Privacy Policy
How we handle your data — plain English version
Last updated: 20 April 2026
Section 1: Who We Are
The Egg Consultancy GmbH, Ing.-Etzelstraße 23/Top 2, 6020 Innsbruck, Austria.
Commercial Register: FN 581798 k, Landesgericht Innsbruck
Email: hello@memolio.io
We are the data controller under GDPR Article 4(7).
Section 2: What We Collect
- Name, email, and delivery address (for physical books)
- Photographs of the person the book is about (e.g. the grandparent), as well as photographs of family members such as their partner, children, and grandchildren who may appear in the story
- Biographical information and memories you share about the subject and their family
- Appearance and ethnicity descriptions (optional, sensitive data under GDPR Article 9 — collected only with your explicit, separate consent. If provided, stored as part of your book record to enable illustration corrections)
- WhatsApp phone number (if using WhatsApp channel)
- Order and payment data
Section 3: How We Use Your Data & AI Processing
3.1 Legal Basis for Processing
- Contract Performance (GDPR Article 6(1)(b)): For order fulfilment
- Explicit Consent (GDPR Article 9(2)(a)): For processing ethnicity and other sensitive data
- Legitimate Interest (GDPR Article 6(1)(f)): For service improvement
3.2 Text Generation
Your biographical information and memories are sent to OpenAI's GPT API (US servers) to generate the story. OpenAI does NOT retain API data or use it for training. This is covered by OpenAI's zero-retention business API policy.
3.3 Photo Analysis
Your photographs — including photos of the grandparent and any family members you provide (partner, children, grandchildren) — are analysed by OpenAI's vision API to generate character descriptions for use in the illustrations. The same zero-retention policy applies.
3.4 Image Generation
The illustrations in your book are generated using Seedream v4.5, an AI image generation model developed by ByteDance. We access this model through BytePlus Pte. Ltd. (Singapore), ByteDance's international technology platform.
To create illustrations that resemble the person the book is about, we send BytePlus a text description of the scene and one or more reference photographs of the subject (in the relevant life stage) and, where applicable, their partner and grandchildren. This is what allows the AI to render a recognisable likeness on each page. Photographs are used solely for this purpose and are not used to train AI models.
We do not send complete intake documents or identity documents to BytePlus — only the photographs needed to illustrate a specific page, together with the scene description.
Where the photographs submitted reveal or may be used to infer ethnicity, skin tone, or other characteristics covered by GDPR Art. 9, we rely on your explicit, separate consent (Art. 9(2)(a) GDPR), collected during the intake process.
Section 4: Who Processes Your Data (Processor List)
| Processor | Service | Location | DPA Status |
|---|---|---|---|
| OpenAI, Inc. | Text generation, photo analysis | USA | ✅ Covered (DPA + zero retention) |
| BytePlus Pte. Ltd. | AI image generation (Jimeng API / Seedream v4.5) | Singapore | ✅ Covered (DPA with EU SCCs) |
| Twilio Inc. | WhatsApp messaging | USA | ✅ Covered (DPA in ToS) |
| Cloudinary Ltd. | Image hosting | USA (AWS) | ✅ Covered (paid plan DPA) |
| Supabase, Inc. | Database (book records, order data, questionnaire responses) | EU (Ireland) | ✅ DPA signed |
| Amazon Web Services | PDF storage | EU (Frankfurt) | ✅ Covered (DPA in agreement) |
| Google LLC | Order tracking (Sheets), Email (Gmail) | USA | ✅ Covered (CDPA in ToS) |
| n8n GmbH | Workflow automation | Germany | ✅ Covered (DPA in ToS) |
| CloudPrinter B.V. | Print fulfilment | Netherlands + partners | ✅ Signed DPA |
| Meta Platforms Ireland Ltd. | WhatsApp message delivery (sub-processor of Twilio) | Ireland (EU) | ✅ Covered (Twilio sub-processor) |
| Typeform S.L. | Web intake form (secondary channel) | Spain (EU) | ✅ Covered (DPA via account settings) |
| PDFShift SAS | PDF rendering | France (EU) | ✅ Covered (DPA on request, EU-based) |
| Netlify, Inc. | Website hosting | USA (CDN global) | ✅ Covered (DPA + SCCs) |
Section 5: International Transfers
Your data is transferred to the USA for processing. We rely on:
- EU Standard Contractual Clauses (SCCs) with each US processor
- EU-US Data Privacy Framework where the processor is certified
We have assessed the transfer risks and consider them acceptable given the nature of the data and the safeguards in place.
