Privacy
What we do with your photos, names, and emails.
Last updated 15 June 2026.
Short version: we use what you send us to make your chapter, and nothing else. We do not sell anything. We do not train public AI models on your photos. We delete what we no longer need. You can ask us to delete everything at any time and we will.
What we collect
- Your email, when you sign up, buy a trial, or ask to be notified.
- The child's first name and approximate age, so the story can be about them.
- The photo you upload as the chapter seed, plus any optional photos you add for context. The seed photo may also appear printed in the bound book if you upgrade.
- Your caption or notes for the chapter, if you choose to add one.
- Your shipping address, when you buy a bound book that needs to be shipped.
- Payment details, processed by Stripe. We never see or store your full card number.
- Basic usage data like which pages you visit on the website. We use Plausible analytics, which does not set tracking cookies or build user profiles.
What we do with it
- We generate your chapter from the photo, caption, and child's profile. Generation happens server-side using a small set of leading commercial AI providers based in the United States and Europe. Every provider we use has signed a contract with us that prohibits them from training on customer data.
- We will share the current list of AI providers and what each one does on request. We do not name them here because we evaluate and switch tools as the field evolves. Email us if you want to see the current list.
- We send the finished chapter to you, and to the parent or co-reader you share it with if you choose to share.
- When you upgrade to a book, we send Gelato, our print and fulfillment partner, the files they need to print and ship your book (the layout, your shipping address, the child's first name for the package).
- We email you about your book's progress, founder updates, and any issues with your order. We do not send marketing emails unless you opt in.
How long we keep your photos and chapters
- Trial purchases: your uploaded photo and the generated chapter are kept for 60 days, then deleted automatically. If you do not upgrade within that window, the source files go.
- Upgrades (founder or standard): uploaded photos are kept while your book project is active, with a hard cap of 90 days after the book ships. After that we delete the source photos and keep only the final printed book PDF for our records.
- You can ask us to delete photos earlier at any time. Email hello@nimmyandbee.com and we will confirm within 7 days.
- Order records, payment receipts, and email addresses are kept longer where the law requires (typically up to 7 years for tax and accounting purposes).
What we will never do
- Sell your data, your photos, or the child's name to anyone.
- Submit your photos to public AI training sets.
- Post anything publicly with the child's face or name without explicit permission from you.
- Share your data with advertisers or third-party trackers.
Children's data
Nimmy & Bee is sold to and used by adults. The child the book is about is not our customer.
At photo upload, you confirm that you are the parent of the child in the photo, or that the parent has given you permission to share the photo with us. You might be a parent, an aunt or uncle, a grandparent, a godparent, a family friend, or anyone else close to the child. The check is the same in every case: do you have the right to send us this photo of this child for this purpose? We rely on your confirmation as our authority to process the child's first name and image.
We do not knowingly collect data directly from children under 13 (US COPPA), under the age set by your EU member state (typically 13 to 16 for GDPR-K), or under 13 in Canada (PIPEDA). If you believe a child's data was shared with us without proper consent, email hello@nimmyandbee.com and we will delete it within 7 days.
Your rights
We process your data on these legal bases under GDPR Article 6: performance of our contract with you (your purchase), your consent (for marketing emails and for uploading photos), and our legitimate interests (fraud prevention and service improvement).
If you are in the EU, UK, or another GDPR-equivalent jurisdiction, you have the right to:
- Access the data we hold about you.
- Correct it if it is wrong or incomplete.
- Ask us to delete it.
- Restrict our processing of it in some situations.
- Object to processing we do on legitimate interest grounds.
- Receive a portable copy in a machine-readable format.
- Withdraw consent at any time, including for marketing emails.
If you are in California, you have similar rights under CCPA and CPRA. We do not sell your personal information. You can ask us to confirm that, request a copy of what we hold, or ask for deletion.
If you are in another jurisdiction with privacy rights (UK, Australia, Singapore, Philippines, India, and others), we will honour the rights your local law provides.
Email hello@nimmyandbee.com to exercise any of these rights. We respond within 30 days, sometimes within 7.
Deletion and access requests
You can ask us to delete everything we hold about you at any time. Email hello@nimmyandbee.com from the address you used to sign up. For paid customers, we may ask you to confirm a small detail of your order (for example, the date or the last four digits of your card) before we delete, so we can be sure the request is really from you.
We confirm deletion within 7 days. If you have an in-progress book, deletion ends the project because we cannot bind a book without the chapters.
You can also ask for a copy of everything we hold about you. Same email, same address, same 7-day window.
If something goes wrong
If your personal data is ever exposed in a security incident, we will email you within 72 hours of becoming aware of it, with details of what happened, what data was involved, and what we are doing about it.
Cookies
We use a small number of strictly functional cookies (your session, your cart). We do not use third-party advertising cookies. Plausible analytics is cookieless.
Where your data lives
Our infrastructure is hosted on Vercel (servers in the United States and Europe) and Supabase (servers in North America). Stripe processes payments. Resend sends our transactional emails. Beehiiv processes our newsletter list. Gelato prints and ships your bound book. Each of these providers has its own privacy commitments, which you can read on their websites.
When data moves outside the EU or UK to providers in the United States or elsewhere, we rely on EU Standard Contractual Clauses or the EU-US Data Privacy Framework with each provider. These are the legal mechanisms that give EU and UK residents equivalent legal protection wherever the data lives.
When this policy changes
We will update this page if we change how we handle data. We will email anyone with an active account at least 14 days before a material change takes effect.
Contact
Questions, deletion requests, or anything else: hello@nimmyandbee.com.
