These legal pages are provided in English only. Last updated: November 2026.

Privacy policy

This policy explains what personal data ANONYME.IO (the "Publisher") collects when you use autobiographai.com and the Autobiographai application (the "Service"), why we collect it, how long we keep it, with whom we share it, and the rights you have under the European General Data Protection Regulation (GDPR) and the French Data Protection Act.

1. Data controller

The data controller is ANONYME.IO, SAS (Société par Actions Simplifiée), RCS Paris 898 463 559, registered office at 6 Place Léon Blum, 75011 Paris, France.

For any question about this policy or to exercise your rights, please contact us at hello@autobiographai.com.

2. Personal data we collect

2.1 Account data

  • Email address (required to create and recover the account).
  • Display name or pseudonym (optional).
  • Hashed password (we never store the plaintext password).
  • Year of birth and language preference, used to adapt the questionnaire.

2.2 Story content

  • Your free-text answers to the biographer’s questions, organised by decade.
  • Photographs and documents you choose to upload as memory aids.
  • The AI-generated drafts of your biography and the illustrated comic.
  • Edits, annotations and version history you create on your biography.

2.3 Loved-ones contributions

When you invite a relative or friend to submit a testimony, they provide their name and a short message. We process their contribution on your behalf solely to attach it to your biography. Contributors may withdraw their testimony at any time by following the link in their confirmation email.

2.4 Payment data

  • Billing name and country.
  • Payment method information (card brand, last four digits, expiry month). Full card numbers are processed by our payment provider Stripe, Inc. and never stored on our servers.
  • Order history (purchases, gift packs, refunds).

2.5 Technical data

  • IP address, browser type and version, operating system, device type and language preference.
  • Usage logs (pages visited, timestamps, errors) for security and product analytics.
  • Cookies and similar technologies, see section 7 below.

3. Purposes and legal bases

PurposeLegal basis (GDPR Art. 6)
Creating and operating your accountPerformance of the contract (Art. 6.1.b)
Running the AI biographer interview and generating your biographyPerformance of the contract (Art. 6.1.b)
Sending transactional emails (account, receipts, exports)Performance of the contract (Art. 6.1.b)
Processing payments and managing refundsPerformance of the contract (Art. 6.1.b) and legal obligation (Art. 6.1.c)
Securing the Service and preventing fraudOur legitimate interest (Art. 6.1.f)
Audience analytics and product improvementYour consent (Art. 6.1.a), collected via our cookie banner
Marketing communications (newsletter, product updates)Your consent (Art. 6.1.a), revocable at any time
Complying with legal obligations (accounting, response to lawful requests)Legal obligation (Art. 6.1.c)

We do not perform automated decision-making producing legal effects on you within the meaning of Article 22 of the GDPR. The AI biographer is an assisted creative tool, not a decision system.

We do not use your Story content to train third-party foundation models. The AI sub-processors we use process your inputs solely to generate the output you requested, under contractual no-training commitments.

4. How long we keep your data

CategoryRetention
Active account and Story contentFor as long as your account remains active.
Inactive account (no login for 36 months)We notify you, then delete the account if no response within 30 days.
Account deleted by you30 days in a recoverable archive (to allow export), then permanent deletion.
Server logs and security events12 months.
Billing and accounting records10 years (French Commercial Code, Article L123-22).
Analytics eventsUp to 14 months, anonymised.

5. Sub-processors

We rely on a small set of sub-processors to operate the Service: Google Cloud for application hosting, Anthropic for AI biographer interview and text generation, Stripe for payment processing, SendGrid for transactional and marketing emails, and Google LLC (Google Analytics) for anonymised audience analytics, consent-gated.

6. International transfers

Some of our sub-processors are located outside the European Economic Area. For each such transfer, we rely on the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) and, where applicable, on supplementary measures such as encryption in transit and at rest.

7. Cookies and similar technologies

We use a minimal set of cookies. Strictly necessary cookies (session, security, language preference) are set without consent. Audience and marketing cookies (Google Analytics 4, etc.) are only set after you opt in via the cookie banner displayed on your first visit. You can change your choice at any time by clicking the "Cookies" link in the footer or by clearing your browser cookies.

8. Your rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access, obtain a copy of the personal data we hold about you.
  • Right to rectification, correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"), request deletion of your data, subject to legal retention obligations.
  • Right to restrict processing in specific cases set out in Article 18.
  • Right to data portability, receive your data in a structured, commonly used, machine-readable format.
  • Right to object to processing based on our legitimate interest, and to direct marketing at any time.
  • Right to withdraw consent at any time for processing based on consent.
  • Post-mortem instructions (Article 85 of the French Data Protection Act), define the fate of your data after your death.

To exercise any of these rights, please write to hello@autobiographai.com from the email address associated with your account, or by post to 6 Place Léon Blum, 75011 Paris, France. We will respond within one month.

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the French Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France, via https://www.cnil.fr/en/plaintes.

9. Security

We implement technical and organisational measures designed to protect your data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include encryption in transit (TLS 1.2+) and at rest, principle of least privilege, periodic access reviews, vulnerability monitoring, and employee training. In the event of a personal data breach likely to result in a high risk to your rights, we will notify you and the supervisory authority in accordance with Articles 33 and 34 of the GDPR.

10. Children

The Service is not directed at children under the age of fifteen (15). We do not knowingly collect personal data from children below that age without verifiable parental consent. If you believe a child has provided us with personal data without authorisation, please contact us so we can delete it.

11. Changes to this policy

We may update this policy to reflect changes to the Service, our practices or applicable law. The "Last updated" date at the top of this page indicates the latest revision. Material changes will be communicated to active Users by email at least thirty (30) days before they take effect.