Privacy Policy

How we protect and process your personal data

Data Protection Statement

This Privacy Policy explains how Carsten Ludwig (trading as petitWUNDER) collects, processes, and protects your personal data when you use our AI-powered personalized children's book creation service, in accordance with the Swiss Federal Act on Data Protection (FADP), EU General Data Protection Regulation (GDPR), and EU AI Act.

1. Data Controller Information

Data Controller:

Name: Carsten Ludwig (trading as petitWUNDER)

Address: Funkwiesenstrasse 93, 8050 Zurich, Switzerland

Email: info@petitwunder.com

Registration: Swiss Sole Proprietorship (transitioning to petitWUNDER GmbH)

2. Personal Data We Collect

We collect the following types of personal data:

  • Email address and account information
  • Family photos for book creation
  • Character names and story preferences
  • Payment information (processed by secure payment providers)
  • Technical data (IP address, browser information)

Children's Data

Our service is for adults 16+. You must have legal authority to upload photos containing minors. We do not directly collect data from children and delete all photos after processing.

3. Legal Basis for Processing

We process your personal data based on:

  • Explicit Consent: For processing family photos and biometric data
  • Contract Performance: For account creation, book creation, and delivery
  • Legitimate Interest: For service improvement and security

4. AI Processing and Photo Transformation

AI Systems We Use

  • OpenAI GPT-4.1: Photo transformation and character creation
  • OpenAI GPT-4o: Story generation and multilingual translation
  • OpenAI GPT-4o Vision: Photo analysis and composite image creation

AI-Specific Risks and Mitigations

  • Potential biases in AI outputs mitigated through diverse training data and human review
  • Biometric data risks (e.g., facial analysis) addressed via strict access controls and automatic deletion
  • Accuracy limitations handled with 100% human oversight
  • Regular risk assessments as per EU AI Act requirements

AI Data Protection Impact Assessments

We conduct regular Data Protection Impact Assessments (DPIAs) for high-risk activities like photo analysis, ensuring compliance with GDPR and FADP. Audits include risk evaluations and mitigation reviews.

5. Data Retention and Automatic Photo Deletion

Our Commitment to Data Minimization

  • ✅ Original photos automatically deleted 7 days after delivery
  • ✅ Permanent deletion - cannot be recovered once deleted
  • ✅ Email confirmation when photos are deleted
  • ✅ Photos used solely for book creation purposes

Full Retention Schedule

Data Type | Retention Period
Photos | 7 days post-delivery
Account Info | Until deletion request
Payment Data | As required by law (e.g., 10 years for tax)
Technical Logs | 1 year

6. Security Measures and Breach Notification

How We Protect Your Data

  • Industry-standard encryption for data in transit and at rest
  • Access controls and authentication protocols
  • Regular security audits and vulnerability assessments
  • Secure processing environments for AI operations

In case of a data breach, we will notify affected users and authorities within 72 hours, as required by GDPR and FADP.

7. Third-Party Sharing and International Transfers

Data Sharing Safeguards

  • OpenAI (USA): For AI processing, under Standard Contractual Clauses
  • Supabase (EU/USA): For database services, with EU adequacy decisions
  • Stripe (USA): For payments, under Data Privacy Framework
  • All transfers use appropriate safeguards like encryption and contracts

Cookie and Tracking Summary

We use cookies for essential functions. For details and management, see our Cookie Preferences.

8. Your Rights Under GDPR

You have the following rights under GDPR:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate personal data
  • Right to Erasure: Request deletion of your personal data
  • Right to Data Portability: Receive your data in machine-readable format
  • Right to Object: Object to processing based on legitimate interests

9. How to Exercise Your Rights

  • Email info@petitwunder.com with subject "Data Access Request" for a copy of your data
  • Use "Data Rectification Request" to correct information
  • Submit "Data Erasure Request" for deletion (subject to legal obligations)
  • We respond within 30 days; no fee for standard requests

Complaint Procedure

If unsatisfied with our response, contact the Swiss FDPIC or your local data protection authority.

10. Contact Information

Data Protection Inquiries

Email: info@petitwunder.com

Subject: "Data Protection Inquiry"

Response Time: 30 days maximum

Last updated: January 15, 2025 | Effective: January 15, 2025

Version History

  • v1.0 - January 15, 2025: Initial version