Privacy Policy

This Privacy Policy explains how we collect, use, and share your information when you use CustomColourbook (a trading name of ThinkHoos Ltd) (the “Service”). We comply with UK GDPR and the Data Protection Act 2018.

1) Who we are (Controller)

Controller: CustomColourbook (a trading name of ThinkHoos Ltd)
Address: 3 Tulip Close, Wynyard, TS22 5UU, United Kingdom
Email: support@customcolourbook.com
Company No.: 16660315
ICO Registration No.: ZB961616

2) What data we collect

• Account data: email address, password (hashed by Firebase), authentication tokens, login status.
• Usage data: actions such as image generation, token balance and redemptions, error logs, device/browser info, IP (for security/fraud prevention).
• Payment data: handled by YOUR PAYMENT PROVIDER (e.g., Stripe). We receive confirmation (e.g., amount, time, last4, status) but not full card details.
• Content data: prompts/descriptions you provide, optional uploads/sketches, and AI outputs necessary to deliver the Service.
• Cookies: essential cookies for login/session. Non‑essential analytics/marketing cookies only with your consent (see our Cookie Policy).

3) Why we use your data & lawful bases

• Provide the Service (account creation, login, token tracking, image generation) — Contract.
• Payments & invoices — Contract and Legal Obligation (tax/records).
• Security, fraud prevention, abuse detection — Legitimate Interests and/or Legal Obligation.
• Service communications (password reset, purchase confirmations) — Contract.
• Product analytics & improvement (if enabled) — Legitimate Interests (only with appropriate cookie consent where required).
• Marketing (optional, e.g., newsletters) — Consent (you can withdraw any time).

4) How we use content (prompts, uploads, outputs)

We process your prompts, optional uploads/sketches, and generated outputs to provide the Service (e.g., generate a colouring page, show results, prevent abuse). We don’t sell your content. If we use third‑party AI providers via API, content is sent securely to those providers only to perform the requested generation. We do not permit providers to use API data to train their models where an opt‑out is available.

5) Sharing your data

• Infrastructure & auth: Google Firebase (Authentication, Firestore). Data may be processed in the EEA/US.
• Payments: YOUR PAYMENT PROVIDER (e.g., Stripe) for payment processing.
• Hosting/CDN: Your site hosting (e.g., Vercel/Netlify) for delivery/performance and security logs.
• AI providers: If you use optional AI generation, content necessary for the request is shared with the selected model provider.
• Legal/Compliance: to regulators, law enforcement, or advisors when required by law or to establish/defend legal claims.

6) International transfers

Where data is transferred outside the UK/EEA (e.g., to the US), we rely on appropriate safeguards such as the UK International Data Transfer Addendum and/or Standard Contractual Clauses, plus additional technical and organisational measures used by our processors.

7) Retention

• Account data: kept for the life of your account. If inactive for 24 months, we may delete it after notifying you.
• Payment records: kept for 6 years to meet UK accounting/tax requirements.
• Content (prompts/outputs/uploads): stored as needed to deliver the Service and your history; you can delete items where features allow, or request deletion (see “Your rights”).
• Logs & security data: typically 30–180 days, unless required longer for security/legal reasons.

8) Your rights (UK GDPR)

You have the right to request: access, correction, deletion, restriction, objection (where we rely on legitimate interests), and data portability. Where we rely on consent, you can withdraw it at any time.

To exercise your rights, contact support@customcolourbook.com. You can also complain to the UK Information Commissioner’s Office: ico.org.uk.

9) Children’s privacy

The Service is intended to be used by adults and parents/guardians. Accounts must be created by individuals aged 18+. We do not knowingly collect personal data from children under 13 without verifiable parental consent. If you believe a child has provided personal data, please contact us and we will delete it.

10) Security

We use reasonable technical and organisational measures (including HTTPS, access controls, hashed passwords via Firebase Auth) to protect your data. No system is 100% secure, but we work to prevent and detect misuse.

11) Cookies

We use essential cookies for login/session. Non‑essential cookies (e.g., analytics) run only with your consent. For details and to manage preferences, see our Cookie Policy.

12) Third‑party links

Our site may link to third‑party sites. Their privacy practices are their own; please review their policies.

13) Changes to this policy

We may update this policy from time to time. We will post the new version here and update the “Last updated” date. Material changes may also be notified via email or in‑app notice.

14) Contact

Questions? Email support@customcolourbook.com.