Privacy Policy
How we handle your photos and personal data.
Last updated: 30 May 2026
This policy is written to reflect Turtle and Sun's actual setup. Items in highlighted text are placeholders for Ivo to confirm before launch. Consider a short review by a Swedish data-protection lawyer.
2. What data we collect
3. Why we use it & legal bases
4. Your uploaded photos
5. Who we share data with (sub-processors)
6. International transfers
7. How long we keep data
8. Your rights
9. Cookies & analytics
10. Children
11. Changes & contact
1. Who we are
Turtle and Sun is a service operated by 3doc AB (org.nr 556723-1864), Fleminggatan 15, 112 26 Stockholm, Sweden. We are the data controller responsible for the personal data described here. You can reach us any time at hello@turtleandsun.com.
2. What data we collect
- Photos you upload — the images you submit to be transformed into a Loveogram, and the Loveograms we generate from them.
- Email address — so we can deliver your Loveogram and send order confirmations.
- Order & payment data — what you bought, amount, currency, and payment status. Card details are entered directly with our payment provider (Stripe); we never see or store your full card number.
- Technical & security data — your IP address, browser/device information, and request logs, recorded to operate the service and to detect and prevent abuse and fraud.
- Usage analytics — aggregated, cookieless page-visit statistics (see section 9).
3. Why we use it & legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Create and deliver your Loveogram; manage your order and account | Performance of a contract (6.1.b) |
| Process payments and issue receipts | Contract (6.1.b) and legal obligation — accounting (6.1.c) |
| Keep accounting records | Legal obligation — Swedish Bokföringslagen (6.1.c) |
| Security, fraud and abuse prevention (incl. IP logging) | Legitimate interest (6.1.f) |
| Cookieless analytics to understand and improve the site | Legitimate interest (6.1.f) |
| Respond to your messages and support requests | Legitimate interest (6.1.f) |
4. Your uploaded photos
To create your Loveogram, the photo you upload is sent to our AI generation provider (fal.ai) for processing, and the resulting image or video is stored so we can deliver and, if needed, re-send it to you. We use your photos only to provide the service you ordered. We do not sell them, and we do not use them to advertise without your separate, explicit permission.
You are responsible for the photos you upload — see our Terms of Service. Please only upload photos you have the right to use, and only photos of people who have agreed to it.
Reviews you submit
If you leave a review, we store your rating, text, any photo you add, and the name/town you choose to display. We publish a review and its photo on our website or social channels only if you tick the consent box — and you confirm that anyone shown in a review photo has agreed to it (and, for a child, that you are the parent or guardian). You can ask us to remove a published review at any time by emailing hello@turtleandsun.com.
5. Who we share data with (sub-processors)
We use a small set of trusted providers to run the service. Each processes data only on our instructions:
| Provider | Purpose | Data involved |
|---|---|---|
| fal.ai | AI image & video generation | Uploaded photos, generated media |
| Stripe | Payment processing | Payment & card data, email, IP |
| Resend | Sending email (delivery, receipts) | Email address, order info, Loveogram link |
| Cloudflare (R2 + CDN) | Media storage and site delivery/proxy | Generated media, IP, technical data |
| Railway | Application & database hosting | All service data (hosted) |
| Plausible Analytics | Cookieless traffic statistics | Aggregated, non-identifying usage data |
| Sentry | Error/crash tracking to fix bugs | Technical error data, IP |
We may also disclose data where required by law, or to protect our rights, safety, or property.
6. International transfers
Some of these providers are based outside the EU/EEA (for example in the United States). Where data is transferred outside the EU/EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. You can contact us for more detail on a specific provider.
7. How long we keep data
- Uploaded photos & generated Loveograms: kept while needed to deliver and re-deliver your order, and routinely deleted after 12 months of inactivity — or sooner on request.
- Technical/security logs (incl. IP addresses): 90 days.
- Order & accounting records: 7 years, as required by the Swedish Bookkeeping Act (Bokföringslagen).
- Email/support correspondence: as long as needed to handle your request and a reasonable period after.
8. Your rights
Under the GDPR you have the right to: access your data; correct it; have it erased; restrict or object to processing; data portability; and to withdraw any consent you have given. To exercise any of these, email hello@turtleandsun.com and we will respond within one month.
If you believe we have mishandled your data, you can lodge a complaint with the Swedish supervisory authority, the Integritetsskyddsmyndigheten (IMY) — www.imy.se.
9. Cookies & analytics
Our analytics provider (Plausible) is privacy-friendly and does not use cookies or collect personal data, so no cookie consent banner is required for it. When you make a purchase, Stripe may set cookies that are strictly necessary to process the payment securely and prevent fraud.
10. Children
Turtle and Sun is intended for adults. We do not knowingly collect personal data from children. If you upload a photo that includes a child, you confirm you are the parent or guardian, or have the permission of the parent or guardian.
11. Changes & contact
We may update this policy from time to time; the "last updated" date above shows the latest version. For any privacy question or request, write to hello@turtleandsun.com.