EnglishDeutschFrançaisEspañolItaliano

Privacy Policy

Last updated: March 2026

Introduction and Data Controller

This Privacy Policy explains how Scribbly ("Scribbly", "we", "our", or "us"), a company registered in Switzerland, collects, uses, and protects your personal data when you use our mobile-first web application for preserving children's artwork.

Data Controller:
Scribbly
Florastrasse 21, 8008 Zürich, Switzerland
Email: info@scribbly.art

Scribbly complies with the Swiss Federal Act on Data Protection (nFADP/revDSG), which came into force on September 1, 2023, as well as the EU General Data Protection Regulation (GDPR) for users located in the European Union and European Economic Area.

Where this policy refers to "personal data," it means any information relating to an identified or identifiable natural person. The nFADP and GDPR provide you with specific rights regarding your personal data, which are detailed in the "Your Rights" section below.

Data We Collect

We collect and process the following categories of personal data:

  • Account Data: When you create an account using email/password, Google sign-in, or Apple sign-in, we collect your email address, display name, and (if provided via OAuth) profile picture. This data is necessary to create and maintain your account.
  • Children's Information: Names and optional birthdates of children you add to the app. This data is stored by you, the parent or legal guardian, and is used solely to organize and personalize your family's artwork gallery.
  • Artwork Data: Uploaded images of artwork, along with associated titles, stories, notes, creation dates, and optional location information that you choose to provide.
  • Order Data: Shipping addresses provided when ordering printed photobooks or art print products.
  • Payment Data: Payment processing is handled by Stripe. We do not store your credit card numbers, CVV codes, or other sensitive payment details. Stripe provides us only with transaction confirmations and the last four digits of your card for reference.

We process your personal data based on the following legal grounds:

  • Contract Necessity (Art. 6(1)(b) GDPR / Art. 31 nFADP): Processing necessary for providing our services, including storing your artwork, creating books, and fulfilling print orders.
  • Consent (Art. 6(1)(a) GDPR / Art. 31 nFADP): Where you have given explicit consent, such as for marketing communications or optional features like location tagging. You may withdraw consent at any time.
  • Legitimate Interest (Art. 6(1)(f) GDPR / Art. 31 nFADP): For service improvement, security measures, fraud prevention, and technical support, where our interests do not override your fundamental rights.

Third-Party Services

We share your personal data with the following trusted third-party service providers who process data on our behalf:

  • Cloudflare R2: Secure storage of your uploaded artwork images using S3-compatible object storage with access controls to ensure only authorized users can view content.
  • Anthropic: AI-powered features such as title suggestions, story generation, and image analysis using Claude language models. Artwork images may be sent to Anthropic for visual analysis; no other personally identifiable information is shared.
  • Stripe: Secure payment processing for print orders. Stripe is PCI-DSS Level 1 certified, the highest level of payment security compliance.
  • Gelato: Print fulfillment partner for photobook printing and shipping. Your shipping address is shared with Gelato solely for order delivery purposes.
  • Apple Push Notification service (APNs): Push notification delivery for iOS devices.
  • Firebase Cloud Messaging (FCM): Push notification delivery for Android devices. Google operates under approved data protection mechanisms for international transfers.
  • Resend: Transactional email delivery (order confirmations, account notifications). Only your email address is shared.
  • PostHog: Privacy-friendly product analytics and error tracking. Basic analytics run in cookieless mode (legitimate interest). Enhanced analytics with cross-session identification are only activated after you accept cookies. PostHog data is hosted in the EU.

All third-party processors are contractually bound to process data only as instructed by us and to implement appropriate security measures.

Error & Crash Monitoring

We use PostHog to monitor application errors and crashes in order to maintain the stability and reliability of Scribbly. This is essential for identifying and fixing technical issues quickly.

Data collected for error monitoring:

  • Error messages and stack traces (technical debugging information)
  • Device type, operating system, and browser version
  • General performance metrics (page load times, API response times)

Data NOT collected:

  • Your name, email address, or other personal identifiers
  • Artwork images or content
  • Children's information
  • Payment or billing details

Error monitoring data is processed on the basis of our legitimate interest (Art. 6(1)(f) GDPR / Art. 31 nFADP) in maintaining a stable and reliable application. This processing is minimal, does not involve personal identifiers, and does not require your consent. Error data is retained for 90 days and then automatically deleted.

International Data Transfers

Your personal data may be transferred to and processed in countries outside of Switzerland and the European Economic Area (EEA), including the United States, where some of our service providers operate.

For such transfers, we ensure appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission
  • Swiss-recognized adequacy decisions or equivalent transfer mechanisms
  • Binding Corporate Rules where applicable

You may request a copy of the applicable safeguards by contacting us at info@scribbly.art.

Data Retention

We retain your personal data for as long as your account remains active and as necessary to provide our services.

Upon account deletion:

  • Your personal data, including uploaded artwork images and associated information, is permanently deleted immediately
  • Data required for legal compliance or legitimate business purposes (e.g., order records for tax purposes) may be retained as required by law

Children's Privacy

Scribbly is designed for parents and legal guardians to store and preserve their children's artwork. We do not knowingly collect personal data directly from children.

All information about children (names, birthdates, artwork) is provided and managed by the parent or legal guardian who creates and controls the account. The account holder may invite family members to view and contribute artwork for shared children; however, only the account holder can modify or delete child profiles.

If you believe that a child under 16 has provided us with personal data without parental consent, please contact us immediately at info@scribbly.art, and we will take steps to delete such information.

AI Processing Disclosure

Scribbly uses artificial intelligence to enhance your experience:

  • Background Removal: Server-side AI processing to isolate artwork from backgrounds in uploaded images. The image is processed on our servers and the result is returned to your device.
  • Title and Story Suggestions: Optional AI-generated suggestions for artwork titles and stories based on the artwork image you provide, powered by Anthropic Claude. Artwork images are sent to Anthropic's API for analysis.

Important: These AI features are assistive tools only. No automated decision-making that produces legal effects or significantly affects you is performed. All final decisions about your content remain with you.

Your Rights

Under the Swiss nFADP and the EU GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request information about what personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format
  • Right to Restrict Processing: Request limitation of processing under certain circumstances
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, please contact us at info@scribbly.art. We will respond within 30 days.

Right to Lodge a Complaint: You have the right to file a complaint with a supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC). In the EU, you may contact your local data protection authority.

Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
  • Encryption at Rest: Your data is encrypted when stored on our servers and cloud infrastructure
  • Access Controls: Strict access controls ensure that only authorized personnel can access personal data
  • Regular Security Audits: We regularly review and update our security practices

Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

For material changes that significantly affect how we process your personal data, we will notify you via email before the changes take effect. Minor changes may be posted on our website without direct notification.

We encourage you to review this Privacy Policy periodically. Your continued use of Scribbly after any changes indicates your acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your personal data, please contact us:

Scribbly
Florastrasse 21, 8008 Zürich, Switzerland
Email: info@scribbly.art

We are committed to addressing your concerns and will respond to inquiries within a reasonable timeframe.