Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

We collect information you provide when you:

• Create an account: Name, email address, password (hashed), and a timestamp recording when you accepted our Terms of Service and Privacy Policy (GDPR Article 7 -- demonstrable consent)
• Use OAuth login: Profile information from Google or Microsoft (name, email, profile picture)
• Subscribe to paid plans: Billing information processed by Stripe (we do not store full credit card numbers)
• Create content: Text, prompts, and inputs you provide for ebook generation
• Use Life Story feature: Personal stories, memories, and biographical information you share
• Contact support: Communications and feedback you send us
• Upload files: Custom fonts, documents, or other files you upload
• Sell books on the storefront: Payout email address, book pricing, and author profile information you provide for the storefront feature

1.2 Information Collected Automatically

When you use our Service, we automatically collect:

• Device information: Browser type, operating system, device identifiers
• Usage data: Pages visited, features used, actions taken, time spent
• Log data: IP address, access times, error logs
• Cookies and similar technologies: See our Cookie Policy for details

1.3 Information from Third Parties

We may receive information from:

• OAuth providers: Google, Microsoft (profile information you authorize)
• Payment processors: Stripe (payment confirmation, subscription status)
• Cloud storage: Microsoft OneDrive, Google Drive (file metadata when you connect)

1.4 Data We Do Not Collect

For transparency, the following categories of data are not collected by GreatLibrary.AI:

• Biometric data: We do not collect fingerprints, facial recognition data, voiceprints, or any biometric identifiers
• Precise geolocation: We do not use GPS or precise location tracking. Only approximate location from IP address is available in server logs
• Health or genetic data: We do not collect or process health, medical, or genetic information
• Financial account details: We never store full credit card numbers, bank account numbers, or payment credentials. All payment processing is handled by Stripe
• Government identifiers: We do not collect Social Security numbers, national ID numbers, passport numbers, or tax identification numbers
• Contacts or address book data: We do not access your device contacts or address book
• Keystroke or screen recording data: We do not use keyloggers, screen recording, or session replay tools

1.5 Legal Basis for Processing (GDPR Art. 6)

We process your personal data only when we have a valid legal basis under the GDPR. The following table summarizes our legal bases for each category of processing:

Legal basis for each data processing activity under GDPR Article 6

Data Category	Legal Basis	GDPR Article
Account registration data	Performance of contract	Art. 6(1)(b)
Ebook content and AI generation	Performance of contract	Art. 6(1)(b)
Payment processing	Performance of contract	Art. 6(1)(b)
Life Story biographical data	Explicit consent	Art. 6(1)(a), Art. 9(2)(a)
Security and fraud prevention	Legitimate interest	Art. 6(1)(f)
Error tracking (Sentry)	Legitimate interest	Art. 6(1)(f)
Marketing communications	Consent	Art. 6(1)(a)
Legal and regulatory compliance	Legal obligation	Art. 6(1)(c)
Service improvement analytics	Legitimate interest (anonymized)	Art. 6(1)(f)

Where we rely on legitimate interest (Art. 6(1)(f)), we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting dpo@greatlibrary.ai.

1.6 Legitimate Interest Assessment Summary (Art. 6(1)(f))

The following table summarizes our legitimate interest assessments for processing activities that rely on Art. 6(1)(f):

Legitimate interest balancing test results for each processing activity

Processing Activity	Our Legitimate Interest	Impact on You	Balancing Outcome
Security and fraud prevention	Protecting the Service and all users from unauthorized access, abuse, and fraud	Minimal -- log data is used only for security analysis and is not shared with third parties	Interest justified: security measures protect your account and data
Error tracking (Sentry)	Identifying and fixing bugs to maintain service quality and reliability	Low -- PII is scrubbed from error reports; only technical context is retained	Interest justified: error tracking directly benefits your user experience
Service improvement analytics	Understanding usage patterns to improve features and fix usability issues	Minimal -- data is aggregated and anonymized before analysis; no individual profiling	Interest justified: aggregated analytics do not impact individual privacy

You have the right to object to processing based on legitimate interest at any time (GDPR Art. 21). To exercise this right, contact dpo@greatlibrary.ai specifying which processing activity you object to. We will cease the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

2. How We Use Your Information

2.1 Purposes and Legal Basis

We use your information for the following purposes:

Purposes for which we use your data and the corresponding legal basis

Purpose	Legal Basis (GDPR)
Provide and maintain the Service	Contract performance
Process payments and subscriptions	Contract performance
Generate AI content based on your inputs	Contract performance
Send transactional emails (receipts, confirmations)	Contract performance
Provide customer support	Contract performance / Legitimate interest
Improve and optimize the Service	Legitimate interest
Detect and prevent fraud or abuse	Legitimate interest
Send marketing communications (with consent)	Consent
Comply with legal obligations	Legal obligation
Improve service quality using aggregated, anonymized usage statistics (we do not use your individual content to train AI models)	Legitimate interest (anonymized data only)

2.2 Categories of Personal Information (CCPA Disclosure)

As required by the California Consumer Privacy Act, the following categories of personal information have been collected in the preceding 12 months:

• Identifiers: Name, email address, IP address, account ID
• Commercial information: Subscription plan, payment history, transaction records
• Internet or network activity: Browsing history on our Service, search queries, interaction data
• Geolocation data: Approximate location based on IP address (we do not collect precise geolocation)
• Professional information: Author profile information provided for the storefront
• Inferences: Preferences and characteristics derived from usage patterns (for service improvement only)

We do not collect biometric information, sensory data, or protected classification characteristics. We do not sell or share personal information for cross-context behavioral advertising.

3. AI and Your Content

4. How We Share Your Information

5. Data Retention

We retain your information for the following periods. Each retention period has a defined justification, and data is automatically purged or anonymized when the retention period expires.

Upon account deletion, all personal data listed above is permanently removed from our systems, except payment records which we retain for 7 years as required by tax law (anonymized -- name and email removed). After account deletion, we do not retain any directly identifiable personal data.

5.2 Data Retention Principles

Our data retention schedule is governed by the following principles, derived from GDPR Article 5(1)(e) (storage limitation) and applicable law:

Principles governing how long we retain your data

Principle	Description	Legal Basis
Purpose limitation	Data is retained only as long as it serves the original purpose for which it was collected. When the purpose ceases, the data is deleted or anonymized.	GDPR Art. 5(1)(b)
Storage limitation	Retention periods are defined in advance for every data category. No indefinite retention without legal justification.	GDPR Art. 5(1)(e)
Legal hold override	Data subject to an active legal proceeding, regulatory investigation, or preservation request is retained until the matter is resolved, overriding standard retention periods.	Applicable litigation hold requirements
Anonymization as alternative	Where complete deletion would compromise legitimate analytics or legal compliance, data is irreversibly anonymized so it can no longer identify any individual.	GDPR Recital 26
Backup propagation	Deleted data may persist in encrypted backups for up to 30 days after deletion from the live database. Backups are rotated on a rolling schedule and are not used for any purpose other than disaster recovery.	GDPR Art. 17(1) -- reasonable technical delay

5.1a Data Retention Review

We conduct an annual review of our data retention practices to ensure:

• Retention periods remain proportionate and justified for each data category
• Data that has exceeded its retention period is properly deleted or anonymized
• New data categories introduced during the year are assigned appropriate retention periods
• Legal requirements that may have changed are reflected in our retention schedule

The most recent retention review was completed in April 2026. Results of our retention reviews are documented internally and available to our Data Protection Officer.

5.1b Data Retention Schedule -- Deletion Triggers

In addition to time-based retention periods, the following events trigger data deletion or anonymization:

For any questions about data deletion timing or to request confirmation that your data has been deleted, contact privacy@greatlibrary.ai.

5.2 Data Deletion Process

When you request account deletion or data erasure:

• Immediate (within 24 hours): Account access is deactivated, login disabled, and active sessions revoked
• Within 7 days: All user content (ebooks, covers, life stories, chat history) is permanently deleted from primary storage
• Within 30 days: All personal data is purged from backup systems. A confirmation email is sent upon completion
• Retained for legal compliance: Payment records and transaction history are retained for 7 years in anonymized form (name and email are removed; only transaction IDs and amounts are preserved for tax reporting)

You may request a data export before deletion by using the export feature in your account settings or by contacting privacy@greatlibrary.ai.

6. Data Security

We implement appropriate technical and organizational measures to protect your information:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS enforced sitewide)
• Encryption at rest: Database and file storage are encrypted at rest on our hosting infrastructure
• Password hashing: Passwords are hashed using Werkzeug's PBKDF2-SHA256 with per-user salts; we never store plaintext passwords
• Session management: Secure, HttpOnly, SameSite cookies with configurable expiry; CSRF protection on all state-changing requests
• Content Security Policy: Strict CSP headers enforced via Flask-Talisman to mitigate cross-site scripting (XSS) attacks
• Rate limiting: Request rate limiting on authentication and API endpoints to prevent brute-force and abuse
• Access controls: Role-based access; personal data accessible only to authorized personnel on a need-to-know basis
• Input validation: Server-side validation and sanitization on all user inputs, including path traversal guards on file operations
• Error monitoring: Application errors are monitored via Sentry, configured to scrub PII from error reports
• Infrastructure security: Hosted on Railway with managed PostgreSQL, automatic security patches, and isolated container environments
• Incident response: We maintain an incident response plan and will notify affected users and relevant authorities of any data breach within 72 hours as required by GDPR

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents.

