Wonderleaf — Privacy Policy

Last updated: 2026-06-01
Operator: Wonderleaf, LLC (a Delaware limited liability company)
Contact: [email protected]

1. What we collect, why, and how long

| Data | Source | Purpose | Retention |
|---|---|---|---|
| User account row (email address, auth provider, Google display name when provided, parental-controls setting) | Sign-up (magic link or Google OAuth) | Account identifier, sign-in, transactional email, personalize UI | Until account deletion + 90 days |
| 13+ age self-attestation (the "I'm 13 or older" checkbox) | Sign-up | One-time eligibility gate to create an account | Used at sign-up to allow/deny account creation; not stored as a profile field |
| Authentication/session data (wl_sid, magic-link tokens, OAuth subject, user agent, IP on session row) | Browser, magic link, Google OAuth | Keep you signed in, secure auth, abuse prevention | Session cookie 30 days; magic-link tokens expire after 15 minutes; session records until expiry/account deletion, subject to security/legal retention |
| Subscription, starter-book, and custom-book ledger metadata (Stripe customer/subscription IDs when paid billing is enabled, plan, status, period end, monthly custom books used, starter-book balance, and any historical invite or bonus balances) | Account activity; Stripe webhooks | Enforce plan limits, starter books, paid billing, refunds, and renewals | Until account deletion, plus tax, billing, security, and legal retention where required |
| Generated books (slug, scenes, prompts, prose, images, preview/claim state) | Your interactions and AI pipeline | Provide the service; show in your private library — the books you generate are private to your account and are not published to, or searchable in, the public Wonderleaf library; allow anonymous-session books to be claimed within 24h | Until you delete the book OR delete your account, plus 30 days; unclaimed anonymous-session claim window is 24h |
| Per-scene feedback, per-book preferences, and QC decisions | Your interactions and Wonderleaf QC pipeline | Improve image selection, quality review, brand-IP safety, and support | Same as books, unless needed longer for safety, abuse prevention, or legal records |
| Cost ledger entries (model, kind, timing, token counts, estimated cost) | AI processing pipeline | Monitor service cost and reliability | Operational logs retained as needed for cost, reliability, and audit records |
| First-party analytics events (page_view, turnstile_shown, signup, book_completed, anon_book_generated) | Browser and server events | Measure funnel health and abuse; referrer is scrubbed to origin-only before storage; page-view analytics include location.pathname only, so route identifiers such as book slugs or invite-code paths may appear | Operational analytics retained as needed for product, reliability, and abuse-prevention records |
| Stripe payment data (payment method details and receipts controlled by Stripe when paid billing is enabled) | Stripe billing | Payment processing, subscription updates, and refund support | Stripe holds payment records; Wonderleaf holds Stripe IDs/pointers until account deletion, plus tax, billing, security, and legal retention where required |
| Historical beta survey responses, if any (favorite/least favorite book, comments, willingness-to-pay response, made-for tags, historical reward timestamps) | Retired in-app beta survey | Preserve beta feedback and historical grant audit trail | Until account deletion or until no longer needed for audit/support |
| Invite-code redemption metadata (invite code, user ID, redemption time) | Invite redemption flow | Apply invite benefits and prevent duplicate invite grants | Until account deletion or until no longer needed for audit/support |
| Cloudflare Turnstile challenge tokens and IP verification data | Browser challenge token and request IP | Verify anonymous preview/invite traffic and reduce abuse | Challenge tokens are not stored in the application database after verification |
| Semantic question cache entries when enabled (question, normalized question, embedding, book slug, cache timestamps/hit count) | Question-cache pipeline | Reuse similar question results and monitor cache behavior | Until the cache entry is retired or deleted |

We do not track you across other websites. We do not sell your data.
We do not use your data to train AI models. We do not run third-party
advertising trackers.
Analytics are first-party only. Client-side events are limited to
page_view and turnstile_shown; server-only events are limited to
signup, book_completed, and anon_book_generated. Referrers are
scrubbed to origin-only on the client and server. Page-view analytics
include location.pathname only (no query strings), so route identifiers
such as book slugs or invite-code paths may appear in analytics.

2. AI processing — important specifics

Wonderleaf generates books by sending parts of your input to third-party
AI models, including Google's Gemini API / AI Studio image model for image
generation and image quality review:

Google's Gemini API / AI Studio terms govern Google's handling of image
model requests. Where Wonderleaf uses paid Gemini API services, Google's
terms state that prompts and responses are handled under the paid-services
data terms. Generated content is stored on Wonderleaf-controlled
infrastructure (Cloud Run + Cloud Storage).

Wonderleaf does not sell model inputs or outputs. Neither your questions,
your generated books, nor any other user data are used to train, fine-tune, or
improve any AI model — by Wonderleaf or by our subprocessors on our behalf.
Third-party model providers handle submitted data under their own service terms
and privacy notices.

