Privacy Policy

Effective 25 April 2026

Almia (ABN 25 380 435 979) is based in Sydney, New South Wales, Australia.

Almia (“we”, “our”, “us”) is committed to protecting the privacy of you and your family. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our website (almia.com.au, almia.au) and purchase our personalised children’s books. We handle personal information in line with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the New Zealand Privacy Act 2020, and applicable data protection laws. For a complete list of the service providers we work with and the data each one accesses, see our Subprocessor List at /privacy/subprocessors.

1. Information We Collect

1.1 Information You Provide Directly

When you create a book or interact with our services, we may collect:
• Parent or caregiver information: name, email address, phone number, shipping address, and payment information (processed securely by our payment provider).
• Child profile information: the child’s first name, nickname, age, interests, personality traits, and any themes or messages you choose for the story.
• Child photograph: a photo of the child that you upload to personalise the book’s illustrations.
• Account information: email address and password if you create an account.
• Communications: any messages or feedback you send us.

1.2 Information Collected Automatically

When you visit our website, we may automatically collect:
• Device information (browser type, operating system, screen resolution).
• IP address and approximate location.
• Pages visited, time spent on pages, and referral sources.
• Cookies and similar technologies (see Section 8 below).

2. How We Use Your Information

We use your personal information for the following purposes:
• To create your personalised book: the child’s name, profile details, and photograph are processed by our AI partners to generate a unique story and illustrations tailored to the child.
• To fulfil your order: your contact and shipping details are used to produce, ship, and deliver the book.
• To process payment: payment details are transmitted securely to our payment provider. We do not store your card details.
• To communicate with you: we send order confirmations, shipping updates, and respond to your enquiries by email.
• To improve our service: we may analyse aggregated, de-identified usage data to improve our website, product quality, and customer experience.
• To comply with legal obligations: we may use or disclose information where required by law or to protect our legal rights.

We will not use your personal information for purposes other than those described above without your consent.

3. AI Processing and How Our Partners Handle Your Data

Almia uses AI to create your personalised book. We use two AI partners under their commercial API terms:
• Anthropic, PBC (United States): text generation and quality review.
• Google LLC (United States): image processing.

Your child’s photograph: We share it only with Google for image processing. We do not share it with Anthropic. The original photograph is stored encrypted at rest on Amazon Web Services in the Sydney region. Our print partners and shipping providers never receive the photograph.

Their commitments to your data:
• Neither partner uses your inputs (text or images) to train their AI models when serving Almia under their commercial API terms.
• Both partners automatically delete API inputs and outputs within 30 days, except where required by law or to enforce their abuse-monitoring rules.

You can read each partner’s published commitment here:
• Anthropic: privacy.claude.com/en/articles/7996866-how-long-do-you-store-personal-data
• Google Gemini API terms: ai.google.dev/gemini-api/terms

Almia’s own retention of your photograph (which is separate from, and in addition to, the partner retention above) is described in Section 7.

4. Children’s Information

Almia’s books are designed for parents, guardians, and other caregivers to create books for children. We take the privacy of children seriously and we do not knowingly collect personal information directly from children.

Who provides the information: All information about a child must be provided by the child’s parent or legal guardian, or by someone with parental permission to do so. This explicitly covers gift-givers (for example, a grandparent, godparent, aunt, uncle, or family friend creating the book as a gift). By uploading a photograph or providing a child’s details, you confirm that you fall into one of these categories.

Limited collection: We collect only the child information necessary to create the personalised book.

No marketing to children: We do not use children’s information for marketing or advertising. We do not sell or share children’s information with third parties for their own purposes.

The child as the data subject: Even when an account is held by a gift-giver or another caregiver, the child whose information appears in a book remains the data subject. If you are the parent or guardian of a child whose photograph or details appear in an Almia book and you did not place the order yourself, you can contact us at privacy@almia.com.au to request access, correction, or deletion of that information. We will act on your request within 30 days, subject to verification of your relationship to the child.

Special handling of children’s photographs: see Section 3.

If we become aware that we have collected information from a child without parental consent, we will take steps to delete that information promptly.

5. Sharing and Disclosure

We share personal information only with the service providers required to deliver our service. Each provider is listed by legal name on our Subprocessor List at /privacy/subprocessors and that page is updated as our stack changes.

Who sees your child’s photograph: only Google (for image processing) and Amazon Web Services (for encrypted storage). Print partners and shipping providers do not.

Who sees your contact and shipping details: Stripe (payment), Postmark (transactional email), Brevo (marketing email if you have opted in), our print partner (Prodigi or Gelato, depending on the region your order ships from), Amazon Web Services (storage), and Vercel (hosting).

Who sees the child’s profile text (name, age, interests, traits): Anthropic and Google (for story creation and image processing) and Amazon Web Services (for storage).