6.1a Security Standards and Third-Party Compliance

Our security posture is supported by the following standards and third-party compliance measures:

Security certifications and compliance status of our third-party providers

Provider	Security Standard	Relevance to Your Data
Stripe	PCI DSS Level 1	All payment card data is processed by Stripe under their PCI DSS certification. We never receive or store full card numbers
Railway (Hosting)	SOC 2 Type II	Our hosting infrastructure meets SOC 2 controls for security, availability, and confidentiality
OpenAI	SOC 2 Type II, GDPR DPA	AI processing is covered by OpenAI's data processing agreement. User content sent for generation is not used for model training per our agreement
Google Cloud (OAuth)	ISO 27001, SOC 2	OAuth authentication tokens are processed through Google's certified infrastructure
Sentry (Error Tracking)	SOC 2 Type II, GDPR DPA	Error tracking is configured with PII scrubbing to minimize personal data in error reports

We review the security posture and compliance certifications of all sub-processors on an annual basis. If a sub-processor's security status changes materially, we will update the sub-processor register in Section 4.1a and notify users if required.

6.1b Vulnerability Disclosure

We encourage responsible disclosure of security vulnerabilities. If you discover a security issue in our Service:

• Contact: Email security@greatlibrary.ai with details of the vulnerability
• Response: We will acknowledge your report within 2 business days and provide an initial assessment within 5 business days
• Safe harbor: We will not take legal action against researchers who report vulnerabilities in good faith and do not exploit them or access user data beyond what is necessary to demonstrate the issue
• Scope: Reports should relate to the GreatLibrary.AI platform (greatlibrary.ai, greatlibrary.app, greatlibrary.ai) and should not involve social engineering, denial of service, or accessing other users' accounts or data

6.2 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

• We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
• If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, as required by GDPR Article 34
• Notifications will include: the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach
• We maintain an internal breach register documenting all personal data breaches, including their effects and remedial actions taken

6.3 Breach Response Procedures

Our data breach response plan follows a structured incident management process to ensure rapid containment, transparent communication, and effective remediation:

6.3.1 Detection and Identification (0-4 hours)

• Automated monitoring: Sentry error tracking, Railway infrastructure alerts, and application-level anomaly detection continuously monitor for signs of unauthorized access or data exposure
• Manual reporting: Any team member, user, or third party who suspects a breach can report it immediately to security@greatlibrary.ai
• Initial assessment: The incident lead determines within 4 hours whether a reportable personal data breach has occurred, identifying the type of breach (confidentiality, integrity, or availability), the data categories involved, and the approximate number of affected individuals

6.3.2 Containment (4-24 hours)

• Immediate containment: Isolate affected systems, revoke compromised credentials, block unauthorized access vectors, and preserve forensic evidence
• Impact scoping: Determine the full scope of data affected, including which user accounts, data categories, and time periods are involved
• Risk assessment: Evaluate the severity of the breach using a risk matrix that considers the sensitivity of the data, the number of individuals affected, the likelihood of harm, and whether the data was encrypted

6.3.3 Notification (within 72 hours)

• Supervisory authority notification: If the breach meets the GDPR Article 33 threshold (likely to result in a risk to rights and freedoms), we file a notification with the relevant supervisory authority within 72 hours of becoming aware of the breach. The notification includes all information required by Article 33(3)
• User notification: If the breach meets the GDPR Article 34 threshold (likely to result in high risk to rights and freedoms), we notify affected users without undue delay via email, providing a clear description of the breach, the types of data involved, potential consequences, steps we have taken, and recommended protective measures the user should take (such as changing passwords)
• US state notification: For US-based users, we comply with applicable state breach notification laws, including California Civil Code 1798.82, which requires notification without unreasonable delay
• Public disclosure: For breaches affecting a large number of individuals (over 500 in a single state under HIPAA/state law thresholds), we publish a notice on our website in addition to individual notifications

6.3.4 Remediation and Post-Incident Review

• Root cause analysis: Within 14 days of containment, we complete a root cause analysis to identify the vulnerabilities or failures that led to the breach
• Remediation plan: Implement technical and organizational measures to prevent recurrence, including security patches, access control updates, policy revisions, and additional employee training as needed
• Breach register update: All details of the breach -- including timeline, scope, response actions, root cause, and remediation measures -- are recorded in our internal breach register as required by GDPR Article 33(5)
• Post-incident report: A summary report is prepared for internal review and, where required, shared with the relevant supervisory authority. Affected users may request a copy of the summary report (with confidential forensic details redacted) by emailing dpo@greatlibrary.ai
• Continuous improvement: Lessons learned are incorporated into our security training program and incident response procedures. We conduct annual tabletop exercises to test and refine our breach response capabilities

7. Your Rights and Choices

7.1 Rights Under GDPR (European Users)

If you are in the European Economic Area (EEA) or UK, you have the following rights:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate personal data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Right to Lodge a Complaint: File a complaint with your local data protection authority

7.1a Right to Object -- Detailed Guidance (GDPR Art. 21)

Under GDPR Article 21, you have the right to object to the processing of your personal data where we rely on legitimate interest as the legal basis. This section provides detailed guidance on how and when to exercise this right.

When You Can Object

You may object to any processing activity listed in our Legitimate Interest Assessment (Section 1.6) at any time, including:

• Security monitoring and abuse prevention: IP address logging, rate limiting, and anomaly detection
• Error tracking: Sentry-based error monitoring (PII is scrubbed)
• Service improvement analytics: Aggregated, anonymized usage pattern analysis

How to Object

1. Email your objection to dpo@greatlibrary.ai with the subject line "Right to Object -- [Processing Activity]"
2. Specify the processing activity you object to (you may reference the table in Section 1.6)
3. Explain your grounds for objection, including how the processing relates to your particular situation

Our Response

• Acknowledgment: We will acknowledge your objection within 3 business days
• Assessment: We will assess your objection within 30 calendar days (extendable by 60 days for complex cases, with notice)
• Outcome -- objection upheld: We will cease the processing activity for your data and confirm in writing
• Outcome -- objection declined: We will provide a detailed written explanation of the compelling legitimate grounds that override your interests, rights, and freedoms, along with information about your right to lodge a complaint with a supervisory authority
• Interim measures: During the assessment period, we will restrict the contested processing unless it is essential for the security or integrity of the Service

Direct Marketing

Where we process personal data for direct marketing purposes, you have an absolute right to object at any time, and we will cease processing without requiring justification. You can exercise this right by:

• Clicking the "unsubscribe" link in any marketing email
• Emailing privacy@greatlibrary.ai with "Unsubscribe" in the subject line
• Adjusting your communication preferences in your account settings

Limitations

Please note that objecting to certain processing activities may affect your ability to use the Service. For example:

• Objecting to security monitoring may prevent us from detecting unauthorized access to your account
• Objecting to error tracking may slow our ability to resolve bugs affecting your experience

We will clearly explain any such consequences before processing your objection, so you can make an informed decision.

7.2 Rights Under CCPA/CPRA (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA, effective January 1, 2023):

• Right to Know: Request disclosure of personal information collected, used, and shared
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate personal information we hold about you (CPRA addition)
• Right to Opt-Out: Opt-out of the sale of personal information (we do not sell personal information)
• Right to Limit Use of Sensitive Personal Information: Direct us to limit the use and disclosure of your sensitive personal information to what is necessary to perform the Service (CPRA addition)
• Right to Non-Discrimination: Not be discriminated against for exercising your rights
• Right to Data Portability: Receive your personal information in a portable and, to the extent technically feasible, readily usable format (CPRA addition)

We do not sell or share personal information. In the past 12 months, we have not sold or shared (as defined by the CCPA/CPRA) any personal information for cross-context behavioral advertising or any other purpose. Specifically:

• We do not sell personal information to data brokers, advertisers, or any third parties
• We do not share personal information for cross-context behavioral advertising
• We do not use or disclose sensitive personal information for purposes other than those permitted under CCPA Section 1798.121
• We do not knowingly sell or share personal information of consumers under 16 years of age

Right to Limit Use of Sensitive Personal Information: While we process certain sensitive personal information (account credentials, payment information), this processing is limited to purposes necessary to provide the Service as reasonably expected. You have the right to limit our use of sensitive personal information to what is necessary for performing the Service.

California "Shine the Light" (Cal. Civ. Code 1798.83): California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. As stated above, we do not share personal information with third parties for their direct marketing purposes.

Financial Incentive Disclosure: We do not offer financial incentives or price differences in exchange for the retention or sale of personal information.

7.2a Do Not Sell or Share My Personal Information (CCPA/CPRA)

7.2b CCPA/CPRA Request Metrics (Annual Disclosure)

In accordance with CCPA Section 1798.185(a)(7) and California Code of Regulations, Title 11, Division 1, Chapter 20, Section 999.317(g), we disclose the following annual metrics regarding consumer requests received in the preceding calendar year. This disclosure will be updated annually by July 1 for the preceding calendar year.

Annual CCPA consumer request metrics showing types and volumes of privacy requests received

Request Type	Requests Received	Requests Fulfilled (Whole or Part)	Requests Denied	Median Response Time
Right to Know (categories)	First report due July 1, 2027 (covering 2026)
Right to Know (specific pieces)	First report due July 1, 2027
Right to Delete	First report due July 1, 2027
Right to Correct	First report due July 1, 2027
Right to Opt-Out of Sale/Sharing	First report due July 1, 2027
Right to Limit Use of Sensitive PI	First report due July 1, 2027

Note: GreatLibrary.AI launched in 2026. The first annual CCPA metrics report will cover the period from service launch through December 31, 2026, and will be published by July 1, 2027.

