Privacy Policy
Last updated: March 22, 2026
This Privacy Policy explains how Flipebooks ("we," "us") collects, uses, stores, and protects your personal data when you use flipebooks.com ("Service"). We are based in Spain and comply with the General Data Protection Regulation (GDPR) and applicable Spanish data protection laws.
1. Data Controller
Flipebooks is the data controller for personal data collected through the Service. Contact: legal@flipebooks.com.
2. Data We Collect
2.1 Account Data
When you register, we collect your email address and name. If you sign in with Google, we receive your name, email, and profile picture from Google.
2.2 Content Data
PDFs you upload, flipbook configurations, extracted text, AI-generated alt-text, translations, and chatbot interactions.
2.3 Analytics Data
When someone views a flipbook, we collect: page views, session ID (anonymous), device type, browser, operating system, country (from IP geolocation — we do not store IP addresses), and referrer URL.
2.4 Lead Capture Data
Data submitted through lead capture forms in flipbooks (name, email, phone, custom fields). This data is collected on behalf of the flipbook owner, who is the data controller for their leads.
2.5 Payment Data
Stripe processes all payments. We do not store credit card numbers. We receive your Stripe customer ID and subscription status from Stripe.
2.6 Cookies
We use essential cookies for authentication (Supabase session cookies). We do not use advertising or tracking cookies. No cookie consent banner is required for essential-only cookies under GDPR, but we disclose their use here.
3. Legal Basis for Processing
| Data | Legal Basis |
|---|---|
| Account data | Contract performance (Art. 6(1)(b)) |
| Content data | Contract performance (Art. 6(1)(b)) |
| Analytics data | Legitimate interest (Art. 6(1)(f)) |
| Lead capture data | Consent of the lead (Art. 6(1)(a)) |
| Payment data | Contract performance (Art. 6(1)(b)) |
| AI processing | Contract performance (Art. 6(1)(b)) — you initiate AI features |
4. AI Data Processing
When you use AI features (alt-text generation, visual translation, chatbot, SEO generation, analytics insights), relevant portions of your content are sent to AI models via the Vercel AI Gateway. Processing occurs on-demand when you trigger the feature.
We do not use your content to train AI models. AI providers process your data solely to generate the requested output. Vercel AI Gateway acts as a routing layer and does not store your content.
5. Third-Party Services
| Service | Purpose | Data Region |
|---|---|---|
| Supabase | Database, authentication | EU |
| Cloudflare R2 | File storage (PDFs, pages, logos) | EU/US |
| Stripe | Payment processing | US (EU SCCs) |
| Vercel | Application hosting | US (EU SCCs) |
| Vercel AI Gateway | AI model routing | US (EU SCCs) |
6. International Transfers
Your primary data (database, authentication) is stored in the EU via Supabase. Some processing occurs in the US through Vercel, Stripe, and AI providers. These transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives adequate protection.
7. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account closure.
- Content data: Retained while your account is active. Deleted within 30 days of account closure or content deletion.
- Anonymous flipbooks: Automatically deleted 7 days after creation.
- Analytics data: Retained for 24 months, then aggregated and anonymized.
- Lead capture data: Retained until the flipbook owner deletes it or closes their account.
- Payment records: Retained for 7 years as required by Spanish tax law.
- AI usage logs: Retained for 12 months for billing and quota tracking.
8. Your Rights (GDPR)
Under the GDPR, you have the following rights:
- Access (Art. 15): Request a copy of your personal data.
- Rectification (Art. 16): Correct inaccurate personal data.
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Restriction (Art. 18): Restrict processing in certain circumstances.
- Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact legal@flipebooks.com. We will respond within 30 days.
9. Data Security
We protect your data with encryption in transit (TLS) and at rest. API keys are stored as SHA-256 hashes. Passwords are hashed with bcrypt. Access to production systems is restricted to authorized personnel.
10. Children
The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware of such collection, we will delete the data promptly.
11. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD) at aepd.es, or with the supervisory authority in your EU member state.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or an in-app notice at least 30 days before taking effect.
13. Contact
For questions about this Privacy Policy or to exercise your data rights, contact us at legal@flipebooks.com.