Privacy Policy
How we handle your data — plain English version
Last updated: 22 June 2026
Section 1: Who We Are
The Egg Consultancy GmbH, Ing.-Etzelstraße 23/Top 2, 6020 Innsbruck, Austria.
Commercial Register: FN 581798 k, Landesgericht Innsbruck
Email: hello@memolio.io
We are the data controller under GDPR Article 4(7).
Section 2: What We Collect
- Name, email, and delivery address (for physical books)
- Photographs of the person the book is about (e.g. the grandparent), as well as photographs of family members such as their partner, children, and grandchildren who may appear in the story
- Biographical information and memories you share about the subject and their family
- Appearance details you choose to share about the people in the book (optional free text, alongside the photos you upload). Because such details may reveal special-category data — for example ethnicity — we process them only on your explicit, separate consent (GDPR Article 9(2)(a)). If provided, they are stored as part of your book record to guide and correct the illustrations
- WhatsApp phone number (only if you used our legacy WhatsApp channel, now being wound down)
- Order and payment data
- Voice recordings, if you use the optional audio-dictation feature on the web form (sent for transcription into text)
Section 3: How We Use Your Data & AI Processing
3.1 Legal Basis for Processing
- Contract Performance (GDPR Article 6(1)(b)): For order fulfilment
- Explicit Consent (GDPR Article 9(2)(a)): For any special-category data you choose to share — for example appearance details that may reveal ethnicity
- Legitimate Interest (GDPR Article 6(1)(f)): For service improvement
3.2 Text Generation
Your biographical information and memories are sent to Anthropic (the Claude API, US servers) to generate the story text. Anthropic does not use API data to train its models. API inputs and outputs are automatically deleted after a short retention period (currently up to 30 days) used only for trust-and-safety and abuse monitoring. This processing is governed by Anthropic's Commercial Terms of Service and Data Processing Addendum.
3.3 Photo Analysis
Your photographs — including photos of the grandparent and any family members you provide (partner, children, grandchildren) — are analysed by Anthropic's Claude vision models (US servers) to generate character descriptions for use in the illustrations. The same terms apply: the photos are not used for model training and are deleted after the short retention period.
3.4 Image Generation
The illustrations in your book are generated using Seedream v4.5, an AI image generation model developed by ByteDance. We access this model through BytePlus Pte. Ltd. (Singapore), ByteDance's international technology platform.
To create illustrations that resemble the person the book is about, we send BytePlus a text description of the scene and one or more reference photographs of the subject (in the relevant life stage) and, where applicable, their partner and any children. This is what allows the AI to render a recognisable likeness on each page. Photographs are used solely for this purpose and are not used to train AI models.
We do not send complete intake documents or identity documents to BytePlus — only the photographs needed to illustrate a specific page, together with the scene description.
Where the photographs submitted reveal or may be used to infer ethnicity, skin tone, or other characteristics covered by GDPR Art. 9, we rely on your explicit, separate consent (Art. 9(2)(a) GDPR), collected during the intake process.
BytePlus applies a content pre-filter to the material we send, to screen for unsafe content. Where this filter flags potentially risky content, BytePlus retains the related logs and the filtered content for a limited period on servers in Malaysia or Singapore, in line with its published Content Pre-filter terms, in order to operate and troubleshoot the safety feature.
3.5 Audio Transcription
If you use the optional voice-dictation feature on the web form, the audio you record is sent to Eleven Labs, Inc. (US servers) and transcribed into text, so you don't have to type your answers. The audio is used only to produce that transcript.
3.6 Payments
Payments are handled by Stripe (Stripe Payments Europe, Ltd., Ireland). When you pay, your card and billing details are submitted directly to Stripe; we never see or store your full card number.
