Privacy Policy
Last updated: April 19, 2026
This Privacy Policy explains how Flipebooks ("we," "us") collects, uses, stores, and protects your personal data when you use flipebooks.com ("Service"). We are based in Spain and comply with the General Data Protection Regulation (GDPR) and applicable Spanish data protection laws.
1. Data Controller
Flipebooks is the data controller for personal data collected through the Service. Contact: legal@flipebooks.com.
2. Data We Collect
2.1 Account Data
When you register, we collect your email address and name. If you sign in with Google, we receive your name, email, and profile picture from Google.
2.2 Content Data
PDFs you upload, flipbook configurations, extracted text, AI-generated alt-text, translations, and chatbot interactions.
2.3 Analytics Data
When someone views a flipbook, we collect: page views, session ID (anonymous), device type, browser, operating system, country (from IP geolocation; we do not store IP addresses), and referrer URL.
2.4 Lead Capture Data
Data submitted through lead capture forms in flipbooks (name, email, phone, custom fields). This data is collected on behalf of the flipbook owner, who is the data controller for their leads.
2.5 Payment Data
Stripe processes all payments. We do not store credit card numbers. We receive your Stripe customer ID and subscription status from Stripe.
2.6 Cookies and Similar Technologies
We use only cookies and browser storage strictly necessary to provide our services. We do not use advertising, cross-site tracking, or profiling cookies. Under GDPR and the ePrivacy Directive, no cookie consent banner is required for strictly necessary storage and first-party user preferences.
Cookies set by flipebooks.com
| Name | Purpose | Duration |
|---|---|---|
| sb-<project>-auth-token | Keeps you signed in (Supabase authentication) | Session with automatic refresh |
| flipebooks_anon_session | Lets you return to a flipbook uploaded without an account | 7 days |
| flipebook_access_<id> | Your access token for a password-protected flipbook | 24 hours |
Local storage and session storage
| Key | Purpose |
|---|---|
| theme-mode (localStorage) | Remembers your dark or light theme preference |
| flipebooks_pwa_install_dismissed (localStorage) | Remembers that you dismissed the install-as-app prompt |
| flipebooks_viewer_session (sessionStorage) | Anonymous per-tab ID used only for first-party, aggregated visit analytics; cleared when you close the tab |
Third-party services
- Plausible Analytics: cookieless, first-party, GDPR-compliant audience measurement. No personal data leaves the EU. No consent required.
- Sentry (production only): error tracking. Session replays on errors mask all text and inputs and block media by default, so personal data is not captured. Legal basis: legitimate interest (Art. 6(1)(f)) for service reliability and security.
- Stripe: loaded only when you start a checkout. Stripe may set its own cookies on the checkout page (hosted on stripe.com). Governed by Stripe's privacy policy.
- Google Sign-In: loaded only if you click "Sign in with Google." Google sets cookies on its own domains.
Embedded flipbooks on your website
When you embed a flipbook on a third-party site using our /embed/[slug] URL, the embed iframe is served from flipebooks.com and any cookies it sets are governed by this Privacy Policy. You remain responsible for cookie consent on the site where the flipbook is embedded.
3. Legal Basis for Processing
| Data | Legal Basis |
|---|---|
| Account data | Contract performance (Art. 6(1)(b)) |
| Content data | Contract performance (Art. 6(1)(b)) |
| Analytics data | Legitimate interest (Art. 6(1)(f)) |
| Lead capture data | Consent of the lead (Art. 6(1)(a)) |
| Payment data | Contract performance (Art. 6(1)(b)) |
| AI processing | Contract performance (Art. 6(1)(b)); you initiate AI features |
4. AI Data Processing
When you use AI features (alt-text generation, visual translation, chatbot, SEO generation, analytics insights), relevant portions of your content are sent to AI models via the Vercel AI Gateway. Processing occurs on-demand when you trigger the feature.
We do not use your content to train AI models. AI providers process your data solely to generate the requested output. Vercel AI Gateway acts as a routing layer and does not store your content.
5. Third-Party Services
| Service | Purpose | Data Region |
|---|---|---|
| Supabase | Database, authentication | EU |
| Cloudflare R2 | File storage (PDFs, pages, logos) | EU/US |
| Stripe | Payment processing | US (EU SCCs) |
| Vercel | Application hosting | US (EU SCCs) |
| Vercel AI Gateway | AI model routing | US (EU SCCs) |
6. International Transfers
Your primary data (database, authentication) is stored in the EU via Supabase. Some processing occurs in the US through Vercel, Stripe, and AI providers. These transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives adequate protection.
7. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account closure.
- Content data: Retained while your account is active. Deleted within 30 days of account closure or content deletion.
- Anonymous flipbooks: Automatically deleted 7 days after creation.
- Analytics data: Retained for 24 months, then aggregated and anonymized.
- Lead capture data: Retained until the flipbook owner deletes it or closes their account.
- Payment records: Retained for 7 years as required by Spanish tax law.
- AI usage logs: Retained for 12 months for billing and quota tracking.
8. Your Rights (GDPR)
Under the GDPR, you have the following rights:
- Access (Art. 15): Request a copy of your personal data.
- Rectification (Art. 16): Correct inaccurate personal data.
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Restriction (Art. 18): Restrict processing in certain circumstances.
- Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact legal@flipebooks.com. We will respond within 30 days.
9. Data Security
We protect your data with encryption in transit (TLS) and at rest. API keys are stored as SHA-256 hashes. Passwords are hashed with bcrypt. Access to production systems is restricted to authorized personnel.
10. Children
The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware of such collection, we will delete the data promptly.
11. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) at aepd.es, or with the supervisory authority in your EU member state.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or an in-app notice at least 30 days before taking effect.
13. Contact
For questions about this Privacy Policy or to exercise your data rights, contact us at legal@flipebooks.com.