FeaturesHow It WorksPricingFAQ

Privacy Policy

How we collect, use, and protect your personal information.

Last updated: April 1, 2026

§ 1. Data Controller

The data controller is Arkadiusz Rosiak, conducting business under the name Vartari Arkadiusz Rosiak, ul. Wawrzyńca Engeströma 10, 60-571 Poznań, NIP (tax ID): 7822891454, REGON: 387891967 (hereinafter: "Controller").

Contact for data protection matters:

  1. email: contact@fablele.com
  2. post: ul. Wawrzyńca Engeströma 10, 60-571 Poznań
  3. phone: +48 575 820 965

The Controller has not appointed a Data Protection Officer.

§ 2. What Data We Collect

2.1. Account Data

When you register, we collect:

  1. your email address,
  2. your password (stored exclusively in encrypted form).

We do not collect names, postal addresses, phone numbers or identity document details.

2.2. User Content

When using the Application, you create and store:

  1. universes (names, descriptions, parameters),
  2. characters (names, appearance and trait descriptions),
  3. stories (titles, plots, page text),
  4. AI-generated illustrations.

This content may contain personal data of third parties (e.g. names of children for whom stories are created). The Controller processes this data solely for the purpose of providing the Service and does not analyse its content.

2.3. Technical and Analytics Data

We automatically collect:

  1. IP address,
  2. browser type and version,
  3. operating system,
  4. data about your interactions with the Application (pages visited, elements clicked, time spent on pages),
  5. device identifiers.

Analytics data is collected using PostHog (see section 5).

2.4. Payment Data

Payments are processed by Paddle (see section 5), which acts as the Merchant of Record. The Controller does not collect or store credit card numbers, bank account numbers or other payment details. The Controller receives from Paddle only transaction confirmations (transaction ID, amount, date, purchased product).

2.5. Data Transmitted to AI Providers

In order to generate content and illustrations, the following data is transmitted to AI model providers:

  1. character descriptions,
  2. story plots and parameters,
  3. universe parameters,
  4. art style instructions.

This data is transmitted solely for the purpose of fulfilling the generation request and is not used for training AI models.

2.6. Newsletter Subscriber Data

Newsletter subscription is a separate, free-of-charge service available both to Account holders and to unregistered visitors. To provide this service, the Controller collects:

  1. the email address provided in the sign-up form,
  2. the date and time of sign-up together with the IP address and User-Agent of the browser (to document the moment consent was given),
  3. a unique confirmation token used in the double opt-in mechanism, and the date and time it was used,
  4. the subscription status (pending confirmation, active, unsubscribed) and the date of any unsubscription,
  5. engagement data for newsletter messages (opens, link clicks) collected via PostHog (see section 5).

Data of subscribers who are not registered users of the Application is processed solely to provide the newsletter service and is not linked with Account data, unless the subscriber registers an Account using the same email address.

§ 3. Purposes and Legal Bases

3.1. Performance of the Agreement (Article 6(1)(b) GDPR)

We process account data and user content for the purpose of:

  1. creating and maintaining your Account,
  2. enabling you to create universes, characters and stories,
  3. generating content and illustrations using AI,
  4. sharing stories via public links (when you choose to share them),
  5. processing payments and managing Credits,
  6. sending transactional messages (account verification, password reset, purchase confirmations).

3.2. Legitimate Interest of the Controller (Article 6(1)(f) GDPR)

We process technical data for the purpose of:

  1. ensuring the security of the Application and protection against abuse,
  2. diagnosing technical issues,
  3. monitoring the performance and availability of the Application,
  4. monitoring AI operations (costs, token usage, latency) using Langfuse.

3.3. Consent (Article 6(1)(a) GDPR)

On the basis of your consent, we process data for the purpose of:

  1. analytics and improvement of the Application (PostHog analytics cookies, Meta Pixel and Conversions API),
  2. sending the newsletter and other marketing communications to the email address provided, including measuring subscriber engagement (opens and clicks) — in this respect the Controller relies simultaneously on:
    1. consent within the meaning of Article 6(1)(a) GDPR,
    2. consent to receive commercial information by electronic means within the meaning of Article 10(2) of the Polish Act of 18 July 2002 on the Provision of Electronic Services,
    3. consent to the use of telecommunications terminal equipment and automated calling systems for direct marketing within the meaning of Article 398(1) of the Polish Act of 12 July 2024 — Electronic Communications Law,
  3. building audiences for advertising on Meta platforms (Custom Audiences, Lookalike Audiences) by transmitting to Meta hashed (SHA-256) email addresses of newsletter subscribers; raw email addresses are not transmitted to Meta in plaintext.

