Privacy Policy
Last updated: April 2026
Introduction
This Privacy Policy explains how Zarpo collects, uses, and protects your personal information when you use our service. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and applicable Spanish data protection laws.
Data Controller
ZarpoApps S.L. (CIF: B21857602), with registered address at Rec Comtal 12, 3-3, 08003 Barcelona, Spain, is the data controller for the personal information collected through zarpo.io. ZarpoApps S.L. is registered in the Registro Mercantil de Barcelona. For any data protection inquiries, you may contact us at privacy@zarpo.io.
Data We Collect
We collect information you provide directly: your name and email address when you register; photos you upload to create character references; story details and preferences you enter; shipping addresses if you order a printed book. We also collect technical data such as your locale preference, authentication session information, and basic usage analytics.
How We Use Your Data
We use your data to provide and improve our service: to create your account and authenticate you; to generate personalized stories and AI illustrations using the information you provide; to process payments and fulfill print orders; to communicate with you about your orders; and to comply with legal obligations. We do not sell your personal data to third parties.
Third-Party Services
We use the following third-party services to operate our platform: Google OAuth and Firebase Authentication for account management; Stripe for secure payment processing; BBVA and Redsys for secure card payment processing via virtual POS terminal (TPV Virtual); Gelato for print fulfillment and shipping (your shipping address is shared with Gelato solely to fulfill your print order); Google Gemini AI for story and illustration generation. Each provider operates under their own privacy policy and data processing terms; PostHog for web analytics, with data stored in Frankfurt, Germany (EU). Payment data entered through the BBVA/Redsys gateway is processed directly by Redsys and BBVA under PCI-DSS security standards — Zarpo does not store or have access to your full card details.
Analytics
We use PostHog (posthog.com) for web analytics to understand how users interact with our service, improve functionality, and analyse conversion funnels. Analytics data is stored exclusively on PostHog Cloud EU servers in Frankfurt, Germany, ensuring all data stays within the European Union. Analytics data includes page views, user interactions, session recordings (with sensitive form fields masked), and device information. We do not collect children's names, photos, or personal data through our analytics system. You can opt out of analytics tracking at any time by rejecting cookies via the consent banner. Analytics data is retained for 25 months.
Photo Data
Photos you upload to create character references are processed in memory only to generate AI character illustrations. Uploaded photos are not permanently stored on our servers once the character generation process is complete. The AI-generated character illustrations (not your original photos) are stored in your account for use in book generation.
AI-Generated Content
Stories, illustrations, and other AI-generated content created for your books are stored in your account until you delete your account or request deletion. This content is owned by you. We store it solely to enable you to access, review, and order your personalized books.
Children's Data
Our service allows users to create books featuring children as characters. We apply heightened protections under GDPR when processing information about children. We do not knowingly collect personal data directly from children under 13. If you upload photos of children, you confirm you have the right to do so. We process such data only to provide the book creation service and never use it for profiling or advertising.
Photo Processing & COPPA
Zarpo is operated by adults who create personalized storybooks. Photos uploaded to create character illustrations are processed in-memory and never permanently stored, shared with third parties, or used for AI model training. By uploading photos of others, including minors, you confirm you have the right to do so.
Data Retention
We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or tax compliance purposes. AI-generated book content is deleted when your account is deleted.
Your Rights
Under GDPR, you have the right to: access your personal data; rectify inaccurate data; erase your data (right to be forgotten); export your data in a portable format; restrict processing of your data; and object to processing for certain purposes. To exercise any of these rights, contact us at privacy@zarpo.io. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) or your local supervisory authority.
California Privacy Rights (CCPA)
We do not sell, share, or rent your personal information to third parties for advertising or marketing purposes. California residents may contact us to exercise their rights under the CCPA.
Cookies
We use the following cookies and local storage items: Essential cookies — Firebase Authentication session cookies to keep you logged in (always active, no consent required). Analytics cookies — PostHog cookies (prefixed ph_) for usage analytics and session identification (only set after you accept cookies via the consent banner). Consent storage — a cookie-consent item in your browser's localStorage to remember your cookie preference. Analytics cookies are only placed when you explicitly accept via the consent banner. You can withdraw consent at any time by clicking the cookie preferences option in the footer. Disabling essential cookies via your browser settings may prevent the service from functioning.
International Transfers
Some of our service providers operate outside the EU/EEA. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) as required by GDPR. Google and Stripe participate in frameworks that provide adequate protection for data transfers.
Contact Information
For any privacy-related questions or to exercise your data rights, contact us at privacy@zarpo.io. We aim to respond to all data protection inquiries within 30 days.