Skip to main content
TaleKept

Privacy Policy

Last updated: February 21, 2026

1. Data Controller

Pyrenees Trading LLP Suite 1103 - 11871 Horseshoe Way V7A 5H5 Richmond, British Columbia, Canada

To contact us regarding this Privacy Policy or to exercise your data rights, please use our contact form.

2. Data We Collect

2.1 Account Information

  • Name, email address, avatar — provided during registration.
  • Hashed password — if you register with email/password.
  • OAuth tokens — if you sign in via Google or Apple.
  • Language preference — selected in the app.

Legal basis (GDPR): Performance of a contract (Art. 6(1)(b))

2.2 Session & Security Data

  • IP address and user agent — collected during authentication.
  • Session cookie — stored for 30 days for authentication purposes.

Legal basis: Legitimate interest — security and fraud prevention (Art. 6(1)(f))

2.3 Book Content

  • Scanned page images — sent to our OCR providers for text recognition, then stored in our cloud storage.
  • OCR transcriptions — text extracted from your handwritten pages.
  • Typed answers and photos — content you enter directly.
  • Activation code and activation images — used to link your physical book to your account.

Legal basis: Performance of a contract (Art. 6(1)(b))

2.4 Family Tree Data

  • Names and relationships of family members you choose to enter.

This data may constitute special category data under GDPR Article 9, as it reveals family relationships and potentially ethnic or racial origins. We process this data based on your explicit consent (Art. 9(2)(a)), which you provide when you enter family member information.

Important: You are responsible for obtaining the consent of any living individuals whose personal data you enter in your family tree.

Legal basis: Explicit consent (Art. 9(2)(a))

2.5 Publications

  • Blog slug, title, custom password (bcrypt-hashed) — for your published book.
  • View count, visitor IP address and user agent — via publication access tokens.
  • Guestbook comments — author name (optional) and message from visitors.

Legal basis: Legitimate interest — service operation (Art. 6(1)(f))

2.6 Feedback & Contact

  • Email (optional), subject, message, satisfaction rating — when you submit feedback or contact us.

Legal basis: Consent (Art. 6(1)(a))

3. Third-Party Services & International Transfers

We share your data with the following service providers to operate TaleKept:

  • Google Cloud (Vertex AI) / OpenRouter — OCR text recognition — Scanned page images — USA.
  • Resend — Transactional emails — Name, email — USA.
  • Cloudflare R2 — Image & file storage — Images, scans — Global (Cloudflare network).
  • Cloudflare Turnstile — Invisible CAPTCHA — Verification data — Global.
  • Cloudflare Web Analytics — Anonymous analytics — No personal data — Global.
  • Sentry — Client-side error tracking — Error data, IP — USA.

For transfers of personal data outside the European Economic Area (EEA) or the United Kingdom, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions where applicable (e.g., Canada under PIPEDA).
  • Data Processing Agreements with each service provider.

We do not sell, rent, or trade your personal data to any third party.

4. Data Retention

  • Active account data — As long as your account exists.
  • Account after deletion request — 30-day grace period (soft-delete), then permanent deletion.
  • Session data — 30 days.
  • Scanned images — According to your retention settings (7 days to 1 year).
  • Published books — Duration of publication.
  • Server logs — 90 days.

When you delete your account, all associated data is permanently removed after the 30-day grace period, including all images stored in our cloud storage.

5. Your Rights

For all users

  • Access your personal data.
  • Correct inaccurate data.
  • Delete your account and all data (via Settings > Danger Zone > Delete my account).
  • Export your data (data portability).

Additional rights for EU/EEA residents (GDPR)

  • Right to restriction of processing (Art. 18).
  • Right to object to processing (Art. 21).
  • Right to lodge a complaint with your local data protection authority.

Additional rights for California residents (CCPA/CPRA)

  • Right to know what personal information we collect, use, and disclose.
  • Right to delete your personal information.
  • Right to opt-out of the sale of personal information — TaleKept does not sell your personal information.
  • Right to non-discrimination for exercising your rights.

For Canadian residents (PIPEDA)

  • Right to access your personal information.
  • Right to correction of inaccurate information.
  • Right to withdraw consent at any time.

For UK residents (UK GDPR)

You have the same rights as EU/EEA residents under the UK General Data Protection Regulation.

To exercise any of these rights, please use our contact form.

6. Cookies

TaleKept uses only essential cookies required for the service to function. For detailed information about our cookies, please see our Cookie Policy.

7. Children's Privacy

TaleKept is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we discover that we have collected personal data from a child under 16, we will delete that data immediately.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us via our contact form.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Password hashing with bcrypt.
  • HTTPS encryption for all communications.
  • Session expiration and management.
  • Rate limiting on API endpoints.
  • Invisible CAPTCHA (Cloudflare Turnstile) to prevent abuse.
  • Content Security Policy (CSP) headers.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email. The "Last updated" date at the top of this policy indicates when it was last revised.

Your continued use of TaleKept after any changes constitutes your acceptance of the updated Privacy Policy.