Consent to the newsletter is given via a double opt-in mechanism — completion of the sign-up form and clicking a unique confirmation link sent to the email address provided. All consents are voluntary, given separately, and may be withdrawn at any time (see section 8). Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

3.4. Legal Obligations (Article 6(1)(c) GDPR)

We process data to the extent necessary to fulfil legal obligations, in particular:

  1. maintaining tax and accounting records,
  2. fulfilling users' rights under the GDPR,
  3. responding to requests from public authorities.

§ 4. AI and Data Processing

  1. The Application uses AI models provided through the OpenRouter platform to generate story text and illustrations. The specific model may change without an update to this Policy — access to all models takes place through the same data processor (OpenRouter).
  2. Data transmitted to AI providers includes only the content necessary to generate the requested result (character descriptions, plots, art style parameters). Your email address, password and other identifying data are not transmitted to AI providers.
  3. The Controller exclusively uses models made available through OpenRouter in Zero Data Retention (ZDR) mode. This means that AI model providers do not retain input or output data after the generation is completed, nor use such data to train AI models. Information about ZDR mode is published by OpenRouter at openrouter.ai/docs/guides/features/zdr.
  4. Generated content (text and illustrations) is stored on the Controller's servers (AWS, EU region) and associated with your Account.
  5. The Controller uses Langfuse to monitor AI operations (tracking token usage, costs, latency and response quality). Langfuse may process fragments of prompts submitted to AI models.

§ 5. Third-Party Data Sharing

The Controller uses the following data processors (sub-processors):

  1. Amazon Web Services (AWS), EU region (Frankfurt, eu-central-1) — Application hosting, file storage (S3), delivery of transactional email and the newsletter (SES), content delivery network (CloudFront).
  2. MongoDB Atlas, EU region (Frankfurt, eu-central-1) — database storing account data and user content.
  3. OpenRouter (USA) — intermediary providing access to AI models; user data (character descriptions, plots, art style parameters) is transmitted for the purpose of content generation. OpenRouter relies on its own sub-processors that are AI model providers — the current list of models and OpenRouter's privacy policy are published at openrouter.ai/models and openrouter.ai/privacy.
  4. PostHog (USA, cloud) — analytics tool collecting data about user interactions with the Application and with newsletter messages (opens and link clicks).
  5. Meta Platforms Ireland Ltd. (Ireland) — provider of Meta Pixel and the Conversions API used to measure advertising campaign performance on Facebook and Instagram, build remarketing audiences and report conversions (e.g. waitlist signups). In addition, the Controller transmits hashed (SHA-256) email addresses of newsletter subscribers to Meta to build Custom Audiences and Lookalike Audiences. With respect to event data transmitted via Meta Pixel and the Conversions API, the Controller and Meta Ireland are joint controllers within the meaning of Article 26 GDPR under Meta's Controller Addendum (Meta Controller Addendum). With respect to subscriber email lists transmitted to Meta as part of the Custom Audiences feature, Meta acts as a processor on behalf of the Controller in accordance with the Meta Customer List Custom Audiences Terms. Meta Pixel, CAPI and the subscriber list export are only activated after the relevant consent has been given.
  6. Langfuse (Germany, cloud) — AI operations monitoring tool (tracking prompts, tokens, costs).
  7. Paddle (United Kingdom) — payment processor acting as Merchant of Record; Paddle is an independent data controller for payment data. Paddle's privacy policy is available at paddle.com.

The Controller may share personal data with public authorities where required by law.

§ 6. International Data Transfers

Personal data may be transferred outside the European Economic Area (EEA) to the following entities:

  1. OpenRouter (USA) — on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission. OpenRouter is responsible for any onward transfers to its own sub-processors (AI model providers) under its own safeguards (SCCs or the EU-US Data Privacy Framework, as applicable).
  2. PostHog (USA) — on the basis of Standard Contractual Clauses (SCCs).
  3. Paddle (United Kingdom) — on the basis of the European Commission's adequacy decision for the United Kingdom.

