleshoot the safety feature.

BytePlus and China: BytePlus Pte. Ltd. is a separate international entity registered in Singapore. Singapore does not have an EU adequacy decision. We rely on BytePlus's published Data Processing Addendum, which incorporates EU Standard Contractual Clauses (Module 2, Controller-to-Processor) governed by Irish law. Under these terms, your data is processed in BytePlus's Singapore region (with content pre-filter logs in Malaysia or Singapore) and is not transferred to China. BytePlus processes your data solely on our instruction.

3.5 Audio Transcription

If you use the optional voice-dictation feature on the web form, the audio you record is sent to Eleven Labs, Inc. (US servers) and transcribed into text, so you don't have to type your answers. The audio is used only to produce that transcript.

3.6 Payments

Payments are handled by Stripe (Stripe Payments Europe, Ltd., Ireland). When you pay, your card and billing details are submitted directly to Stripe; we never see or store your full card number.

Section 4: Who Processes Your Data (Processor List)

Processor Service Location DPA Status
Anthropic, PBC Story text generation & photo analysis (Claude models) USA ✅ Covered (Commercial Terms + DPA; no training, short retention)
BytePlus Pte. Ltd. AI image generation (Jimeng API / Seedream v4.5) & content pre-filter Singapore (pre-filter logs: Malaysia / Singapore) ✅ Covered (DPA with EU SCCs)
Twilio Inc. WhatsApp messaging (legacy channel, being wound down) USA ✅ Covered (DPA in ToS)
Cloudinary Ltd. Image hosting USA (AWS) ✅ Covered (paid plan DPA)
Supabase, Inc. Database (book records, order data, questionnaire responses) EU (Ireland) ✅ DPA signed
Amazon Web Services PDF storage EU (Frankfurt) ✅ Covered (DPA in agreement)
Google LLC Order tracking (Sheets), Email (Gmail) USA ✅ Covered (CDPA in ToS)
n8n GmbH Workflow automation Germany ✅ Covered (DPA in ToS)
CloudPrinter B.V. Print fulfilment Netherlands + partners ✅ Signed DPA
Meta Platforms Ireland Ltd. WhatsApp message delivery (sub-processor of Twilio) — legacy channel Ireland (EU) ✅ Covered (Twilio sub-processor)
PDFShift SAS PDF rendering France (EU) ✅ Covered (DPA on request, EU-based)
Netlify, Inc. Website hosting USA (CDN global) ✅ Covered (DPA + SCCs)
Stripe Payments Europe, Ltd. Payment processing (checkout, card & billing data) Ireland (EU) ✅ Covered (DPA + SCCs)
Eleven Labs, Inc. Voice-to-text transcription of optional web-form audio dictation USA ✅ Covered (DPA + SCCs + EU-US DPF)
Meta Platforms Ireland Ltd. Advertising & conversion measurement (Meta Pixel) — consent only Ireland (EU); USA (Meta Platforms, Inc.) ⚠️ Loads only after you Accept cookies
Google Ireland Ltd. / Google LLC Website analytics (Google Analytics 4) — consent only Ireland (EU); USA ⚠️ Loads only after you Accept cookies
Pinterest Europe Ltd. Advertising & conversion measurement (Pinterest Tag) — consent only Ireland (EU); USA (Pinterest, Inc.) ⚠️ Loads only after you Accept cookies
Klaviyo, Inc. Email marketing & onsite activity (Klaviyo) — consent only USA ⚠️ Loads only after you Accept cookies

Section 5: International Transfers

Some of your data is transferred outside the EU for processing — to the USA (e.g. Anthropic, Eleven Labs, Twilio, Cloudinary, Google) and to Singapore / Malaysia (BytePlus image generation and its content pre-filter logs). We rely on:

We have assessed the transfer risks and consider them acceptable given the nature of the data and the safeguards in place.

Section 6: How Long We Keep Your Data

Section 7: Marketing Communications

If you join our waitlist, request a free sample, or sign up via any of our forms, we treat the resulting emails in two distinct ways:

7.1 Transactional emails

When you request something specific — a sample illustration, a launch notification — we send you the thing you asked for, plus any directly related follow-up (e.g. a sample-expiry reminder, a launch announcement when ordering opens). These are transactional emails: we send them under Article 6(1)(b) GDPR (contract performance) or Article 6(1)(f) (legitimate interest), and you cannot opt out of them while the underlying request is active. They will stop once the request is fulfilled or withdrawn.