7.3 How to Exercise Your Rights

To exercise any of these rights, you may:

• Email us at: privacy@greatlibrary.ai
• Email our Data Protection Officer at: dpo@greatlibrary.ai
• Use account settings to download or delete your data
• Use the unsubscribe link in marketing emails

7.3a Request Verification

To protect your personal data from unauthorized access, we verify your identity before processing rights requests. Verification methods include:

• Account holders: We verify your identity by matching the email address on the request to the email address associated with your account. We may ask you to confirm recent account activity (such as the date you last logged in or recent ebook titles)
• Non-account holders: If you do not have an account but believe we hold your data (for example, as a storefront buyer), we may ask you to provide enough identifying information for us to locate your records, such as the email address used at purchase and an order reference number
• Authorized agents (CCPA): If you are a California resident and wish to use an authorized agent to submit a request on your behalf, the agent must provide: (a) written authorization signed by you, and (b) proof of the agent's identity. We may also contact you directly to confirm the request

7.3b Response Timelines

We respond to verified rights requests within the following timelines:

• GDPR requests (EEA/UK): Within 30 days of receiving a verified request. If the request is complex or we receive a large number of requests, we may extend this by an additional 60 days, and will inform you of the extension and reasons within the initial 30-day period
• CCPA/CPRA requests (California): We will acknowledge receipt within 10 business days and provide a substantive response within 45 calendar days. If additional time is needed, we may extend by an additional 45 days with notice
• All other requests: Within 30 days of receiving a verified request

All rights requests are free of charge. We may charge a reasonable administrative fee for manifestly unfounded or excessive requests, or refuse to act on such requests, as permitted by GDPR Article 12(5).

7.3c Right to Lodge a Complaint

If you believe we have not handled your data rights request satisfactorily, or that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with your local supervisory authority. Key authorities include:

• EU: Contact the data protection authority in your member state. A full list is available at edpb.europa.eu
• UK: Information Commissioner's Office (ICO) -- ico.org.uk
• California (USA): California Attorney General -- oag.ca.gov/privacy

We encourage you to contact us first at dpo@greatlibrary.ai so we can attempt to resolve any concerns before you escalate to a supervisory authority.

7.4 Account Choices

• Marketing emails: Unsubscribe via link in emails or account settings
• Cookies: Manage via browser settings, our cookie banner, or the Cookie Preference Center
• Profile correction: Update your name, email, and profile information directly from your account settings page at any time (right to rectification)
• Account deletion: Request via settings or contacting support. A 14-day grace period applies during which you may cancel the deletion. See Section 5.2 for the full deletion timeline
• Data export: Download your ebooks, life stories, and account data in machine-readable format from your dashboard (right to data portability). Exports include JSON metadata and original file formats
• Consent withdrawal (GDPR Art. 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. Withdrawing consent is as easy as giving it -- you can withdraw by any of the following methods:
  • Email privacy@greatlibrary.ai with the subject "Withdraw Consent"
  • Use the cookie preference controls on our Cookie Policy page to revoke cookie consent
  • Click "unsubscribe" in any marketing email to withdraw marketing consent
  • Delete your account via Account Settings to withdraw all consent simultaneously
  We will process your withdrawal within 48 hours and confirm the action by email. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal

7.5 Data Portability -- Implementation Details

Under GDPR Article 20, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. Here is exactly how we implement this right:

7.5.1 What Is Included in Your Data Export

Data categories included in portability exports with file formats and contents

Data Category	Format	Contents
Account profile	JSON	Name, email, registration date, terms acceptance timestamp, subscription plan, preferences, profile settings
Ebooks	PDF, EPUB, JSON	Full ebook files in their generated formats plus structured JSON metadata (title, chapter structure, theme settings, creation date)
Cover images	PNG, JPEG	All generated cover, back cover, and flyleaf images at original resolution
Life Story interviews	JSON, PDF	Complete interview transcripts including questions, answers, and the generated narrative
Chat history	JSON	Sovereign Chat conversation logs with timestamps
API usage records	CSV	Timestamped log of AI generation requests, token counts, and operation types (costs excluded from portability as they are derived data)
Payment history	CSV	Invoice dates, amounts, subscription changes (full payment details remain with Stripe)

7.5.2 How to Request a Data Export

• Self-service (recommended): Go to Account Settings and select "Export My Data." A ZIP archive containing all the data categories above is generated and made available for download. Processing takes up to 24 hours for large accounts
• Email request: Send a request to dpo@greatlibrary.ai with the subject line "Data Portability Request." We will verify your identity and deliver the export within 30 days
• Direct transfer: If you wish to have your data transmitted directly to another controller (where technically feasible), specify the receiving controller and provide a secure transfer endpoint. We support SFTP and HTTPS delivery

7.5.3 Technical Specifications

• Archive format: ZIP file containing organized subdirectories for each data category
• Character encoding: UTF-8 throughout all text and JSON files
• JSON schema: All JSON exports follow documented schemas. A schema.json file is included in the export describing the structure of each data file
• File naming convention: Files are named descriptively (e.g., ebooks/my-book-title.pdf, profile/account.json) for easy navigation
• Integrity verification: A checksums.sha256 file is included so you can verify that no files were corrupted during transfer

7.5.4 Limitations on Portability

The right to data portability applies to personal data you have provided to us and that we process based on your consent or contract performance. The following are not included in portability exports:

• Data derived through our internal analysis (e.g., fraud risk scores, internal account flags)
• Data that would adversely affect the rights and freedoms of others (e.g., if your ebook includes identifiable third-party personal data provided by others)
• Data we process under a legal obligation basis (retained for tax or regulatory compliance)

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, primarily the United States, where our service providers operate. These countries may have different data protection laws than your home jurisdiction.

8.1 Where Your Data Is Processed

Where each service provider processes your data and applicable transfer safeguards

Service Provider	Data Processed	Processing Location	Transfer Mechanism
OpenAI	User prompts, chapter instructions	United States	SCCs + DPA
Google (Vertex AI, OAuth, Drive)	Prompts, auth tokens, file metadata	United States	SCCs + DPA + EU-US DPF
Microsoft (Azure AI, OAuth, OneDrive)	Prompts, auth tokens, file metadata	United States	SCCs + DPA + EU-US DPF
Stripe	Billing and transaction data	United States	SCCs + DPA + EU-US DPF
Railway	All application data (encrypted)	United States	SCCs + DPA
Sentry	Error logs (PII scrubbed)	United States	SCCs + DPA
Upstash (Redis)	Ephemeral request counters (no PII)	United States	DPA

8.2 Transfer Safeguards

When we transfer data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): As approved by the European Commission (Commission Implementing Decision 2021/914) for transfers from the EEA to countries without an adequacy decision
• UK International Data Transfer Agreement (IDTA): For transfers from the United Kingdom, in compliance with the UK GDPR and Data Protection Act 2018
• EU-US Data Privacy Framework (DPF): Where applicable, we rely on adequacy decisions and work with service providers certified under the DPF
• Data Processing Agreements (DPAs): Executed with all service providers, including data security obligations, breach notification requirements, and sub-processor restrictions
• Transfer Impact Assessments: We conduct transfer impact assessments to evaluate whether the laws of the destination country provide adequate protection for transferred data
• Supplementary measures: Where transfer impact assessments identify risks, we implement supplementary technical measures including encryption in transit and at rest, pseudonymization, and access controls
• Data minimization: We transfer only the minimum data necessary for each service provider to perform their function

8.4 Adequacy Decisions and Frameworks

The following table summarizes the adequacy decisions and legal frameworks we rely on for international data transfers from the EEA, UK, and Switzerland:

EU and UK adequacy decisions and data transfer frameworks applicable to our data flows

Destination Country	Adequacy Decision	Applicable Framework	Status
United States	EU-US Data Privacy Framework (adopted July 10, 2023)	DPF certification for applicable providers; SCCs as fallback for non-DPF-certified entities	Active
United States (UK transfers)	UK Extension to the EU-US DPF (adopted September 21, 2023)	UK IDTA / UK Addendum to EU SCCs for non-DPF-certified entities	Active
United States (Swiss transfers)	Swiss-US Data Privacy Framework (adopted January 31, 2024)	Swiss DPF certification for applicable providers; SCCs as fallback	Active

Monitoring commitment: We actively monitor the validity of adequacy decisions and transfer mechanisms. If any framework is invalidated by a court or regulatory authority (as occurred with Privacy Shield in the Schrems II decision), we will promptly transition to alternative transfer mechanisms (SCCs with supplementary measures) and notify affected users.

8.3 Your Rights Regarding International Transfers

• You may request a copy of the Standard Contractual Clauses and other safeguards we use by emailing dpo@greatlibrary.ai
• You may object to international transfers of your data, though this may limit our ability to provide the Service
• If you are in the EEA, UK, or Switzerland, you may lodge a complaint with your local data protection authority about our international transfers

8.5 Transfer Impact Assessment Summary

In accordance with the Schrems II judgment (C-311/18) and EDPB Recommendations 01/2020, we have conducted Transfer Impact Assessments (TIAs) for each international data transfer. The following table summarizes the assessment outcomes:

Summary of Transfer Impact Assessment results for each data recipient

Recipient	Data Transferred	Risk Assessment	Supplementary Measures
OpenAI (US)	User prompts, chapter text	Moderate -- US FISA 702 risk mitigated by API-only access, no bulk data storage, and transient processing (data deleted after 30 days per OpenAI's API policy)	TLS 1.2+ encryption in transit; DPA with SCCs; API data not used for training; no persistent storage of prompts by OpenAI beyond abuse monitoring window
Google (US)	Prompts, OAuth tokens, Drive metadata	Low-Moderate -- Google is DPF-certified; Vertex AI data governance ensures customer data isolation	EU-US DPF; SCCs; Vertex AI Customer Data Processing Addendum; OAuth tokens are session-scoped and expire
Microsoft (US)	Prompts, OAuth tokens, OneDrive metadata	Low-Moderate -- Microsoft is DPF-certified; Azure AI data privacy commitments	EU-US DPF; SCCs; Azure AI data not used for training; DPA with breach notification within 72 hours
Stripe (US)	Billing information, transaction data	Low -- Stripe is DPF-certified, PCI DSS Level 1 compliant, and subject to financial sector oversight	EU-US DPF; SCCs; PCI DSS encryption; tokenization of payment methods; no raw card data stored
Railway (US)	All application data (database)	Moderate -- infrastructure provider with broad access potential	SCCs; encryption at rest (AES-256) and in transit (TLS 1.2+); database access restricted to application layer; daily encrypted backups with geo-redundancy
Sentry (US)	Error logs (PII scrubbed)	Low -- PII is programmatically scrubbed before transmission; only technical error context retained	SCCs; PII scrubbing at source; data retention limited to 90 days; no user content transmitted

Assessment methodology: TIAs are reviewed annually or when there is a material change in the legal framework of a recipient country, a change in the data transferred, or a change in the recipient's data processing practices. The most recent review was conducted in April 2026.

