Privacy Policy
Effective Date: May 1, 2025
1. Introduction
Magical Letters ("we", "us", or "our") is an Australian-based web application operating from 35 Queens Bridge Street, Southbank, VIC 3006, Australia. We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Magical Letters website and services (the "Service"). It is designed to comply with our obligations under the Australian Privacy Act 1988 (Cth) (including the Australian Privacy Principles), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). By using our Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use Magical Letters.
2. Personal Data We Collect
We collect personal data to provide and improve our Service. The types of information we may collect include:
Information You Provide to Us: When you use Magical Letters, you may provide personal details such as your name and email address (for account registration or newsletters), the parent's name(s), and information about your child (e.g. child’s first name, date of birth, height, weight). These details are optional but providing them allows us to generate personalized name artwork. If you contact us for support or feedback, we will collect the information you submit (such as your name, email, and the content of your message).
User-Generated Content: The artwork and designs generated through our Service based on the information you provide (for example, a personalized name art image) are stored by us so that you can preview, save, and share them. This content may include personal data (e.g. a child’s name or birth details embedded in the artwork) since it is derived from the information you input.
Payment Information: If you choose to purchase a high-resolution download or any paid product on Magical Letters, you will provide payment details. Payments are processed securely by our third-party payment processor (Stripe). We do not receive or store your full credit card number or financial account information. Stripe may provide us with limited information related to the transaction (such as your name, email, payment amount, and a confirmation that payment was completed) for record-keeping.
Automatically Collected Data: Like most websites, we automatically collect certain information when you visit Magical Letters:
Technical Data: This includes your IP address, browser type, device type (e.g. mobile or desktop), operating system, and device identifiers. An IP address can sometimes be used to identify your general location.
Usage Data: We collect information about your activity on our site, such as the pages or screens you view, the features you use (e.g. generating an artwork), the date and time of your visits, and the URL that referred you to our site.
Cookies and Similar Technologies: Magical Letters uses cookies and similar tracking technologies to provide and analyze our Service. For example, we use cookies to maintain your session (so you can remain logged in or keep your artwork in your cart) and to remember your preferences. We also use cookies through our analytics tools (described below) to understand how users interact with our site. You can control cookies through your browser settings and other tools; however, note that disabling cookies may affect certain features of the Service (such as keeping you logged in or remembering your preferences).
We will only collect personal information by lawful and fair means. Where possible, we will collect personal data directly from you. If we ever need to collect personal data about you from a third party, we will do so only with your consent or as otherwise permitted by law.
3. How We Use Your Personal Data
Magical Letters uses your personal data for the following purposes:
Providing and Personalizing the Service: We use the information you provide about yourself and your child to generate the personalized name artwork you request. For example, our system (through OpenAI’s API) will take your input (such as the child’s name and details) and create a custom art piece for you. We also use your data to display, save, or allow you to share your generated artwork.
Account Creation and Management: If you create an account on Magical Letters, we use your email and password to set up and manage your user account. Your account information allows you to save artworks, view past creations, and make future transactions more easily. We may also use your email to verify your account and communicate with you about account-related issues (such as password resets or important notices).
Communicating with You: We may use your contact information (e.g. email address) to send you Service-related communications. This includes confirmations of your generated art or purchase, receipts or invoices, notifications about major updates or changes to our Service or policies, and customer support responses. If you opt in to receive marketing communications, we will use your email to send newsletters, special offers, or updates about new features. You can withdraw consent and opt out of marketing emails at any time by clicking the “unsubscribe” link in those emails or contacting us directly. We will not send you promotional emails if you have not opted in.
Processing Payments: When you make a purchase, we use the personal and payment information provided to process the transaction and deliver your high-resolution digital download. For example, we use your payment information to charge the purchase amount, and your email to send you the download link or order confirmation. Payment details are handled via Stripe and are subject to Stripe’s privacy and security policies. We maintain records of transactions (excluding sensitive card details) for billing, audit, and legal compliance purposes.
Analytics and Improvements: We use automatically collected data (via cookies and Google Analytics) to understand how our Service is used and to improve the user experience. For instance, we analyze what features are most popular or identify areas of the site that may be confusing, so we can enhance them. Google Analytics helps us see aggregate trends (such as the number of visitors, demographic insights, and usage patterns) which we use for statistical analysis and product development. This information is generally in an aggregated form that does not identify you personally. (See Analytics below for more detail.)
Customer Support: If you contact us with a question, feedback, or issue, we will use the information you provided (e.g. your email and the content of your request) to address your inquiry, resolve problems, and improve our services. We may also use feedback you provide to improve Magical Letters (for example, fixing a bug you reported or considering feature suggestions you make).
