
Privacy Policy.

Effective date: May 17, 2026. This policy governs the personal information collected, used, and disclosed by Lumi Stories. For a parent-readable summary in plain English, see our Privacy for Families page. If anything in that summary appears to conflict with this policy, this policy controls.

Contents
  1. Who we are
  2. Information we collect
  3. How we use information
  4. Legal basis for processing (GDPR)
  5. Children's privacy
  6. How we share information
  7. Data retention
  8. Data security
  9. International data transfers
  10. Cookies and tracking technologies
  11. Your rights
  12. California residents (CCPA / CPRA)
  13. EU and UK residents (GDPR)
  14. Quebec residents (Law 25)
  15. How to exercise your rights
  16. Changes to this policy
  17. Contact us

1. Who we are.

"Lumi Stories", "we", "us", and "our" refer to Lumi Stories, a sole proprietorship operating in British Columbia, Canada, whose primary contact address is set out in section 17. Lumi Stories produces personalised hardcover children's books in which the customer's child becomes a character in the story. This policy describes how Lumi Stories collects, uses, and shares the personal information of parents, guardians, customers, and waitlist members who interact with our website, web application, and services (together, the "Services").

For purposes of applicable privacy laws, including the European Union's General Data Protection Regulation ("GDPR"), the United Kingdom's Data Protection Act 2018 ("UK GDPR"), the United States' Children's Online Privacy Protection Act ("COPPA"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA / CPRA"), Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), and Quebec's Act respecting the protection of personal information in the private sector as amended by Bill 64 ("Quebec Law 25"), Lumi Stories is the controller / business / organization responsible for the personal information described in this policy.

2. Information we collect.

2.1 Information you provide directly.

  • Account and contact information: email address, first and last name of the parent or guardian, password (stored only as a one-way cryptographic hash), and shipping address.
  • Book personalisation information: the child's first name, an age range you select, an optional dedication you write, and other story-customisation choices made inside the web application.
  • One photo of the child: a still image you upload through the web application. The photo is used solely to generate, within the same session, a drawn character sheet that will represent the child in the book. The original photo file is deleted from our processing systems in the same step in which the character sheet is generated. The photo is not persisted to our long-term storage, is not human-reviewed, is not shared with any other party, and is not used to train any machine-learning model.
  • Payment information: the last four digits and brand of the card, the cardholder name, and the billing postal/zip code, all returned by our payment processor. Full card numbers, CVV codes, and full bank account numbers are processed by our payment processor and are not transmitted to, stored by, or accessible by Lumi Stories.
  • Customer support communications: the contents of any message you send to us, the email address it was sent from, and metadata such as timestamps.

2.2 Information collected automatically.

  • Device and connection data: IP address, approximate location derived from IP address (city / region level), browser type and version, operating system, screen size, language preference, and referring URL.
  • Usage data: pages and screens viewed within the Services, features used, the date and time of access, and actions taken (such as joining the waitlist or completing a purchase). We do not record video sessions of your activity.
  • Cookies and similar technologies: see section 10 for details.

2.3 Information from third parties.

  • Payment confirmation from our payment processor (e.g., Stripe) after a successful charge.
  • Shipping status updates from our printing and fulfilment partner.
  • Analytics aggregates from privacy-respecting analytics providers, where used.

2.4 Information we do not collect.

We do not request, collect, or knowingly receive: government identification numbers, social insurance / social security numbers, full payment card numbers, biometric identifiers other than the appearance-based features extracted from the photo to generate the character sheet, precise geolocation, contents of communications outside our own customer-support channels, or information about a child's racial or ethnic origin, religion, health, sex life, or sexual orientation. The photo of the child may inherently depict some of these characteristics; it is used only to generate the character sheet and is deleted immediately thereafter (see section 7).

3. How we use information.

  • To provide the Services. Generating the drawn character sheet from your uploaded photo, producing the personalised illustrations and book file, processing your order, and arranging shipment.
  • To communicate with you. Transactional emails (order confirmations, shipping notices), customer-support replies, and, with your consent, marketing emails (which you may withdraw at any time).
  • To operate and improve the Services. Diagnosing technical issues, securing the platform against fraud and abuse, and understanding aggregate usage patterns.
  • To comply with legal obligations. Including record-keeping for tax purposes, responding to lawful requests by public authorities, and enforcing our terms of service.

We do not use your personal information, or the photo or drawn character of your child, to train artificial-intelligence or machine-learning models, whether ours or any third party's. We do not sell your personal information for advertising, profiling, or any other purpose, in any jurisdiction in which we operate.