Government access requests: To date, we have not received any government requests for user data under FISA 702, Executive Order 12333, or similar surveillance authorities. If we receive such a request, we will challenge it to the extent permitted by law and notify affected users unless legally prohibited from doing so. We publish a transparency report on government requests semi-annually (see our Acceptable Use Policy Section 8f).

9. Children's Privacy (COPPA Compliance)

The Service is not intended for children under 18 years of age. We take the protection of children's privacy seriously and comply with the Children's Online Privacy Protection Act ("COPPA"), GDPR age requirements, the UK Age Appropriate Design Code, and other applicable child protection regulations worldwide.

9.1 Age Restrictions and Verification

• Minimum age: You must be at least 18 years old to create an account or use GreatLibrary.AI
• No data collection from children: We do not knowingly collect personal information from children under 13 (COPPA threshold), under 16 (GDPR threshold), or under 18 (our service threshold)
• Age verification: Users represent and warrant their age during account registration. We may implement additional age verification measures where required by law

9.1a Age Verification Measures

We employ the following measures to prevent underage access to the Service:

Age verification requirements and our compliance measures across jurisdictions

Measure	Jurisdiction	Description
Self-declaration at registration	All	Users must confirm they are 18 or older during account creation
Terms acceptance gate	All	Users must accept Terms of Service, which include age requirements, before proceeding
Payment method verification	All (paid tiers)	Stripe payment processing provides an additional layer of age inference for paid accounts
Proactive monitoring	All	We may review accounts flagged by automated or manual signals suggesting underage use
Enhanced verification	Where required by law	We will implement age assurance mechanisms as mandated by applicable regulations (e.g., UK Online Safety Act, EU Digital Services Act)

9.2 Parental Rights (COPPA and GDPR)

If you are a parent or guardian and believe your child has provided us with personal information or created an account, you have the right to:

• Request disclosure: Ask us what personal information, if any, we have collected from your child
• Request deletion: Require us to delete all personal information collected from your child
• Refuse further collection: Direct us to stop any further collection or use of your child's data
• Withdraw consent: Under GDPR Article 8, where processing of a child's data was based on parental consent, you may withdraw that consent at any time
• Access information: Request details of what data was collected, how it was used, and whether it was disclosed to any third parties

Contact us immediately at privacy@greatlibrary.ai with subject line "COPPA -- Child Data Request" and include your name, your child's email or username, and your relationship to the child. We will verify your identity and respond within 48 hours.

9.2a Parental Verification Process

To protect children's safety, we verify parental identity before acting on COPPA requests. Our verification process includes:

1. Receipt of the parent/guardian request via email with required identifying information
2. Verification of parental relationship through one of: government-issued ID, signed parental consent form, or credit card verification (small temporary charge that is refunded)
3. Confirmation email sent to both the parent/guardian and the email address associated with the child's account (if different)
4. Action taken within 48 hours of successful verification

9.3 Our Response to Underage Users

If we become aware that we have collected personal information from a person under the applicable age threshold:

• We will immediately deactivate the account
• All personal data and generated content will be deleted within 48 hours
• We will notify the parent/guardian if contact information is available
• No data will be retained for any purpose, including legal compliance, except to the extent required to document the deletion for our own compliance records
• We will notify any third-party processors (OpenAI, Stripe, Google, Microsoft) to delete any data transmitted on behalf of the underage user

We do not knowingly use or disclose personal information from children for behavioral targeting of advertising, and we do not knowingly sell or share personal information of users under 16 years of age.

9.4 Educational Use and Institutional Accounts

If an educational institution wishes to use GreatLibrary.AI for students under 18, the institution must:

• Contact us at privacy@greatlibrary.ai to establish an institutional agreement
• Obtain and maintain verifiable parental consent for each student user, as required by COPPA and applicable state laws (e.g., FERPA, state student privacy laws)
• Designate an authorized administrator who will be responsible for student accounts
• Agree to additional data protection terms specific to educational use

We do not currently offer educational accounts. This section is provided for transparency regarding our position on potential future institutional use.

9.5 UK Age Appropriate Design Code (Children's Code)

In compliance with the UK Information Commissioner's Office Age Appropriate Design Code (the "Children's Code"), we apply the following standards. Although our Service is not targeted at children, we recognize our obligations should children access the platform:

UK Age Appropriate Design Code compliance measures

Standard	Our Approach
Best interests of the child	All design decisions prioritize child safety. We immediately terminate underage accounts and delete all data
Age-appropriate application	Service requires minimum age 18. Age verification at registration prevents access by children
Transparency	This privacy policy is written in clear language. Enforcement actions on underage accounts are communicated to parents/guardians
Data minimization	We collect only data necessary for the Service. No behavioral profiling is performed on any users
Default settings	Default privacy settings are the most privacy-protective available. No data sharing is enabled by default
Nudge techniques	We do not use nudge techniques to encourage children (or any users) to lower their privacy settings or provide more data than necessary
Profiling	We do not profile any users for behavioral advertising. See Section 12 (Automated Decision-Making) for details
Geolocation	We do not collect or use precise geolocation data from any users

10. Third-Party Links and Services

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal information.

10a. US State Privacy Rights (Beyond California)

In addition to the California rights described above, residents of the following US states have specific privacy rights under their respective state laws. We honor these rights for all eligible residents:

Virginia Consumer Data Protection Act (VCDPA)

If you are a Virginia resident, you have the right to:

• Confirm whether we are processing your personal data and access that data
• Correct inaccuracies in your personal data
• Delete personal data you have provided or that we have obtained
• Obtain a portable copy of your personal data in a readily usable format
• Opt out of the processing of your personal data for targeted advertising, sale of data, or profiling in furtherance of decisions that produce legal or similarly significant effects

We do not sell personal data, engage in targeted advertising, or profile consumers for decisions producing legal effects. You may appeal any refusal to act on your request by contacting privacy@greatlibrary.ai with the subject line "VCDPA Appeal".

Colorado Privacy Act (CPA)

If you are a Colorado resident, you have rights similar to those under the VCDPA, including the right to access, correct, delete, and port your personal data, and to opt out of targeted advertising, sale, and certain profiling. To exercise these rights, contact privacy@greatlibrary.ai with the subject line "Colorado CPA Request".

Connecticut Data Privacy Act (CTDPA)

If you are a Connecticut resident, you have the right to access, correct, delete, and port your personal data, and to opt out of the sale of personal data, targeted advertising, and profiling. We honor these rights as described in our general data rights procedures above. Contact privacy@greatlibrary.ai with the subject line "CTDPA Request".

Universal Opt-Out Mechanisms

We recognize and honor Global Privacy Control (GPC) signals transmitted by your browser as valid opt-out requests under applicable US state privacy laws, including the CCPA, CPA, CTDPA, and VCDPA. When we detect a GPC signal:

• We treat it as a valid opt-out request for the sale or sharing of personal data
• We disable any non-essential tracking that would otherwise require consent
• No additional action is required on your part beyond enabling GPC in your browser

You can enable GPC in supported browsers or extensions. For more information, visit globalprivacycontrol.org.

11. Do Not Track Signals

Some browsers have a "Do Not Track" (DNT) feature. While there is no universal standard for responding to DNT signals, we take the following approach:

• Global Privacy Control (GPC): We recognize and honor GPC signals as valid opt-out requests under applicable privacy laws, as described in Section 10a above
• Legacy DNT: We do not currently alter our data collection practices in response to legacy DNT header signals, as there is no industry-wide consensus on their interpretation
• Cookie controls: Regardless of DNT settings, you can manage tracking through our cookie banner, the Cookie Preference Center, or your browser settings

12. Automated Decision-Making and Profiling (GDPR Art. 22)

In accordance with GDPR Article 22, we disclose the following about automated processing on our platform. Under Art. 22(1), you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

12.1 Automated Processing We Perform

Inventory of automated processing activities, their legal basis, and human oversight

Process	Type	Legal Basis	Produces Legal Effects?	Human Oversight
AI content generation (text, covers)	Automated processing at your request	Contract performance (Art. 6(1)(b))	No	You review and approve all output before use
Rate limiting / abuse detection	Automated restriction	Legitimate interest (Art. 6(1)(f))	No -- temporary access restriction only	Manual review available on appeal
Fraud detection (via Stripe)	Automated assessment by third party	Legitimate interest (Art. 6(1)(f))	May affect payment processing	Stripe provides appeal mechanisms; we can escalate
Subscription tier feature gating	Rule-based access control	Contract performance (Art. 6(1)(b))	No	Determined by your chosen plan
Content moderation flags	AI-assisted review	Legitimate interest (Art. 6(1)(f))	May restrict content publication	Human review before enforcement action

12.2 Profiling

We do not engage in profiling as defined under GDPR Article 4(4) for the purposes of:

• Evaluating personal aspects relating to your work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements
• Making credit or insurance decisions
• Targeted advertising based on personal characteristics
• Differential pricing based on user profiles

We may use aggregated, anonymized usage data (e.g., overall feature popularity, average generation times) to improve our Service. This does not constitute profiling under GDPR as it does not relate to identified or identifiable individuals.

