Almia Privacy Policy

1. Information We Collect

2. How We Use Your Information

We use your personal information for the following purposes: • To create your personalised book: the child’s name, profile details, and photograph are processed by our AI partners to generate a unique story and illustrations tailored to the child. • To fulfil your order: your contact and shipping details are used to produce, ship, and deliver the book. • To process payment: payment details are transmitted securely to our payment provider. We do not store your card details. • To communicate with you: we send order confirmations, shipping updates, and respond to your enquiries by email. • To improve our service: we may analyse aggregated, de-identified usage data to improve our website, product quality, and customer experience. • To comply with legal obligations: we may use or disclose information where required by law or to protect our legal rights. We will not use your personal information for purposes other than those described above without your consent.

3. AI Processing and How Our Partners Handle Your Data

Almia uses AI to create your personalised book. We use two AI partners under their commercial API terms: • Anthropic, PBC (United States): text generation and quality review. • Google LLC (United States): image processing. Your child’s photograph: We share it only with Google for image processing. We do not share it with Anthropic. The original photograph is stored encrypted at rest on Amazon Web Services in the Sydney region. Our print partners and shipping providers never receive the photograph. Their commitments to your data: • Neither partner uses your inputs (text or images) to train their AI models when serving Almia under their commercial API terms. • Both partners automatically delete API inputs and outputs within 30 days, except where required by law or to enforce their abuse-monitoring rules. You can read each partner’s published commitment here: • Anthropic: privacy.claude.com/en/articles/7996866-how-long-do-you-store-personal-data • Google Gemini API terms: ai.google.dev/gemini-api/terms Almia’s own retention of your photograph (which is separate from, and in addition to, the partner retention above) is described in Section 7. Photographs and biometric information: photographs of identifiable individuals can carry biometric characteristics. Section 6 of the Privacy Act 1988 (Cth) treats certain biometric uses as sensitive information requiring heightened care: (a) biometric information that is to be used for the purpose of automated biometric verification (one-to-one matching against a known template) or biometric identification (one-to-many matching against a database), and (b) biometric templates. We do not use your child’s photograph for biometric verification or biometric identification. We are not matching your child’s face against a database, building a face-recognition system, or using their image for identity confirmation. Our use is creative: we use the photograph only to make the illustrations in your book look like your child. The illustrations we generate are artistic likenesses of your child rendered in a children’s-book style. They are not biometric templates and are not suitable for identifying your child against a database. Even though our use does not fall within the s 6 sensitive-information definition, we treat the photograph with the heightened care that definition calls for: explicit consent at the moment of upload (with the literal disclosure copy and policy version recorded in our audit trail), a narrow purpose (Section 2), a narrow recipient list (Section 5), and short retention windows (this section and Section 7). We follow this heightened-care approach voluntarily; we are not bound by the APP rules on sensitive information as a small business operator.

4. Children’s Information

Almia’s books are designed for parents, guardians, and other caregivers to create books for children. We take the privacy of children seriously and we do not knowingly collect personal information directly from children. Who provides the information: All information about a child must be provided by the child’s parent or legal guardian, or by someone with parental permission to do so. This explicitly covers gift-givers (for example, a grandparent, godparent, aunt, uncle, or family friend creating the book as a gift). By uploading a photograph or providing a child’s details, you confirm that you fall into one of these categories. Limited collection: We collect only the child information necessary to create the personalised book. No marketing to children: We do not use children’s information for marketing or advertising. We do not sell or share children’s information with third parties for their own purposes. The child as the data subject: Even when an account is held by a gift-giver or another caregiver, the child whose information appears in a book remains the data subject. If you are the parent or guardian of a child whose photograph or details appear in an Almia book and you did not place the order yourself, you can contact us at privacy@almia.com.au to request access, correction, or deletion of that information. We will act on your request within 30 days, subject to verification of your relationship to the child. Special handling of children’s photographs: see Section 3. If we become aware that we have collected information from a child without parental consent, we will take steps to delete that information promptly.

