Coloring Magic Art
Coloring Magic Art
All policies

Privacy Policy

Last updated: March 2, 2026

1. Introduction

This Privacy Policy explains how [OPERATOR_NAME_PLACEHOLDER] ("we," "us," or "Coloring Magic"), established in Austria at [OPERATOR_ADDRESS_PLACEHOLDER], collects, uses, stores, and protects your personal data when you use our Service. It applies to all users regardless of location.

This policy is designed to comply with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the Austrian Data Protection Act (DSG), the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, the U.S. Children's Online Privacy Protection Act (COPPA), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Australian Privacy Act 1988, and other applicable privacy laws.

2. Data Controller

The data controller responsible for your personal data is:

[OPERATOR_NAME_PLACEHOLDER]
[OPERATOR_ADDRESS_PLACEHOLDER]
Email: support@coloringmagic.art

3. Data We Collect

3a. Account Data

When you create an account, we receive the following from your authentication provider (Google or GitHub): your name, email address, and profile image. We store this data in our database to identify your account and provide the Service.

3b. Payment Data

When you purchase tokens, your payment is processed by Stripe. We do not receive or store your credit-card number. We store your Stripe customer ID and transaction records (purchase amount, token quantity, transaction ID, and timestamp) for accounting and support purposes.

3c. User Content

We store the text prompts you submit, the AI-generated images, coloring-book project metadata (titles, page order, age-range settings), and exported PDF files. This data is stored to deliver the Service to you.

3d. Technical and Usage Data

When you use the Service, we may collect technical data including your IP address, browser type and version, operating system, device type, referring URL, pages visited, and timestamps. If you accept analytics cookies, we collect additional usage data through Vercel Analytics (see our Cookie Policy).

3e. Communication Data

If you contact us at support@coloringmagic.art, we store your email address, the content of your message, and any attachments for the purpose of responding to your inquiry.

4. Legal Bases for Processing (GDPR)

We process your personal data on the following legal bases:

  • Performance of a contract (Article 6(1)(b) GDPR): Processing your account data, user content, and payment data is necessary to provide you with the Service under our Terms of Service.
  • Legitimate interests (Article 6(1)(f) GDPR): We process technical data for security, fraud prevention, service improvement, and troubleshooting. We process content data for content moderation and policy enforcement. Our legitimate interests do not override your fundamental rights and freedoms.
  • Consent (Article 6(1)(a) GDPR): We process analytics data through Vercel Analytics only if you have accepted non-essential cookies via our consent banner. You may withdraw consent at any time.
  • Legal obligations (Article 6(1)(c) GDPR): We process and retain certain data where required by law, including tax and accounting regulations (Austrian BAO, EU VAT regulations), mandatory reporting obligations (e.g., CSAM reporting), and compliance with court orders.

5. Data Processors and Recipients

We share your personal data with the following categories of processors and recipients, each bound by data-processing agreements:

  • OpenAI (United States).Your text prompts are sent to OpenAI's API for image generation. Under our API agreement, OpenAI does not use inputs or outputs for model training. Transfer basis: EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs).
  • Stripe (United States). Processes payments and stores payment-card data on our behalf. Transfer basis: EU-U.S. Data Privacy Framework and SCCs.
  • Amazon Web Services — AWS (EU and United States). Hosts our database (DynamoDB), file storage (S3), and background processing (Lambda, SQS). Data may be processed in EU and U.S. regions. Transfer basis: SCCs where applicable.
  • Vercel (United States). Hosts our web application and provides analytics (if you consent to analytics cookies). Transfer basis: EU-U.S. Data Privacy Framework and SCCs.
  • Google (United States). Provides OAuth authentication. When you sign in with Google, Google shares your name, email, and profile image with us. Transfer basis: EU-U.S. Data Privacy Framework and SCCs.
  • GitHub (United States). Provides OAuth authentication. When you sign in with GitHub, GitHub shares your name, email, and profile image with us. Transfer basis: EU-U.S. Data Privacy Framework and SCCs.