12.3 Your Rights Regarding Automated Decisions

Under GDPR Article 22, you have the right to:

• Request human intervention: Ask that a human reviews any automated decision that affects you
• Express your point of view: Provide additional context or information relevant to the decision
• Contest the decision: Challenge the outcome and request reconsideration
• Obtain an explanation: Receive meaningful information about the logic involved in any automated decision-making

To exercise any of these rights, contact us at privacy@greatlibrary.ai with the subject line "Automated Decision Review Request". We will respond within 30 days (or sooner if required by your jurisdiction's laws).

12.3a Human Intervention Process (GDPR Art. 22(3))

When you request human intervention in an automated decision, the following process applies:

1. Acknowledgment: We acknowledge your request within 3 business days and confirm which automated decision is under review
2. Suspension: The effects of the automated decision are suspended during the review period (for example, if content was automatically flagged or restricted, the restriction is paused pending human review)
3. Review: A qualified staff member who was not involved in configuring the automated system reviews the decision, considering your input and any additional context you have provided
4. Decision: You receive a written explanation of the human reviewer's decision within 15 business days, including the reasoning and any change to the original outcome
5. Further recourse: If you disagree with the human review outcome, you may escalate to our Data Protection Officer at dpo@greatlibrary.ai, or lodge a complaint with your supervisory authority (see Section 7.3c)

12.4 AI Transparency Notice

13. Cookies and Tracking Technologies

We use the following cookies and similar technologies. For full details, see our Cookie Policy.

Summary of cookies and tracking technologies used on our platform

Cookie Name	Category	Purpose	Duration
session	Strictly Necessary	Maintains authenticated user session	Browser session
csrf_token	Strictly Necessary	Cross-site request forgery protection	Browser session
remember_token	Strictly Necessary	Persistent login ("Remember me")	30 days
gl_cookie_consent	Strictly Necessary	Records user cookie consent choice	1 year
theme	Functional	Stores dark/light mode preference	1 year
_ga, _gid, _gat	Analytics	Google Analytics (anonymized usage)	Up to 2 years

Non-essential cookies (functional and analytics) are only set after you provide consent via our cookie banner. You may change your preferences at any time on our Cookie Policy page.

13.1 Cookie Consent and Data Collection

Your cookie consent preferences directly affect what personal data we collect and how we process it. This section explains the relationship between cookie choices and data collection.

Impact of each cookie consent choice on what data is collected

Cookie Category	If You Accept	If You Decline
Strictly Necessary	Always active. Session data, CSRF protection, and login state are collected to operate the platform securely.	Cannot be declined. These are essential for the Service to function.
Functional	Your preferences (theme, language) are stored locally and remembered across visits.	Preferences reset each visit. No functional data is persisted in cookies.
Analytics	Anonymized usage data is collected via Google Analytics to improve the Service. Page views, session duration, and feature usage are recorded without identifying you personally.	No analytics cookies are set. No usage data is sent to Google Analytics. We retain only server-side aggregate metrics (total page views) that contain no personal data.

How to change your preferences: Visit our Cookie Policy page and use the interactive cookie manager to update your choices at any time. Changes take effect immediately. You can also clear existing cookies through your browser settings (see our mobile and desktop cookie management guides).

Consent records: We maintain a tamper-evident log of your consent choices including the timestamp, version of the cookie policy shown, and specific categories accepted or rejected. These records are retained for the duration required by applicable law (typically 3 years for GDPR, 5 years for UK GDPR). See our Consent Record Keeping section for details.

14. Privacy by Design

GreatLibrary.AI is built with privacy as a foundational principle, not an afterthought. In accordance with GDPR Article 25, we implement the following privacy-by-design and privacy-by-default measures:

• Data minimization: We collect only the minimum personal data necessary for each function. AI prompts are sent to providers without attaching your identity; only your content is transmitted
• Purpose limitation: Data collected for one purpose is not repurposed without your consent. Account data is used for account management, payment data for billing, and content data for generation only
• Storage limitation: We define and enforce retention periods for every data category (see Section 5). Temporary data such as uploaded reference files is auto-deleted within 24 hours
• Pseudonymization: Where feasible, we use pseudonymous identifiers rather than directly identifying information in our analytics and logging systems
• Privacy-friendly defaults: New accounts default to the most privacy-protective settings. Marketing communications require explicit opt-in. Non-essential cookies require consent before activation
• Security by design: All data is encrypted in transit (TLS 1.2+) and at rest. Passwords use PBKDF2-SHA256 with per-user salts. Sessions use HttpOnly, Secure, SameSite cookies
• Transparency: We maintain a public sub-processor list, publish this detailed privacy policy, and provide a dedicated DPO contact for privacy inquiries

14.1 Privacy Engineering Practices

We embed privacy into our software development lifecycle through the following engineering practices:

• Privacy threat modeling: Before building new features that handle personal data, we conduct privacy threat modeling to identify potential risks, data exposure points, and attack vectors. Each feature undergoes a privacy review before deployment
• Data classification: All data fields in our system are classified by sensitivity level (public, internal, confidential, restricted). Restricted data (passwords, payment tokens) receives the highest level of protection with encryption, access logging, and strict need-to-know access controls
• Least privilege access: Database access, API keys, and administrative permissions follow the principle of least privilege. Production database access is limited to automated systems and authorized personnel with audit logging enabled on all access
• PII scrubbing in logs: Application logs are configured to automatically redact email addresses, IP addresses, session tokens, and other personally identifiable information before storage. Sentry error reports use custom scrubbing rules to strip PII from stack traces and breadcrumbs
• Secure deletion: When data is deleted (account deletion, ebook removal), we perform cryptographic erasure or overwrite rather than simple logical deletion, ensuring data cannot be recovered from backups after the retention window expires
• Input sanitization: All user inputs are validated and sanitized server-side to prevent injection attacks, path traversal, and data leakage. File uploads are scanned and stored in isolated directories with randomized names
• Dependency auditing: Third-party libraries and dependencies are regularly audited for known vulnerabilities. We use automated tools to detect and patch security issues in our supply chain

14.2 Privacy by Default Configuration

Every new account is created with the following privacy-protective default settings, in accordance with GDPR Article 25(2):

• Ebooks are set to private by default -- nothing is published to the public storefront unless you explicitly choose to publish
• Marketing and promotional emails are opted-out by default -- you must explicitly opt in to receive them
• Non-essential cookies (analytics, functional) are blocked by default until you provide consent via the cookie banner
• Cloud storage integrations (Google Drive, OneDrive) are disconnected by default -- you must explicitly authorize each connection
• Public profile visibility is disabled by default -- your author name and profile are not visible on the storefront until you choose to list a book for sale
• AI-generated content is not shared with AI providers for training by default -- we use API agreements that prohibit the use of your content for model training

14.2a Consent Management Lifecycle (GDPR Art. 7)

Where we rely on consent as the legal basis for processing (Art. 6(1)(a)), the following lifecycle applies:

Stages of the consent lifecycle from collection to withdrawal

Stage	Requirements Met	Implementation
Collection	Freely given, specific, informed, unambiguous (Art. 4(11)); clear affirmative action; no pre-ticked boxes	Separate opt-in checkboxes for each consent purpose (marketing, non-essential cookies, Life Story data). Plain language descriptions of what you are consenting to. Consent is recorded with timestamp, purpose, and version of the policy presented
Record-keeping	Demonstrable consent (Art. 7(1)); records must prove who consented, when, to what, and how	We store: user ID, consent timestamp, consent purpose, policy version accepted, IP address at time of consent, and whether consent was given via registration form, cookie banner, or in-app prompt. Records are included in data exports
Withdrawal	As easy to withdraw as to give (Art. 7(3)); effective without detriment	Marketing: one-click unsubscribe link in every email. Cookies: re-open cookie preferences from the footer at any time. Life Story: delete from Account Settings. ToS/Privacy: delete account (Section 7). Withdrawal takes effect within 24 hours and does not affect the lawfulness of processing before withdrawal
Renewal	Consent must be refreshed if purposes change or after a reasonable period	If we materially change the processing purpose, we request renewed consent before the new purpose takes effect. We review consent validity annually and may prompt users to reconfirm if the original consent is older than 24 months
Special categories (Art. 9)	Explicit consent required for sensitive data	Life Story biographical data that may reveal racial/ethnic origin, political opinions, religious beliefs, or health information requires explicit, granular consent presented before the interview begins, with specific disclosure of how this sensitive data will be processed

Consent independence: Consent to one purpose does not imply consent to another. Declining marketing consent does not affect your ability to use the Service. We never bundle consent -- each processing purpose has its own consent mechanism.

14.3 Data Minimization Audit

We regularly audit our data collection practices against the GDPR principle of data minimization (Art. 5(1)(c)). The following table documents the results of our most recent audit, showing each data point we collect, why it is necessary, and what alternative (less data-intensive) approaches we considered.

Last audit date: April 15, 2026. Next scheduled audit: July 2026. Audit results are reviewed by the Data Protection Officer.

14a. Data Flow Diagram

The following diagram shows how your data moves through our system when you use GreatLibrary.AI. Understanding this flow helps you make informed decisions about your privacy.

14a.1 Third-Party Data Connections Map

The following visual shows all external services that receive data from GreatLibrary.AI, categorized by their function.

14a2. Third-Party Data Transmission Audit

The following table provides a complete audit of every external data transmission from GreatLibrary.AI, including what data is sent, why, and the data minimization measures applied.

This audit is reviewed quarterly. The last review was completed in April 2026. No unauthorized data transmissions were identified. If you have questions about any specific data flow, contact dpo@greatlibrary.ai.