Marketing and Testimonials: With your permission, we may use non-identifiable information from your generated artworks for marketing purposes. For example, we might showcase a gallery of sample name artworks on our website or social media to demonstrate our Service capabilities. In doing so, we will not reveal personal details that could identify you or your child without explicit consent. We might use a generic first name or dummy data when presenting examples publicly, or we will anonymize/remove any personal info. If you explicitly provide us with a testimonial or permission to share your actual artwork, we may publish it along with attribution, but this will only be done with your consent.
Ensuring Compliance and Preventing Misuse: We may use your information to enforce our Terms of Use and policies, to prevent fraudulent, abusive, or unlawful activities on our platform, and to keep our Service secure. For example, we might monitor usage patterns to detect and prevent bot abuse or to protect against unauthorized payment transactions. If necessary, we will use and disclose information to investigate security incidents or violations of our terms.
Legal Obligations: We will use or disclose your personal data when required to comply with applicable laws, regulations, legal processes, or governmental requests. For example, we may retain transaction records for a certain period to comply with tax and accounting laws, or disclose information if we receive a valid legal order (such as a subpoena or court order). We may also use and retain your data as needed to fulfill our obligations in the event of audits or to comply with data retention laws.
Legal Bases for Processing (GDPR): If you are in a jurisdiction that requires a legal basis for data processing (such as the European Union under GDPR), we process your personal data under the following bases: (a) Consent – for example, when you provide optional information about your child or opt in to marketing emails, we process those data with your consent (you have the right to withdraw consent at any time); (b) Performance of a Contract – when we process your data to provide the Service you requested (e.g. generating your artwork or completing a purchase, which constitutes a contract for services between you and us); (c) Legitimate Interests – we may process data to further our legitimate business interests, such as improving our Service, preventing fraud, and securing our platform, in a manner that does not override your privacy rights; and (d) Legal Obligation – when processing is necessary to comply with laws (for instance, retaining transaction information for financial regulations).
4. Cookies and Analytics
Cookies: Magical Letters uses cookies (small text files stored on your device) and similar technologies to ensure our Service functions properly and to collect analytics data. For example, we use session cookies to keep you logged in as you navigate the site and remember your settings or the contents of your current project. We also use preference cookies to recall your choices (like language or other preferences) so you have a smoother experience. You can manage or delete cookies in your browser settings. However, please note that if you disable all cookies, some features of Magical Letters may not work as intended (for instance, you might not be able to stay logged in or your artwork settings might not be saved between sessions).
Google Analytics: We use Google Analytics, a web analytics service provided by Google, to help us understand how users engage with Magical Letters. Google Analytics uses cookies and similar technologies to collect data about website usage (such as your IP address, pages visited, time spent on pages, and interactions with features). This information is transmitted to and stored by Google on servers (which may be in the United States or other countries) and then provided to us in aggregated reports. We use these reports to evaluate usage trends, track the effectiveness of new features or content, and identify ways to improve the Service. Importantly, we do not use Google Analytics to gather information that personally identifies you; we focus on aggregate trends. Google may also set and read its own cookies on your devices as part of the Analytics service.
You can opt out of Google Analytics data collection if you wish. Google provides an opt-out browser add-on you can install (available at tools.google.com/dlpage/gaoptout) which prevents your browser from sending data to Google Analytics. Additionally, some browsers have “Do Not Track” signals; while our site does not currently respond differently to DNT signals, you can also adjust cookie settings as noted above to limit tracking. For more details on how Google Analytics works, you can review Google’s own Privacy Policy and Google Analytics’ data practices. Keep in mind that analytics cookies help us improve our product for you, but the choice to opt out is yours.
Other Third-Party Tools: Aside from Google Analytics, Magical Letters does not currently use other third-party advertising or tracking networks on our site. We do not serve targeted advertisements, so we do not use advertising cookies or tracking pixels for advertising purposes at this time. If in the future we integrate additional analytics or advertising services, we will update this Privacy Policy and provide any necessary notices or consent options required by law.
