# Privacy Policy

**Last Updated:** December 30, 2025

This Privacy Policy describes how Xperiate ("we," "us," or "our") collects, uses, discloses, and safeguards your personal information when you visit our website at xperiate.com or app.xperiate.com (the "Website"), purchase products (including apparel, t-shirts, and other merchandise), use our AI-powered story generation services, or interact with our platform.

**By using our Website, purchasing products, or using our services, you consent to the data practices described in this Privacy Policy.**

---

## 1. Information We Collect

### 1.1 Personal Information You Provide

When you make a purchase or use our services, we collect:

- **Name** (first name and last name)
- **Email Address**
- **Shipping Address** (name, street address, city, state/province, postal code, country)
- **Phone Number** (optional)
- **Payment Information** (processed securely by our payment processor; we do not store complete credit card numbers)
- **Product Preferences** (sizes, colors, styles for apparel purchases)
- **Order Details** (items purchased, quantities, customization requests)

### 1.2 AI Story Generation Data (Applicable to Custom Story Books Only)

When you use our AI-powered custom story book service, we additionally collect:

- **Story Prompts**: The text descriptions you provide to generate your personalized story
- **Generated Content**: The AI-generated stories, images, and related content created based on your prompts
- **Generation Metadata**: Timestamps, generation count, and usage patterns

**Important:** Your story prompts are processed by third-party AI services (OpenAI and Google Gemini) to generate your personalized content. These providers may have their own data processing policies.

### 1.3 Automatically Collected Information

We automatically collect certain information when you visit our Website:

- **Device Information**: Browser type, operating system, device identifiers
- **Usage Data**: Pages visited, time spent on pages, click patterns, referring URLs
- **IP Address**: Used for fraud prevention and analytics
- **Cookies and Tracking Technologies**: See Section 5 for details

### 1.4 Account Information

If you create an account:

- **Username and Password** (encrypted)
- **Order History**
- **Saved Preferences**
- **Story Generation History**

---

## 2. How We Use Your Information

### 2.1 Order Processing and Fulfillment

- Process and fulfill orders for all products (apparel, merchandise, custom story books)
- Coordinate with manufacturing and shipping partners
- Communicate order status and shipping updates
- Handle returns, exchanges, and customer inquiries
- Provide customer support
- Send transactional emails (order confirmations, shipping notifications)

### 2.2 AI Content Generation (Custom Story Books Only)

For customers who purchase custom AI-generated story books:

- **Send your story prompts to AI service providers** (OpenAI GPT-4 for text, Google Gemini Imagen for images) to generate your personalized stories
- Store your generated stories and images in secure cloud storage (AWS S3)
- Create print-ready PDFs for physical book production
- Enable preview and review before final purchase

### 2.3 Analytics and Improvement

- Track usage patterns and generation frequency
- Analyze popular story themes and user preferences
- Improve our AI story generation algorithms
- Enhance website functionality and user experience
- Prevent fraud and ensure security

### 2.4 Marketing (With Your Consent)

- Send promotional emails about new features and special offers
- Personalize your experience based on past generations
- **You may opt out at any time** using the unsubscribe link in emails

---

## 3. Third-Party Service Providers

We share your information with trusted third parties who help us operate our business:

### 3.1 AI Service Providers (Custom Story Books Only)

For customers who purchase AI-generated custom story books:

- **OpenAI**: Processes your story prompts to generate text content
  - Privacy Policy: https://openai.com/policies/privacy-policy
- **Google (Gemini AI)**: Processes your prompts to generate story illustrations
  - Privacy Policy: https://policies.google.com/privacy

**Important:** These AI providers may use your prompts to improve their services. We recommend not including sensitive personal information in your story prompts. These providers are ONLY used for custom story book orders, not for regular product purchases.