In each case, the Controller applies appropriate safeguards in accordance with Chapter V of the GDPR.

§ 7. Data Retention

  1. Account data and user content — for the duration of the Account. After Account deletion, data is archived for 30 days and then permanently deleted.
  2. Analytics data (PostHog) — for a period of 12 months from the date of collection.
  3. AI operations data (Langfuse) — for a period of 90 days from the date of collection.
  4. Payment transaction data — for the period required by tax and accounting legislation (5 years from the end of the tax year in which the transaction was made).
  5. Marketing consents and email addresses of newsletter subscribers — until consent is withdrawn or unsubscription from the newsletter.
  6. Records of consent (including sign-up and double opt-in confirmation logs, IP address, User-Agent, timestamps) — for a period of 3 years from the date of withdrawal of consent or unsubscription, in order to demonstrate lawfulness of processing (Article 7(1) GDPR).
  7. Security logs — for a period of 90 days.

§ 8. Your Rights

Under the GDPR, you have the following rights:

  1. Right of access — you may obtain information about what data we process and receive a copy of it.
  2. Right to rectification — you may request the correction of inaccurate or the completion of incomplete data.
  3. Right to erasure ("right to be forgotten") — you may request the deletion of your data. You can do this yourself by deleting your Account in the Application.
  4. Right to restriction of processing — you may request the restriction of processing in certain circumstances.
  5. Right to data portability — you may download your data in JSON format (data export function in the Application).
  6. Right to object — you may object to the processing of your data based on the Controller's legitimate interest.
  7. Right to withdraw consent — you may withdraw your consent to data processing (e.g. analytics, marketing) at any time without affecting the lawfulness of prior processing. You may withdraw your consent to the newsletter by clicking the "Unsubscribe" link available in every newsletter message, through your Account settings (if you are a registered user) or by contacting the Controller.
  8. Right to lodge a complaint — you have the right to lodge a complaint with the supervisory authority: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl.

To exercise any of the above rights, please contact the Controller at: contact@fablele.com. The Controller shall respond without undue delay, and no later than 30 days from receipt of the request.

§ 9. Cookies

  1. The Application uses the following categories of cookies:
    1. Essential — required for the proper functioning of the Application (authentication, session maintenance). These do not require consent.
    2. Functional — remember your preferences (language, colour theme). These do not require consent.
    3. Analytics — collect data about how you use the Application (PostHog) and measure the effectiveness of advertising campaigns on Meta platforms (Meta Pixel). These require your consent.
  2. You may manage your cookie preferences at any time using the cookie settings available in the Application.
  3. Disabling essential cookies may prevent you from using the Application properly.

§ 10. Children's Privacy

  1. The Application is intended for persons aged 13 and over. Persons under 18 should obtain the consent of their legal guardian before registering an Account.
  2. The Controller does not knowingly collect personal data directly from children under 13 years of age.
  3. Content created in the Application (stories, characters) may contain children's data (e.g. names), but this data is entered and managed exclusively by an adult user or a user aged 13 or over with parental consent.
  4. If the Controller becomes aware that it is processing the data of a child under 13 without the consent of a legal guardian, it will promptly delete such data.

§ 11. UK Provisions

  1. This section applies to users who are habitually resident in the United Kingdom.
  2. The personal data of UK residents is processed in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The legal bases and user rights described in this Policy apply correspondingly under UK law.
  3. Transfers of personal data of UK residents outside the United Kingdom are carried out on the basis of appropriate safeguards under the UK GDPR, including the International Data Transfer Agreement (IDTA) or the UK Addendum to Standard Contractual Clauses.
  4. UK residents have the right to lodge a complaint with the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom, ico.org.uk.

§ 12. Changes to This Policy

  1. The Controller reserves the right to amend this Privacy Policy to reflect changes in the law, changes in data processing practices or changes in the Application's functionalities.
  2. Users will be informed of material changes to this Privacy Policy by email or by a notification in the Application, with at least 14 days' advance notice.
  3. Continued use of the Application after the amended Privacy Policy takes effect constitutes acceptance of the changes.