5. Disclosure of Your Information to Third Parties
We value your privacy and only share personal information with third parties in limited circumstances. The situations in which we disclose personal data (and the categories of recipients) are as follows:
Service Providers (Processors): We use reputable third-party companies to help us deliver the Magical Letters Service. These providers only receive the information necessary to perform their functions, and we contractually require them to protect personal information and use it only for the purposes we specify. Our key service providers include:
OpenAI (Content Generation): Magical Letters uses OpenAI’s API to generate the personalized name artwork. This means that the details you provide for the artwork (such as the names and other personal inputs) are sent securely to OpenAI’s servers, which then return the generated art or text to us. OpenAI processes this information solely to provide the generation service on our behalf. According to OpenAI, data submitted through their API is not used to train their models by default and is retained only for a limited time to monitor for abuse. (As of March 2023, OpenAI has stated that API data is retained for 30 days for abuse prevention and is not used for model training unless users opt in.) We do not send more personal information to OpenAI than is necessary – typically just the text needed to generate your requested output (e.g., "[Child’s Name] is born on [Date], weighs [Weight]..." etc., which the AI uses to create the artwork). OpenAI is a third-party data processor for us, and we rely on their security and privacy commitments to protect that data.
Payment Processor (Stripe): We use Stripe to handle all credit card transactions and payments on Magical Letters. When you make a purchase, the payment details you provide (such as card number, expiration date, CVV, billing address) go directly to Stripe. Stripe is certified as a PCI-DSS Level 1 service provider, which is the highest level of payment data security. Stripe’s systems will process your payment and inform us whether the transaction was approved or declined. We receive transaction details like the last four digits of your card (for reference), the card type, the transaction ID, and amount paid. We do not see or store your full credit card number or CVV at any point. Stripe may also collect some identifying information about you (such as name, email, and IP address) to process the payment and for fraud prevention. This information is handled under Stripe’s Privacy Policy. We recommend you review Stripe’s privacy policy to understand how they manage your payment data. We share information with Stripe only to the extent necessary to process your payments (and handle any potential refunds).
Cloud Hosting and Storage: Magical Letters’ website and database may be hosted on third-party cloud infrastructure (for example, Amazon Web Services or another cloud provider). This means personal data you provide could be stored on servers provided by these cloud services. We choose reputable providers that have strong security practices. These providers do not access your data except for storage and computing purposes as needed to keep our Service running. Any personal information stored in the cloud is subject to strict access controls – only authorized Magical Letters personnel or subprocessors can access it as needed for the purposes listed in this policy.
Email and Communication Tools: If we send emails (such as support replies or marketing newsletters), we may use an email service platform to distribute those communications (for example, services like SendGrid, Mailchimp, or similar). These platforms would handle your email address and the content of the email on our behalf. We ensure any such service provider is GDPR-compliant and has appropriate privacy safeguards. They will not use your email for their own marketing, only to send our communications to you.
Analytics (Google Analytics): As noted, we use Google Analytics to help improve our Service. Google acts as a data processor in providing aggregated insights. In using Google Analytics, some data (like your IP and device info) is shared with Google. We have enabled settings to anonymize IP addresses where feasible (which means Google truncates your IP address within the EU before forwarding it to the US, for example) to add an extra layer of privacy. Google is prohibited from sharing Analytics data with others (except as required by law) or using it for their own purposes under the terms of our agreement with them. You can learn more in Google’s Analytics terms and privacy documentation.
Law Enforcement or Legal Requirements: We may disclose personal information to courts, law enforcement, governmental authorities, or authorized third parties if we have a good-faith belief that such disclosure is required or permitted by law. Examples include responding to a court subpoena or a lawful request by public authorities (such as for meeting national security or law enforcement requirements). We will only share the information that is reasonably necessary in these situations and will object to overly broad requests if appropriate.
Business Transfers: If Magical Letters is involved in a merger, acquisition, sale of assets, or similar corporate transaction, personal information may be transferred to the succeeding entity or buyer as part of that deal. We will ensure any such transfer is subject to appropriate confidentiality and security arrangements and will notify you (for example, via a notice on our website or email) if a transfer occurs, along with any choices you may have. The new entity will continue to honor your rights and this Privacy Policy or inform you of any changes.
Professional Advisors: We may share information with our accountants, lawyers, and other professional advisors as necessary to obtain guidance or to manage business obligations. For instance, our accountants may see transaction records (which include personal information like names or amounts) when preparing financial statements, or our legal counsel might review data if needed to provide advice on compliance or handle a legal claim. These parties are bound by duties of confidentiality.
With Your Consent: In cases not covered by the above, we will ask for your explicit consent before sharing your personal data with third parties. For example, if we ever want to post a specific piece of your artwork or story on our blog or marketing materials that includes personal details, we would seek your permission. You have the right to refuse or revoke such consent at any time.
No Sale of Personal Information: We do not sell your personal information to third parties. “Selling” in this context means sharing personal data with third parties for monetary or other valuable consideration, as defined under laws like the CCPA. We also do not share your personal information for third-party marketing or advertising purposes. All the data disclosures listed above are for business and operational purposes, or at your direction, and not for the commercial benefit of selling data. (If this ever changes, we will update this policy and provide required opt-out mechanisms, but we have no intention of selling user data.)