14b. Your Privacy Controls

You have multiple ways to control how your data is used on GreatLibrary.AI. Use the links below to manage your privacy settings.

14c. Data Protection Impact Assessments

In accordance with GDPR Article 35, we conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals' rights and freedoms. We have completed DPIAs for the following processing operations:

• AI content generation: Assessment of risks arising from sending user prompts to third-party AI providers, including data minimization measures, provider selection criteria, and contractual safeguards
• Life Story feature: Assessment of the processing of sensitive biographical data, including enhanced security controls, purpose limitation, and user deletion rights
• Storefront payments: Assessment of payment data processing through Stripe, including PCI DSS compliance verification and data flow mapping
• OAuth integrations: Assessment of data shared during Google and Microsoft authentication, including scope limitation and token security

DPIAs are reviewed and updated whenever there is a significant change to the processing activity. Summaries of our DPIAs are available upon request from our Data Protection Officer at dpo@greatlibrary.ai.

14c.1 Privacy Impact Assessment Summary

The following table provides a public summary of our most recent privacy impact assessments. Full DPIA documents are available to supervisory authorities upon request.

Data protection impact assessment results for high-risk processing activities

Processing Activity	Risk Level (Pre-Mitigation)	Key Mitigations	Residual Risk	Last Reviewed
AI text generation via OpenAI	High	Data Processing Agreement (DPA) with OpenAI; zero data retention policy; no model training on user data; content transmitted without user identity metadata	Low	April 2026
AI image generation (covers)	High	DPA with OpenAI; image prompts contain no PII; generated images stored only in user's account; prompt text not logged beyond 30 days	Low	April 2026
Life Story biographical interviews	High	Special category data protections (Art. 9); enhanced encryption; user controls for deletion; no third-party sharing of interview transcripts; data isolated per user	Medium	April 2026
Payment processing (Stripe)	Medium	PCI DSS Level 1 compliance (Stripe); no storage of full card numbers; tokenized payment methods; webhook signature verification	Low	April 2026
OAuth authentication (Google, Microsoft)	Medium	Minimal scope requests (email, profile only); token refresh rotation; no persistent third-party access; user can revoke OAuth at any time	Low	April 2026
Cloud export (Google Drive, OneDrive)	Medium	User-initiated only; one-time file transfer (no persistent access); files encrypted in transit (TLS 1.2+); OAuth scopes limited to file write	Low	April 2026
Account data and analytics	Low	Pseudonymization of analytics data; IP anonymization in Google Analytics; data minimization in logging; automatic log rotation (30 days)	Low	April 2026

14d. Additional International Privacy Rights

In addition to GDPR and CCPA rights described above, we recognize and respect privacy rights under the following international frameworks:

Brazil -- Lei Geral de Protecao de Dados (LGPD)

If you are located in Brazil, you have rights under the LGPD (Law No. 13,709/2018), including:

• Confirmation of the existence of processing of your data
• Access to your personal data
• Correction of incomplete, inaccurate, or outdated data
• Anonymization, blocking, or deletion of unnecessary or excessive data
• Data portability to another service provider
• Deletion of personal data processed with your consent
• Information about public and private entities with which your data has been shared
• Information about the possibility of denying consent and the consequences thereof
• Revocation of consent

To exercise your LGPD rights, contact our Data Protection Officer at dpo@greatlibrary.ai with the subject line "LGPD Rights Request".

Canada -- Personal Information Protection and Electronic Documents Act (PIPEDA)

If you are located in Canada, you have rights under PIPEDA, including:

• Access to your personal information held by us
• The right to challenge the accuracy and completeness of your information and have it amended
• The right to withdraw consent for the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions)
• The right to file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca

South Africa -- Protection of Personal Information Act (POPIA)

If you are located in South Africa, you have rights under POPIA, including:

• The right to be notified that your personal information is being collected and the purpose thereof
• The right to request access to your personal information
• The right to request correction or deletion of your personal information
• The right to object to the processing of your personal information
• The right to submit a complaint to the Information Regulator at inforegulator.org.za

Australia -- Privacy Act 1988 and Australian Privacy Principles (APPs)

If you are located in Australia, you have rights under the Privacy Act 1988 and the APPs, including:

• The right to access your personal information
• The right to request correction of your personal information
• The right to complain about a breach of the APPs to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au

For all international privacy rights requests, contact dpo@greatlibrary.ai. We aim to respond within the timeframe required by the applicable law in your jurisdiction.

14e. Data Subject Access Request (DSAR)

Under the GDPR (Articles 15-22), CCPA, and other applicable privacy laws, you have the right to submit a formal Data Subject Access Request. We provide the template below to help you exercise your rights efficiently. You may submit a DSAR by email to dpo@greatlibrary.ai using the format below, or by writing a free-form email describing your request.

14e.1 DSAR Submission Template

14e.2 DSAR Processing Timeline

Data subject access request response deadlines for each jurisdiction

Jurisdiction	Applicable Law	Response Deadline	Extension Allowed
European Economic Area	GDPR	30 calendar days	Up to 60 additional days (complex requests)
United Kingdom	UK GDPR / DPA 2018	30 calendar days	Up to 60 additional days (complex requests)
California, USA	CCPA / CPRA	45 calendar days	Up to 45 additional days (with notice)
Virginia, USA	VCDPA	45 calendar days	Up to 45 additional days (with notice)
Brazil	LGPD	15 business days	Case-by-case basis
Canada	PIPEDA	30 calendar days	Extension with written notice
All other jurisdictions	Best practice	30 calendar days	Up to 30 additional days (with notice)

14e.3 Identity Verification

To protect your privacy and prevent unauthorized access to your data, we verify the identity of all DSAR requesters before processing a request:

• Account holders: We verify your identity by matching the request email against your registered account email. We may send a verification code to your registered email address
• Non-account holders: We may ask you to provide two forms of identification matching the data we hold
• Authorized agents: If you submit a DSAR on behalf of another person (e.g., as their legal representative), you must provide written authorization from the data subject and proof of your own identity

We will not charge a fee for reasonable DSAR requests. If a request is manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable administrative fee or refuse to act, in accordance with GDPR Article 12(5).

14f. Cross-Border Data Transfer Framework

GreatLibrary.AI is operated by Alexandria AI Systems. Our primary infrastructure is hosted in the United States via Railway. This section provides detailed documentation of our cross-border data transfer mechanisms, supplementing the summary in Section 8.

14f.1 Adequacy Decisions

Where possible, we rely on adequacy decisions issued by the European Commission or the UK Secretary of State to authorize cross-border data transfers. As of the date of this policy, the following relevant adequacy decisions apply to our operations:

EU and UK adequacy decisions applicable to our cross-border data transfers

Decision	Scope	Status
EU-US Data Privacy Framework	Transfers from EEA to DPF-certified US organizations	Active (Commission Implementing Decision C(2023) 4745, adopted July 10, 2023)
UK Extension to EU-US DPF	Transfers from UK to DPF-certified US organizations	Active (UK Data Bridge, effective October 12, 2023)
Swiss-US Data Privacy Framework	Transfers from Switzerland to DPF-certified US organizations	Active

We verify the DPF certification status of our US-based sub-processors (including OpenAI, Google, Microsoft, Stripe, and Sentry) and document their certification in our sub-processor register. Where a sub-processor is not DPF-certified, we rely on Standard Contractual Clauses as described below.

14f.2 Standard Contractual Clauses (SCCs)

For transfers from the EEA to countries that do not benefit from an adequacy decision, we execute Standard Contractual Clauses (SCCs) as approved by the European Commission under Implementing Decision 2021/914 of 4 June 2021. Our SCC arrangements include:

• Module 2 (Controller to Processor): Applied to transfers to sub-processors who process personal data on our behalf (e.g., Railway for hosting, Sentry for error tracking)
• Module 3 (Processor to Sub-processor): Applied where our processors engage their own sub-processors who receive EEA personal data
• Supplementary measures: In accordance with EDPB Recommendations 01/2020, we implement supplementary technical, organizational, and contractual measures where transfer impact assessments identify risks in the destination country

14f.3 UK International Data Transfer Mechanisms

For transfers from the United Kingdom, we use the following mechanisms in accordance with the UK GDPR and Data Protection Act 2018:

• UK International Data Transfer Agreement (IDTA): The standalone contractual framework issued by the UK Information Commissioner's Office (ICO) under Section 119A of the Data Protection Act 2018
• UK Addendum to EU SCCs: Where appropriate, we use the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022)
• Transfer Risk Assessments: We conduct transfer risk assessments (TRAs) for each destination country, evaluating the legal framework for government access to data, rule of law indicators, and the effectiveness of data subject rights

14f.4 Supplementary Technical Measures

Regardless of the legal mechanism used, we implement the following supplementary technical measures for all cross-border data transfers:

• Encryption in transit: All data transfers use TLS 1.2 or higher encryption
• Encryption at rest: Data stored at rest in destination countries is encrypted using AES-256 or equivalent
• Pseudonymization: Where feasible, we pseudonymize personal data before transfer, ensuring the re-identification key is stored separately from the transferred data
• Access controls: Strict role-based access controls limit who can access transferred personal data at each sub-processor
• Audit rights: Our data processing agreements with sub-processors include audit rights allowing us to verify compliance with data protection obligations
• Data minimization: Only the minimum personal data necessary for the sub-processor's function is transferred

14f.5 Requesting Transfer Documentation

You have the right to request copies of the following documents related to our cross-border data transfers:

• Standard Contractual Clauses (with confidential commercial terms redacted)
• Transfer Impact Assessments (summary version)
• Sub-processor register with transfer mechanisms noted
• UK IDTA or Addendum (where applicable)

To request these documents, contact our Data Protection Officer at dpo@greatlibrary.ai with the subject line "Transfer Documentation Request". We will respond within 30 calendar days.