5. Sharing and Disclosure

We share personal information only with the service providers required to deliver our service. Each provider is listed by legal name on our Subprocessor List at /privacy/subprocessors and that page is updated as our stack changes. Who sees your child’s photograph: only Google (for image processing) and Amazon Web Services (for encrypted storage). Print partners and shipping providers do not. Who sees your contact and shipping details: Stripe (payment), Postmark (transactional email), Brevo (marketing email if you have opted in), our print partner (Prodigi or Gelato, depending on the region your order ships from), Amazon Web Services (storage), and Vercel (hosting). Who sees the child’s profile text (name, age, interests, traits): Anthropic and Google (for story creation and image processing) and Amazon Web Services (for storage). Legal disclosures: We may disclose information if required by law, regulation, legal process, or governmental request. No sale of personal information: We do not sell your personal information. We share limited advertising-measurement data (such as whether an ad click led to a sign-up or purchase) with Google Ads, as described in Section 8. We do not otherwise share your personal information with advertisers or data brokers.

6. International Data Transfers

Some of our service providers operate outside Australia and New Zealand. Where your information goes: • United States: Anthropic, Google, Stripe, Postmark, Vercel. • France: Brevo. • United Kingdom or Norway (depending on shipping region): our print partner. • Australia: AWS Sydney for storage. Each overseas recipient is contractually bound to handle your information consistently with the commitments in this policy. The named-recipient detail (which provider sees what) is at /privacy/subprocessors. For New Zealand residents: under Information Privacy Principle 12 of the Privacy Act 2020 (NZ), we only share your personal information with overseas recipients that we believe on reasonable grounds are subject to privacy safeguards comparable to the New Zealand Act, or where you have consented to the transfer.

7. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected: • Order and account information: retained for as long as your account is active, and for up to 7 years after your last order to meet our tax and recordkeeping obligations. • Child photograph (the original you upload to Almia): retained for 90 days after your book is delivered, then permanently deleted, unless you request earlier deletion. If you do not place an order, your photo is deleted when it is no longer needed. Note that under Section 3, our image processing partner deletes its copy within 30 days under its own commercial terms. • Generated book content (story text and illustrations): the final book file is retained in your account for reordering purposes. You may request its deletion at any time. • Website analytics data: we use Vercel Web Analytics, which aggregates visit data at the edge and does not store individual browsing histories. See Vercel’s published policy for their retention. • Server access logs (IP address, user agent, request path, and timestamp for each request to our website and API): retained for 180 days, then automatically deleted by our hosting infrastructure.

8. Cookies and Tracking

Our website uses cookies and similar technologies to: • Essential cookies: maintain your session, remember your cart, and enable core website functionality. These cannot be disabled. • Analytics cookies: help us understand how visitors use our website so we can improve it. We use privacy-respecting analytics that do not track you across other websites. • Advertising cookies: when you arrive from a Google ad, Google sets cookies so we can measure whether the visit led to a sign-up or purchase. We use this only to measure and improve our advertising. You can opt out of personalised Google ads at myadcenter.google.com.

9. Your Rights

10. Data Security

We protect your personal information using: • Encryption in transit (TLS 1.2 or higher). • Encryption at rest for stored data, including your child’s photograph. • Australian data residency for storage (Amazon Web Services, Sydney region). • Access controls limiting who within Almia can access personal information. • Multi-factor authentication on administrative accounts. • Secure payment processing through Stripe, a PCI DSS Level 1 service provider. No method of electronic transmission or storage is completely secure. We take reasonable precautions but cannot guarantee absolute security.

11. Marketing Communications

We will only send you marketing communications if you have opted in to receive them. You can unsubscribe at any time by clicking the unsubscribe link in any marketing email or by contacting us. Unsubscribing from marketing will not affect transactional emails related to your orders. We handle marketing communications in line with the Spam Act 2003 (Cth) and the Unsolicited Electronic Messages Act 2007 (NZ).

12. Data Breaches

If a privacy breach affects your personal information and we assess that it is likely to cause serious harm, we will notify you by email and, where the law requires, the relevant privacy authority. For New Zealand residents: under s 114 of the Privacy Act 2020 (NZ), we will notify the New Zealand Privacy Commissioner of any notifiable privacy breach as soon as practicable after becoming aware of it, and notify affected individuals under s 115. Where a breach affects information about a child, we will notify the parent or guardian on file. The primary channel for any privacy concern, including suspected breaches, is privacy@almia.com.au.

13. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to read their privacy policies before providing any personal information.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be posted on our website with an updated effective date. If we make significant changes to how we handle children’s information, we will take reasonable steps to notify affected users.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights: Privacy enquiries: privacy@almia.com.au (monitored for privacy-related requests only). For all other questions, please use the chat bubble in the corner of almia.com.au.