Third-Party Websites: Our Service may include links to external websites or services (for example, a link to our social media pages, or payment pages hosted by Stripe). If you follow those links, please note that those third-party sites have their own privacy policies and practices, which we do not control. We encourage you to review the privacy policies of any site you visit. We are not responsible for the content or privacy practices of sites that are not under our control.
6. Data Retention
We retain personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. The retention period can vary depending on the type of information and the context in which it was collected:
Account Information: If you create an account with Magical Letters, we will retain your account data (such as your name, email, and any profile information) as long as your account remains active. If you choose to delete your account or if your account remains inactive for an extended period, we will delete or anonymize your personal information associated with the account, except for any data we are required to keep for legal or compliance reasons. We may retain backups of data for a short period after deletion (for example, in system backup files), but we will purge those according to our regular backup retention schedule.
Generated Artwork and User Content: We store your generated name art and related content so that you can access and download them at any time. This content will be retained until you delete it or delete your account. If you wish to remove specific artworks from our servers, you can delete them via your account (if that functionality is provided) or contact us to request deletion. We might periodically review and remove user-generated content that has not been accessed for a long duration (for example, if an unregistered user generated an image and never returned, we might delete such data after a certain number of months to free storage), but our default is to keep your content available to you unless you act to delete it.
Transaction Records: We keep records of purchases and transactions (excluding sensitive payment details) for a minimum period as required by Australian law and applicable accounting/tax regulations. In Australia, for instance, businesses often need to retain financial records for at least 5 to 7 years. Therefore, if you made a purchase, we may retain information such as the transaction date, amount, product purchased, and your contact details for that period. This helps us manage refunds, handle accounting, and satisfy legal audit requirements. After the required retention period, we will securely delete or anonymize those records.
Communications: If you contact us (e.g. via email or support chat), we may retain those communications and our responses for a period of time to ensure we have a history of your request and how it was resolved. This can help in any future interactions and to improve our support processes. We will generally not keep support emails longer than necessary—typically, communications are reviewed periodically and older inquiries may be deleted or archived, provided we don’t need them for ongoing support issues or legal purposes.
Analytics Data: Data collected via Google Analytics is retained as per our configuration in Google Analytics. We have set our Google Analytics data retention to a reasonable period (for example, 14 months) after which Google automatically deletes the old data. We mainly use aggregate analytics, and do not personally identify users in our analytics datasets. Any aggregated reports we derive may be kept longer than the raw data (since those reports contain no personal info).
Marketing Data: If you have opted into marketing communications, we will retain your contact details on our mailing list until you unsubscribe. If you unsubscribe or opt-out, we may keep your email on a suppression list to ensure we honor your opt-out (to avoid accidentally emailing you again) but we will not send you further emails. Any consent records (proof of opt-in) will be kept as required by law (for instance, under spam regulations) to demonstrate that we had permission to send emails until you withdrew it.
Legal Holds: In certain cases, we may need to retain information for longer than our standard periods if it is subject to a legal hold. For example, if we are involved in a legal dispute or receive a legal notice to preserve data, we will retain the relevant information until the issue is resolved and we are legally permitted to delete it.
When we no longer have a legitimate need to retain your personal information, we will ensure it is securely deleted or anonymized. For example, we may permanently erase data from our servers or overwrite it, and instruct our processors to do the same. Anonymization means we alter the information so it can no longer be associated with you (in which case we may retain anonymized data for statistical purposes without further notice to you).
7. Data Security
We take the security of your personal information seriously. Magical Letters implements reasonable technical and organizational measures to protect your data from unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: Our website is secured via industry-standard SSL/TLS encryption. This means that when you provide personal information (such as filling out forms or making a payment), the data is encrypted in transit between your device and our servers. You can verify you are on a secure connection by looking for "https://" and a lock icon in your browser’s address bar. Additionally, sensitive data (like passwords) is encrypted or hashed in our database so that even if our databases were accessed, this data would not be easily readable.
- Access Controls: We restrict access to personal data to employees, contractors, and service providers who need to know that information in order to process it for us, and who are subject to strict confidentiality obligations. Our team members are trained on the importance of privacy and security. Administrative access to systems that contain personal data is limited and protected with strong authentication (such as multi-factor authentication) to prevent unauthorized logins.
- Secure Hosting: We host our application and data with established cloud service providers that employ robust security practices (firewalls, intrusion detection systems, etc.). Our servers are regularly updated with security patches to protect against vulnerabilities. Data centers hosting our Service have physical security controls as well, to prevent unauthorized physical access to the machines.
