Privacy Policy
Last updated: 16 May 2026
At Dinky Dodo, your privacy — and the privacy of your child — matters deeply to us. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have.
Please read this policy carefully before placing an order. By using www.dinkydodo.com, you confirm that you have read and understood it.
If you have any questions, contact us at [email protected].
1. Who We Are
Dinky Dodo (“we”, “us”, or “our”) is the data controller responsible for the personal data collected through this website. We are based in the United Kingdom and are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
As a service directed at children and their parents, we also comply with the UK Age Appropriate Design Code (Children’s Code).
Contact: [email protected]
2. What We Do
Dinky Dodo creates personalised, AI-generated storybook PDFs for children. When placing an order, a parent or guardian provides details about their child — such as their name, age, and appearance. We use this information to generate a unique, illustrated storybook featuring that child as the main character. The finished storybook is delivered as a downloadable PDF.
3. The Data We Collect
3.1 Order & Contact Information
When you place an order, we collect:
- Your email address (used to deliver your download link and send order confirmations)
- Payment reference data from Stripe (session ID and payment intent ID — we do not receive or store your card details; these are handled entirely by Stripe)
- Order status, product type, amount, and currency
3.2 Story Personalisation Details (Children’s Data)
To generate your child’s storybook, we collect the following information about the child:
- Child’s first name
- Child’s age
- Hair colour and eye colour
- Their favourite thing
- A friend’s name and type (human friend or pet), if provided
- Chosen story theme
This information is used solely to personalise the story and illustrations. It is linked to your order and is automatically and permanently deleted 30 days after your order is placed.
3.4 Generated Content
We store the AI-generated storybook text and illustrations produced for your order. These are stored on secure cloud storage and are used to assemble your PDF. Generated content is automatically deleted 30 days after your order is placed.
3.5 Download Access
We create a unique, time-limited download token linked to your order. This token allows you to access your PDF and expires 30 days after your order is placed, or after 10 downloads — whichever comes first.
3.6 Consent Records
When you provide consent to process your child’s data, we record:
- The version of the consent text you agreed to
- The date and time consent was given
- Your IP address and browser user agent (for verification purposes only)
3.7 Technical & Analytics Data
We use Plausible Analytics, a privacy-focused analytics tool that does not use cookies and does not collect any personally identifiable information. It collects only aggregate, anonymised data such as page views and referrer sources.
4. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Processing and fulfilling your order | Email, payment references, story inputs | Contract performance (Article 6(1)(b) UK GDPR) |
| Generating your personalised storybook | Story personalisation details | Contract performance & explicit consent (Article 6(1)(b) and 9(2)(a)) |
| Delivering your download link | Email address, download token | Contract performance (Article 6(1)(b)) |
| Sending order confirmation and support emails | Email address | Contract performance (Article 6(1)(b)) |
| Recording consent for processing children’s data | Consent record, IP address, user agent | Legal obligation (Article 6(1)(c)) |
| Maintaining financial records | Order amount, currency, Stripe references | Legal obligation — accounting (Article 6(1)(c)) |
| Fraud prevention and security | Order data, audit logs | Legitimate interests (Article 6(1)(f)) |
| Sending marketing emails (only with your consent) | Email address | Consent (Article 6(1)(a)) |
5. Children’s Privacy
Dinky Dodo is a service used by parents and guardians on behalf of their children. We do not knowingly collect data directly from children, and our website is not intended to be accessed by children without parental supervision.
5.1 Parental Consent
Before we process any personalisation details of a child, we require explicit, informed consent from a parent or guardian. By completing the consent step during checkout, you confirm that:
- You are the parent or legal guardian of the child whose data is being submitted.
- You consent to us processing the child’s name, age, and appearance details for the sole purpose of creating their personalised storybook.
- You understand that personalisation details will be transmitted to a third-party AI provider to generate the story and illustrations, and will not be used for any other purpose.
5.2 Minimisation & Retention
We collect only the minimum information needed to create the storybook. All story personalisation details and generated content are permanently deleted 30 days after your order is placed. We do not build profiles of children, use their data for advertising, or share it with any third party except as described in this policy.
5.3 UK Children’s Code Compliance
We design our service in accordance with the UK Age Appropriate Design Code. We apply the highest privacy settings by default for data relating to children, and we do not use children’s data in ways that are detrimental to their wellbeing.
6. Third-Party AI Providers
We use third-party AI services to generate your personalised storybook. In doing so, some of your child’s personalisation details are transmitted to these providers as part of the generation process.