7.2 Marketing emails

We will only send you ongoing promotional content — special offers, product updates, drip sequences, content highlights — if you have given us explicit, separate, opt-in consent by ticking the marketing-consent checkbox at point of collection (Article 6(1)(a) GDPR + § 7 UWG (Austria) / Reg. 22 PECR (UK)).

For each consent record, we store: the boolean choice you made, the timestamp, and the version of the consent wording you saw. You can request a copy of this audit trail at any time.

7.3 Withdrawing consent

You can withdraw your consent at any time, with immediate effect, by:

Withdrawal does not affect the lawfulness of any processing carried out before withdrawal.

7.4 Retention of marketing data

Email addresses on the waitlist are retained until the launch, plus 12 months thereafter, or until withdrawal of consent — whichever comes first. Once you withdraw consent we keep a minimal "do-not-contact" record (your email + the fact that you withdrew) for 30 days, after which the email is removed from our systems. Sample-related contact data follows the schedule in Section 6.

Section 8: Your Rights

Under GDPR, you have the right to:

To exercise any right, email hello@memolio.io. We will respond within 30 days.

You also have the right to lodge a complaint with the Austrian Data Protection Authority: dsb.gv.at

Section 9: Children's Data

We do not knowingly collect data directly from children under 16. However, the storybook may include photographs of children (for example grandchildren) as family members. All such photographs of children must be submitted by a parent or legal guardian with appropriate authority and consent.

Photographs of children are not required — you can describe their appearance in text instead and your book will still be created.

Section 10: AI Transparency

All text and illustrations are generated by artificial intelligence. No human author or illustrator is involved.

We use:

This disclosure is made in accordance with the EU AI Act (Regulation (EU) 2024/1689), Article 50.

Section 11: Changes to This Policy

We may update this policy at any time. Changes will be posted on this page with an updated date. Your continued use of our service constitutes acceptance of the updated policy.

Section 12: Contact

The Egg Consultancy GmbH
hello@memolio.io

Section 13: Cookies and Tracking

On your first visit to memolio.io a cookie consent banner records your choice (Accept or Decline). Your choice is stored in your browser's localStorage under the key memolio_cookie_consent — it is not transmitted to our servers and is not linked to any account. You can change your choice at any time using the link at the end of this section.

Strictly necessary cookies / storage. These are always active and do not require consent. They include the consent record itself (localStorage key memolio_cookie_consent) and a strictly-necessary __cf_bm bot-protection cookie that our network provider (Cloudflare) may set under ePrivacy guidance. Our website host (Netlify) also collects standard web server logs (IP addresses, user agents, timestamps) for normal hosting operations, processed under Netlify's own privacy policy.

Analytics & marketing cookies (consent required). If — and only if — you click Accept on the cookie banner, we load analytics and marketing tools from the following providers. If you click Decline, none of these are loaded and no requests are sent to them. You can withdraw your consent at any time via the “Cookie settings” link below, which stops further loading.

Typical cookies set by these tools once you accept:

CookieSet byPurposeTypical duration
_fbpMeta PixelAdvertising / conversion measurement~3 months
_ga, _ga_*Google Analytics 4Distinguish users / sessions (analytics)up to 2 years
_pin_unauth, _pinterest_ct_*Pinterest TagAdvertising / conversion measurement~1 year
__kla_idKlaviyoOnsite activity / email attribution~2 years

Legal basis. Analytics and marketing cookies are loaded only on the basis of your consent under Art. 6(1)(a) GDPR (and § 25(1) TTDSG / the equivalent ePrivacy provision). Consent is voluntary and can be withdrawn at any time with effect for the future, without affecting the lawfulness of processing carried out before withdrawal.

International transfers. Meta, Google, Pinterest and Klaviyo may process data in the USA. Where the provider is certified under the EU–US Data Privacy Framework (this currently includes Meta, Google and Klaviyo), transfers are covered by that adequacy decision; otherwise they are based on EU Standard Contractual Clauses. Accepting these cookies means accepting that your data may be transferred to and processed in the USA.

Cookie settings →