- Payment Security: All payment transactions are handled by Stripe on secure, PCI-compliant servers. We never transmit or store sensitive card data on our systems. By outsourcing payment processing to a specialized provider, we reduce the risk to your financial information. Stripe uses advanced fraud detection and encryption to keep your payment details safe.
- Monitoring and Testing: We monitor our systems for potential vulnerabilities and attacks. We use security tools and best practices to detect unusual activities. From time to time, we may perform security testing or audits (or engage third-party experts to do so) to evaluate the strength of our security measures. If we find any issues, we address them promptly.
- Backups: We perform regular backups of critical data to prevent data loss. These backups are encrypted and stored securely. In the event of a technical issue or incident, we can restore data from these backups to ensure continuity of the Service and minimize any loss of data.
- Employee Practices: Our internal policies and practices reinforce security – for instance, we avoid storing personal data on unsecured local devices, and we ensure that any printed sensitive documents (if any) are securely stored or shredded. We also have procedures to handle any suspected security incidents.
Despite all our efforts, it's important to note that no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. You should also play a part in safeguarding your information. Please use a strong, unique password for your Magical Letters account and do not share it with others. If you suspect any unauthorized access to your account or any security vulnerabilities in our Service, please notify us immediately so we can take appropriate action.
Data Breach Procedures: In the unlikely event of a data breach that affects your personal information, Magical Letters will promptly notify you and the appropriate authorities as required by law. This includes complying with the Australian Notifiable Data Breaches scheme and any relevant obligations under GDPR or other regulations. We will inform you of the nature of the breach, the data impacted (if known), steps we are taking to address it, and recommendations for your own protection (such as changing passwords or watching for suspicious activity). Our goal is to be transparent and proactive in the event of any security issue.
8. International Data Transfers
Magical Letters is based in Australia, but the personal information we collect may be transferred to and stored in servers located in countries outside of Australia. In particular, some of our third-party service providers are located overseas, meaning your personal data may be transferred to or accessed from other countries including (but not limited to) the United States. For example:
- Our use of OpenAI, Google Analytics, and Stripe involves transferring data to the United States (since these providers are U.S.-based companies). Information sent to OpenAI’s API and data collected by Google Analytics or processed by Stripe will likely be stored on servers in the U.S.
- If our cloud hosting is provided by a global company, your data might be stored in data centers outside Australia (for instance, servers in the US, Europe, or Asia-Pacific region) depending on the provider’s infrastructure. We aim to use data centers in jurisdictions with strong data protection standards when feasible, but the primary factor is the location provided by our chosen hosting service.
When we transfer personal information internationally, we take steps to ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable laws. These steps may include:
- Contracts (Standard Data Protection Clauses): If you are in the European Economic Area (EEA) or United Kingdom, and we transfer your personal data outside the EEA/UK, such transfers will be governed by the European Commission’s Standard Contractual Clauses (SCCs) or equivalent legal mechanisms to ensure that your data receives an adequate level of protection. These clauses contractually oblige the recipient of the data to protect it to EU GDPR standards. For example, our agreements with service providers like Stripe or Google include data processing addenda with standard clauses where applicable.
- Adequacy Decisions: In some cases, we may transfer data to countries that have been officially deemed to have an adequate level of data protection by relevant authorities (e.g., the European Commission). Australia, for instance, is not currently on the EU’s formal adequacy list, so we rely on other mechanisms for EU data; however, within Australia we comply with the Australian Privacy Act which provides robust protections.
- Privacy Shield/Successor Frameworks: While the U.S.-EU Privacy Shield was invalidated in 2020, companies like Google and Stripe have other compliance measures. We anticipate that new frameworks or certifications (such as the EU-U.S. Data Privacy Framework, if applicable) may be used by our providers to ensure lawful transfers. We will update our practices in line with the latest international data transfer standards.
- Your Consent: In specific situations, we may ask for your explicit consent to transfer your data to a third country if no other lawful bases are available. However, in general, our reliance will be on the safeguards above.
By using Magical Letters and providing your information, you acknowledge that your personal data may be transferred to and processed in overseas jurisdictions as described. These jurisdictions may have different data protection laws than your country of residence. In all cases, we will protect your information as described in this Privacy Policy. If you have questions about our international data transfers or require more details on the safeguards we have in place, please contact us using the information in the Contact Us section.
9. Your Rights and Choices
Magical Letters respects your rights to your personal information. You have the ability to access, correct, delete, or control the use of your personal data, as described below. The availability of certain rights may depend on your residency (for example, GDPR rights for EU residents, CCPA rights for California residents), but we strive to honor these rights for all users where feasible:
- Access and Correction: You have the right to request access to the personal information we hold about you and to request correction of any inaccuracies.