We do not sell your personal data to third parties. We do not share your data for advertising or marketing purposes.

6. International Data Transfers

Your data may be transferred to and processed in the United States and other countries outside the European Economic Area (EEA). When transferring data outside the EEA, we rely on:

  • Adequacy decisions by the European Commission (where available).
  • The EU-U.S. Data Privacy Framework for transfers to certified U.S. organisations.
  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) as a supplementary or alternative safeguard.

For transfers from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. For transfers from Switzerland, we apply the Swiss-U.S. Data Privacy Framework and SCCs as recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC).

7. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes described in this policy:

  • Account data. Retained for the duration of your account. Deleted upon account closure, subject to any legal retention obligations.
  • User content (prompts, images, PDFs). Retained while your account is active. You may delete individual items at any time. All content is deleted upon account closure.
  • Payment and transaction records. Retained for seven (7) years after the transaction date to comply with Austrian tax and accounting obligations (Bundesabgabenordnung — BAO).
  • Technical and analytics data. Retained for up to twenty-four (24) months for service improvement and security purposes.
  • Communication data. Retained for as long as necessary to resolve your inquiry, plus a reasonable archival period for legal purposes.
  • Content-moderation records. Retained for the period required by the Digital Services Act and applicable law.

8. Your Rights

8a. Rights Under the GDPR (EU/EEA) and UK GDPR

If you are located in the EU, EEA, Switzerland, or the United Kingdom, you have the following rights:

  • Access. Request a copy of the personal data we hold about you.
  • Rectification. Request correction of inaccurate or incomplete data.
  • Erasure. Request deletion of your data ("right to be forgotten").
  • Restriction. Request that we restrict the processing of your data in certain circumstances.
  • Data portability. Receive your data in a structured, commonly used, machine-readable format.
  • Objection. Object to processing based on legitimate interests.
  • Withdraw consent. Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.
  • Lodge a complaint. Lodge a complaint with a supervisory authority. The lead supervisory authority for Coloring Magic is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), Barichgasse 40–42, 1030 Vienna, Austria, dsb@dsb.gv.at. You may also lodge a complaint with the supervisory authority in your country of residence.

8b. Rights Under U.S. State Privacy Laws (CCPA/CPRA)

If you are a California resident or a resident of another U.S. state with applicable privacy legislation, you have the following rights:

  • Right to know. Request information about the categories and specific pieces of personal data we collect, use, and disclose.
  • Right to delete. Request deletion of personal data we have collected from you.
  • Right to opt out of sale/sharing. We do not sell or share (as defined by the CCPA/CPRA) your personal data. No opt-out is necessary.
  • Right to non-discrimination. We will not discriminate against you for exercising your privacy rights.

8c. Rights Under the Australian Privacy Act

If you are located in Australia, you have rights under the Australian Privacy Principles (APPs) to access and correct your personal information. You may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

8d. Exercising Your Rights

To exercise any of the above rights, contact us at support@coloringmagic.art. We will respond within one month (GDPR/UK GDPR) or as required by applicable law. We may request identity verification before processing your request.

9. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected data from a child under 13, we will take steps to delete it promptly.

In the EU/EEA, where the GDPR sets the age of digital consent at 16 (or as low as 13, depending on the member state), we require parental consent for users under the applicable age threshold.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS/HTTPS), access controls, secure authentication via OAuth providers, and regular security reviews of our infrastructure. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

11. Automated Decision-Making

We use automated content-moderation systems to filter prompts against our Content Policy. If a prompt is blocked, the decision is made automatically. You may contest such decisions by contacting us. We do not use automated processing for profiling that produces legal or similarly significant effects on you.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting a notice on our website and updating the "Last updated" date. Where required by law, we will provide advance notice and, if necessary, obtain your consent before changes take effect.

13. Contact

For privacy-related inquiries, data-subject requests, or complaints, contact us at support@coloringmagic.art.

Our full provider details are available on our Imprint page.