Section 4: Who Processes Your Data (Processor List)
| Processor | Service | Location | DPA Status |
|---|---|---|---|
| Anthropic, PBC | Story text generation & photo analysis (Claude models) | USA | ✅ Covered (Commercial Terms + DPA; no training, short retention) |
| BytePlus Pte. Ltd. | AI image generation (Jimeng API / Seedream v4.5) & content pre-filter | Singapore (pre-filter logs: Malaysia / Singapore) | ✅ Covered (DPA with EU SCCs) |
| Twilio Inc. | WhatsApp messaging (legacy channel, being wound down) | USA | ✅ Covered (DPA in ToS) |
| Cloudinary Ltd. | Image hosting | USA (AWS) | ✅ Covered (paid plan DPA) |
| Supabase, Inc. | Database (book records, order data, questionnaire responses) | EU (Ireland) | ✅ DPA signed |
| Amazon Web Services | PDF storage | EU (Frankfurt) | ✅ Covered (DPA in agreement) |
| Google LLC | Order tracking (Sheets), Email (Gmail) | USA | ✅ Covered (CDPA in ToS) |
| n8n GmbH | Workflow automation | Germany | ✅ Covered (DPA in ToS) |
| CloudPrinter B.V. | Print fulfilment | Netherlands + partners | ✅ Signed DPA |
| Meta Platforms Ireland Ltd. | WhatsApp message delivery (sub-processor of Twilio) — legacy channel | Ireland (EU) | ✅ Covered (Twilio sub-processor) |
| PDFShift SAS | PDF rendering | France (EU) | ✅ Covered (DPA on request, EU-based) |
| Netlify, Inc. | Website hosting | USA (CDN global) | ✅ Covered (DPA + SCCs) |
| Stripe Payments Europe, Ltd. | Payment processing (checkout, card & billing data) | Ireland (EU) | ✅ Covered (DPA + SCCs) |
| Eleven Labs, Inc. | Voice-to-text transcription of optional web-form audio dictation | USA | ✅ Covered (DPA + SCCs + EU-US DPF) |
| Meta Platforms Ireland Ltd. | Advertising & conversion measurement (Meta Pixel) — consent only | Ireland (EU); USA (Meta Platforms, Inc.) | ⚠️ Loads only after you Accept cookies |
| Google Ireland Ltd. / Google LLC | Website analytics (Google Analytics 4) — consent only | Ireland (EU); USA | ⚠️ Loads only after you Accept cookies |
| Pinterest Europe Ltd. | Advertising & conversion measurement (Pinterest Tag) — consent only | Ireland (EU); USA (Pinterest, Inc.) | ⚠️ Loads only after you Accept cookies |
| Klaviyo, Inc. | Email marketing & onsite activity (Klaviyo) — consent only | USA | ⚠️ Loads only after you Accept cookies |
Section 5: International Transfers
Some of your data is transferred outside the EU for processing — to the USA (e.g. Anthropic, Eleven Labs, Twilio, Cloudinary, Google) and to Singapore / Malaysia (BytePlus image generation and its content pre-filter logs). We rely on:
- EU Standard Contractual Clauses (SCCs) with each non-EU processor (including BytePlus)
- EU-US Data Privacy Framework where the processor is certified
We have assessed the transfer risks and consider them acceptable given the nature of the data and the safeguards in place.
Section 6: How Long We Keep Your Data
- Photos and generated images (Cloudinary): 90 days after book delivery, then deleted
- Digital PDF (AWS S3): Automatically deleted 90 days after creation
- Book and page records (Supabase): Personal data anonymised 90 days after delivery. Financial/order metadata retained for 7 years (Austrian tax law, BAO § 132)
- Order records (Google Sheets): 7 years (Austrian tax law, BAO § 132)
- WhatsApp messages (Twilio): Message records deleted 90 days after creation. Media attachments deleted within 30 days thereafter
- Email correspondence (Gmail): Retained for the duration of the business relationship plus 3 years (Austrian limitation period, § 1489 ABGB)
- n8n execution logs: 30 days (automatic)
- Appearance details (Art. 9 data): Any optional appearance details you share that may reveal special-category data are stored as part of your book record for the 90-day retention period to guide and correct the illustrations. Anonymised along with other personal data after 90 days
Section 7: Marketing Communications
If you join our waitlist, request a free sample, or sign up via any of our forms, we treat the resulting emails in two distinct ways:
7.1 Transactional emails
When you request something specific — a sample illustration, a launch notification — we send you the thing you asked for, plus any directly related follow-up (e.g. a sample-expiry reminder, a launch announcement when ordering opens). These are transactional emails: we send them under Article 6(1)(b) GDPR (contract performance) or Article 6(1)(f) (legitimate interest), and you cannot opt out of them while the underlying request is active. They will stop once the request is fulfilled or withdrawn.
7.2 Marketing emails
We will only send you ongoing promotional content — special offers, product updates, drip sequences, content highlights — if you have given us explicit, separate, opt-in consent by ticking the marketing-consent checkbox at point of collection (Article 6(1)(a) GDPR + § 7 UWG (Austria) / Reg. 22 PECR (UK)).
For each consent record, we store: the boolean choice you made, the timestamp, and the version of the consent wording you saw. You can request a copy of this audit trail at any time.
7.3 Withdrawing consent
You can withdraw your consent at any time, with immediate effect, by:
- Clicking the unsubscribe link in any marketing email we send you
- Emailing us at hello@memolio.io with the subject line "unsubscribe"
Withdrawal does not affect the lawfulness of any processing carried out before withdrawal.
