Privacy
Last updated: 29.05.2026
German is the binding contractual language. This English version is a service translation for convenience.
1. Controller
The controller for the processing of personal data on https://heldenflug.de is:
Tiamat UG (haftungsbeschränkt)
An der Strusbek 12
22926 Ahrensburg
Germany
Email: {{KONTAKT_EMAIL}}
Represented by the managing director Ansgar Holtmann.
2. A word up front
With Heldenflug we build a product in which you entrust us with personal data — your name, your child's name, sometimes a photo. We take that seriously and handle this data as sparingly as possible. This policy describes in detail what we do and why.
3. What data we process
3.1 Access data when visiting the website
When you visit our website, your browser automatically transmits technical data to our server, which we store in log files: shortened IP address, date and time, requested page, transferred data volume, browser type and language, operating system, referrer URL.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest — secure operation). Retention: 7 days, then automatic deletion.
3.2 Account data (when you create a parent account)
Email address, display name, hashed password (bcrypt), registration and last-login dates, email verification status.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract). Retention: for as long as the account exists.
3.3 Data from the concept chat (ordering a book)
Your input about your child and story (name, age, favourite topics, character, favourite animal), optionally a photo of your child (see 3.4), the generated concept, and your revision requests.
Legal basis: Art. 6 (1) (b) GDPR. Retention: no longer than 30 days after order completion; order records (title, price, invoice data) are archived for 10 years pursuant to § 257 HGB / § 147 AO.
3.4 Photo of your child — special care
If you optionally upload a photo of your child:
- Processing solely to generate the illustrations
- Storage exclusively on servers in the European Union ({{HOSTING_ORT}})
- Automatic deletion 30 days after delivery of the finished book — no retention as training data, no sharing for model training
Legal basis: Art. 6 (1) (a) GDPR (your explicit consent on upload) + Art. 9 (2) (a) GDPR.
You provide consent as the legal guardian. You can have the photo deleted at any time; if you request deletion, the affected book can no longer be generated — the order is cancelled and any payment refunded.
3.5 Payment data
Payment is processed via Stripe (see 5.1). We do not process or store card data ourselves — only the Stripe transaction ID and invoice data.
Legal basis: Art. 6 (1) (b) and (c) GDPR. Retention: 10 years pursuant to § 257 HGB.
3.6 Communication data (support emails)
Your email address, message content, date and time. Legal basis: Art. 6 (1) (f) GDPR. Retention: until the request is closed, max. 12 months.
4. AI-assisted processing — transparency under the EU AI Act
Heldenflug uses AI models (large language models and image generators) to create book content and illustrations from your input.
- What the AI does: proposes a concept, writes the story text and generates the illustrations.
- What the AI does NOT do: it does not train further on your data or your child's photo — we have contractually excluded this.
- Your control: you review and approve the concept before production; 3 revisions are included, then €5 each.
- Labelling: generated content is not labelled "AI-generated" inside the book; we communicate the AI creation transparently on the website and in this policy.
5. Processors (third parties processing data on your behalf)
We use the following providers. A data-processing agreement under Art. 28 GDPR exists for each. For providers outside the EU/EEA we use EU standard contractual clauses (Art. 46 GDPR).
5.1 Stripe — payment processing
Stripe Payments Europe, Ltd. (Ireland) / Stripe, Inc. (USA). Data: payment data, transaction ID, invoice data. https://stripe.com/privacy
5.2 Anthropic — AI language model
Anthropic PBC, San Francisco, USA. Data: your text input in the concept chat. Processed with a "no training on data" clause. https://www.anthropic.com/legal/privacy
5.3 AI image generator — illustrations and cover
WaveSpeed AI (USA) / Black Forest Labs GmbH (Germany, FLUX models). Data: story-text excerpts as image prompts, optionally a photo of your child.
5.4 Resend — transactional emails
Resend, Inc., San Francisco, USA. Data: your email address and the transactional message content.
5.5 Signalyr — marketing analytics
Tiamat UG (haftungsbeschränkt), An der Strusbek 12, 22926 Ahrensburg. Pseudonymised usage data, cookieless, no plaintext IP storage. Hosted in Germany; data stays within Tiamat's infrastructure.
5.6 Hosting
{{HOSTING_PROVIDER}}, {{HOSTING_ORT}} (EU / Germany). A data-processing agreement is in place.
6. Cookies and comparable technologies
We use functional cookies / local storage for your login session (cookie heldenflug_customer), language choice and concept-chat state. No tracking cookies, no third-party cookies, no advertising pixels. Signalyr operates cookieless.
Legal basis: Art. 6 (1) (f) GDPR / § 25 (2) TDDDG (strictly necessary). No consent banner is therefore required.
7. Your rights
You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), withdrawal of consent (Art. 7 (3)) and to lodge a complaint with a supervisory authority (Art. 77) — for Tiamat that is the ULD Schleswig-Holstein, Holstenstraße 98, 24103 Kiel (https://www.datenschutzzentrum.de). Contact: {{KONTAKT_EMAIL}}. We respond within 30 days.
8. Data security
We use TLS encryption (HTTPS) for all connections, bcrypt password hashing, SSH-key authentication, a firewall, and Content-Security-Policy headers.
9. Changes to this policy
We update this policy when our processing practices change. We notify you of material changes by email. Last updated: 29.05.2026.