14g. AI Data Processing Addendum

14g.1 How AI Models Process Your Content

GreatLibrary.AI uses third-party AI models to generate ebook content, covers, and other creative outputs. This section explains exactly what data is sent, how it is processed, and what happens to it afterward.

14g.2 Data Sent to AI Providers

When you use AI-powered features, the following data may be transmitted to our AI provider (currently OpenAI):

Data transmitted to AI providers by feature

Feature	Data Sent	AI Model Used	Data Retained by Provider
Chapter Generation	Book title, outline, chapter title, user prompts, reference material excerpts	GPT-4o / GPT-4o-mini	Up to 30 days for abuse monitoring, then deleted
Outline Generation	Book title, topic description, user preferences	GPT-4o-mini	Up to 30 days for abuse monitoring, then deleted
Cover Generation	Text prompt describing desired cover (no user images uploaded)	gpt-image-1 / DALL-E 3	Up to 30 days for abuse monitoring, then deleted
Text Enhancement	Selected text passage for improvement	GPT-4o-mini	Up to 30 days for abuse monitoring, then deleted
Sovereign Chat	Conversation messages within the session	GPT-4o-mini	Up to 30 days for abuse monitoring, then deleted
Life Story Interview	Interview questions and user responses within session	GPT-4o	Up to 30 days for abuse monitoring, then deleted

14g.3 What Is NOT Sent to AI Providers

• Your email address, password, or account credentials
• Your payment information or Stripe customer ID
• Your IP address or browser fingerprint
• Other users' content or data
• Your complete ebook files (only the specific chapter or section being generated is sent)

14g.4 AI Training Data Usage

• OpenAI API Terms: Per OpenAI's API Data Usage Policy, API inputs and outputs are not used for model training
• Retention for abuse monitoring: OpenAI may retain API data for up to 30 days solely for abuse and misuse monitoring, after which it is automatically deleted
• Zero data retention option: We have opted into OpenAI's zero-data-retention policy where available, minimizing even the 30-day abuse monitoring window
• No secondary use: We do not use your AI-generated content for any purpose other than delivering it back to you as part of the Service

14g.5 User Opt-Out Options

While AI processing is core to the Service, you have the following controls:

• Manual editing only: You may use the platform's editor without invoking AI features. Content typed directly is never sent to AI providers
• Reference material control: You choose which reference materials (if any) to upload. No reference material is sent to AI providers without your explicit action of generating a chapter
• Data export: You can export all your content at any time via Settings and retain full control of your data outside the platform
• Account deletion: Upon account deletion, all your content and associated AI processing records are permanently erased (see Section 14e for DSAR procedures)

14g.6 AI Processing Safeguards

• Encryption in transit: All data sent to AI providers is transmitted over TLS 1.2+ encrypted connections
• API key security: API credentials are stored as environment variables, never in source code or client-side code
• Input sanitization: User inputs are validated and length-limited before being sent to AI providers to prevent prompt injection attacks
• Output filtering: AI-generated content is checked for known harmful patterns before being displayed to users
• Cost tracking: Every AI API call is logged with the operation type, model used, token count, and cost. This data does not include the content of the prompts or responses

14g.7 EU AI Act Compliance (Regulation (EU) 2024/1689)

The EU AI Act imposes transparency and data governance obligations on deployers of AI systems. As a deployer of general-purpose AI systems, GreatLibrary.AI has implemented the following measures related to personal data processing:

• Transparency (Art. 50): All content generated through our platform is produced by AI systems. Users are informed at the point of generation that the output is AI-generated. Users who distribute AI-generated content within the EU must ensure it is clearly marked as artificially generated or manipulated in accordance with Article 50(2)
• Data governance (Art. 10): Personal data used as input for AI processing is subject to the data minimization, purpose limitation, and storage limitation safeguards described in this Privacy Policy. We transmit only the minimum data necessary for each AI operation (see Section 14g.2)
• Human oversight (Art. 14): All AI-generated outputs are presented to users for review and editing before final use. No AI-generated content is published or distributed without user approval
• Record-keeping (Art. 12): We maintain logs of AI system usage, including model type, operation, and timestamp, as part of our API cost tracking system. These records are available for regulatory inspection upon lawful request
• Risk classification: GreatLibrary.AI's use of AI for creative content generation (text and images) is classified as limited-risk under the EU AI Act. We do not deploy high-risk AI systems, nor do we engage in any prohibited AI practices listed in Article 5
• Data Protection Impact Assessment: Our DPIA (see Section 14c) has been updated to account for AI Act obligations, including the assessment of fundamental rights impacts of AI processing on personal data

For questions regarding our EU AI Act compliance, contact our Data Protection Officer at dpo@greatlibrary.ai.

14h. Data Breach Notification Procedure

14h.1 Detection and Assessment (GDPR Art. 33)

Upon discovering a suspected personal data breach, we will:

1. Identify and contain: Immediately isolate affected systems to prevent further unauthorized access
2. Assess scope: Determine the categories of data affected, the number of data subjects involved, and the likely consequences of the breach
3. Document: Record the facts of the breach, its effects, and the remedial actions taken, as required by GDPR Art. 33(5)
4. Classify severity: Categorize the breach as Low (no risk to rights and freedoms), Medium (risk exists but is limited), or High (high risk to rights and freedoms of individuals)

14h.2 Supervisory Authority Notification (GDPR Art. 33)

For breaches that pose a risk to the rights and freedoms of natural persons:

• Timeline: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach
• Content of notification: The notification will include the nature of the breach, categories and approximate number of data subjects affected, the DPO's contact details, likely consequences, and measures taken or proposed to address the breach
• Phased reporting: If complete information is not available within 72 hours, we will provide information in phases without undue further delay, as permitted by Art. 33(4)

14h.3 Data Subject Notification (GDPR Art. 34)

For breaches that pose a high risk to the rights and freedoms of natural persons:

• Timeline: We will notify affected individuals without undue delay, and in any case within 7 calendar days of classifying the breach as high-risk
• Method: Notification will be sent via the email address associated with your account. If email is unavailable or unreliable, we will use a prominent notice on our website
• Content of notification: The notification will include, in clear and plain language: the nature of the breach, the DPO's contact details, likely consequences, measures taken to address the breach, and recommended steps you should take to protect yourself

14h.4 Categories of Data Potentially Affected

In the event of a breach, the following categories of personal data could potentially be affected:

Categories of data that could be affected in a breach

Data Category	Risk Level	Protection Measures
Account credentials (email, hashed password)	High	Passwords are hashed using PBKDF2-SHA256 with per-user salts; plaintext passwords are never stored
Ebook content and metadata	Medium	Stored with access controls; only the owning user can access their content
Payment metadata (Stripe customer ID, plan type)	Medium	Full payment card details are held by Stripe, not by us
Life story interview responses	High	Sensitive personal narratives; encrypted at rest, access-controlled per user
API usage logs (operations, token counts)	Low	Does not contain prompt or response content; aggregated for cost tracking

14h.5 Remediation Steps

Following any confirmed breach, we will:

• Force password reset: If credentials may have been exposed, we will require all affected users to reset their passwords
• Revoke sessions: All active sessions for affected users will be invalidated
• Rotate API keys: All third-party API credentials (OpenAI, Stripe, OAuth) will be rotated immediately
• Engage forensic review: An independent security assessment will be conducted to determine the root cause and prevent recurrence
• Update security measures: Based on findings, we will implement additional safeguards and update our security practices
• Publish incident report: Within 30 days of resolution, we will publish a transparent incident report describing what happened, what data was affected, and what we have done to prevent it from happening again

14h.6 US State Breach Notification

In addition to GDPR obligations, we comply with US state breach notification laws, including but not limited to:

• California (Cal. Civ. Code 1798.82): Notification to affected California residents without unreasonable delay
• New York (SHIELD Act): Notification to affected New York residents within the timeframes specified by the Act
• Other US states: Compliance with the breach notification requirements of each state where affected users reside

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We categorize changes as follows:

15.1 Material Changes

Material changes include modifications to how we collect, use, share, or protect your personal data, or changes that affect your rights. For material changes:

• Email notification: We will send a notification to the email address associated with your account at least 30 days before the changes take effect
• In-app banner: A prominent banner will be displayed within the application for 30 days, linking to the updated Privacy Policy with a summary of what changed
• Version history: We will update the version history table (Section 17) with a summary of what changed and why
• Last updated date: The date at the top of this page will be updated
• Re-consent where required: If changes affect processing based on your consent, we will request your renewed consent before the new practices take effect

15.2 Non-Material Changes

Non-material changes include typographical corrections, formatting improvements, clarifications that do not alter the scope of data processing, and updates to contact information. For non-material changes, we will update the page and version history without advance notice.

15.3 Your Options

• Accept: Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy
• Decline: If you do not agree to the updated Privacy Policy, you must stop using the Service before the changes take effect. You may export your data before discontinuing use
• Request clarification: Contact privacy@greatlibrary.ai if any change is unclear and we will provide an explanation

We encourage you to review this Privacy Policy periodically. Previous versions are available upon request by contacting privacy@greatlibrary.ai.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

• Privacy inquiries: privacy@greatlibrary.ai
• General support: support@greatlibrary.ai
• Website: https://greatlibrary.ai

Company: Alexandria AI Systems

Registered Address: Alexandria AI Systems, Abu Dhabi, United Arab Emirates

Security reports: security@greatlibrary.ai

Data Protection Officer (DPO)

Our Data Protection Officer oversees all data privacy matters and can be reached for GDPR, CCPA, LGPD, and other privacy-related inquiries:

• DPO Email: dpo@greatlibrary.ai
• Subject line format: Please include the relevant regulation (e.g., "GDPR Inquiry", "CCPA Request", "LGPD Rights") in your subject line for faster routing
• Response time: We acknowledge all DPO inquiries within 3 business days and provide a substantive response within the timeframes required by the applicable law in your jurisdiction (see Section 14e.2 for specific timelines)

EU Representative (GDPR Art. 27)

If you are located in the European Economic Area and wish to exercise your rights under the GDPR, you may also contact our EU Representative at eu-representative@greatlibrary.ai.

