Privacy Policy
Last updated: 26 October 2025
1. Introduction
ColorMeBooks ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.
We are committed to complying with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).
2. Information We Collect
2.1 Information You Provide
We collect information that you voluntarily provide when you:
- Create an account: Email address, name
- Place an order: Name, email address, shipping address, phone number, billing postal code
- Generate books: Text prompts, uploaded photos, customization preferences
- Contact us: Name, email, message content
2.2 Information Collected Automatically
When you visit our website, we automatically collect:
- Device information: IP address, browser type, operating system
- Usage data: Pages visited, time spent, links clicked
- Cookies: See our Cookie Policy for details
2.3 Payment Information
Payment card information is processed directly by our payment processor, Stripe. We do not store your full payment card details on our servers. We only retain:
- Last 4 digits of card number (for order reference)
- Card brand (Visa, Mastercard, etc.)
- Expiry date
- Billing postal code
3. How We Use Your Information
We use your information for the following purposes:
- Order fulfillment: Process your orders, create your custom books, arrange printing and shipping
- Communication: Send order confirmations, shipping notifications, respond to inquiries
- Service improvement: Analyze usage patterns to improve our website and services
- Legal compliance: Comply with legal obligations, resolve disputes, enforce our terms
- Marketing: Send promotional emails (only if you opt-in; you can unsubscribe anytime)
4. Legal Basis for Processing (GDPR)
Under GDPR, we process your personal data based on:
- Contract performance: Processing necessary to fulfill your order
- Legitimate interests: Improving our services, preventing fraud, marketing (where you haven't objected)
- Legal obligation: Complying with tax, accounting, and legal requirements
- Consent: Marketing communications (where required), cookies (non-essential)
5. How We Share Your Information
We share your information with trusted third parties to provide our services:
5.1 Service Providers
- Stripe: Payment processing (USA) - Stripe Privacy Policy
- Lulu: Book printing and shipping (USA/UK) - Lulu Privacy Policy
- Supabase: Database and authentication (EU/USA) - Supabase Privacy Policy
- Fal.ai: AI image generation (USA) - Fal.ai Privacy Policy
- Resend: Email delivery (USA) - Resend Privacy Policy
5.2 Legal Requirements
We may disclose your information if required by law or to:
- Comply with legal process
- Enforce our Terms and Conditions
- Protect our rights, property, or safety
- Prevent fraud or abuse
6. International Data Transfers
Your information may be transferred to and processed in countries outside the UK/EU, including the United States. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) with service providers
- Adequacy decisions by the UK/EU
- Certification under Privacy Shield frameworks (where applicable)
7. Data Retention
We retain your personal data for as long as necessary to:
- Order records: 7 years (for accounting and legal requirements)
- Account data: Until you request deletion or 3 years of inactivity
- Generated books: Until you delete them or request account deletion
- Marketing data: Until you unsubscribe or request deletion
8. Your Rights
You have the following rights regarding your personal data:
8.1 Rights for UK/EU Users (GDPR)
- Right of access: Request a copy of your personal data
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): Request deletion of your data
- Right to restrict processing: Limit how we use your data
- Right to data portability: Receive your data in a machine-readable format
- Right to object: Object to processing based on legitimate interests or direct marketing
- Right to withdraw consent: Withdraw consent for processing at any time
- Right to lodge a complaint: Contact the Information Commissioner's Office (ICO) in the UK
8.2 Rights for California Users (CCPA)
- Right to know: What personal information we collect and how we use it
- Right to delete: Request deletion of your personal information
- Right to opt-out: Opt-out of the "sale" of personal information (we do not sell your data)
- Right to non-discrimination: Equal service regardless of exercising your rights
8.3 How to Exercise Your Rights
To exercise any of these rights, please contact us or use your account dashboard to view and delete your data.
We will respond to your request within 30 days.
9. Data Security
We implement appropriate technical and organizational measures to protect your data:
- SSL/TLS encryption for data transmission
- Encrypted database storage
- Access controls and authentication
- Regular security audits
- Secure payment processing (PCI DSS compliant via Stripe)
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
10. Children's Privacy
Our services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us, and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last updated" date at the top
- Sending an email notification for significant changes (if you have an account)
Your continued use of our services after changes become effective constitutes acceptance of the revised policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us.
Supervisory Authority (UK/EU)
If you are unhappy with how we handle your data, you have the right to lodge a complaint with:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk
Note: This Privacy Policy is designed to comply with UK GDPR, EU GDPR, and California CCPA. If you have specific questions about how your data is used, please don't hesitate to contact us.