3. Where your data lives

| Component | Location | Provider |
|---|---|---|
| Application servers | Google Cloud Run, us-central1 | Google Cloud |
| Database | Cloud SQL Postgres, us-central1 | Google Cloud |
| Generated book files and images | Google Cloud Storage, us-central1; served from /book/<slug>/... | Google Cloud |
| Email delivery | Resend | Resend |
| Paid billing and subscriptions | Stripe US | Stripe |
| AI model inference | Gemini API / AI Studio for image generation/QC; third-party prose provider(s) where configured | Google; Anthropic/OpenAI where configured |

Data may briefly transit other regions during routing but persistent
storage is us-central1 only.

Subprocessors. We use the following subprocessors; each handles only the
data needed for its function, under its own data-protection terms. No
subprocessor uses your data to train AI models on Wonderleaf's behalf.

| Subprocessor | Purpose | Data |
|---|---|---|
| Google Cloud (incl. Gemini API / AI Studio) | Hosting, database, file storage; AI image generation + quality review | Account & usage data; question text; image prompts (derived from your question and generated prose); generated images for quality/brand-IP review; question embeddings for semantic caching |
| Anthropic | AI prose generation | Question text; generated draft prose and structured book fields (image/scene descriptions) for multi-stage generation and review |
| OpenAI (where configured) | AI prose generation (alternate provider) | Question text; generated draft prose and structured book fields (alternate provider) |
| Stripe | Payments & subscription billing | Billing identifiers; payment method held by Stripe |
| Resend | Transactional email (magic links, receipts) | Email address |
| Cloudflare Turnstile | Bot / abuse prevention for anonymous traffic | Challenge token, request IP |

4. Your rights and choices

You can review, request changes to, or request deletion of your personal
information — or get subscription help — by emailing [email protected].
We respond to verified requests within a reasonable time.

Wonderleaf is offered only to users in the United States. We do not
direct the service to, and do not intend to make it available in, the
European Union, the United Kingdom, or other regions outside the United
States. If you are located outside the United States, please do not use
Wonderleaf.

California (CalOPPA). This policy identifies the categories of personally
identifiable information we collect and the third parties we may share it with
(Sections 1 and 3), the process to review and change your information (email us
above), how we notify you of material changes (Section 8), and its effective
date (top of this policy). Do Not Track: some browsers send a "Do Not Track"
signal. Wonderleaf does not track users across third-party websites and does not
serve third-party advertising; we do not separately respond to Do Not Track
signals.

5. Children

Wonderleaf is a mixed-audience service: its content is family-friendly and
may appeal to children, but it is not primarily directed to children under
13, and account holders must be 13 or older. Adults may generate books to
read with children, but the account data, prompts, books, and settings are
associated with the adult account holder — we do not create a separate
profile for, or knowingly collect personal information directly from, a
supervised child.
We do not knowingly allow children under 13 to create accounts. If you
believe a child under 13 has signed up, email [email protected] and
we will delete the account within 7 days.

Children's-data retention. Any data generated during a supervised
minor's session — the questions asked and books made under the adult's
account — is collected only to provide the service, is retained on the
same schedule as the adult account holder's data (see Section 1), and is
deleted when the adult deletes the book or the account (plus a short
operational window). We do not retain such data longer than reasonably
necessary for the purpose for which it was collected.

5a. Child-safety records

If a prompt seeking sexual content involving a minor is refused, or a
published book is flagged for child-safety review, Wonderleaf records the
refused prompt or flagged-book reference, a hashed IP address, and a
timestamp, and handles such records as confidential — restricting access and
using them solely for safety, abuse-prevention, and any legally-required
reporting to the National Center for Missing & Exploited Children (NCMEC) and
law enforcement. They are not used for advertising or any other commercial
purpose.

6. Cookies

We use essential cookies: wl_sid for signed-in sessions and wl_anon
for anonymous preview/invite flows. We also use browser localStorage for
first-party UI state (UI preferences, invite-code carry-through during
signup, an analytics session identifier). We do not use third-party
analytics cookies or advertising trackers.

7. Security

Data breach notification

This section follows California's data-breach notification law
(Cal. Civ. Code § 1798.82). If Wonderleaf discovers that unencrypted personal
information has been, or is reasonably believed to have been, acquired by an
unauthorized person, Wonderleaf will notify affected residents whose
information was involved.
Notice to affected California residents will be provided within 30 calendar
days of discovery of the breach. If the breach affects more than 500
California residents, Wonderleaf will also notify the California Attorney
General within 15 calendar days after notifying affected residents. Notice
will be provided in the most expedient time possible to residents of other
states in accordance with applicable state law. Notification may be delayed
only (i) if a law enforcement agency determines that notification would
impede a criminal investigation, or (ii) as reasonably necessary to determine
the scope of the breach and restore the integrity of the data system. Notice
will include the categories of personal information involved, the date or
estimated date range of the breach, a general description of the incident,
and steps Wonderleaf has taken in response.

8. Changes

We will notify you of material changes via email at least 30 days
before they take effect.

9. Contact

Privacy questions: [email protected]
Data deletion / access requests: [email protected]
Address:
Wonderleaf, LLC
c/o Legalinc Corporate Services Inc.
131 Continental Drive, Suite 305
Newark, DE 19713
United States