PagePrinted
Last updated · 22 May 2026sha256 · f0f0be1627e0

Privacy Notice

A real notice in real sentences. Written to be read, not to satisfy a checklist.

Table of contents
  1. · I · Who controls your data
  2. · II · What we collect
  3. · III · Why we are allowed to
  4. · IV · Who else touches it
  5. · V · Transfers outside the EEA
  6. · VI · How long we keep it
  7. · VII · Your rights under the GDPR
  8. · VIII · Children
  9. · IX · Complaints to Datatilsynet
  10. · X · Talk to us

We collect as little about you as we can get away with while still running a working bookshop, and we tell you in this notice exactly what we collect, why, and how to take it back. This page is your copy of the EU General Data Protection Regulation (GDPR) Article 13/14 notice — written for humans, not auditors.

· I ·Who controls your data

The data controller — the party legally responsible for decisions about how your data is processed — is Klokk Nettablering, a Norwegian sole proprietorship (org-nr 821 466 962) registered at Bjørkhaugen 3, 6012 Ålesund, Norway. PagePrinted Studio is a service operated by Klokk Nettablering; there is no separate corporate entity. The operator and the controller are the same person.

· II ·What we collect

We split data into five buckets, each handled differently. We give you the bucket name in plain language and the GDPR Article-30 processing-activity label in parentheses, so if a lawyer ever reads this, they know what to look for.

  • Sign-in (account administration): email address, a hashed password if you chose one, a session token. Stored as long as your account exists.
  • Manuscript & illustration (service delivery): the text you wrote, the prompts you typed, the images we generated for you, the cover you picked. Stored as long as your account exists plus the print-fulfillment retention window for reprints.
  • Payment (billing & accounting): country code, tax-relevant address, last four digits of the card, a Stripe customer ID. We never see your full card number. Retained for five years to comply with the Norwegian Bookkeeping Act (bokføringsloven § 13).
  • Shipping (order fulfillment): your name, postal address, optionally a phone number for the courier. Shared with Lulu, who in turn shares it with the carrier. Deleted from our systems thirty days after delivery is confirmed — Lulu’s own retention is governed by their privacy notice.
  • Telemetry (security & service quality): coarse page-view counts, error reports, the IP address that issued the request (kept ninety days, then aggregated and dropped). We do not run third-party advertising trackers. Ever.

· III ·Why we are allowed to

Every processing activity above has a specific GDPR Article 6 lawful basis:

  • Sign-in, manuscript, shipping, and core service delivery — Art 6(1)(b), performance of a contract with you.
  • Payment retention — Art 6(1)(c), legal obligation under the Norwegian Bookkeeping Act.
  • Telemetry, error reporting, fraud prevention — Art 6(1)(f), legitimate interest in running a safe service. We have documented the balancing test; ask us for it at [s…@p…] and we will send the PDF.
  • Marketing email (only if you opt in) — Art 6(1)(a), consent, withdrawable at any time from the email footer.

· IV ·Who else touches it

Running a workshop with a hand-press and a small AI atelier means the work passes through a few partners. Each one has signed a Data Processing Agreement that binds them to the same standard of care you’d expect from us:

  • Anthropic, PBC (San Francisco, USA) — the model behind manuscript generation (Claude Sonnet family). Prompts and completions; zero-retention data-processing addendum in effect.
  • OpenAI, L.L.C. (San Francisco, USA) — the model behind illustration generation (gpt-image-2). Image prompts and generated images; API-default 30-day retention, no training on our traffic.
  • Stripe Payments Europe, Limited (Dublin, Ireland) — payment processing. Card data, billing address, tax status.
  • Lulu Press, Inc. (Morrisville, USA) — on-demand printing and global shipping. Manuscript PDF, cover PDF, shipping address.
  • AWS SES (operated by Amazon Web Services EMEA SARL, Luxembourg) — outbound transactional email.
  • Cloudflare, Inc. (San Francisco, USA) — edge network, DDoS protection, TLS termination. Sees request metadata but not decrypted form content; processed under their EU DPF certification.

We don’t add subprocessors quietly. When the list above changes, the new sha256 fingerprint of this page changes too, and account holders are emailed at least thirty days before the new processor sees any data.

· V ·Transfers outside the EEA

Several of our subprocessors are in the United States. Transfers rely on the EU-US Data Privacy Framework where the processor is certified, and on the European Commission’s Standard Contractual Clauses (2021/914, Module Two) where they are not — plus supplementary measures (encryption in transit, zero-retention API contracts, processor-side EU-data-only options where offered). The transfer-impact assessments are available on request; we keep them next to the DPAs.

· VI ·How long we keep it

Default retention windows: account data — for the life of the account, deleted thirty days after you delete the account. Manuscript and image data — same. Payment-related records — five years from the end of the tax year of the transaction, per the Norwegian Bookkeeping Act. Shipping data — thirty days after delivery confirmation. Telemetry — ninety days raw, aggregated thereafter. Marketing-consent records — for as long as the consent is active, plus three years to defend against complaints.

· VII ·Your rights under the GDPR

Articles 15 through 22 give you a specific set of rights, and we honour each one of them — most are self-service, the rest by email:

  • Art 15 — access. Download everything we hold on you at /account/export. JSON + ZIP, signed, within minutes.
  • Art 16 — rectification. Edit your account at /account/profile; email us for anything that page can’t reach.
  • Art 17 — erasure. Delete your account at /account/delete; we complete the deletion within thirty days, except for accounting records we are legally required to keep.
  • Art 18 — restriction. Email [p…@p…] to pause processing while a dispute is open.
  • Art 20 — portability. The export at /account/export is already machine-readable JSON; this is your portability right exercised by default.
  • Art 21 — object. Object to legitimate-interest processing (mostly telemetry) by writing to us. We will stop unless we have an overriding ground; we will tell you which.
  • Art 22 — automated decisions. We use an automated classifier to flag prompts that may violate Section VII of the Terms. The decision is not solely automated — a human reviews every classifier-triggered block within 24 hours. You can challenge the outcome by email and a different human will review.

· VIII ·Children

The studio is intended for users aged 16 and over. We do not knowingly collect personal data from anyone younger. If you are a parent or guardian and you believe your child has used the studio, email [p…@p…] and we will delete the account and its data on a same-day basis.

· IX ·Complaints to Datatilsynet

If you think we have mishandled your data, please write to us first at [p…@p…]. If we don’t fix it to your satisfaction, you have the right under GDPR Art 77 to lodge a complaint with a supervisory authority. The Norwegian one is Datatilsynet: Postboks 458 Sentrum, 0105 Oslo, Norway, phone +47 22 39 69 00, email [p…@d…], web datatilsynet.no. EU residents may complain to their own national authority instead.

· X ·Talk to us

Privacy questions go to [p…@p…]. Anything else goes to [s…@p…]. There is no chatbot in front of either inbox.