Privacy Policy
Last updated May 9, 2026
Who we are
Scribblebook turns family photos into printed personalized coloring books. Most of those photos are of children, and we treat that as the most important fact about our company. This policy explains, in plain language, what we collect, what we do and don't do with it, how long we keep it, and how to make us delete it.
The service is operated by Scribblebook, Inc. (“Scribblebook”, “we”, “us”). For privacy questions, requests, or complaints, email support@scribblebook.com.
What we collect
We collect three buckets of data, and nothing else.
1. Photos you upload. Every photo you add at /create is stored in our private storage, sent to our AI partner fal.ai for line-art conversion, and the result is stored alongside it. The line-art pages are assembled into a print-ready PDF and forwarded to Lulu Press. That is the entire path. We strip EXIF metadata (including GPS coordinates and camera identifiers) on upload and re-encode the image, so the file we keep does not carry the location or device fingerprints your phone embedded. We do not extract face geometry or store anything derived from a photo other than the line-art version and the assembled PDF.
2. Account and order information. Your email address, an optional display name, and — only when you place an order — a shipping address (passed to Lulu) and a contact email. For consent and abuse-prevention purposes we also record your IP address and user-agent at the moment you accept the upload consent checkbox. If you check out as a guest we link the order to a guest record so you can find it later, but you don't need to create an account.
3. Payment processor data. Card numbers, billing details, and similar payment information are collected and stored by Stripe under their own terms and security controls. Scribblebook never sees, stores, or logs your full card number, CVV, or bank credentials. We receive only an opaque payment intent ID and the amount, which we keep on the order record for accounting.
We do not buy data about you from anywhere else, we do not run third-party advertising trackers, and we do not run analytics on the contents of your photos.
What we DON’T do
These five promises are the core of the deal. They apply to every photo you upload, every account, and every order, and they are reflected in the contracts we hold with our sub-processors.
- We don't run face recognition. No face geometry, faceprints, embeddings, or biometric identifiers are extracted from your photos by us or by anyone we send them to.
- We don't train AI on your photos. Your images are used once to generate your book and are not added to training corpora — ours, fal.ai's, or anyone else's. This is contractually required of fal.ai.
- We don't enrich them with data from anywhere else. We never combine your photos or your child's name with data brokers, social graphs, or third-party datasets.
- We don't build a profile of your child. No persistent identifier, no cross-session linking, no behavioral record. Your child exists in our system only as part of one specific order.
- We don't sell them. Not to brokers, not to advertisers, not to anyone. There is no business model here that involves selling your data.
How long we keep your data
- Original photos: deleted 30 days after your book ships, or 30 days after upload if no order is placed.
- Generated coloring pages: deleted at 90 days.
- Print-ready PDFs: deleted at 180 days.
- Backups that may contain residual copies are purged within 14 days.
- Account-wide deletion, when you request it, completes within 7 days; you receive an email confirmation receipt within 24 hours.
- Financial records (order totals, Stripe payment intent IDs, tax records) are retained for 7 years to comply with U.S. tax law, but the shipping address, contact email, and any free-text fields are scrubbed on request — what we keep is enough to satisfy an auditor and not enough to identify a child.
At checkout you can opt in to a 90-day extension on photo retention. It's unchecked by default; if you don't tick the box, the standard 30-day window applies.
Sub-processor-specific retention: Sentry replays are kept 30 days with photo URLs scrubbed before send; PostHog analytics are kept 90 days with book IDs masked; Resend email bodies are retained 7 days; Lulu print files are deleted via Lulu's API once the printer confirms receipt.
Children’s privacy
Scribblebook is intended for adults — parents, grandparents, and legal guardians — ordering on behalf of children. We do not knowingly let children under 13 create accounts or upload photos themselves. Before any photo is uploaded, the adult must confirm: “I'm the parent or legal guardian of every child in these photos, and I have permission for any other people pictured.” That consent is recorded against your book record with a timestamp, the consent text version, your IP address, your user-agent, and the list of sub-processors named at the time. If we later add a sub-processor that wasn't on that list, we'll ask again — we won't quietly expand the scope.