Section 6: How Long We Keep Your Data
- Photos and generated images (Cloudinary): 90 days after book delivery, then deleted
- Digital PDF (AWS S3): Automatically deleted 90 days after creation
- Book and page records (Supabase): Personal data anonymised 90 days after delivery. Financial/order metadata retained for 7 years (Austrian tax law, BAO § 132)
- Order records (Google Sheets): 7 years (Austrian tax law, BAO § 132)
- WhatsApp messages (Twilio): Message records deleted 90 days after creation. Media attachments deleted within 30 days thereafter
- Email correspondence (Gmail): Retained for the duration of the business relationship plus 3 years (Austrian limitation period, § 1489 ABGB)
- n8n execution logs: 30 days (automatic)
- Ethnicity descriptions: If provided, stored as part of your book record in our database for the 90-day retention period to enable illustration corrections. Anonymised along with other personal data after 90 days
Section 7: Marketing Communications
If you join our waitlist, request a free sample, or sign up via any of our forms, we treat the resulting emails in two distinct ways:
7.1 Transactional emails
When you request something specific — a sample illustration, a launch notification — we send you the thing you asked for, plus any directly related follow-up (e.g. a sample-expiry reminder, a launch announcement when ordering opens). These are transactional emails: we send them under Article 6(1)(b) GDPR (contract performance) or Article 6(1)(f) (legitimate interest), and you cannot opt out of them while the underlying request is active. They will stop once the request is fulfilled or withdrawn.
7.2 Marketing emails
We will only send you ongoing promotional content — special offers, product updates, drip sequences, content highlights — if you have given us explicit, separate, opt-in consent by ticking the marketing-consent checkbox at point of collection (Article 6(1)(a) GDPR + § 7 UWG (Austria) / Reg. 22 PECR (UK)).
For each consent record, we store: the boolean choice you made, the timestamp, and the version of the consent wording you saw. You can request a copy of this audit trail at any time.
7.3 Withdrawing consent
You can withdraw your consent at any time, with immediate effect, by:
- Clicking the unsubscribe link in any marketing email we send you
- Emailing us at hello@memolio.io with the subject line "unsubscribe"
Withdrawal does not affect the lawfulness of any processing carried out before withdrawal.
7.4 Retention of marketing data
Email addresses on the waitlist are retained until the launch, plus 12 months thereafter, or until withdrawal of consent — whichever comes first. Once you withdraw consent we keep a minimal "do-not-contact" record (your email + the fact that you withdrew) for 30 days, after which the email is removed from our systems. Sample-related contact data follows the schedule in Section 6.
Section 8: Your Rights
Under GDPR, you have the right to:
- Access (Art. 15): Obtain a copy of your personal data
- Rectification (Art. 16): Correct inaccurate data
- Erasure (Art. 17): Request deletion ("right to be forgotten")
- Restrict Processing (Art. 18): Limit how we use your data
- Data Portability (Art. 20): Receive your data in a portable format
- Object (Art. 21): Object to certain processing
To exercise any right, email hello@memolio.io. We will respond within 30 days.
You also have the right to lodge a complaint with the Austrian Data Protection Authority: dsb.gv.at
Section 9: Children's Data
We do not knowingly collect data directly from children under 16. However, the storybook may include photographs of grandchildren or other children as family members. All such photographs must be submitted by a parent or legal guardian with appropriate authority and consent.
Photographs of grandchildren are not required — you can describe their appearance in text instead and your book will still be created.
Section 10: AI Transparency
All text and illustrations are generated by artificial intelligence. No human author or illustrator is involved.
We use:
- OpenAI GPT for story generation and photo analysis
- Seedream v4.5 (via BytePlus Jimeng API) for illustration generation
This disclosure is made in accordance with the EU AI Act (Regulation (EU) 2024/1689), Article 50.
Section 11: Changes to This Policy
We may update this policy at any time. Changes will be posted on this page with an updated date. Your continued use of our service constitutes acceptance of the updated policy.
Section 12: Contact
The Egg Consultancy GmbH
hello@memolio.io
Section 13: Cookies and Tracking
On your first visit to memolio.io a cookie consent banner records your choice (Accept or Decline). Your choice is stored in your browser's localStorage under the key memolio_cookie_consent — it is not transmitted to our servers and is not linked to any account. You can change your choice at any time using the link at the end of this section.
Today Memolio does not use analytics cookies, advertising cookies, or third-party tracking pixels. We do not use Google Analytics, Meta Pixel, or any similar service. The banner exists so that — should we add analytics in the future — your consent has already been collected lawfully and you have a clear way to withdraw it.
Our website host (Netlify) collects standard web server logs (IP addresses, user agents, timestamps) for normal hosting operations. These are processed under Netlify's own privacy policy and are not linked to any Memolio user account. Our network provider (Cloudflare) may set a strictly-necessary __cf_bm cookie for bot protection; under ePrivacy guidance this does not require consent.