Privacy Policy

Aivaprint ("we", "us", "our") is a software-as-a-service (SaaS) platform that provides AI-powered tools for creating, formatting, and exporting books for Amazon Kindle Direct Publishing (KDP). Aivaprint is owned and operated by Soul Family Entertainment, a company registered in Sweden.

We are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR), the Swedish Data Protection Act (Dataskyddslagen), and all other applicable data protection legislation.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have regarding your data. By using Aivaprint, you acknowledge that you have read and understood this policy.

The data controller responsible for your personal data is:

For any privacy-related inquiries, requests, or complaints, please contact us using the email address above.

3.1 Account Data

When you create an account, we collect:

• First name and last name
• Email address
• Password (stored in hashed form; we never have access to your plaintext password)
• Profile picture (if you upload one or sign in with Google)

3.2 Authentication Data

If you sign in using Google OAuth, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.

3.3 Contact Form Data

When you submit a message through our contact form, we collect your name, email address, and the content of your message. This data is stored in our database and used solely for the purpose of responding to your inquiry and providing customer support. A copy of your message may also be delivered to us via email through our transactional email provider, Resend.

3.4 Payment Data

Subscription payments are processed entirely by Stripe. We store only your Stripe customer ID, subscription ID, billing cycle, and subscription status. We do not store, process, or have access to your credit card numbers, bank account details, or other payment instrument data. All payment data is handled by Stripe in accordance with PCI DSS standards.

3.5 User-Generated Content

We store content you create on our platform, including:

• Book interior designs and formatting settings
• Cover designs and associated image assets
• Thumbnails and preview images
• Project names and descriptions

Users are solely responsible for ensuring that content they create, upload, or export through Aivaprint complies with copyright laws, intellectual property rights, and applicable publishing regulations.

3.6 AI-Generated Content

When you use our AI-powered features (Title Generator, Description Generator, Niche Validator), your input prompts are sent to our AI processing service to generate results. The generated output is returned to your browser and is not stored on our servers unless you explicitly save it as part of a project.

Users must not submit sensitive personal data (such as health information, financial data, government identification numbers, or confidential third-party data) when using AI-powered features. Aivaprint is not intended for processing special categories of personal data under Article 9 of the GDPR.

3.7 Technical and Usage Data

We automatically collect limited technical data:

• Browser-based session identifiers stored in your browser's local storage
• Font preferences and recently used fonts
• UI state preferences

We do not use third-party analytics services. We do not track your behaviour across other websites.

Aivaprint does not use traditional tracking cookies. Instead, we use your browser's local storage and session storage to maintain your session, preferences, and application state. This data remains on your device and is not transmitted to third-party tracking services.

Authentication session tokens are managed by our authentication provider (Supabase) and are required for the platform to function.

Authentication tokens and session identifiers managed by Supabase are strictly necessary for the platform to function. These identifiers enable secure login, session management, and protection against unauthorised access. Because they are essential for service delivery, they do not require separate user consent under applicable EU cookie regulations.

We process your personal data for the following purposes:

• Providing the service: Creating and managing your account, saving your projects, generating PDFs, and delivering the features you use.
• Customer support: Responding to inquiries submitted through the contact form and providing assistance with your account or projects.
• Processing payments: Managing your subscription through Stripe, handling billing cycles, and maintaining payment records.
• AI content generation: Processing your input text through AI services to generate book titles, descriptions, and niche analyses.
• Security and fraud prevention: Verifying payment webhook signatures, enforcing content policies, and protecting the integrity of the platform.
• Legal compliance: Maintaining records required by applicable tax, accounting, and commercial laws.

Transactional emails and contact form responses are processed under the legal basis of performance of a contract or legitimate interest, depending on the nature of the communication.

5.1 Automated Decision-Making

Aivaprint uses AI-assisted tools to generate creative content suggestions. These tools do not make automated decisions that produce legal effects or similarly significant impacts on users. All generated content is presented as optional assistance and remains fully under user control.

We process your personal data under the following legal bases:

• Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Aivaprint service, including account management, project storage, PDF generation, and subscription management.
• Legitimate interest (Art. 6(1)(f)): Maintaining the security and stability of the platform, preventing abuse, responding to contact form inquiries, and improving our services. Our legitimate interests do not override your fundamental rights and freedoms.
• Legal obligation (Art. 6(1)(c)): Retaining financial records and transaction data as required by Swedish and EU tax and accounting regulations.
• Consent (Art. 6(1)(a)): Where applicable, such as when you choose to sign in with Google OAuth, granting us access to your Google profile information.

We share your data with the following third-party service providers who process data on our behalf:

7.1 Supabase

Supabase provides our database infrastructure, user authentication, file storage, and serverless backend functions. Your account data, project data, contact form submissions, and uploaded files are stored on Supabase infrastructure. Supabase processes data in accordance with their privacy policy and maintains SOC 2 Type II compliance.