4. Legal basis for processing (GDPR).

For users in the European Economic Area, the United Kingdom, or Switzerland, we process personal information on the following legal bases under Article 6 of the GDPR:

  • Performance of a contract (Art. 6(1)(b)) for the processing necessary to deliver the Services you have ordered or signed up for, including processing the photo to generate the character sheet and using the character sheet to produce the book.
  • Legitimate interests (Art. 6(1)(f)) for securing our platform against fraud and abuse, understanding aggregate usage, and limited direct communications to existing customers about products similar to those they have purchased from us. Where we rely on legitimate interests, we have determined that those interests are not overridden by your rights and freedoms.
  • Consent (Art. 6(1)(a)) for non-essential cookies, marketing communications to non-customers, and any processing of special-category data inferred from a photo. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legal obligation (Art. 6(1)(c)) for tax, accounting, and other record-keeping required by law.

Where we process special-category data within the meaning of Article 9 GDPR (for example, where a photo may convey information about racial or ethnic origin), we rely on your explicit consent given at the moment of upload (Art. 9(2)(a)), and we delete the photo immediately after the character sheet is generated.

5. Children's privacy.

The Services are sold to and accounts are held by parents, guardians, and other adults. We do not knowingly market the Services to children, do not create accounts for users under 13 years of age, and do not collect personal information directly from a child.

We do, however, process limited personal information about a child, supplied by a parent or guardian (the child's first name, an age range, and one photo used to generate the character sheet). This processing is carried out with the verifiable consent of the parent or guardian, given at the moment of upload, in accordance with COPPA. The parent or guardian:

  • may review the personal information held about the child by contacting us at hello@lumistories.ca;
  • may request that the information be deleted at any time;
  • may refuse to permit further collection or use of the child's personal information.

We will not condition a child's participation in any activity on the disclosure of more personal information than is reasonably necessary to participate.

6. How we share information.

We share personal information only with the categories of recipients listed below, and only to the extent necessary for the purposes described.

  • Service providers who process information on our behalf under written contracts that restrict their use of the information to providing services to us, including: cloud hosting, transactional email delivery, payment processing, and printing and fulfilment of the physical book. Our printing partner receives only the finished print file (the bound pages of the book) and the shipping information needed to deliver it. The printer does not receive the photo or any reference imagery beyond the print file itself.
  • Professional advisors such as our accountant and legal counsel, bound by professional confidentiality obligations.
  • Authorities where required by law, court order, or to protect the rights, property, or safety of Lumi Stories, our customers, or the public.
  • A successor in connection with a merger, acquisition, financing, reorganisation, or sale of assets, in which case the successor will be bound by privacy commitments at least as protective as this policy.

We do not sell, rent, lease, or share your personal information with advertisers, data brokers, social platforms for advertising purposes, or any other third party for their own marketing.

7. Data retention.

We retain personal information only as long as necessary for the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

  • Original photo of the child: deleted within seconds of upload, in the same processing step in which the drawn character sheet is generated. The photo is not persisted to long-term storage at any point.
  • Drawn character sheet: retained while the book is in production, for thirty (30) days after delivery to support reprints in the event of shipping damage, and thereafter retained inside your account so that you may reorder a follow-up book in the same series. You may delete the character sheet at any time from your account, or by contacting us.
  • Account information: retained for the life of your account; deleted within thirty (30) days of your request to close the account, except where retention is required by law.
  • Order and payment confirmation records: retained for seven (7) years to satisfy tax and consumer-protection record-keeping obligations under Canadian law, and then deleted or anonymised.
  • Marketing-list subscriptions: retained until you unsubscribe.
  • Server logs and security data: retained for up to ninety (90) days, then deleted.

8. Data security.

We implement technical and organisational measures designed to protect personal information against unauthorised access, disclosure, alteration, or destruction. These measures include encryption in transit (TLS) and at rest, access controls limiting employee access on a need-to-know basis, regular review of our processing systems, and contractual security obligations imposed on our service providers.

No method of transmission over the internet or method of electronic storage is one hundred percent secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security. In the event of a personal-information breach affecting you that creates a real risk of significant harm, we will notify you and the relevant regulators as required by applicable law (including PIPEDA's breach-notification rules and Articles 33 and 34 of the GDPR).

9. International data transfers.

Lumi Stories is based in Canada. Some of our service providers (for example, our cloud hosting and payment-processing providers) operate servers located in the United States, the European Economic Area, or other jurisdictions. When personal information is transferred outside of your country of residence, we ensure an adequate level of protection through one or more of the following mechanisms:

  • the European Commission's Standard Contractual Clauses and the United Kingdom's International Data Transfer Agreement / Addendum where required by GDPR / UK GDPR;
  • contractual privacy commitments imposed on the recipient at least as protective as PIPEDA and Quebec Law 25;
  • your informed consent where no other mechanism is applicable.

You may contact us at the address in section 17 to request information about the safeguards in place for a specific transfer.

10. Cookies and tracking technologies.

A cookie is a small text file stored by your browser. We use cookies and similar technologies for the following purposes:

  • Strictly necessary cookies required for the Services to function, such as maintaining your signed-in session and storing cart contents. These cookies are set without consent because the Services cannot operate without them.
  • Preference cookies that remember settings you have chosen (language, dark / light mode).
  • Analytics cookies set by privacy-respecting analytics providers, used in aggregate to understand how the Services are used.