### 3.2 Infrastructure and Storage

- **Amazon Web Services (AWS)**: Stores your data, generated stories, and images in secure cloud storage (US region)
  - Privacy Policy: https://aws.amazon.com/privacy/

### 3.3 E-Commerce and Payment Processing

- **Shopify**: Powers our online store and checkout process
  - Privacy Policy: https://www.shopify.com/legal/privacy
- **Payment Processors**: Process credit card and payment transactions (we do not store complete payment card details)

### 3.4 Print Fulfillment

- **Prodigi**: Prints and ships your physical books
  - Privacy Policy: https://www.prodigi.com/privacy-policy/
  - We share your name, shipping address, and order details with Prodigi to fulfill your order

### 3.5 Analytics and Website Tools

- **Google Analytics** (if applicable): Analyzes website traffic and user behavior
- **Vercel**: Hosts our web application

**These third parties are contractually obligated to protect your information and use it only for the purposes we specify.**

---

## 4. Data Storage and Security

### 4.1 Security Measures

We implement industry-standard security measures to protect your information:

- **Encryption**: Data transmitted over HTTPS/TLS
- **Secure Storage**: AWS S3 with access controls and encryption at rest
- **Password Protection**: Account passwords are hashed and encrypted
- **Regular Security Audits**: Ongoing monitoring for vulnerabilities

### 4.2 Data Storage Location

Your data is primarily stored in:
- **United States** (AWS S3 US-East-2 region)
- Data may be processed by third-party AI services in various locations globally

### 4.3 Data Retention

- **Account Data**: Retained while your account is active and for 3 years after account closure
- **Order History**: Retained for 7 years for accounting and legal compliance
- **Generated Stories**: Stored indefinitely unless you request deletion
- **Email Records**: Retained while you remain subscribed to marketing communications
- **Analytics Data**: Retained in aggregated, anonymized form indefinitely

**You may request deletion of your data at any time (see Section 10).**

---

## 5. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

- **Essential Cookies**: Required for website functionality, login, and checkout
- **Analytics Cookies**: Track website usage and performance (Google Analytics)
- **Preference Cookies**: Remember your settings and preferences
- **Marketing Cookies**: Personalize ads and track campaign effectiveness (if applicable)

**You can control cookies through your browser settings.** Note that disabling cookies may limit website functionality.

**EU/UK Users:** We obtain consent before using non-essential cookies in compliance with GDPR.

---

## 6. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), UK, and Switzerland, we process your data based on:

- **Contract Performance**: Processing necessary to fulfill your order and provide services
- **Consent**: Marketing communications and non-essential cookies (you may withdraw consent at any time)
- **Legitimate Interests**: Fraud prevention, analytics, service improvement
- **Legal Obligations**: Compliance with tax, accounting, and other legal requirements

---

## 7. International Data Transfers

Your information may be transferred to and processed in countries outside your country of residence, including the United States. These countries may have different data protection laws.

**For EEA/UK users:** We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Your explicit consent for certain transfers

---

## 8. Children's Privacy

### 8.1 Age Restrictions

- **United States**: Our services are not intended for children under 13 years old (COPPA compliance)
- **European Union**: Our services are not intended for children under 16 years old (GDPR compliance)
- **Other Jurisdictions**: We comply with local age restrictions

### 8.2 Parental Consent

We do not knowingly collect personal information from children without verified parental consent. If we discover we have collected information from a child without proper consent, we will delete it immediately.

**Parents:** If you believe your child has provided us with personal information, please contact us at xperiate888@gmail.com immediately.

---

## 9. Your Privacy Rights

### 9.1 General Rights (All Users)

You have the right to:

- **Access**: Request a copy of your personal data
- **Correction**: Update or correct inaccurate information
- **Deletion**: Request deletion of your personal data ("right to be forgotten")
- **Opt-Out**: Unsubscribe from marketing communications
- **Account Closure**: Close your account and request data deletion

### 9.2 GDPR Rights (EEA/UK Users)

Additionally, you have the right to:

- **Data Portability**: Receive your data in a structured, machine-readable format
- **Restriction of Processing**: Request we limit how we use your data
- **Object to Processing**: Object to processing based on legitimate interests
- **Withdraw Consent**: Withdraw consent for marketing or cookies at any time
- **Lodge a Complaint**: File a complaint with your local data protection authority

**Your local supervisory authority:**
- UK: Information Commissioner's Office (ICO) - https://ico.org.uk/
- EU: Find your authority at https://edpb.europa.eu/about-edpb/board/members_en

### 9.3 California Rights (CCPA/CPRA)

California residents have the right to:

- **Know**: Request disclosure of personal information collected, used, and shared
- **Delete**: Request deletion of your personal information
- **Opt-Out**: Opt out of the "sale" or "sharing" of personal information
- **Non-Discrimination**: Not receive discriminatory treatment for exercising your rights
- **Correct**: Request correction of inaccurate personal information
- **Limit Use**: Limit use and disclosure of sensitive personal information

**We do not "sell" your personal information in the traditional sense.** However, we share data with AI providers for service delivery, which may qualify as "sharing" under CCPA.

**To Exercise Your Rights:** Email us at xperiate888@gmail.com or use our online form at https://xperiate.com/privacy-request

### 9.4 Nevada Rights

Nevada residents may opt out of the sale of personal information. We do not currently sell personal information as defined by Nevada law.

---

## 10. How to Exercise Your Rights

### To Request Access, Deletion, or Correction:

1. **Email**: xperiate888@gmail.com
2. **Subject Line**: "Privacy Rights Request"
3. **Include**:
   - Your full name
   - Email address associated with your account
   - Specific request (access, deletion, correction, etc.)
   - Proof of identity (for security purposes)

**Response Time:** We will respond within:
- **30 days** (CCPA)
- **1 month** (GDPR) - may extend to 3 months for complex requests

---

## 11. AI-Specific Disclosures

### 11.1 How AI Uses Your Data

- **Your story prompts are sent to OpenAI and Google Gemini** to generate personalized content
- These AI providers may use your prompts to improve their models (per their policies)
- Generated stories are unique to you but AI training data may influence output

### 11.2 AI Content Ownership

- **You own the story prompts** you submit
- **Generated content ownership** is governed by our Terms of Service
- AI providers retain certain rights as described in their terms

### 11.3 AI Limitations and Accuracy

- AI-generated content may contain inaccuracies or unexpected elements
- We encourage you to review all generated content before purchasing
- **We are not responsible for AI-generated content quality** beyond providing refunds as outlined in our Terms of Service

---

## 12. Data Breach Notification

In the event of a data breach affecting your personal information:

- **We will notify you within 72 hours** of becoming aware (GDPR requirement)
- **We will notify relevant authorities** as required by law
- **We will provide details** about the breach, affected data, and remedial actions

---

## 13. Do Not Track (DNT)

Our Website does not currently respond to Do Not Track (DNT) signals due to lack of industry standards. You may control tracking through browser settings and cookie preferences.

---

## 14. Third-Party Links

Our Website may contain links to third-party websites (OpenAI, Google, Prodigi, etc.). We are not responsible for their privacy practices. Please review their privacy policies before providing information.

---

## 15. Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your personal information may be transferred to the acquiring entity. We will notify you via email and/or prominent website notice before your data is transferred and becomes subject to a different privacy policy.

---

## 16. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Changes will be effective immediately upon posting.

**We will notify you of material changes via:**
- Email to your registered address
- Prominent notice on our Website
- Pop-up notification on your next login

**Last Updated Date** will always appear at the top of this policy.

---

## 17. Contact Us

For questions, concerns, or to exercise your privacy rights:

**Email**: xperiate888@gmail.com
**Privacy Request Form**: https://xperiate.com/privacy-request

**Response Time**: We aim to respond within 48 hours for general inquiries and within 30 days for formal rights requests.

---

## 18. Consent

By using our Website and services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.

**For marketing communications:** You provide explicit consent by checking the opt-in box during account creation or checkout.

**For cookies:** EU/UK users provide consent through our cookie banner.

---

## 19. State-Specific Disclosures

### California Residents - "Shine the Light" Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

### California Residents - Categories of Information

**Categories Collected (Last 12 Months):**
- Identifiers (name, email, address)
- Commercial information (purchase history)
- Internet activity (browsing behavior)
- Inferences (story preferences, usage patterns)

**Categories Shared:**
- AI providers (prompts for service delivery)
- Print fulfillment (shipping information)
- Payment processors (transaction data)

**Business Purpose:** Service delivery, order fulfillment, fraud prevention, analytics

---

## 20. Accessibility

This Privacy Policy is available in accessible formats. For assistance, contact us at xperiate888@gmail.com.

---

**By continuing to use our services, you acknowledge your understanding and acceptance of this Privacy Policy.**