7.2 Stripe

Stripe processes all payments and manages subscription billing. When you subscribe to a paid plan, your payment details are collected and processed directly by Stripe. We never receive or store your full payment card details. Stripe is PCI DSS Level 1 certified. Stripe also sends webhook notifications to our servers to synchronise subscription status changes.

7.3 Google OAuth

If you choose to sign in with Google, Google acts as an identity provider and shares your name, email address, and profile picture with us for account creation and authentication. Google's data practices are governed by Google's Privacy Policy.

7.4 OpenAI

Our AI features (Title Generator, Description Generator, Niche Validator) use OpenAI's API to process your text inputs and generate outputs. Your input prompts are sent to OpenAI for processing. We use OpenAI's API configuration where submitted data is not used for model training. OpenAI may retain data temporarily for abuse monitoring in accordance with their data usage policies.

7.5 Pexels

When you search for stock images within the platform, your search queries are sent to the Pexels API. Images are loaded directly from Pexels' servers. Pexels may log search requests in accordance with their privacy policy.

7.6 Cloudinary

Image assets used in cover designs may be processed through Cloudinary for resizing, cropping, format conversion, and delivery optimisation. Cloudinary processes images on its infrastructure as a sub-processor.

7.7 Google Fonts

Font files are self-hosted and cached on our infrastructure. The Aivaprint platform does not require direct browser connections to Google Fonts servers during normal operation.

7.8 Resend

Resend is used for transactional email delivery, including delivering contact form submissions to our support inbox. When you submit a contact form, your name, email, and message content are transmitted through Resend's infrastructure for email delivery. Resend processes this data solely for the purpose of delivering the email and in accordance with their privacy policy.

Where required by law, Aivaprint maintains Data Processing Agreements (DPAs) with all third-party processors to ensure GDPR-compliant handling of personal data.

Some of our third-party processors (Supabase, Stripe, OpenAI, Pexels, Cloudinary, Resend) may process your data outside the European Economic Area (EEA), including in the United States.

Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

• EU-U.S. Data Privacy Framework certification where applicable
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission for certain jurisdictions

You may request details about the specific safeguards in place for any data transfer by contacting us at john@soulfamilyent.com.

We retain your personal data as follows:

• Account data: Retained for as long as your account is active. Upon account deletion, your profile data is removed.
• Project data: Book and cover designs are stored until you delete them or until your account is deleted.
• Contact form submissions: Retained for up to 24 months after resolution of the inquiry, unless a longer retention period is required for legal or support-related reasons.
• Payment records: Transaction records, invoices, and billing data are retained for a minimum of 7 years as required by Swedish accounting law (Bokforingslagen, SFS 1999:1078).
• AI inputs: Input text sent to AI services is not persistently stored by us. OpenAI may retain data temporarily in accordance with their own retention policies.
• Local storage data: Browser-stored data persists until you clear your browser data.

We implement the following security measures to protect your data:

• All data in transit is encrypted using TLS (HTTPS). All connections to our servers, databases, and third-party services use encrypted channels.
• Passwords are hashed and salted using industry-standard algorithms. We never store plaintext passwords.
• Row-Level Security (RLS) policies are enforced on all database tables, ensuring users can only access their own data. Each table has granular policies for read, write, update, and delete operations.
• Stripe webhook signatures are verified using HMAC-SHA256 to prevent unauthorised or forged payment events from being processed.
• Authentication tokens are managed securely through Supabase Auth, with automatic session expiration and refresh mechanisms.
• Administrative access to user data and platform management is restricted to authorised personnel only, protected by role-based access controls.
• AI content generation includes input filtering to prevent misuse of the platform's generative features.

If you are located in the European Economic Area (EEA), you have the following rights under the GDPR:

• Right of access (Art. 15): You may request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): You may request that we correct inaccurate or incomplete personal data. You can update your name and profile picture directly in your account settings.
• Right to erasure (Art. 17): You may request deletion of your personal data. This includes deleting your account and all associated projects and files.
• Right to restriction (Art. 18): You may request that we restrict the processing of your personal data in certain circumstances.
• Right to data portability (Art. 20): You may request your personal data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): You may object to processing based on legitimate interest at any time. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at john@soulfamilyent.com. We will respond within 30 days as required by the GDPR. If we need additional time due to the complexity of the request, we will notify you within the initial 30-day period.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) or your local data protection authority.

Aivaprint is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a user is under 16, we will take steps to delete their account and associated data. If you believe a child under 16 has provided us with personal data, please contact us at john@soulfamilyent.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, our third-party processors, or applicable laws. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at: