Wonderleaf — Privacy Policy

DRAFT v0 — 2026-05-08. NOT YET REVIEWED BY COUNSEL. Privacy policies
are jurisdiction-sensitive (CCPA, GDPR, COPPA, UK ADC). This draft
captures the actual data flows so a privacy-focused attorney can
turn it into a compliant document. Do not link from a public page
until reviewed.

Last updated: 2026-05-13
Operator: Wonderleaf, LLC (a Delaware limited liability company)
Contact: privacy@wonderleaf.app [VERIFY MAILBOX]

1. What we collect, why, and how long

Each entry lists the data, its source, the purpose, and the retention period.

Data: User account row (email address, birth date for 13+ check, auth provider, Google display name when provided, parental-controls setting)
Source: Sign-up (magic link or Google OAuth)
Purpose: Account identifier, sign-in, eligibility check, transactional email, personalize UI
Retention: Until account deletion + 90 days

Data: Authentication/session data (wl_sid, magic-link tokens, OAuth subject, user agent, IP on session row)
Source: Browser, magic link, Google OAuth
Purpose: Keep you signed in, secure auth, abuse prevention
Retention: Session cookie 30 days; magic-link tokens expire after 15 minutes; session records until expiry/account deletion [VERIFY DATA INVENTORY]

Data: Subscription, gift, and Wonders ledger metadata (planned Stripe customer/subscription IDs when paid billing is enabled, plan, status, period end, Wonders used, gift balance)
Source: Account activity; planned Stripe webhooks are not yet enabled [VERIFY DATA INVENTORY] [NEEDS COUNSEL]
Purpose: Enforce plan limits and gift balances; planned paid billing, refunds, and renewals are not yet enabled [VERIFY DATA INVENTORY] [NEEDS COUNSEL]
Retention: Until account deletion + 7 years for tax records when applicable [VERIFY DATA INVENTORY] [NEEDS COUNSEL]

Data: Generated books (slug, scenes, prompts, prose, images, preview/claim state)
Source: Your interactions and AI pipeline
Purpose: Provide the service; show in your library; allow anonymous-session books to be claimed within 24h
Retention: Until you delete the book OR delete your account, plus 30 days; unclaimed anonymous-session claim window is 24h

Data: Per-scene feedback, per-book preferences, and QC decisions
Source: Your interactions and Wonderleaf QC pipeline
Purpose: Improve image selection, quality review, brand-IP safety, and support
Retention: Same as books [VERIFY DATA INVENTORY]

Data: Cost ledger entries (model, kind, timing, token counts, estimated cost)
Source: AI processing pipeline
Purpose: Monitor service cost and reliability
Retention: Operational logs [VERIFY DATA INVENTORY]

Data: First-party analytics events (page_view, turnstile_shown, signup, book_completed, anon_book_generated)
Source: Browser and server events
Purpose: Measure funnel health and abuse; referrer is scrubbed to origin-only before storage; page-view analytics include location.pathname only, so route identifiers such as book slugs or invite-code paths may appear until paths are scrubbed [VERIFY DATA INVENTORY]
Retention: Events table; retention [VERIFY DATA INVENTORY]

Data: Stripe payment data (planned payment method details and receipts controlled by Stripe; paid billing is not yet enabled)
Source: Planned Stripe billing [VERIFY DATA INVENTORY] [NEEDS COUNSEL]
Purpose: Planned payment processing, subscription updates, and refund support are not yet enabled [VERIFY DATA INVENTORY] [NEEDS COUNSEL]
Retention: Stripe will hold the payment record if billing is enabled; Wonderleaf will hold Stripe IDs/pointers [VERIFY DATA INVENTORY] [NEEDS COUNSEL]

Data: Beta survey responses (favorite/least favorite book, comments, willingness-to-pay response, made-for tags, survey reward timestamps)
Source: In-app beta survey
Purpose: Collect beta feedback and award survey Wonders
Retention: Until account deletion [VERIFY DATA INVENTORY]

Data: Invite-code redemption metadata (invite code, user ID, redemption time)
Source: Invite redemption flow
Purpose: Apply invite Wonders and prevent duplicate invite grants
Retention: Until account deletion [VERIFY DATA INVENTORY]

Data: Prose-only usage audit entries (user ID, book slug, timestamp)
Source: Prose-only generation flow
Purpose: Audit prose-only usage and service limits
Retention: Until account deletion [VERIFY DATA INVENTORY]

Data: Cloudflare Turnstile challenge tokens and IP verification data
Source: Browser challenge token and request IP
Purpose: Verify anonymous preview/invite traffic and reduce abuse
Retention: Not stored in the application database after verification [VERIFY DATA INVENTORY]

Data: Semantic question cache entries when enabled (question, normalized question, embedding, book slug, cache timestamps/hit count)
Source: Question-cache pipeline
Purpose: Reuse similar question results and monitor cache behavior
Retention: Cache retention [VERIFY DATA INVENTORY]

We do not track you across other websites. We do not sell your data.
We do not run third-party advertising trackers.
Analytics are first-party only. Client-side events are limited to
page_view and turnstile_shown; server-only events are limited to
signup, book_completed, and anon_book_generated. Referrers are
scrubbed to origin-only on the client and server. Page-view analytics
include location.pathname only (no query strings), so route identifiers
such as book slugs or invite-code paths may appear in analytics until those
paths are explicitly scrubbed. [VERIFY DATA INVENTORY]
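As an added illustration (not Wonderleaf's own code), the referrer and pathname minimisation this paragraph describes, written as pure functions so it runs in Node or a browser. The /book/<slug> route comes from section 3; the /invite/<code> route shape is an assumption included only to show how route identifiers can be redacted before storage.

```javascript
// Added example, not Wonderleaf's code. Demonstrates origin-only referrers,
// pathname-only page_view events, and redaction of identifying path segments.

// Reduce a referrer to its origin (scheme + host + port). Empty, malformed,
// or opaque-origin referrers (e.g. android-app://...) become "" so that no
// search terms, tokens, or paths from the referring page are stored.
function scrubReferrer(referrer) {
  if (!referrer) return "";
  try {
    const origin = new URL(referrer).origin;
    return origin === "null" ? "" : origin;
  } catch (e) {
    return "";
  }
}

// Route identifiers to replace with placeholders. The /book/<slug> route is
// from the policy; the /invite/<code> route is an assumed shape.
const PATH_RULES = [
  [/^\/book\/[^/]+/, "/book/[slug]"],
  [/^\/invite\/[^/]+/, "/invite/[code]"],
];

// Return the pathname with identifying segments redacted. The caller passes
// only the pathname, so query strings and fragments are never included.
function scrubPath(pathname) {
  for (const [pattern, replacement] of PATH_RULES) {
    if (pattern.test(pathname)) return pathname.replace(pattern, replacement);
  }
  return pathname;
}

// Build a page_view event from location.href and document.referrer. Accepts
// plain strings so the same logic can be checked outside a browser.
function buildPageViewEvent({ href, referrer }) {
  const url = new URL(href);
  return {
    event: "page_view",
    path: scrubPath(url.pathname), // pathname only: no ?query, no #fragment
    referrer: scrubReferrer(referrer),
  };
}
```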

2. AI processing — important specifics

Wonderleaf generates books by sending parts of your input to third-party
AI models, including Google Cloud Vertex AI for image generation and
image quality review.

Google Cloud's terms govern Google's handling of the Vertex AI data.
As a Google Cloud customer, Wonderleaf has configured that integration
so that:
- Your data is not used to train Google's models (per Google
Cloud's customer-data terms)
- Outputs are not shared with other Wonderleaf users
- Generated content is stored on Wonderleaf-controlled infrastructure
(Cloud Run + Cloud Storage), not on Google's general AI service

We do not retain raw model API logs longer than 30 days. [VERIFY DATA INVENTORY]

3. Where your data lives

Each entry lists the component, its location, and the provider.

Component: Application servers
Location: Google Cloud Run, us-central1
Provider: Google Cloud

Component: Database
Location: Cloud SQL Postgres wonderleaf-prod:us-central1:wonderleaf-db, us-central1
Provider: Google Cloud

Component: Generated book files and images
Location: Google Cloud Storage, us-central1; mounted at /mnt/books in production and served from /book/<slug>/...
Provider: Google Cloud

Component: Email delivery
Location: Resend (or SendGrid) [VERIFY DATA INVENTORY]
Provider: Resend / Twilio [VERIFY DATA INVENTORY]

Component: Planned paid billing, not yet enabled [VERIFY DATA INVENTORY] [NEEDS COUNSEL]
Location: Stripe US
Provider: Stripe

Component: AI model inference
Location: Google Vertex AI, us-central1 for image generation/QC; prose provider [VERIFY DATA INVENTORY]
Provider: Google Cloud / [VERIFY DATA INVENTORY]

Data may briefly transit other regions during routing, but persistent
storage is us-central1 only.

4. Your rights

You can request access, deletion, correction, or subscription help by
emailing privacy@wonderleaf.app [VERIFY MAILBOX]. In-app export, account
deletion, email-change, and Stripe Customer Portal controls are not yet
live. [VERIFY DATA INVENTORY] [NEEDS COUNSEL]

For California residents (CCPA), EU/UK residents (GDPR), or other
jurisdictions with additional data-subject rights, email
privacy@wonderleaf.app [VERIFY MAILBOX] and we will respond within
30 days. Attorney to insert jurisdiction-specific procedures.

5. Children

Wonderleaf is not directed to children under 13. Account holders must
be 13 or older. Adults may generate books to read with children, but
the account data, prompts, books, and settings are associated with the
adult account holder. We do not knowingly allow children under 13 to
create accounts. If you believe a child under 13 has signed up, email
privacy@wonderleaf.app [VERIFY MAILBOX] and we will delete the account
within 7 days.

6. Cookies

We use essential cookies: wl_sid for signed-in sessions and wl_anon
for anonymous preview/invite flows. We also use browser localStorage for
first-party UI state (UI preferences, invite-code carry-through during
signup, an analytics session identifier). We do not use third-party
analytics cookies or advertising trackers. [VERIFY DATA INVENTORY]

7. Security

8. Changes

We will notify you of material changes via email at least 30 days
before they take effect.

9. Contact

Privacy questions: privacy@wonderleaf.app [VERIFY MAILBOX]
Data deletion / access requests: privacy@wonderleaf.app [VERIFY MAILBOX]
Address:
Wonderleaf, LLC
c/o Legalinc Corporate Services Inc.
131 Continental Drive, Suite 305
Newark, DE 19713
United States


Attorney review checklist:
- [ ] Add CCPA disclosures (sale/share opt-out, sensitive PI, right to limit) — required for any CA user
- [ ] Add GDPR lawful basis statements + DPA contact + EU representative if applicable
- [ ] Add COPPA or UK ADC compliance language given the children-adjacent use case
- [ ] Confirm cookie banner requirements for EU users (likely waivable since we use only essential cookies, but verify)
- [ ] Add Stripe + Resend + Google Cloud as named subprocessors with links to their DPAs
- [ ] Decide and disclose retention period for Vertex AI inference logs (Google's default + our extension)