Privacy Policy
Information about how we process personal data at Little Hero.
1. Who Is Responsible
Little Hero Studios UG (haftungsbeschränkt)
Fregestraße 23
04105 Leipzig
Germany
Contact for privacy questions: info@little-hero.app
We have not appointed a data protection officer because we are not currently required to do so by law.
2. What We Process
Little Hero creates personalized children's books. We process only the data needed to run accounts, create books, handle payments, keep the service safe, provide support, or honor your choices.
- Account data: email address, login data, language settings, and customer status.
- Book creation data: child and family details you provide, story ideas, uploaded photos, descriptions, generated portraits, book pages, audio, and project metadata.
- Payment data: payment status, invoices, contract data, customer IDs, and transaction references. Full card details are processed directly by Stripe.
- Email data: email address, delivery status, transactional emails, newsletters, product emails, and related consent records.
- Technical and security data: IP address, browser and device information, log data, error reports, abuse-prevention data, and rate-limit data.
- Analytics data: product and usage events via PostHog as described below.
3. Children's Photos
Photos of children are sensitive. They may only be uploaded by a parent, legal guardian, or another person with the required permission. We do not use photos for identification, facial recognition, or biometric matching.
The uploaded original photo is processed so we can create an illustrated portrait and recognizable book illustrations. We do not keep the original photo as a permanent original file in our database or image storage. During processing, it may be technically necessary to send the photo to AI service providers.
If, in an exceptional case, a photo reveals special categories of personal data under Article 9 GDPR, we process that data only with explicit consent.
More detail: How we protect your child's photo
4. Purposes and Legal Bases
- Providing the service: contract performance or pre-contractual steps, Article 6(1)(b) GDPR.
- Photo processing and optional features: consent, Article 6(1)(a) GDPR; for special categories, also Article 9(2)(a) GDPR.
- Payments, accounting, and taxes: contract performance and legal obligations, Article 6(1)(b) and (c) GDPR.
- Security, error analysis, abuse prevention, and server billing checks: legitimate interests, Article 6(1)(f) GDPR.
- Newsletter and browser analytics: consent, Article 6(1)(a) GDPR.
5. Service Providers and Recipients
We work with service providers that receive data only for the task they perform. Depending on the feature, these categories and providers may be involved:
Hosting, database, and storage
Vercel for hosting, Supabase for authentication and database, and Cloudflare for CDN, security, R2 image storage, Workers, AI Gateway, and image processing.
AI and media processing
Google Gemini, OpenAI, xAI, KIE.ai, Replicate, and Cloudflare Workers AI / AI Gateway may be used where needed for text, image, audio, previews, upscaling, or security. We send only the data needed for the relevant processing step and minimize or pseudonymize content where reasonably possible.
Payments, email, and optional print orders
Stripe processes payments and subscriptions. Resend sends transactional emails, newsletters, and consent emails. If you order a printed book, print files and delivery details may be sent to Gelato for production and shipping.
Product analytics
PostHog browser analytics are loaded only if you accept analytics in the cookie banner. We also record selected payment and account events in PostHog server-side so purchases, refunds, and subscriptions can be tracked reliably. These server-side events do not set cookies in your browser.
6. Cookies and Local Storage
We use technically necessary cookies and local storage without separate consent where they are needed for login, security, language settings, cookie choices, checkout, restoring ongoing projects, and abuse prevention.
Analytics cookies and PostHog local storage are set only after you accept analytics. You can withdraw your consent at any time for the future.
7. AI, Training, and Automated Decisions
We do not use your content to train our own AI models. For external AI API services, we use business/API settings and contracts where available under which inputs and outputs are not used for model training. Some providers may retain inputs briefly to provide the service, keep it secure, or prevent abuse.
We do not make automated decisions under Article 22 GDPR that have legal or similarly significant effects on you or your child.
8. International Transfers
Some service providers are based outside the EU/EEA or process data there. Where required, we rely on adequacy decisions, the EU-U.S. Data Privacy Framework, standard contractual clauses, or comparable safeguards under Articles 44 et seq. GDPR.
9. Retention and Deletion
- We store accounts, projects, portraits, books, and audio until you delete them, delete your account, or the data is no longer needed for the contract.
- We do not keep original photos as permanent original files in our database or image storage.
- Payment, invoice, and accounting data is kept for the statutory retention periods.
- Technical logs, security data, and analytics data are kept only as long as needed for security, error analysis, records, or the relevant feature.
- When you delete your account, we delete related project and image data unless legal retention duties prevent deletion.
10. Your Rights
Under the GDPR, you may have rights to access, correct, delete, restrict, transfer, and object to the processing of your personal data. You may withdraw consent at any time for the future.
To exercise your rights, email info@little-hero.app.
11. Complaints
You may complain to a data protection supervisory authority. For Little Hero, the relevant authority is in particular:
Saxon Data Protection and Transparency Commissioner
Devrientstraße 5, 01067 Dresden, Germany
www.datenschutz.sachsen.de
12. Changes
We update this Privacy Policy if our service, our providers, or the legal situation changes.
Last updated: June 2026