- Access: This means you can ask us to confirm whether we are processing your personal data and request a copy of that data (commonly known as a "data subject access request"). For example, you can ask for a copy of the account information and any relevant data we have stored about you. We will provide this except in limited circumstances where we are permitted not to (such as if providing it would unreasonably affect someone else’s privacy or if the request is manifestly unfounded or excessive). We will typically provide the information in a commonly used electronic format.
- Correction: If any of your personal details are outdated, incomplete, or incorrect, you have the right to have them updated or corrected. For instance, if you notice your name or your child’s information is spelled wrong in our records, you can let us know and we will fix it. If you have an account, you may also be able to log in and directly edit certain information (like your profile or email) yourself.
- Deletion (Right to Erasure): You can request that we delete personal information that we hold about you. For example, if you have created an account or provided personal data, you have the right to ask us to remove that information from our systems (this is sometimes called the "right to be forgotten"). We will honor deletion requests provided that we do not have a legal obligation or other valid reason to retain the data. Note that if you request deletion of data necessary for us to provide the Service (e.g. your user account or generated content), you may no longer be able to use those aspects of the Service. If you simply wish to stop receiving marketing emails, you do not need to delete your data with us; you can always just unsubscribe. If you delete your account or personal data, we may retain transactional records and certain information as required by law or for legitimate business purposes (as described in the Data Retention section), but we will isolate and protect that information from any routine use.
- Withdrawal of Consent: Where we rely on your consent to process information (such as consent to use optional personal details for artwork, or consent to send you marketing communications), you have the right to withdraw that consent at any time. For example, you can withdraw your consent for marketing emails by unsubscribing, or ask us to stop using and delete any optional information you provided about your child. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it will not affect processing of your data under other legal bases (for instance, it won’t undo a purchase transaction that has been processed). If you withdraw consent for us to use certain data, we will cease using and delete that data unless we have an alternative legal basis to keep it (for example, if you withdraw consent for marketing, we may still keep your email to ensure we don’t send you marketing, as noted).
- Objection to Processing: If we are processing your information based on legitimate interests, you have the right to object to that processing. For example, if you do not want your data to be used for analytics or product improvement purposes, you can object. If you do so, we will re-evaluate the necessity of the processing. We will comply with your objection unless we have compelling legitimate grounds to continue the processing or if it is needed for legal claims. With regard to direct marketing (including any profiling related to direct marketing), you have an absolute right to object and if you object we will stop that processing.
- Restriction of Processing: You have the right to request that we limit the processing of your personal data in certain situations. This could apply, for instance, if you contest the accuracy of the data (you can request we restrict processing until we verify accuracy), or if the processing is unlawful but you prefer restriction over deletion, or if we no longer need the data but you need us to keep it for a legal claim, or if you have objected to processing and await verification of overriding grounds. When processing is restricted, we will still store your information but not use it for other purposes until the restriction is lifted (for example, until the issue is resolved).
- Data Portability: For data that you have provided to us and which we process by automated means on the basis of consent or contract, you have the right to request a copy in a structured, commonly used, machine-readable format so you can transfer it to another provider if desired. In practical terms, this right may apply to information like your account details or the specific input data you provided. If technically feasible, you can also request that we transmit that data directly to another service provider, when such transfer is secure and practicable. Note that the right to portability does not apply to data that is a result of our analysis or processing (for example, internal analytics data might not be portable) – it mainly covers raw data you provided us.
- California Privacy Rights (CCPA/CPRA): If you are a California resident, you have specific rights under the CCPA (as amended by the CPRA), in addition to those above. These include:
- Right to Know: You can request that we disclose the categories of personal information we have collected about you, the categories of sources of that information, the business or commercial purpose for collecting it, the categories of third parties with whom we share it, and the specific pieces of personal information we hold about you. Essentially, you have the right to know what personal data we have collected about you and how we have handled it.
- Right to Delete: You can request deletion of your personal information that we have collected (with similar scope to the deletion right described above). There are certain exceptions under CCPA—for example, we may retain information needed to complete a transaction, to detect security incidents, comply with legal obligations, or other purposes permitted by law. We will inform you if any such exception applies when fulfilling your deletion request.
- Right to Opt-Out of Sale or Sharing: As noted, Magical Letters does not sell your personal information. If we ever engaged in “selling” or “sharing” personal information (as defined by California law), you would have the right to opt out of such sale or sharing. We honor the global privacy control (GPC) signals or any similar mechanism as required that indicates a preference to opt-out. Since we do not sell data, this right is more about our commitment. If that policy ever changes, we will provide a clear “Do Not Sell or Share My Personal Information” link or mechanism on our site for California residents to exercise this right.