Where required by law (including the GDPR ePrivacy regime and Quebec Law 25), non-essential cookies are set only after you give consent through our cookie banner. You may change your preferences at any time through the cookie-settings link in our footer or through your browser settings.

We do not use cookies for cross-site advertising, retargeting, or for building advertising profiles of you.

11. Your rights.

Subject to applicable law, you have the following rights with respect to your personal information:

  • Right of access. You may ask us to confirm whether we process personal information about you and to provide a copy.
  • Right of rectification. You may ask us to correct inaccurate or incomplete information.
  • Right of erasure (deletion). You may ask us to delete your personal information.
  • Right to restrict processing. You may ask us to limit our use of your information while we investigate a request.
  • Right to data portability. You may receive a copy of the personal information you provided to us in a structured, machine-readable format.
  • Right to object. You may object to processing based on our legitimate interests, including direct marketing.
  • Right to withdraw consent. Where processing is based on consent, you may withdraw it at any time.
  • Right not to be subject to fully automated decisions that produce legal or similarly significant effects (we do not make any such decisions).

Section-specific additions for California, EU / UK, and Quebec residents follow below.

12. California residents (CCPA / CPRA).

If you are a resident of California, you have the rights described in section 11 as well as the following specific rights under the CCPA and CPRA:

  • Right to know the categories of personal information we have collected about you, the sources of that information, the business or commercial purpose for collecting it, and the categories of third parties with whom we have shared it.
  • Right to delete the personal information we have collected from you, subject to certain legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to limit use of sensitive personal information to the purposes necessary to perform the Services. The only sensitive personal information we process is the photo of the child, used solely to generate the character sheet and deleted in the same step.
  • Right to opt out of sale or sharing. We do not sell personal information and we do not share it for cross-context behavioural advertising as those terms are defined under the CCPA.
  • Right to non-discrimination for exercising any of these rights.

You may exercise these rights by contacting us at hello@lumistories.ca. We will verify your request before responding, typically by confirming your control of the email address associated with your account. Authorised agents may submit requests on your behalf with written authorisation.

13. EU and UK residents (GDPR).

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in section 11 under the GDPR or UK GDPR. You may exercise them by contacting us as described in section 15.

You also have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or place where the alleged infringement occurred. A list of EU supervisory authorities is published by the European Data Protection Board; in the United Kingdom the supervisory authority is the Information Commissioner's Office (ico.org.uk).

14. Quebec residents (Law 25).

If you are a resident of Quebec, you have the rights described in section 11 as well as the following rights under Quebec Law 25:

  • the right to be informed of the use of any technology that identifies, locates, or profiles you, and to deactivate such functions;
  • the right to data portability in a structured, commonly used technological format;
  • the right to demand cessation of dissemination of your personal information or de-indexing of any hyperlink attached to your name where such dissemination contravenes the law or a court order.

Lumi Stories has designated a privacy officer responsible for ensuring compliance with applicable Canadian privacy laws, including Quebec Law 25. The privacy officer may be reached at hello@lumistories.ca.

Quebec residents also have the right to file a complaint with the Commission d'accès à l'information du Québec (cai.gouv.qc.ca).

15. How to exercise your rights.

You may exercise any of the rights described in this policy by emailing us at hello@lumistories.ca with the subject line "Privacy request". We will acknowledge receipt within seven (7) days and respond substantively within thirty (30) days, or such shorter period as applicable law requires.

In addition to contacting us, you may also file a complaint with the appropriate regulator:

  • Canada (federal): Office of the Privacy Commissioner of Canada, priv.gc.ca.
  • Quebec: Commission d'accès à l'information du Québec, cai.gouv.qc.ca.
  • United States: Federal Trade Commission, ftc.gov (for COPPA complaints); California Attorney General, oag.ca.gov/privacy (for CCPA complaints).
  • European Union / United Kingdom: your national supervisory authority, including the UK Information Commissioner's Office at ico.org.uk.

16. Changes to this policy.

We may update this policy from time to time to reflect changes in our practices, the Services, or applicable law. The "Effective date" at the top of this page indicates when the most recent changes took effect. If the changes are material, we will provide more prominent notice (such as by email or by a notice on the Services) before the changes take effect. Continued use of the Services after the effective date of a change constitutes your acceptance of the updated policy.

17. Contact us.

If you have questions about this policy or the personal information we hold about you, or wish to exercise any of your rights, please contact our privacy officer:

Privacy Officer
Lumi Stories
Email: hello@lumistories.ca
Mailing address: available on request.

This document was last updated on May 17, 2026. A plain-English summary of how we treat your child's photo and information is available on our Privacy for Families page. If you need this policy in an accessible format, please contact us.