Privacy Policy
Last updated: June 2025
1. Who We Are
Once Upon is operated by COTR Global Group Ltd, a company registered in England and Wales. Our service is available at onceupon.gift. We create personalised AI-generated children's storybooks. For any privacy enquiries, contact us at hello@onceupon.gift.
2. Data We Collect
When you place an order we collect:
- Child's details โ first name, age, and the theme/adventure you choose for the story.
- Your name and email address โ provided via Stripe at checkout, used only to send your completed book.
- Payment information โ handled entirely by Stripe. We never see or store card numbers.
- Uploaded photo (optional) โ used solely to personalise the book illustrations.
We do not collect any data about children aged under 13 beyond the first name and age needed for story generation, and we do not ask for or store any sensitive personal data.
3. How We Use Your Data
- To generate your personalised storybook (text and illustrations).
- To deliver the finished PDF to your email address.
- To respond to support requests you send us.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. Data Retention
Order data (including your generated book files) is retained for 7 days and then automatically deleted from our systems. Session data held in our cache is also cleared within 7 days. Email delivery records may be retained by our email provider for up to 30 days for troubleshooting.
5. Third-Party Processors
We share data only with the processors necessary to deliver the service:
| Processor | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Name, email, payment details |
| Anthropic | Story text generation (Claude AI) | Child's name, age, theme |
| fal.ai | Illustration generation | Story prompts, optional photo |
| Vercel | Hosting & file storage | All order data (stored on Vercel infrastructure) |
| Upstash | Session & queue data (Redis) | Order status, session tokens |
| Resend | Email delivery | Your email address, book PDF |
All processors are contractually bound to use your data only for the purposes described above.
6. Cookies
We use functional cookies only. These are strictly necessary for the service to work (e.g. remembering your consent preference and order session). We do not use tracking, analytics, or advertising cookies. No data is shared with ad networks.
7. Your Rights (GDPR)
If you are located in the UK or EU you have the following rights under UK GDPR / EU GDPR:
- Right of access โ request a copy of the data we hold about you.
- Right to rectification โ ask us to correct inaccurate data.
- Right to erasure (Article 17) โ ask us to delete your data. Because most data is automatically deleted within 7 days, erasure requests will be actioned immediately upon receipt.
- Right to restriction โ ask us to limit how we process your data.
- Right to object โ object to processing based on legitimate interests.
To exercise any of these rights, email hello@onceupon.gift. We will respond within 30 days.
8. Data Security
All data is transmitted over HTTPS. File storage uses Vercel Blob with access-controlled URLs. We apply the principle of minimal data collection โ we only ask for what is strictly necessary to generate and deliver your book.
9. Changes to This Policy
We may update this policy from time to time. Material changes will be noted at the top of this page with a revised date. Continued use of the service after changes constitutes acceptance of the updated policy.
10. Contact
COTR Global Group Ltd
Email: hello@onceupon.gift