6.1 Story Text Generation
Story text is generated using Anthropic’s Claude API. Personalisation details (such as the child’s name, age, and theme) are included in the generation prompt. Anthropic operates under a GDPR-compliant Data Processing Agreement and does not use API inputs to train its models.
7. Who Else We Share Your Data With
We do not sell your personal data. We share it only with the trusted third-party service providers listed below, and only to the extent necessary to operate our service.
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Email, payment details (handled directly by Stripe) | USA / EU (SCCs in place) |
| OpenAI | AI image generation (illustrations) | Story scene descriptions and prompts (transient; no child photographs) | USA (DPA in place) |
| Anthropic | AI story text generation | Child’s name, age, theme, personalisation details (transient) | USA (DPA in place) |
| MailerSend | Transactional email (order confirmations, download links) | Email address | EU |
| Mailerlite | Marketing email (only if you opt in) | Email address | EU |
| DigitalOcean Spaces | Secure file storage (generated PDFs and images) | Generated storybook files | UK (London region) |
| IONOS | Web hosting (VPS) | All data processed by the application | UK / EU |
| Plausible Analytics | Privacy-friendly website analytics | Anonymised aggregate data only (no PII) | EU |
8. International Data Transfers
Some of our third-party providers (notably Stripe, OpenAI, and Anthropic) are based in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Data Processing Agreements incorporating the UK International Data Transfer Addendum (IDTA) or equivalent Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office.
9. How Long We Keep Your Data
| Data | Retention Period | Reason |
|---|---|---|
| Story personalisation details (child’s name, age, appearance, etc.) | 30 days from order date | Automatically deleted once the download period ends |
| Generated illustrations and PDF | 30 days from order date | Automatically deleted once the download period ends |
| Download token | 30 days from order date | Deleted on expiry |
| Order record (financial) | 7 years | Legal obligation for accounting and tax records |
| Email address on order record | 30 days from order date, then anonymised | PII is removed from order records after 30 days; the financial record is retained without it |
| Consent records | 7 years | Legal obligation to demonstrate parental consent was obtained |
| Marketing email subscription | Until you unsubscribe | Consent-based; removed promptly on request |
10. Security
We take appropriate technical and organisational measures to protect your personal data, including:
- All data in transit is encrypted using TLS (HTTPS).
- Files stored on DigitalOcean Spaces, in our London (lon1) region, are encrypted at rest.
- PDF download links are served via time-limited signed URLs (5-minute expiry) and are never proxied through our servers.
- Access to our admin systems is restricted by role-based access controls.
- We maintain audit logs of significant actions on order records.
- Automated deletion routines run daily to remove data as soon as the retention period expires.
Despite our efforts, no transmission over the internet is 100% secure. If you believe your data has been compromised, please contact us immediately at [email protected].
11. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access — You can request a copy of the personal data we hold about you.
- Right to rectification — You can ask us to correct inaccurate or incomplete data.
- Right to erasure — You can request deletion of your personal data, subject to our legal obligations (e.g. financial record-keeping).
- Right to restrict processing — You can ask us to limit how we use your data in certain circumstances.
- Right to data portability — You can request your data in a structured, machine-readable format.
- Right to object — You can object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent — Where processing is based on consent (including the processing of your child’s data), you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at [email protected] with your request. We will respond within 30 days. We may ask you to verify your identity before processing the request.
12. Withdrawing Consent for Your Child’s Data
If you wish to withdraw your consent for us to use your child’s personal data, or to request deletion of their data before the standard 30-day retention period expires, please email us at [email protected] with your order number. We will delete the story personalisation details and any generated content associated with your order as promptly as possible.
13. Cookies
We do not use tracking or advertising cookies. We use Plausible Analytics, which is entirely cookieless and collects no personally identifiable information. Any functional cookies used by our website (e.g. for your session during checkout) are strictly necessary and do not require your consent.
14. Marketing Emails
We will only send you marketing or promotional emails if you explicitly opt in. You can unsubscribe at any time by clicking the unsubscribe link in any marketing email, or by contacting us at [email protected]. Unsubscribing from marketing does not affect transactional emails relating to your orders.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. For significant changes that affect how we process children’s data, we will take reasonable steps to notify you directly. Continued use of our website after changes are posted constitutes your acceptance of the updated policy.
16. How to Complain
If you have concerns about how we handle your personal data, please contact us in the first instance at [email protected] and we will do our best to resolve the issue.
If you remain unsatisfied, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
17. Contact Us
For any privacy-related queries or to exercise your rights:
- Email: [email protected]
- Website: www.dinkydodo.com
This Privacy Policy was last reviewed on 16 May 2026.