Malbuch
Sign InSign Up

Privacy Policy

Last updated: 2026-04-30

1. Controller

The controller under Art. 4(7) GDPR is the operator named in the imprint. The email address listed there is also the primary contact for privacy requests.

2. Overview

Malbuch is a web app that lets parents create, store, print and manage AI-assisted coloring pages for their children. Children do not receive their own accounts; child profiles are managed under the parent account.

3. Data we process

  • Account data such as email address, name, language and login state.
  • Child profile data such as display name, age group, avatar and preferences.
  • Prompts, themes, styles, generated images, selected variants and usage counters.
  • Temporary source photos for the photo feature; originals are deleted after generation or failure.
  • Billing metadata handled through Stripe; we do not process full card numbers ourselves.
  • Email preferences, double-opt-in status, unsubscribe tokens and delivery logs.
  • Technical data such as request metadata, security logs, moderation events and cookieless analytics.

4. Purposes and legal bases

We process data to provide the app (Art. 6(1)(b) GDPR), handle billing and legal obligations (Art. 6(1)(b) and (c)), secure the service and prevent abuse (Art. 6(1)(f)), send optional emails based on consent (Art. 6(1)(a)), and understand product usage through cookieless analytics where legally permitted (Art. 6(1)(f)).

5. Hosting, storage and AI

The app runs on Vercel. Authentication, database, private file storage and background functions use Supabase. AI moderation, vision and image generation are routed through the Vercel AI Gateway and may involve providers such as OpenAI and Black Forest Labs. We configure AI use so that prompts and photos are not used to train provider models where contractually available.

6. Children and safety

Children use Malbuch only through profiles controlled by a parent or legal guardian. Parent verification, parent PINs, device trust, keyword filters and AI-assisted moderation help prevent unsafe use. Kids Mode contains no advertising and no behavioral targeting of children.

7. Cookies, analytics, payments and emails

We use strictly necessary cookies and local storage for login, language, parent security features and the cookie notice. Vercel Analytics provides cookieless page-view statistics. Payments and subscriptions are handled by Stripe. Optional onboarding, recap and win-back emails require consent and double opt-in; every non-essential email includes an unsubscribe link. The actual SMTP provider must be documented before launch.

8. Service providers and transfers

Recipients may include Vercel, Supabase, Stripe, Google for Google sign-in, AI model providers such as OpenAI and Black Forest Labs, and the configured email provider. Where required, we use data processing agreements. International transfers rely on adequacy decisions, standard contractual clauses or other safeguards under Art. 44 et seq. GDPR.

9. Retention

Account data is kept while the account exists and afterwards only as required by law or legitimate evidence needs. Unsaved generated images are deleted after 90 days. Saved images and child profiles stay until you delete them or close the account. Original uploaded photos are deleted after generation or failure. Billing and tax records may be retained for up to 10 years.

10. Your rights

You have rights of access, rectification, erasure, restriction, data portability, objection and withdrawal of consent under the GDPR. You may also lodge a complaint with a data protection authority. Contact us using the address in the imprint.

11. Automated decisions and changes

We do not make automated decisions with legal effect under Art. 22 GDPR. Automated moderation may block individual prompts for child safety. We update this policy when features, providers, legal requirements or processing activities change.