17. Version History

We maintain a record of material changes to this Privacy Policy for transparency:

Version history showing date and summary of changes for each Privacy Policy revision

Version	Date	Summary of Changes
5.4	May 2, 2026	Cookie consent compliance upgrade: deployed granular cookie category preferences (essential, functional, analytics, marketing) across all 30 templates per GDPR Article 7 and ePrivacy Directive requirements. Added "Manage Preferences" button to cookie consent banners, allowing users to toggle individual cookie categories rather than only accept-all or reject-all. Added revocable cookie consent via Settings page "Manage Cookies" control (GDPR Art. 7(3) withdrawal of consent). Per-category consent choices now persisted in localStorage for downstream enforcement
5.3	May 2, 2026	Third-party data transmission audit (Section 14a2): added Gmail SMTP (transactional email data flow), Railway hosting (application log data flow), and Google Fonts CDN (font-loading HTTP request data flow) disclosures. These three previously undisclosed external data transmissions are now documented with data-sent, data-not-sent, and minimization measures per GDPR Articles 13 and 14 transparency requirements
5.1	April 30, 2026	Compliance review: updated review date and version badge to reflect April 30, 2026 audit cycle. Verified all third-party processor disclosures remain accurate (OpenAI, Stripe, Google, Microsoft, Sentry, Railway). Confirmed account deletion flow completeness against GDPR Article 17 requirements including Stripe customer record deletion, life story data purge, and payment record anonymization for tax compliance retention
5.0	April 23, 2026	Accessibility pass (WCAG 2.1 AA): added aria-label attributes to 3 tables missing them (UK Children's Code, AI provider data, breach categories). Fixed heading hierarchy (WCAG 1.3.1) converting incorrectly-nested h3 sub-headings to h4 elements across breach response (6.3), right to object (7.1a), data portability (7.5), and related sub-sections. Added aria-label to 5 privacy control links (Section 14b) for screen reader clarity. Added h4 styling for screen and print. Updated print stylesheet page-break rules to include h4
4.9	April 23, 2026	Added Transfer Impact Assessment Summary (8.5) per Schrems II judgment and EDPB Recommendations 01/2020 with per-recipient risk assessments and supplementary measures for OpenAI, Google, Microsoft, Stripe, Railway, and Sentry. Added government access request transparency commitment and assessment methodology disclosure. Added CCPA/CPRA annual request metrics disclosure (7.2b). Updated TOC with TIA section reference
4.8	April 23, 2026	Added Data Processor Agreements Disclosure (4.1b) documenting GDPR Art. 28 mandatory DPA provisions across 9 requirement areas: subject matter, documented instructions, confidentiality, security measures, sub-processor engagement, data subject rights assistance, deletion/return, audit rights, and breach notification. Added sub-processor change notification process and DPA request procedures. Updated TOC with DPA section reference
4.7	April 23, 2026	Added EU AI Act (Regulation (EU) 2024/1689) compliance subsection (14g.7) documenting transparency obligations under Article 50, data governance measures under Article 10, human oversight provisions under Article 14, record-keeping under Article 12, risk classification as limited-risk, and DPIA alignment with AI Act fundamental rights impact assessment. Updated TOC with EU AI Act sub-entry reference
4.6	April 15, 2026	Final compliance review: verified children's privacy section (Section 9) covers COPPA minimum age 13, GDPR threshold 16, and service threshold 18 with parental rights, age verification, and educational use provisions. Confirmed data breach notification procedure (Section 14h) includes 72-hour authority notification and 7-day user notification. Verified last-reviewed date displayed in human-readable format. Validated all 28 table-of-contents anchor links match corresponding section IDs
4.5	April 15, 2026	Added accessible table captions (sr-only) to all 22 data tables for WCAG 1.3.1 compliance. Updated version badge to v4.5. Accessibility completeness review across all table structures
4.4	April 15, 2026	Added Data Retention Principles table (5.2) formalizing GDPR Art. 5(1)(e) storage limitation governance with purpose limitation, legal hold override, anonymization alternative, and backup propagation rules. Added Adequacy Decisions and Frameworks table (8.4) documenting EU-US DPF, UK Extension, and Swiss-US DPF transfer mechanisms with active status monitoring and Schrems II contingency commitment
4.3	April 15, 2026	Enhanced CCPA/CPRA section (7.2) with at-a-glance rights summary table including response times, added CPRA-specific rights (Right to Correct, Right to Limit Use of Sensitive PI, Right to Data Portability), and authorized agent reference
4.2	April 15, 2026	Added cross-references to Terms of Service, Acceptable Use Policy, DMCA Policy, and Cookie Policy in closing acknowledgment box. Cross-policy consistency review ensuring company name, contact information, and data definitions align across all companion legal pages
4.1	April 15, 2026	Added Data Minimization Audit Results (14.3) documenting GDPR Art. 5(1)(c) compliance review for 6 data points (email, password, IP, ebook content, OAuth profile, Stripe ID) with necessity justification, alternatives considered, and audit outcomes. Updated TOC with Data Minimization Audit sub-entry
4.0	April 15, 2026	Added Cookie Consent Cross-Reference section (13.1) with table showing how each cookie category affects data collection and links to cookie management. Updated version to 4.0
3.9	April 15, 2026	Added detailed Right to Object guidance (7.1a) per GDPR Art. 21 with step-by-step objection process, response timelines, interim measures, direct marketing absolute right, and limitations disclosure. Added Data Retention Deletion Triggers table (5.1b) documenting 10 event-based deletion triggers with affected data, actions, and timelines. Enhanced print stylesheet with page-break rules for new sections
3.8	April 15, 2026	Added AI Data Processing Addendum (14g) with per-feature data transmission table, AI training data non-usage confirmation, opt-out options, and processing safeguards. Added Data Breach Notification Procedure (14h) with GDPR Art. 33/34 compliance: 72-hour supervisory authority notification, data subject notification within 7 days for high-risk breaches, affected data categories table with risk levels, remediation steps, and US state breach notification compliance. Added UK Age Appropriate Design Code (Children's Code) compliance table (9.5) with 8 standards mapped to our approach
3.7	April 15, 2026	Added "Data We Do Not Collect" transparency section (1.4) listing 7 categories of data we never collect. Added comprehensive "Legal Basis for Processing" table (1.5) mapping each data category to its GDPR Article 6 legal basis with balancing test disclosure for legitimate interest processing. Enhanced Data Controller box with GDPR Art. 4(7) reference, registered address, and EU Representative contact (Art. 27). Added Sentry error tracking disclosure to legal basis table. Updated Contact Us (16) with company physical address and enhanced DPO contact details
3.6	April 14, 2026	Expanded Children's Privacy (9) with age verification measures table (9.1a), parental verification process (9.2a), educational use provisions (9.4), and third-party notification on underage deletion. Expanded Automated Decision-Making (12) with comprehensive ADM inventory table (12.1), profiling disclosure (12.2), Art. 22 rights detail (12.3), and AI transparency notice (12.4). Added Privacy Impact Assessment Summary table (14c.1) with risk levels, mitigations, and review dates for all processing activities
3.5	April 14, 2026	Added Data Subject Access Request (DSAR) form template section (14e) with submission template, processing timelines by jurisdiction, and identity verification procedures. Added comprehensive cross-border data transfer framework (14f) documenting EU-US Data Privacy Framework adequacy decisions, Standard Contractual Clauses (SCCs) implementation, UK IDTA/Addendum mechanisms, and supplementary technical measures. Added review schedule badges and enhanced print stylesheet
3.4	April 14, 2026	Expanded data retention table with justification and deletion method columns (5); added data retention review process (5.1a); added third-party data transmission audit table (14a2) with data minimization details; WCAG 2.1 AA accessibility improvements across all pages
3.3	April 14, 2026	Added US state privacy rights section (10a) covering Virginia VCDPA, Colorado CPA, and Connecticut CTDPA; added Global Privacy Control (GPC) recognition as universal opt-out mechanism; strengthened Do Not Track response with GPC integration (11)
3.2	April 9, 2026	Added Data Protection Impact Assessment disclosures (14c), international privacy rights coverage for LGPD (Brazil), PIPEDA (Canada), POPIA (South Africa), and Australian Privacy Act (14d)
3.1	April 8, 2026	Added CCPA "Do Not Sell or Share My Personal Information" section (7.2a), reading time indicator, email page link, floating back-to-top button, enhanced print stylesheet
3.0	April 8, 2026	Added data flow diagram (14a), Your Privacy Controls section (14b), expanded Children's Privacy with COPPA parental rights (9.1--9.3), expanded International Data Transfers with per-provider table and transfer mechanisms (8.1--8.3), print button
2.0	April 8, 2026	Added rights request verification procedures (7.3a), response timelines per regulation (7.3b), supervisory authority complaint guidance (7.3c), CCPA authorized agent provisions, consent withdrawal mechanism, version history (17)
1.1	April 8, 2026	Added multi-provider AI disclosures (Google Vertex AI, Azure AI Foundry), sub-processor table (4.1a), automated decision-making section (12), privacy by design (14), CCPA categories and non-sale disclosure (2.2, 7.2)
1.0	March 2026	Initial Privacy Policy

Previous versions of this Privacy Policy are available upon request by contacting privacy@greatlibrary.ai.

17.1 Document Changelog

Select a version transition below to see a summary of what changed between versions: