Privacy Policy

Effective Date: February 26, 2026

Good Creator LLC ("MyPaperPop," "we," "us," or "our") operates the MyPaperPop website and service at mypaperpop.com. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our service.

Data Controller: Good Creator LLC, 1401 21st ST #15039, Sacramento, CA 95811, USA. Email: [email protected]

By using MyPaperPop, you agree to the collection and use of information in accordance with this policy. If you are in the European Economic Area (EEA), United Kingdom (UK), Canada, or India, please see the region-specific sections below for additional rights and disclosures.

1. Information We Collect

Account Information (via Google OAuth)

When you sign in with Google, we receive and store:

• Your name
• Email address
• Profile picture URL
• Google account ID

Content You Provide

• Text prompts — descriptions you type to generate coloring pages
• Chat messages — conversations with our AI assistant to refine your prompts
• Generated images — the coloring page sketches created from your prompts
• Uploaded photos — if you use the "Color & Show" feature, photos you upload of your colored-in pages

Color & Show (Uploaded Photos)

If you use the "Color & Show" feature, you can upload a photo of a colored-in page. When you upload a photo:

• Your photo is stored in our cloud storage (Railway S3-compatible storage in the USA)
• We process the photo automatically: crop white borders, enhance colors and contrast, resize to a standard resolution
• We generate a side-by-side "before & after" composite image combining the original sketch with your colored version
• A unique public link (/showcase/[token]) is created. Anyone with this link can view the before/after comparison
• The composite image may appear in social media previews (Open Graph / Twitter Card) when the showcase link is shared

Uploaded photos and composites persist even if you delete the associated conversation — they are only permanently deleted when you delete your account (or by removing the colored photo from the conversation). No AI models are trained on your uploaded photos. We recommend ensuring uploaded photos do not contain faces, personal addresses, or other identifying information, as showcase pages are publicly accessible to anyone with the link.

Payment Information

If you purchase a credit pack, payment is processed by Stripe. We store your Stripe customer ID and purchase history. We do not store your credit card number, bank account, or other payment credentials — Stripe handles this directly.

Automatically Collected Information

• IP address
• Browser type and device information
• Activity logs (sign-in events, account actions)
• Pages visited and interactions (via analytics, if you consent — see Section 4)

2. Lawful Basis for Processing (EEA/UK Users)

If you are located in the EEA or UK, we process your personal data under the following legal bases:

3. How We Use Your Information

• Provide the service — generate coloring pages from your prompts, store your conversations and images, process uploaded photos (crop, enhance, generate before/after composites)
• Process payments — handle credit pack purchases through Stripe
• Enforce quotas — track usage to apply free and paid tier limits
• Improve security — detect and prevent unauthorized access or abuse
• Analytics — understand how the service is used to improve it (only with your consent where required by law)
• Communicate with you — respond to support requests or account-related notices

4. Cookies and Tracking Technologies

Essential Cookies (No Consent Required)

We use the following cookies that are strictly necessary for the service to function:

• session — JWT authentication token (httpOnly, secure, 24-hour expiry)
• oauth_state — CSRF protection during Google sign-in (httpOnly, 10-minute expiry)
• pending_redirect / pending_priceId — preserves checkout intent during sign-in (httpOnly, 10-minute expiry)
• pending_referral — captures referral code from invite links (httpOnly, 1-hour expiry)
• cookie_consent — stores your cookie consent preferences (1-year expiry)

Analytics Cookies (Consent Required)

With your consent, we use PostHog, a product analytics platform, to understand how people use MyPaperPop so we can improve the service. PostHog may set the following cookies:

• ph_* — anonymous session and user identification for product analytics

PostHog analytics are only loaded after you give consent via our cookie banner. You can change your consent preferences at any time by clicking "Cookie Settings" in the footer of any page. We do not use advertising cookies or share analytics data with advertisers.

5. Third-Party Services

We share data with the following third-party services as necessary to operate MyPaperPop:

We do not sell your personal information to third parties. We do not share data with advertising networks or data brokers.

6. International Data Transfers

MyPaperPop is operated from the United States. If you are accessing the service from outside the United States — including from the EEA, UK, Canada, or India — your personal data will be transferred to and processed in the United States, where our servers and third-party service providers are located.

For EEA and UK users, these transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or by other appropriate safeguards as required under the GDPR. By using the service, you acknowledge and consent to the transfer of your data to the United States.

7. Data Retention

We retain your data for the following periods:

When you delete your account, all conversations, messages, generated images, and uploaded photos (including composites) are permanently deleted from our database and storage. Your user record is removed.

8. Your Privacy Rights

8a. All Users

Regardless of your location, you can:

• Delete your account and all associated data from the Account settings page
• Delete individual conversations and their generated images
• Change your cookie consent preferences at any time
• Contact us to request information about the data we hold about you

8b. California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:

• Right to Know — Request what personal information we collect, use, and disclose about you, including the categories of personal information, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to Delete — Request deletion of your personal information. You can delete your account from the Account settings page, which removes all your data.
• Right to Correct — Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing — We do not sell or share your personal information for cross-context behavioral advertising.
• Right to Limit Use of Sensitive PI — We do not use sensitive personal information for purposes beyond what is necessary to provide the service.
• Right to Non-Discrimination — We will not discriminate against you for exercising your privacy rights.

Categories of Personal Information Collected (as defined by CCPA): Identifiers (name, email, IP address, Google ID); Commercial information (purchase history); Internet or electronic network activity (browsing history, interactions); Inferences drawn from the above.

How to Exercise Your Rights: Email us at [email protected] with the subject line "CCPA Request." We will verify your identity by matching the email address on your request with the email address associated with your account. You may also designate an authorized agent to submit a request on your behalf by providing written authorization.

We will respond to verifiable requests within 45 days.

8c. European Economic Area and United Kingdom (GDPR / UK GDPR)

If you are in the EEA or UK, you have the following rights under the General Data Protection Regulation:

• Right of Access (Art. 15) — Request a copy of your personal data.
• Right to Rectification (Art. 16) — Request correction of inaccurate data.
• Right to Erasure (Art. 17) — Request deletion of your personal data. You can do this from the Account settings page.
• Right to Restrict Processing (Art. 18) — Request that we limit the processing of your data.
• Right to Data Portability (Art. 20) — Request a machine-readable copy of the data you provided to us.
• Right to Object (Art. 21) — Object to processing based on legitimate interest.
• Right to Withdraw Consent — Where processing is based on consent (e.g., analytics), you may withdraw consent at any time via the cookie settings.
• Right to Lodge a Complaint (Art. 77) — You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise these rights, email us at [email protected] with the subject line "GDPR Request." We will respond within 30 days.

8d. Canada (PIPEDA and Quebec Law 25)

If you are in Canada, you have the following rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, Quebec's Law 25:

• Right to Access — Request access to your personal information held by us.
• Right to Correction — Request correction of inaccurate or incomplete information.
• Right to Withdraw Consent — Withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.
• Right to File a Complaint — File a complaint with the Office of the Privacy Commissioner of Canada (OPC) or, for Quebec residents, the Commission d'accès à l'information du Québec (CAI).

Your personal data is transferred to and stored in the United States. By using our service, you consent to this transfer. To exercise your rights, email us at [email protected] with the subject line "PIPEDA Request."

8e. India (Digital Personal Data Protection Act, 2023)

If you are in India, you have the following rights under the Digital Personal Data Protection Act, 2023 (DPDPA):

• Right to Access — Request a summary of your personal data and processing activities.
• Right to Correction and Erasure — Request correction of inaccurate data or deletion of your data.
• Right to Grievance Redressal — You may raise a grievance with us. If you are not satisfied with our response, you may escalate to the Data Protection Board of India.
• Right to Nominate — You may nominate another person to exercise your rights in the event of your death or incapacity.

Data Fiduciary: Good Creator LLC, 1401 21st ST #15039, Sacramento, CA 95811, USA.

Your personal data is transferred to and processed in the United States. By using our service, you consent to this cross-border transfer of your data. To exercise your rights or file a grievance, email us at [email protected] with the subject line "DPDPA Request."

9. Children's Privacy

MyPaperPop is a tool designed for parents and teachers to create coloring pages for children. The service is not directed at, and is not intended to be used by, children under the age of 13 (or under 16 in the EEA/UK, or under 18 in India).

We do not knowingly collect personal information from children under the applicable minimum age in their jurisdiction. If you believe a child has provided us with personal information, please contact us at [email protected] and we will promptly delete that information.

10. Data Security

We implement reasonable security measures to protect your data, including:

• Encrypted JWT sessions with httpOnly, secure cookies
• CSRF protection on authentication flows
• Time-limited signed URLs for image access
• Server-side ownership checks on all data operations
• HTTPS encryption for all data in transit

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

11. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authorities as required by applicable law. For EEA/UK users, we will notify the relevant data protection authority within 72 hours of becoming aware of a qualifying breach.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Effective Date" above. For material changes that affect how we process your data, we will provide prominent notice (such as a banner on the site or an email notification) before the changes take effect. Your continued use of the service after changes are posted constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

• Email: [email protected]
• Company: Good Creator LLC
• Address: 1401 21st ST #15039, Sacramento, CA 95811, USA