Last updated: 2026-05-18
Who we are
Wonder Saga is operated by Mawal AB, a Swedish private limited company (organization number 559279-0462, VAT number SE559279046201), with its registered office at Hallandsgatan 38, 118 57 Stockholm, Sweden. In this policy, "Wonder Saga", "we", "us", and "our" refer to Mawal AB; "you" and "your" refer to the person whose personal data we process.
Mawal AB is the controller of the personal data described in this policy under the EU General Data Protection Regulation (GDPR), the UK GDPR, the revised Swiss Federal Act on Data Protection (revFADP), and equivalent laws.
For any privacy question or to exercise your rights, write to info@wondersaga.com or to the address above.
What we collect
We collect three groups of personal data.
Account and authentication data. Your email address, an internal user identifier issued by Firebase Authentication, your locale preference, your account role, the date you created your account, and the date we last saw you signed in. If you sign in with Google or Facebook, we receive an identifier and email from the federated provider. Passwords are stored in hashed form by our authentication provider; we do not see plaintext passwords.
Content you create and how you use the service. The inputs you submit to generate a story (character name, plot details, the moral you choose, and the requested length), the generated stories and chapter outlines, generated illustrations and their alt text, and usage metadata such as which model was used and our internal token and cost figures. When the content filter declines an input, we also store the input and the filter's response so we can investigate abuse.
Subscription, technical, and ad-attribution data. Order and renewal data we receive from Paddle (order identifier, plan, amount, currency, billing country, partial billing details, subscription and renewal status). Device and connection data we observe when you visit the service (IP address, user agent, approximate location derived from IP, time zone, language). The Facebook or Google click identifier if you arrived through an ad, so we can attribute the conversion. Cookies and similar identifiers are described in our separate Cookie Policy.
We do not receive or store full card numbers, expiry dates, or CVCs. Card data flows directly from you to Paddle under PCI DSS.
We do not knowingly process special categories of data (race, ethnicity, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or data about sex life or sexual orientation). Please do not include such information about identifiable people in story inputs.
Why and on what legal basis
We process your personal data for the purposes below. Each is paired with its legal basis under Article 6 of the GDPR, which applies in parallel under the UK GDPR and is the closest analogue under the Swiss revFADP.
- Providing Wonder Saga, processing payments, and managing your subscription: performance of a contract (Article 6(1)(b)).
- Sending transactional messages (order receipts, password resets, account notifications) and responding to support requests: performance of a contract (Article 6(1)(b)) and our legitimate interests in operating the service (Article 6(1)(f)).
- Service improvement, debugging, and error tracking: our legitimate interests in keeping Wonder Saga reliable (Article 6(1)(f)).
- Content moderation and abuse prevention: our legitimate interests in protecting the service and our users (Article 6(1)(f)), and compliance with legal obligations where applicable (Article 6(1)(c)).
- Fraud prevention: our legitimate interests (Article 6(1)(f)) and compliance with legal obligations (Article 6(1)(c)).
- Accounting, tax, and other legal obligations: compliance with legal obligations (Article 6(1)(c)).
- Occasional product updates sent to signed-up users: our legitimate interests in keeping subscribers informed (Article 6(1)(f)). You can opt out at any time.
- Ad-conversion measurement: your consent for the underlying cookies and identifiers (Article 6(1)(a)) where required, and our legitimate interests in measuring ad spend (Article 6(1)(f)).
- Disclosures required by law, including subpoenas, court orders, regulatory requests, and other legal process, or where disclosure is necessary to protect rights or safety: compliance with legal obligations (Article 6(1)(c)) and our legitimate interests (Article 6(1)(f)). Where the law permits and an investigation is not prejudiced, we will tell you before responding.
- Business transitions: if we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, your personal data may be transferred to the acquiring or successor entity, which we will require to honor this policy. For California residents, an asset transfer of this kind is not a "sale" of personal information as defined under the CCPA.
Where our basis is your consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal. Where our basis is legitimate interests, you can object as described below.
Who we share with
We use the following service providers to operate Wonder Saga. Each acts as a processor on our written instructions under Article 28 GDPR, except Paddle and the ad-measurement providers, which are independent controllers for the purposes noted.
- Vercel Inc.: hosting, serverless functions, blob storage for generated images, and product analytics.
- Neon, Inc.: managed PostgreSQL database.
- Google LLC (Firebase Authentication): sign-in handling, password hashing, federated sign-in with Google and Facebook.
- OpenAI, L.L.C.: story text generation and content moderation.
