1. Data Controller
The controller responsible for processing your personal data within the meaning of the General Data Protection Regulation (GDPR) is:
2. Data We Collect and Why
2.1 Account Data
When you register, we collect your email address. If you sign in via a third-party provider (Google or Apple OAuth), we also receive your name and, where available, your profile picture.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 6(1)(f) GDPR (legitimate interest in secure authentication).
2.2 Book Content and Photos
We store all books and their content that you create — including text, titles, configurations, and uploaded photos. This data is required to provide the core service.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
2.3 Payment Data
Payment data is processed exclusively by our payment provider Stripe. iOS in-app purchases are handled via Apple In-App Purchase; Android in-app purchases via Google Play In-App Billing. We do not store full payment data on our servers.
Legal basis: Art. 6(1)(b) GDPR (contract performance); Art. 6(1)(c) GDPR (legal obligation).
2.4 Usage Statistics
We collect anonymised usage statistics (e.g. pages visited, features used, error messages) to improve the app. These data cannot be traced back to you individually and are not shared with ad networks.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving the service).
2.5 Print Orders
When you order a physical book, we transmit your name and delivery address to our print service provider Lulu Direct to enable production and shipping.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
3. Third-Party Providers and Data Transfers
OpenAI
For AI-powered book creation we use the OpenAI API (GPT-4o). Your inputs (texts, prompts) are transmitted to OpenAI for processing. OpenAI processes data in the USA; the transfer is based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
Supabase
Our database and authentication run on Supabase (PostgreSQL). Your data is stored on servers within the EU.
Stripe
Payments on the web platform and Android are processed via Stripe. Stripe is PCI-DSS certified. EU Standard Contractual Clauses apply for US-based processing.
Apple (iOS)
In-app purchases and subscriptions in the iOS app are processed via Apple In-App Purchase.
Google (Android)
In-app purchases and subscriptions in the Android app are processed via Google Play In-App Billing.
Lulu Direct
For physical book printing and shipping we use Lulu Direct. Name and delivery address are transmitted for this purpose.
4. International Data Transfers
Data may be transferred to countries outside the European Economic Area (EEA), in particular to OpenAI (USA) and Lulu Direct (USA). Each transfer is based on the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR or another appropriate safeguard mechanism. We will provide the relevant documents upon request.
5. Data Storage and Security
Your data is stored on secure servers within the EU. All transmissions are encrypted via HTTPS. Access to personal data is restricted to authorised personnel. Passwords are stored exclusively in hashed form (Argon2 / bcrypt).
6. Retention Periods
Personal data is stored only as long as necessary for the respective processing purposes or as required by statutory retention obligations:
- Account data: until account deletion
- Book content and photos: until deleted by you or upon account deletion
- Invoices and tax-relevant documents: 10 years, pursuant to statutory retention obligations
- Anonymised usage statistics: indefinitely (no personal reference)
7. Cookies
We use only technically necessary cookies for authentication (session tokens). No tracking or advertising cookies are used. No consent is therefore required (§ 25(2)(2) TTDSG).
8. Your Rights as a Data Subject
You have the following rights with regard to your personal data:
- Access (Art. 15): You may request information about the data we hold about you at any time.
- Rectification (Art. 16): You may have inaccurate data corrected at any time.
- Erasure (Art. 17): You may request the deletion of your account and all associated data.
- Restriction (Art. 18): Under certain conditions, you may request restriction of processing.
- Portability (Art. 20): You may export your data in a machine-readable format.
- Objection (Art. 21): You may object to processing based on our legitimate interests.
- Withdrawal (Art. 7(3)): You may withdraw any consent given at any time without giving reasons.
To exercise your rights, please contact info@bookcraft.dev. We will process your request within one month (Art. 12(3) GDPR).
9. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data (Art. 77 GDPR). The responsible authority depends on your habitual residence, place of work, or the place of the alleged infringement.
10. Account Deletion
You may permanently delete your account at any time via Settings → “Delete account”. The following will be deleted:
- All books and content you have created
- Your account data (email, name)
- All uploaded photos and media
- Your usage history
Statutory retention obligations (e.g. 10 years for invoices) remain unaffected.
11. Automated Decision-Making
We do not use automated decision-making within the meaning of Art. 22 GDPR that would have a legal or similarly significant effect on you.
12. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy as needed to reflect changes in legal requirements or our services. For material changes, we will notify you by email or via an in-app notice.
13. Contact
For data protection enquiries and to exercise your rights, please contact:
© 2026 Bookcraft. All rights reserved.