Privacy Policy
How we handle your data — plain English version
Last updated: 25 March 2026
Section 1: Who We Are
The Egg Consultancy GmbH, Ing.-Etzelstraße 23/Top 2, 6020 Innsbruck, Austria.
Commercial Register: FN 581798 k, Landesgericht Innsbruck
Email: theeggconsultancy@gmail.com
We are the data controller under GDPR Article 4(7).
Section 2: What We Collect
- Name, email, and delivery address (for physical books)
- Photographs of the person the book is about (e.g. the grandparent), as well as photographs of family members such as their partner, children, and grandchildren who may appear in the story
- Biographical information and memories you share about the subject and their family
- Appearance and ethnicity descriptions (optional, sensitive data under GDPR Article 9 — collected only with your explicit, separate consent. If provided, stored as part of your book record to enable illustration corrections)
- WhatsApp phone number (if using WhatsApp channel)
- Order and payment data
Section 3: How We Use Your Data & AI Processing
3.1 Legal Basis for Processing
- Contract Performance (GDPR Article 6(1)(b)): For order fulfilment
- Explicit Consent (GDPR Article 9(2)(a)): For processing ethnicity and other sensitive data
- Legitimate Interest (GDPR Article 6(1)(f)): For service improvement
3.2 Text Generation
Your biographical information and memories are sent to OpenAI's GPT API (US servers) to generate the story. OpenAI does NOT retain API data or use it for training. This is covered by OpenAI's zero-retention business API policy.
3.3 Photo Analysis
Your photographs — including photos of the grandparent and any family members you provide (partner, children, grandchildren) — are analysed by OpenAI's vision API to generate character descriptions for use in the illustrations. The same zero-retention policy applies.
3.4 Image Generation
Character descriptions and scene prompts are sent to Fal.ai (US servers), which runs Seedream v4.5, an open-weight AI model originally developed by ByteDance. Fal.ai downloaded the publicly available model weights and runs Seedream on its own US-based GPU servers.
Section 4: Who Processes Your Data (Processor List)
| Processor | Service | Location | DPA Status |
|---|---|---|---|
| OpenAI, Inc. | Text generation, photo analysis | USA | ✅ Covered (DPA + zero retention) |
| Fal.ai, Inc. | Image generation (Seedream v4.5) | USA | ⚠️ Being replaced |
| Twilio Inc. | WhatsApp messaging | USA | ✅ Covered (DPA in ToS) |
| Cloudinary Ltd. | Image hosting | USA (AWS) | ✅ Covered (paid plan DPA) |
| Supabase, Inc. | Database (book records, order data, questionnaire responses) | EU (Ireland) | ✅ DPA signed |
| Amazon Web Services | PDF storage | EU (Stockholm) | ✅ Covered (DPA in agreement) |
| Google LLC | Order tracking (Sheets), Email (Gmail) | USA | ✅ Covered (CDPA in ToS) |
| n8n GmbH | Workflow automation | Germany | ✅ Covered (DPA in ToS) |
| CloudPrinter B.V. | Print fulfilment | Netherlands + partners | ✅ Signed DPA |
Section 5: International Transfers
Your data is transferred to the USA for processing. We rely on:
- EU Standard Contractual Clauses (SCCs) with each US processor
- EU-US Data Privacy Framework where the processor is certified
We have assessed the transfer risks and consider them acceptable given the nature of the data and the safeguards in place.
Section 6: How Long We Keep Your Data
- Photos and generated images (Cloudinary): 90 days after book delivery, then deleted
- Digital PDF (AWS S3): Automatically deleted 90 days after creation
- Book and page records (Supabase): Personal data anonymised 90 days after delivery. Financial/order metadata retained for 7 years (Austrian tax law, BAO § 132)
- Order records (Google Sheets): 7 years (Austrian tax law, BAO § 132)
- WhatsApp messages (Twilio): Message records deleted 90 days after creation. Media attachments deleted within 30 days thereafter
- Email correspondence (Gmail): Retained for the duration of the business relationship plus 3 years (Austrian limitation period, § 1489 ABGB)
- n8n execution logs: 30 days (automatic)
- Ethnicity descriptions: If provided, stored as part of your book record in our database for the 90-day retention period to enable illustration corrections. Anonymised along with other personal data after 90 days
Section 7: Your Rights
Under GDPR, you have the right to:
- Access (Art. 15): Obtain a copy of your personal data
- Rectification (Art. 16): Correct inaccurate data
- Erasure (Art. 17): Request deletion ("right to be forgotten")
- Restrict Processing (Art. 18): Limit how we use your data
- Data Portability (Art. 20): Receive your data in a portable format
- Object (Art. 21): Object to certain processing
To exercise any right, email theeggconsultancy@gmail.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Austrian Data Protection Authority: dsb.gv.at
Section 8: Children's Data
We do not knowingly collect data directly from children under 16. However, the storybook may include photographs of grandchildren or other children as family members. All such photographs must be submitted by a parent or legal guardian with appropriate authority and consent.
Section 9: AI Transparency
All text and illustrations are generated by artificial intelligence. No human author or illustrator is involved.
We use:
- OpenAI GPT for story generation and photo analysis
- Seedream v4.5 (via Fal.ai) for illustration generation
This disclosure is made in accordance with the EU AI Act (Regulation (EU) 2024/1689), Article 50.
Section 10: Changes to This Policy
We may update this policy at any time. Changes will be posted on this page with an updated date. Your continued use of our service constitutes acceptance of the updated policy.
Section 11: Contact
The Egg Consultancy GmbH
theeggconsultancy@gmail.com