- Featherless AI, Inc. (fal.ai): illustration generation.
- Intuit Inc. (Mailchimp Transactional, formerly Mandrill): transactional email and occasional product updates.
- Functional Software, Inc. (Sentry): error and performance reporting, configured to strip request bodies and prompt content.
- Google LLC (Google Tag Manager and Google Ads): ad-conversion measurement; independent controller for that purpose.
- Meta Platforms, Inc. (Facebook Conversions API): ad-conversion measurement; independent controller for that purpose.
- Paddle: Merchant of Record and independent data controller for payment, billing, fraud prevention, and tax compliance. The specific Paddle entity is the one shown in your checkout and on your order confirmation. Card details flow directly from you to Paddle under PCI DSS. See Paddle's privacy notice at www.paddle.com/legal/privacy.
We use OpenAI and fal.ai under business terms and configurations that prevent them from training or improving their models on Wonder Saga inputs or outputs.
Most of these providers are based in the United States or process data globally; see the next section.
We do not sell your personal data and we do not share it for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act.
International transfers
Several recipients are based outside the European Economic Area, principally in the United States. For those transfers we rely on appropriate safeguards under Chapter V of the GDPR and the equivalent UK and Swiss provisions: the EU-US Data Privacy Framework where the recipient is self-certified to it, the UK Extension to that Framework (the UK-US Data Bridge) for UK personal data, the Swiss-US Data Privacy Framework for Swiss personal data, and the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) with the UK International Data Transfer Addendum for transfers not covered by an adequacy mechanism. You can request a copy of the safeguards in place for a specific transfer by writing to info@wondersaga.com.
How long we keep your data
We keep your personal data for as long as we need it for the purposes described in this policy, and longer where law requires.
We do not keep your personal data for more than three months past the termination of your account, except where law requires a longer period. In particular, payment, order, and invoice records are kept for as long as Swedish accounting and tax law requires, currently seven years from the end of the fiscal year of the transaction.
When we no longer have a legitimate basis to keep your data, we delete or anonymize it. Data held in encrypted backups is purged when the backup rotates out.
Your privacy rights
You have the following rights under the GDPR and UK GDPR, exercisable by writing to info@wondersaga.com:
- Right of access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), and data portability (Article 20).
- Right to withdraw consent at any time where consent is the basis (Article 7(3)), without affecting the lawfulness of earlier processing.
- Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you (Article 22). See the AI section below.
- Right to lodge a complaint with a supervisory authority (Article 77). See the Complaints section.
How we verify your request. We confirm your identity before responding, usually by asking you to send the request from the email address on the account or by matching identifying information against the account record. We do not use the verification information for any other purpose.
How long it takes. Under the GDPR and UK GDPR we respond within one month, extendable by up to two further months for complex requests, with notice within the first month. Under the California Consumer Privacy Act we respond within 45 days, extendable by an additional 45 days with notice.
Deleting your account or content. Wonder Saga does not currently provide an in-account button for deleting your account, your stories, or your illustrations. To delete your data, write to info@wondersaga.com from the email address on your account and we will action the request within the timing above.
Your right to object
You have the right to object at any time to our processing of your personal data where the processing is based on our legitimate interests, including any profiling based on those interests, and to processing for direct marketing or similar communications. If you object, we will stop processing your data for those purposes unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless we need the data to establish, exercise, or defend a legal claim.
To object, email info@wondersaga.com. For occasional product updates, you can also unsubscribe directly from any such email.
US state privacy rights
If you are a resident of a US state with a comprehensive privacy law (including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, Tennessee, Minnesota, Maryland, and other states whose laws come into force from time to time), you may have rights to know, access, delete, correct, and port your personal information; to opt out of its sale or sharing and of targeted advertising; and to appeal a decision we make about your request. Mawal AB does not currently meet the statutory thresholds for most of these laws and voluntarily honors the rights regardless. To exercise them, email info@wondersaga.com.
California specifics. In the past twelve months we have collected personal information in the CCPA categories of identifiers, commercial information, internet activity, geolocation derived from IP, inferences drawn from the above, and the content you create through the service. Sources are described above; business purposes and recipients are listed in the corresponding sections. We do not sell your personal information and we do not share it for cross-context behavioral advertising. We do not knowingly collect sensitive personal information for purposes that would trigger the "Limit the Use of My Sensitive Personal Information" right. We do not offer financial incentives in exchange for personal information, and we will not discriminate against you for exercising your CCPA rights. A California consumer may use an authorized agent; we may ask the agent for written permission signed by you and may still verify your identity with you directly.
Global Privacy Control. Because we do not sell or share your personal information, there is no opt-out signal to honor today. If our practices change, we will treat a valid Global Privacy Control signal as a request to opt out of any sale or sharing.
Appeals. If we decline a US-state-law privacy request, you may appeal by emailing info@wondersaga.com. We will respond in writing with the outcome and the reasons. If your appeal is denied, you may submit a complaint to your state attorney general.
Shine the Light (California Civil Code 1798.83). California residents may request information about any personal information we disclosed to third parties for the third parties' direct marketing purposes during the prior calendar year. We do not disclose personal information for that purpose.
Do Not Track. Web browsers can send a Do Not Track ("DNT") signal. There is no industry standard for honoring DNT and we do not respond to DNT signals. We treat a valid Global Privacy Control signal as described above.
Cookies and tracking
Cookies, similar identifiers, the categories we use, the vendors involved, and how to give or withdraw consent are described in our separate Cookie Policy.
Children
Wonder Saga is intended for adults. We do not knowingly collect personal data from anyone under 18 years of age, and we do not market the service to children. If we learn that we have collected personal data from someone under 18, we will deactivate the account and delete the data promptly. If you believe we have personal data from a child, write to info@wondersaga.com.
Information about children that you enter as content. When you create a story, you may include information that relates to a child, for example a child's first name. We treat this as your content, processed under your direction, and store it associated with your account. Please do not include full names, addresses, contact details, or other identifying information about a child that you would not want stored. To remove such content, write to info@wondersaga.com.
AI and automated decisions
Wonder Saga uses two AI providers. We send your story prompts to OpenAI for text generation, and the resulting scene description to fal.ai for illustration; the outputs are returned to your browser and saved to your account. Before generation we run your inputs through OpenAI's moderation model and may decline to generate a story if it flags the input. We use both providers under business terms and configurations that prevent training on Wonder Saga inputs or outputs. Inputs and outputs are processed in the United States.
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects. The moderation model can cause an individual generation request to be declined; a human reviews repeated or contested cases before any account-level action. To contest a moderation decision, write to info@wondersaga.com.
Public sharing of content
You can publish a story or illustration through a shareable link from inside your account. Once a link exists, the content becomes reachable to anyone who has the link, which may include search engines and the general public depending on how the link is shared. Do not put anything in shared content that you do not want to be public. You can revoke a shareable link from your account at any time; cached or shared copies outside our control may persist.
Service messages
Transactional messages. Order receipts, password resets, billing alerts, and similar messages are part of the service. We send them on the basis of our contract with you and they are not marketing.
Occasional product updates. If you have a Wonder Saga account, we may occasionally email you product updates on the basis of our legitimate interests in keeping you informed. You can opt out by unsubscribing from any such email or by writing to info@wondersaga.com.
Ad-conversion measurement. When you click an ad and then register or buy a subscription, we tell Google Ads or Facebook that the conversion happened so we can measure ad spend. We do not use this data to build a profile of you for advertising on our side. Cookie-side details are in our Cookie Policy.
Security and data breaches
We protect personal data with measures that include encryption in transit, encryption at rest where supported by our hosting and storage providers, role-based access controls, vendor due diligence, signed data processing agreements with our processors, and audit logging. No online service is perfectly secure; if you become aware of a vulnerability, write to info@wondersaga.com.
If a personal data breach is likely to result in a risk to your rights and freedoms, we notify the competent supervisory authority within 72 hours of becoming aware of it (Article 33 GDPR). Where the breach is likely to result in a high risk, we also notify affected individuals without undue delay (Article 34). We notify under applicable US state breach laws where they apply.
Complaints
You have the right to lodge a complaint with a data protection supervisory authority. Mawal AB's lead supervisory authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at www.imy.se. EU and EEA residents can also complain to the supervisory authority in their own member state through the European Data Protection Board's directory at www.edpb.europa.eu. Swiss residents can complain to the Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch. UK residents can complain to the Information Commissioner's Office at ico.org.uk/concerns. California residents can complain to the California Privacy Protection Agency at cppa.ca.gov or the California Attorney General at oag.ca.gov/privacy. If you are in another jurisdiction, please contact your local data protection authority.
We would also like the chance to address your concern directly. Write to info@wondersaga.com before or alongside any complaint and we will respond.
Updates to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. We will notify you of material changes by email to the address on your account or by a prominent on-site notice before they take effect.
Contact us
Mawal AB
Hallandsgatan 38
118 57 Stockholm
Sweden
Email: info@wondersaga.com