- Right to Correct: Under the CPRA (effective 2023), California residents also have the right to request correction of inaccurate personal information held by a business. This aligns with the correction rights described above. We will correct any inaccuracies in your personal data upon verification of the request.
- Right to Limit Use of Sensitive Personal Information: The CPRA introduces rights around “sensitive personal information” (SPI). In our context, we do not collect highly sensitive info like government IDs or financial account passwords. Some data like a child’s date of birth or health-related metrics (height/weight at birth) could be considered “sensitive” in certain contexts. If we were using any sensitive personal information beyond what is necessary to provide our Service, California residents would have the right to limit our use of that information. Magical Letters only uses such information to create the artwork you requested (which is the purpose you provided it for). We do not use sensitive info for purposes like profiling or marketing without consent. Thus, this right to limit likely isn’t directly applicable to our current practices, because we don’t use sensitive info in that manner. If that ever changes, we will honor requests to limit use of SPI.
- Right of Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means if you choose to exercise your privacy rights (for example, asking for deletion or opting out of sale), we will not deny you our Service, charge you different prices, or provide a lesser quality of service just because you exercised your rights. (However, please note that deleting certain data might inherently affect your ability to use some features – for instance, if you ask us to delete your account data, you will not be able to log in, since we no longer have your credentials. This is a natural consequence and not a form of discrimination, as allowed by CCPA.)
- Exercising Your Rights: To exercise any of the rights above, please contact us using the contact information provided in the Contact Us section of this Privacy Policy. Please clearly describe your request – for example, "I would like a copy of my personal information," or "Please correct my child’s name spelling," or "Delete my account and all associated data." For certain requests, especially those involving access, deletion, or copy of data, we will need to verify your identity to ensure the security of personal data. Verification may involve confirming control of your email address or answering a few questions to match information we have on file. If you are making a request on behalf of someone else as an authorized agent (such as a legal guardian for a child over 13, or an attorney-in-fact for a consumer), we will require proof of authorization and also verify the identity of the person for whom the request is made, to the extent required by law. California residents may use an authorized agent with a proper power of attorney or other written authorization to exercise rights on their behalf, subject to verification steps.
We will respond to your request within a reasonable timeframe. For GDPR-related requests, we aim to respond within one month. For CCPA requests, we aim to respond within 45 days (and if needed, we may extend once for another 45 days, and will let you know of the extension within the initial 45-day period). There is no fee for making a request, although if requests are manifestly unfounded or excessive, we might charge a reasonable fee or refuse to act (as permitted by law), but we will explain our reasoning in such cases.
- Complaint Rights: We are committed to resolving any concerns you may have about your privacy. We encourage you to contact us first if you have a complaint, and we will do our best to address it. However, if you are an Australian resident and believe we have breached the Australian Privacy Principles, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC). The OAIC can be contacted through their website (oaic.gov.au) for guidance on how to submit a complaint. If you are in the EU/EEA, you have the right to file a complaint with your local Data Protection Authority (DPA) or lead supervisory authority. For example, a person in France can contact the CNIL, and someone in Germany could contact their state DPA. If you’re in the UK, you can reach out to the Information Commissioner’s Office (ICO). Contact information for DPAs is usually available on their respective websites. If you are in California and have concerns about how we handled your request or your data, you can contact the California Privacy Protection Agency (CPPA) or the California Attorney General’s office. We sincerely hope it never comes to that, and we welcome the opportunity to directly address any issues.
Your privacy is important to us, and we will not retaliate against you for exercising any of these rights. We’ve designed Magical Letters to collect only the information we need to provide a great service, and we want you to feel comfortable and in control of your data.
10. Children’s Privacy
Protecting the privacy of children is especially important. Magical Letters is not intended for use by children under the age of 13 without involvement of a parent or guardian. Our Service and content are generally directed at parents of newborns and young children, as well as older children (13+) and teens who may be interested in creating name artwork. We understand there may be interest from teenagers, and we allow teens 13 or older to use the site, but usage by anyone under 13 is not allowed in order to comply with child privacy regulations.
No Direct Collection from Children Under 13: We do not knowingly collect personal information from children under 13 years of age. In compliance with the U.S. Children’s Online Privacy Protection Act (COPPA), if we become aware that a child under 13 has provided us with personal information without verifiable parental consent, we will take immediate steps to delete such information from our servers. For example, if a 12-year-old somehow registered an account or entered their details, once discovered, we would delete the account and data. If you are a parent or guardian and you believe your child under 13 has used our Service or provided personal information, please contact us so we can investigate and delete any such data.
Parental Use of Child Information: Magical Letters often involves parents providing information about their infant or child (such as the child’s name, birth date, etc.) to generate a personalized artwork. We assume that when a parent or guardian inputs a child’s personal details into our Service, they are doing so with the authority to act on behalf of the child and consent to the use of that information for the intended purpose. We use child-related data only to create the artwork and provide the Service to the parent/guardian. We do not use a child’s personal details for any secondary purposes such as marketing directly to the child. The generated artwork might include personal details (like the child’s first name or birth stats) visually, but this is under the control of the parent who uses/shares that artwork.
Teen Users (Children 13+): We recognize that teenagers (for example, an older sibling, or a 13-17 year old who wants to create art for a friend or themselves) might be interested in Magical Letters. Teen users who are at least 13 years old are permitted to use the Service, but if you are under 18 (the age of majority in most jurisdictions), you should do so with the consent and supervision of your parent or guardian. We recommend that parents of teenagers review this Privacy Policy and our Terms of Use with their teens to ensure they understand them. We do not knowingly solicit personal data from individuals 13-17 beyond what is necessary for using the Service. Any user, including teens, who creates an account or provides data is affirming that they are 13 or older. If we find that someone under 13 misrepresented their age to create an account, we will terminate the account and delete associated data. If a teen (13-17) uses the Service, we may collect and use their data as described in this Policy (since at 13+ they can legally consent in some jurisdictions), but certain jurisdictions (like some EU countries) require parental consent up to age 16. If you are in such a region (for instance, a 15-year-old in a country where the digital age of consent is 16 under GDPR), we expect that you have obtained your parent’s permission to use Magical Letters. We may take steps to verify parental consent for users in that category if needed.
Public Sharing: If you choose to share the generated artwork of your child on social media or publicly, please be mindful of the information it contains. While Magical Letters allows you to create and download these images, the act of sharing them publicly (on, say, Facebook or Instagram) is under your discretion. We encourage you to consider your child’s privacy when posting personal details (like full name, birth date, etc.) in a public forum. Magical Letters itself does not publish any child’s personal information to the public without consent, as noted. Any gallery or showcase content we use will either be fictional or anonymized unless explicit permission is given.
In summary, we take children’s privacy seriously and aim to involve parents/guardians in any collection of personal data related to children. We design our policies and features to avoid collecting data directly from young children and to give parents control. If you have any questions or concerns about your child’s data on Magical Letters, please contact us and we will be happy to discuss and address them.
11. How to Delete Your Data
If you have an account with Magical Letters and wish to delete your data, you can do so at any time by logging into your account.
Go to your profile via the Dashboard and click the “Delete” button. This will permanently delete your account and all associated personal information from our systems.
If you need assistance or encounter any issues, you can contact us at hello@magicalletters.com.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal information, please feel free to contact us. We are here to help and address any issues:
- Email: You can email our privacy team at privacy@magicalletters.com (or an appropriate contact email for Magical Letters). This is the fastest way to reach us for privacy-related inquiries, including requests to access or delete your data.
- Mailing Address: You may also contact us by mail at:
Magical Letters – Privacy Officer
35 Queens Bridge Street Southbank,
VIC 3006 AustraliaIf you write to us, please include your contact information and a detailed description of your request or concern so we can respond appropriately. Keep in mind that postal inquiries may take longer for us to receive and respond.
- Website Contact Form: If available, you can use the contact form on our website (on the Contact Us page) to send a message directly to our support team. Please mention that your inquiry is about privacy so it can be forwarded to the correct personnel.
We will respond to legitimate inquiries as soon as reasonably possible, generally within a few business days. If you are making a specific rights request (like those described in the "Your Rights" section), please clearly state what you need so we can process it efficiently. We may follow up with you for verification or to ask for additional information if needed.
Your trust is extremely important to us. We welcome feedback about our Privacy Policy and practices. If there’s something you don’t understand or you need further clarification on, let us know. We’re continually working to ensure your experience with Magical Letters is safe and secure.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will post the updated policy on this page and update the “Effective Date” at the top of the policy. If the changes are significant, we will provide a more prominent notice (such as a banner on our website or an email notification, if appropriate) so that you are aware of the modifications.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Continued use of Magical Letters after any changes to the Privacy Policy constitutes your acceptance of the revised terms, to the extent permitted by law.
If we were to change the purposes of processing your personal information, or begin processing data in a manner that is materially different from what is described here, we will notify you and, if required by law, obtain your consent before doing so.
Thank you for reading our Privacy Policy. Your privacy and trust are paramount to us, and we are dedicated to safeguarding the personal information you share when using Magical Letters.