Child Data Policy
Last updated: May 2026
Operating entity: FJ Cognitive, LLC, California, USA. Applies to all YouVerseBooks products and services. This policy supplements our general Privacy Policy.
1. Scope
This policy describes how YouVerseBooks handles personal data about children when a parent or legal guardian commissions a personalized book.
YouVerseBooks is a service for adults purchasing a product for a child. We do not direct our service at children, we do not allow children to create accounts, and children do not interact with our website or app at any point. This distinction matters legally (COPPA applies to services directed at children) and operationally (we have no chat, social, or feedback features that children could use).
2. What We Collect About a Child
To personalize a book, we ask the purchasing parent or legal guardian for:
- The child's first name (or chosen nickname)
- The child's approximate age range, used to select age-appropriate text and themes
- The child's gender, used to depict the character and personalize the story text
- One photo of the child, used as art reference for the illustrated character
- Optionally, a dedication message
We do not collect: last name, date of birth, address (the shipping address belongs to the purchaser), school, medical information, or any data the child generates themselves.
3. Lawful Basis
We process child-related data on the basis of explicit parental consent, attested at checkout by an authenticated adult account holder. The adult account holder is the data subject for purposes of consent. The child is the data subject for purposes of the photograph and personalization data, which the adult provides on the child's behalf.
Under GDPR our processing relies on Article 6(1)(a) (consent) and Article 6(1)(b) (performance of the purchase contract). Because the child does not directly interact with our service and the consent is given by the holder of parental responsibility, the Article 8 child-consent thresholds are not the operative provision here.
Under COPPA (where applicable) we operate outside the regulation's scope because our service is not directed at children and we do not knowingly collect information from children themselves. All personalization data, including photographs, is submitted by an adult account holder acting on behalf of a child.
4. How the Photo Is Used
The uploaded photo is used as visual reference for an illustrator working with AI image-generation models. The output is an illustrated character, not a photographic likeness. The finished book contains illustrations only. The original photo is not printed, embedded, or distributed in any form.
Photos are passed to two categories of processor:
- Image-generation API providers (such as Google, fal.ai, WaveSpeed, and OpenAI) on commercial or enterprise API tiers. Under these terms, providers do not use customer images to train their models, and any provider-side storage is short-term and limited to operational and abuse-monitoring purposes. Images are not used for training, marketing, or any purpose beyond generating the ordered book.
- Prodigi, our print fulfillment partner, receives the final illustrated PDF only. Prodigi does not receive the source photo.
The photo is never used for model training, marketing material, sample galleries, social media, public display, or any purpose outside producing the specific book that was ordered.
5. Retention Schedule
| Data | Retention | Reason |
|---|---|---|
| Source photo (no order placed) | 24 hours from upload | Recovery of mid-flow uploads, then purged |
| Source photo (order placed) | 90 days after order completion | Production review and defect window |
| Illustrated character (final art) | 12 months after order completion | Reprints, gift redelivery, dispute review |
| Order receipt and shipping address | 7 years | US tax compliance |
| Account email and name | Until account deletion requested | User-controlled |
6. Storage and Security
- All uploaded photos are stored in Cloudflare R2, encrypted at rest, with access restricted to our production worker processes.
- Our database is encrypted at rest and accessible only via authenticated application code.
- Backups are encrypted and follow the same retention schedule.
- We do not store payment information. Payments are processed by our payment provider, which is PCI-DSS compliant.
7. Parental Controls
A parent or legal guardian may at any time:
- View the photos and illustrations associated with their account, in-app
- Request deletion of any uploaded photo, generated illustration, or the entire account, by emailing support@youversebooks.com or using in-app account deletion. Confirmed within 7 days.
- Withdraw consent for further processing. The underlying order can no longer be reprinted, but already-shipped books are unaffected.
- Request a portable copy of the data we hold, per GDPR Article 20
8. Sub-Processors
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Vercel | Frontend hosting, analytics, speed insights | Page traffic, session data, any information rendered or submitted through the website (including the child's first name in checkout) | US |
| Railway | Backend application hosting | All operational data | US |
| Cloudflare R2 | Encrypted storage of uploaded photos | Source photos, generated illustrations | Global edge |
| Google (Gemini API) | AI image generation | Source photo, text prompt | US |
| fal.ai | AI image generation | Reference image, text prompt | US |
| WaveSpeed AI | AI image generation | Reference image, text prompt | US |
| OpenAI | AI image generation | Source photo, text prompt | US |
| Prodigi | Print and ship final book | Final illustrated PDF, shipping address | UK |
| Resend | Transactional email delivery (order confirmations, status updates) | Parent email address, message body including the child's first name | US |
| Payment processor | Payment processing | Payment data, billing address | US |
| Google, Apple | OAuth identity | Email, name | US |
We will update this list before adding any new sub-processor that touches child-related data.
9. Breach Notification
In the event of a security incident affecting child-related data, we will notify affected parents by email within 72 hours of confirming the incident, and provide: scope of data affected, mitigations taken, and any recommended action.
10. International Transfers
Data may be transferred between the US, UK, and EU as part of normal operations. Where personal data is transferred outside the EU or UK, we use providers that offer recognized transfer safeguards, such as the EU Standard Contractual Clauses or the UK Addendum, under their data processing terms. Customers in jurisdictions with stricter data-localization requirements should contact us before ordering.
11. Updates to This Policy
Material changes to this policy will be announced by email to all account holders at least 30 days before taking effect. Non-material changes (clarifications, sub-processor list updates) will be reflected in the "Last updated" date above.
12. Contact
For any question about this policy, or about a child's data specifically, contact:
Email: support@youversebooks.com
For escalated concerns, the same address with the subject line "DPO request" will route to the founder directly.