Privacy Policy
Last updated: 7 March 2026
1. Who We Are
TripleGem Books ("we", "us", "our") creates personalised children's storybooks. We are committed to protecting your privacy and the privacy of your children. This policy explains how we collect, use, store, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Contact: For any data protection queries, please email us at hello@triplegembooks.com.
2. What Data We Collect
When you use our service, we may collect the following:
2.1 Order Information
- Your child's details: first name, age, gender, personality traits, and favourite things. These are used solely to create your personalised story.
- Appearance data: skin tone, hair colour, hair style, eye colour, and other physical features. Used to generate accurate illustrations.
- Photos: photographs of your child and any companions (optional). Used exclusively for AI illustration reference.
- Companion details: names, types, descriptions, and photos of companions included in the story.
- Dedication message: optional text printed inside the book.
2.2 Contact & Payment Information
- Email address: to send order confirmations, preview notifications, shipping updates, and occasional marketing (only with your consent).
- Payment details: processed securely by Stripe. We never see or store your card number, CVV, or full payment details.
- Shipping address: collected by our print partner at the point of fulfilment.
2.3 Newsletter Subscribers
- Email address: if you subscribe to our mailing list (e.g. via the discount pop-up), we store your email for marketing communications. You can unsubscribe at any time.
2.4 Technical Data
- IP address: hashed and stored temporarily for rate limiting and abuse prevention. We do not store your raw IP address.
- Usage data: anonymised analytics to improve our service (via Azure Application Insights).
3. How We Use Your Data
We use your data for the following purposes:
| Purpose | Lawful Basis |
|---|---|
| Creating your personalised storybook | Contract performance |
| Processing payment | Contract performance |
| Sending order updates & shipping notifications | Contract performance |
| Sending marketing emails (newsletter) | Consent |
| Preventing abuse & rate limiting | Legitimate interest |
| Monitoring & improving service reliability | Legitimate interest |
4. Children's Data
We take the privacy of children very seriously. Please note:
- We only collect children's data when a parent or legal guardian submits an order on their behalf.
- Children's data (name, age, appearance, photos) is used exclusively to create the personalised storybook and is never used for marketing or shared for advertising purposes.
- Uploaded photos of children are stored securely and are automatically deleted within 30 days of order completion. Photos are used solely as a reference for AI illustration generation.
- We do not knowingly collect data directly from children under 13.
5. Photo Handling & Security
We understand that sharing photos of your child requires trust. Here is how we handle them:
- Photos are uploaded over an encrypted (HTTPS) connection and stored in secure Azure Blob Storage.
- Access to photos is restricted via time-limited, signed URLs — they cannot be accessed publicly.
- Photos are used only to generate AI character reference images for your book's illustrations.
- Once image generation is complete, photos are scheduled for deletion. All customer-uploaded photos are permanently deleted within 30 days of order fulfilment.
- Photos are never shared with third parties for marketing, training, or any purpose beyond creating your book.
6. Third-Party Processors
We use the following trusted third-party services to deliver our product:
| Service | Purpose | Data Shared |
|---|---|---|
| OpenAI | Story text & illustration generation | Child's name, age, appearance description, illustration prompts, photos (for image generation) |
| Stripe | Payment processing | Email address, payment details (handled directly by Stripe) |
| Lulu | Book printing & fulfilment | Shipping address, book PDF |
| Microsoft Azure | Hosting, storage, email delivery | All order data (stored in UK/EU data centres) |
| Azure Communication Services | Transactional emails | Email address, email content |
All third-party processors are bound by their own privacy policies and data protection agreements. We only share the minimum data necessary for each service.
7. Data Retention
We retain your data only for as long as necessary:
| Data Type | Retention Period |
|---|---|
| Customer-uploaded photos | Deleted within 30 days of order fulfilment |
| Generated illustrations & story data | 12 months after order completion |
| Order records | 24 months, then anonymised |
| Newsletter subscriptions | Until you unsubscribe |
| Rate-limiting records (hashed IPs) | Automatically expire after 1 hour |
8. Your Rights
Under UK GDPR, you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct any inaccurate data.
- Erasure: Request deletion of your data (subject to legal obligations).
- Restriction: Ask us to limit how we use your data.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent (e.g. marketing), you can withdraw at any time.
To exercise any of these rights, please contact us at hello@triplegembooks.com. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
9. Cookies
Our website uses localStorage (not cookies) to remember preferences such as:
- Whether you have subscribed to the newsletter (to avoid showing the pop-up again).
- Your subscriber email (to pre-fill the order form).
We do not use tracking cookies or third-party advertising cookies. Azure Application Insights may use a session cookie for anonymised performance monitoring.
10. Security
We take appropriate technical and organisational measures to protect your data, including:
- All data transmitted over HTTPS (TLS encryption).
- Photos and files stored in encrypted Azure Blob Storage with access-controlled signed URLs.
- Payment processing handled entirely by Stripe (PCI DSS compliant) — we never handle card details.
- Admin access protected by Azure Active Directory authentication with role-based access control.
- Rate limiting and CSRF protection on all API endpoints.
- Server-side input validation and sanitisation on all user-submitted data.
11. International Transfers
Your data is primarily stored and processed in the United Kingdom and European Union (Azure UK South data centres). Some data may be processed by OpenAI (US-based) for story and illustration generation. Where data is transferred outside the UK/EU, appropriate safeguards are in place in accordance with UK GDPR requirements.
12. Changes to This Policy
We may update this policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically.