Privacy Policy — NewTales

This Privacy Policy explains how NewTales ("we", "our", "the Service") collects, uses and protects personal data when you visit newtales.pro or use our audiobook generation service. We comply with the EU General Data Protection Regulation (GDPR).

1. Who we are

NewTales is an online service that generates AI-written audiobooks. The Service is operated as a sole proprietorship by Sergey Pinigin, based in Varna, Bulgaria. For the purposes of GDPR, we act as the data controller for data collected through the Service. Full merchant contact details are provided during checkout and in Stripe payment receipts, and are also available on request via privacy@newtales.pro.

2. What data we collect

2.1 Account data

Email address (used as login and for transactional messages).
Password — stored hashed with bcrypt; we never see or keep the plaintext.
Record of your acceptance of these Terms and this Privacy Policy (timestamp and version).
Account timestamps (created, last login, email verified).

2.2 Content you generate

Prompts, uploaded text, generated stories, cover images and audio files.
Story metadata (title, genre, language, tags).

2.3 Payment data

Payments are processed by Stripe. We never see your full card number. We store only a customer ID, subscription state, invoice history and tier/credit balance.

2.4 Technical data

IP address (used for rate limiting and anti-abuse), approximately for 30 days.
Browser, OS and device type (from the User-Agent header).
Access logs kept on the server for troubleshooting, rotated within 30 days.

2.5 Analytics

With your consent (via the cookie banner), we load a self-hosted Umami script. Umami is cookieless and aggregates page views and anonymous events. No cross-site tracking. See the Cookie Policy for details.

3. Why we process your data (legal bases)

Purpose	Legal basis (GDPR Art. 6)
Provide the Service (account, generation, storage)	Contract — Art. 6(1)(b)
Process payments, send invoices	Contract / legal obligation — Art. 6(1)(b), (c)
Transactional email (verification, password reset, receipts)	Contract — Art. 6(1)(b)
Security, fraud prevention, abuse monitoring	Legitimate interest — Art. 6(1)(f)
Analytics via Umami	Consent — Art. 6(1)(a)

4. Third-party sub-processors

We rely on the following sub-processors to deliver the Service. The same list (with location and purpose) appears in our Data Processing Agreement.

Stripe (Ireland / USA) — payments and invoicing.
Anthropic PBC (USA) — story generation via the Claude API. Prompts and resulting stories are sent to Anthropic.
Google LLC (USA) — cover image generation and text-to-speech via the Gemini API.
ElevenLabs (USA) — fallback text-to-speech when the primary provider is unavailable.
Resend (USA) — transactional email delivery (verification, password reset, receipts).
ImprovMX (USA) — inbound email forwarding for our support and privacy addresses.
Contabo GmbH (Germany / EU) — VPS hosting, server infrastructure, databases and object storage.

Where transfers to countries outside the EEA are involved, we rely on Standard Contractual Clauses or equivalent safeguards. Contact privacy@newtales.pro for copies. Some sub-processors (notably Stripe) retain payment and tax-related records on their systems under their own retention policies, which may be longer than ours.

5. How long we keep your data

Category	Retention	Basis
Email, password, profile, API keys	Up to 30 days after account deletion	GDPR Art. 17 erasure
Files (covers, audio, story text)	Free tier: 7 days TTL. Plus: while subscribed + 35-day grace. Up to 30 days after account deletion.	GDPR Art. 17
Consent records (timestamps, versions) with pseudonymised user ID	5 years after the transaction or account deletion (whichever is later)	GDPR Art. 17(3)(e) — establishment and defence of legal claims + Bulgarian limitation period
Invoices, tax records, Stripe customer ID, subscription history	10 years	Bulgarian tax law
Access logs (IP, User-Agent)	30 days	Legitimate interest (security)

When you delete your account we pseudonymise your record: your email is replaced with a non-identifying placeholder, password and API keys are wiped, and your files are scheduled for deletion. Payment metadata and consent records are retained for the periods above so that we can defend against disputes and comply with tax law.

6. Your rights under GDPR

You have the right to:

Access the personal data we hold about you.
Request correction of inaccurate data.
Request deletion ("right to be forgotten"), subject to retention exceptions above.
Restrict or object to processing.
Receive your data in a portable format.
Withdraw consent for analytics at any time.
File a complaint with your local data protection authority — in Bulgaria, the Commission for Personal Data Protection (CPDP).

To exercise any of these rights, email privacy@newtales.pro. We respond within 30 days.

7. How we protect your data

Passwords are hashed with bcrypt before storage.
All traffic is served over HTTPS (TLS 1.2+).
Authentication uses short-lived access tokens with refresh-token rotation.
Object storage is access-controlled and served via time-limited signed URLs.
Servers and databases are hosted in the EU (Germany).

8. Children

The Service is intended for adults. We do not knowingly allow users under 16 to create accounts. Parents and guardians may use the Service from their own adult account to generate content (including bedtime stories) for children under their responsibility, but they must not include sensitive personal data or private information about children — such as names, addresses, health data, school details or photos — in prompts or uploaded text. Prompts are sent to our AI sub-processors and fall under the same data-minimisation principles as any personal data.

9. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or via a notice on the site. The "last updated" date at the top reflects the latest revision.

10. Contact

Questions about this policy or your data: privacy@newtales.pro.