Legal disclosures: We may disclose information if required by law, regulation, legal process, or governmental request.

No sale of personal information: We do not sell your personal information. We do not share personal information with advertisers, data brokers, or cross-site tracking networks.

6. International Data Transfers

Some of our service providers operate outside Australia and New Zealand. When your information is transferred internationally, we take reasonable steps to ensure it receives comparable protection.

Where your information goes:
• United States: Anthropic, Google, Stripe, Postmark, Vercel.
• France: Brevo.
• United Kingdom or Norway (depending on your shipping region): our print partner.
• Australia: storage of Almia data on Amazon Web Services in the Sydney region.

How we protect transferred information: we rely on each partner’s contractual data handling commitments, including their published privacy and security terms. The full list of subprocessors and the data each one accesses is at /privacy/subprocessors.

7. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected:
• Order and account information: retained for the duration of your account and for 7 years after your last order for tax, legal, and warranty purposes.
• Child photograph (the original you upload to Almia): retained for 90 days after your book is delivered, then permanently deleted, unless you request earlier deletion. Note that under Section 3, our AI partners delete their copies within 30 days under their own commercial terms.
• Generated book content (story text and illustrations): the final book file is retained in your account for reordering purposes. You may request its deletion at any time.
• Website analytics data: aggregated and de-identified data may be retained indefinitely. Individual browsing data is retained for no more than 26 months.

8. Cookies and Tracking

Our website uses the following cookies and similar technologies:
• Essential cookies: maintain your session, remember your cart, and enable core website functionality. These cannot be disabled.
• Analytics cookies: help us understand how visitors use our website so we can improve it. We use privacy-respecting analytics that do not track you across other websites.

We do not use advertising or tracking cookies. We do not participate in cross-site tracking networks.

9. Your Rights

9.1 Under the Australian Privacy Act

You have the right to:
• Access the personal information we hold about you.
• Request correction of inaccurate, out-of-date, or incomplete information.
• Request deletion of your data.
• Withdraw consent at any time, including consent to process your child’s photograph.
• Make a complaint about our handling of your personal information.

9.2 Under the New Zealand Privacy Act 2020

If you are in New Zealand, you have the right to:
• Access the personal information we hold about you.
• Request correction of personal information that is inaccurate.
• Request that we stop using your information for direct marketing.

9.3 How to Exercise Your Rights

To make an access, correction, or deletion request, please email us at privacy@almia.com.au. This inbox is monitored for privacy-related requests only; for any other question, please use the chat bubble in the corner of the page.

Our service level: we will respond to privacy requests within 30 days. We may need to verify your identity (and, for requests about a child, your relationship to that child) before acting on your request.

If you are not satisfied with our response, you may lodge a complaint with:
• Australia: Office of the Australian Information Commissioner (OAIC) at oaic.gov.au
• New Zealand: Office of the Privacy Commissioner at privacy.org.nz

10. Data Security

We implement technical and organisational measures to protect your personal information, including:
• Encryption in transit (TLS 1.2 or higher for all browser and API traffic).
• Encryption at rest for stored data, including your child’s photograph.
• Australian data residency for storage: Amazon Web Services in the Sydney region.
• Access controls limiting who within our organisation can access personal information.
• Secure payment processing through PCI DSS compliant providers.
• Multi-factor authentication on all administrative accounts.
• Continuous monitoring and review of security practices and service provider arrangements.

No method of electronic transmission or storage is completely secure. While we take reasonable precautions, we cannot guarantee absolute security.

11. Marketing Communications

We will only send you marketing communications if you have opted in to receive them. You can unsubscribe at any time by clicking the unsubscribe link in any marketing email or by contacting us. Unsubscribing from marketing will not affect transactional emails related to your orders. We handle marketing communications in line with the Spam Act 2003 (Cth) and the Unsolicited Electronic Messages Act 2007 (NZ).

12. Notifiable Data Breaches

If a data breach is likely to cause serious harm, we will notify affected individuals and the relevant authorities in line with the Notifiable Data Breaches scheme (Australia, Privacy Act 1988 Part IIIC) and the New Zealand Privacy Act 2020.

Our commitment:
• We will assess any suspected breach within 30 days of becoming aware of it.
• Affected individuals will be notified by email and, where appropriate, by in-product notice.
• Where a breach affects information about a child, we will notify the parent or guardian on file.
• Notifications will include a description of the breach, the information affected, the steps we are taking to remediate, and any recommended steps for you.

The primary channel for any privacy concern, including suspected breaches, is privacy@almia.com.au.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be posted on our website with an updated effective date. If we make significant changes to how we handle children’s information, we will take reasonable steps to notify affected users.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights: Privacy enquiries: privacy@almia.com.au (monitored for privacy-related requests only). For all other questions, please use the chat bubble in the corner of almia.com.au.