7.4 Retention of marketing data
Email addresses on the waitlist are retained until the launch, plus 12 months thereafter, or until withdrawal of consent — whichever comes first. Once you withdraw consent we keep a minimal "do-not-contact" record (your email + the fact that you withdrew) for 30 days, after which the email is removed from our systems. Sample-related contact data follows the schedule in Section 6.
Section 8: Your Rights
Under GDPR, you have the right to:
- Access (Art. 15): Obtain a copy of your personal data
- Rectification (Art. 16): Correct inaccurate data
- Erasure (Art. 17): Request deletion ("right to be forgotten")
- Restrict Processing (Art. 18): Limit how we use your data
- Data Portability (Art. 20): Receive your data in a portable format
- Object (Art. 21): Object to certain processing
To exercise any right, email hello@memolio.io. We will respond within 30 days.
You also have the right to lodge a complaint with the Austrian Data Protection Authority: dsb.gv.at
Section 9: Children's Data
We do not knowingly collect data directly from children under 16. However, the storybook may include photographs of children (for example grandchildren) as family members. All such photographs of children must be submitted by a parent or legal guardian with appropriate authority and consent.
Photographs of children are not required — you can describe their appearance in text instead and your book will still be created.
Section 10: AI Transparency
All text and illustrations are generated by artificial intelligence. No human author or illustrator is involved.
We use:
- Anthropic Claude (Opus, Sonnet and Haiku models) for story generation and photo analysis
- Seedream v4.5 (via BytePlus Jimeng API) for illustration generation
This disclosure is made in accordance with the EU AI Act (Regulation (EU) 2024/1689), Article 50.
Section 11: Changes to This Policy
We may update this policy at any time. Changes will be posted on this page with an updated date. Your continued use of our service constitutes acceptance of the updated policy.
Section 12: Contact
The Egg Consultancy GmbH
hello@memolio.io
Section 13: Cookies and Tracking
On your first visit to memolio.io a cookie consent banner records your choice (Accept or Decline). Your choice is stored in your browser's localStorage under the key memolio_cookie_consent — it is not transmitted to our servers and is not linked to any account. You can change your choice at any time using the link at the end of this section.
Strictly necessary cookies / storage. These are always active and do not require consent. They include the consent record itself (localStorage key memolio_cookie_consent) and a strictly-necessary __cf_bm bot-protection cookie that our network provider (Cloudflare) may set under ePrivacy guidance. Our website host (Netlify) also collects standard web server logs (IP addresses, user agents, timestamps) for normal hosting operations, processed under Netlify's own privacy policy.
Analytics & marketing cookies (consent required). If — and only if — you click Accept on the cookie banner, we load analytics and marketing tools from the following providers. If you click Decline, none of these are loaded and no requests are sent to them. You can withdraw your consent at any time via the “Cookie settings” link below, which stops further loading.
- Meta Pixel (Meta Platforms Ireland Ltd.) — measures the effectiveness of our Facebook/Instagram advertising. Meta Privacy Policy
- Google Analytics 4 (Google Ireland Ltd. / Google LLC) — understands how visitors use the site. We run it with IP anonymisation enabled and Google Signals (cross-device advertising) disabled. Google Privacy Policy
- Pinterest Tag (Pinterest Europe Ltd.) — measures the effectiveness of our Pinterest advertising. Pinterest Privacy Policy
- Klaviyo (Klaviyo, Inc.) — onsite activity tracking for our email marketing. Klaviyo Privacy Policy
Typical cookies set by these tools once you accept:
| Cookie | Set by | Purpose | Typical duration |
|---|---|---|---|
_fbp | Meta Pixel | Advertising / conversion measurement | ~3 months |
_ga, _ga_* | Google Analytics 4 | Distinguish users / sessions (analytics) | up to 2 years |
_pin_unauth, _pinterest_ct_* | Pinterest Tag | Advertising / conversion measurement | ~1 year |
__kla_id | Klaviyo | Onsite activity / email attribution | ~2 years |
Legal basis. Analytics and marketing cookies are loaded only on the basis of your consent under Art. 6(1)(a) GDPR (and § 25(1) TTDSG / the equivalent ePrivacy provision). Consent is voluntary and can be withdrawn at any time with effect for the future, without affecting the lawfulness of processing carried out before withdrawal.
International transfers. Meta, Google, Pinterest and Klaviyo may process data in the USA. Where the provider is certified under the EU–US Data Privacy Framework (this currently includes Meta, Google and Klaviyo), transfers are covered by that adequacy decision; otherwise they are based on EU Standard Contractual Clauses. Accepting these cookies means accepting that your data may be transferred to and processed in the USA.