We follow COPPA's verifiable-parental-consent framework: the adult is the account holder, the consent is logged, and any parent or guardian deletion request is honored within the timelines above. If you believe a child uploaded photos without an adult's consent, email support@scribblebook.com and we will delete the account and all associated data immediately.
Sub-processors
We use a small, named set of sub-processors. Each receives only the data category required to do its job. We have data processing agreements with each.
- Supabase — database, auth, file storage. Receives photos, account info, order metadata.
- fal.ai — AI line-art generation. Receives photos transiently; per our DPA, no training, deleted on schedule.
- Lulu Press — print and ship. Receives the print-ready PDF, shipping address, and contact email.
- Stripe — payment processing. Receives payment details, contact email, billing address.
- Resend — transactional email. Receives contact email and order metadata.
- Sentry — error tracking. Receives IP, user-agent, error context (photo URLs scrubbed).
- PostHog — product analytics. Receives IP, page views (book IDs masked).
- Vercel — application hosting. Receives request logs.
- Cloudflare Turnstile — bot/abuse prevention at upload. Receives IP and a browser challenge token.
When a sub-processor changes, we update this list and — for material changes — re-prompt for consent before processing further data on your account.
Your rights and how to exercise them
Wherever you live, you can ask us to show you what we have, fix what's wrong, or delete it.
- Access (GDPR Art. 15). Email support and we'll send you a machine-readable export of your account, books, orders, and consent records within 30 days.
- Correction (GDPR Art. 16). You can edit your name, email, and shipping address from /account. Anything not editable in-app, we'll fix on request.
- Erasure (GDPR Art. 17). Use the Delete my data button in /account (or for guests, the link in your most recent order email). The flow re-confirms via email, deletes storage objects and database rows, and cascades to fal.ai and Lulu (cancels the print job if not yet sent, otherwise deletes referenced print files). A receipt arrives within 24 hours; deletion completes within 7 days.
- California residents (CCPA / CPRA). You have the right to know, delete, correct, and opt out of “sale” or “sharing” — we don't sell or share your data, so opt-out is the default. We will not discriminate against you for exercising any of these rights.
- EU and UK residents (GDPR / UK GDPR). In addition to access, correction, and erasure, you have the right to data portability, the right to object to processing, and the right to lodge a complaint with your supervisory authority. For most EU residents that's your national Data Protection Authority; for the UK, the ICO.
International transfers
Our application and primary data stores are hosted in the United States. For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses with each sub-processor that may receive your data outside the EEA. While we work toward EU-region data residency, we may geo-block checkout for EU buyers; if checkout is open in your country, the SCCs apply. Email support for a copy.
Security
We do the basics, and we don't oversell what isn't built yet.
- Encryption at rest: photos, generated pages, and PDFs are stored with AES-256 server-side encryption.
- Encryption in transit: every connection uses HTTPS/TLS.
- Private buckets and signed URLs: photo storage buckets are private; in-app image rendering routes through a server-signed, short-lived URL proxy rather than raw storage URLs (currently rolling out).
- HMAC-signed guest sessions: guest checkout cookies are signed with a server secret so they can't be forged.
- Rate-limited APIs: upload, generation, and account endpoints are rate-limited per IP and per account.
- Consent audit log: every upload-consent acceptance is recorded with timestamp, text version, IP, user-agent, and sub-processor scope.
- Coming soon (Q3 2026): envelope encryption with per-book keys for original photos, and a user-facing photo-access log at /account/photos.
No system is perfectly secure. If you find a vulnerability, please email support@scribblebook.com with “SECURITY” in the subject line; we respond within 72 hours.
Breach notification
If a personal data breach occurs, we will notify the relevant supervisory authorities within 72 hours of becoming aware of it, per GDPR Article 33, and we will notify affected users by email without undue delay. Our internal sub-processor breach playbook keeps a customer-notification template, a regulator template, and the breach contact for every vendor on file so we can move fast.
Changes to this policy
If we make material changes — new sub-processor, new data category, longer retention, anything that affects what you agreed to — we'll email account holders, post an in-app banner on /create and /account, and update the Last updated date at the top. Minor edits (typos, clarifying language) we'll just publish with the date bump.
Contact us
Questions, requests, complaints, or just to talk to a human: support@scribblebook.com.