Privacy Policy
Introduction
We, TalesBox LTD [Company Registration Number: 16520307], Registered Office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom, are committed to protecting your personal data and your right to privacy.
This policy explains how we collect, use, store, and protect your personal information in accordance with the principles of the General Data Protection Regulation (GDPR) of the European Union.
Data Controller
TalesBox LTD acts as the Data Controller for your personal information.
Contact Information:
Company Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Email: hello@talesbox.co.uk
Phone: +44 0203 987 6728
Types of Data We Collect
At this stage, we may collect the following types of personal data:
- Full name.
- Contact information (email address, phone number, postal address).
- IP address and browser information.
- Product or service usage history.
- Information obtained through electronic surveys.
- Other personal data necessary solely for the proper functioning of the website, for improving user experience, and for carrying out direct or indirect marketing activities.
Information Received from Google APIs
When you choose to register or log in using your Google Account, we access the following information based on your permissions:
- Basic Profile Information: Your name, email address, and profile picture.
- Authentication Data: Tokens required to verify your identity.
Limited Use Policy: TalesBox's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell your Google user data to third parties.
- We only receive confirmation of payment (transaction ID, status) and limited metadata (e.g., last 4 digits of a card) to facilitate customer support.
- Stripe's use of your personal data is governed by the Stripe Privacy Policy.
Purposes and Legal Basis for Data Processing
We process your personal data for the following purposes:
Contract Performance:
To deliver and provide our services to you.
Legitimate Interest:
For marketing activities (including any direct or indirect marketing actions that may contain promotional elements).
To improve and enhance our products and services.
Consent:
To send personalized offers or communications based on your explicit consent.
Legal Obligation:
To comply with tax, accounting, or other regulatory requirements.
Data Retention Period
We will retain your personal data only for as long as necessary to fulfill the purposes outlined above (and/or any related company purposes stated in this document) or for the period required by applicable law. This includes, but is not limited to, the following:
User Accounts:
User accounts and associated information are retained for as long as the account remains active.
Data may be stored for an additional one (1) year after deactivation, allowing the user to restore the account if desired. The user has the right to request deletion of their account at any time, whether the account is active or inactive.
Usage History:
1.2.1 Usage history (including any activity performed on the website) is retained for as long as the account remains active. After account deletion, such data may be retained for a maximum of three (3) years for security and legal compliance purposes.
The user has the right to request deletion of usage history at any time, whether the account is active or inactive.
In the case of an active account, requesting deletion of usage history will automatically result in account termination and contract cancellation.
In the case of an inactive account, requesting deletion of usage history will lead to data removal within a reasonable timeframe, once the request is verified and approved by the company.
1.2.2 Marketing Data:
Marketing-related data (such as email subscription lists and similar information) may be retained for the same period specified in subsection 1.2.1 of this section.
1.3 User Requests for Account Deletion, History Removal, and Similar Actions:
Any user request for account deletion, activity history removal, or similar actions must be submitted to the company's official email address: hello@talesbox.co.uk.
The request must be sent from the same email address registered in the company's database. Otherwise, the company reserves the right to use or request any additional means necessary to verify the user's identity, or the user may alternatively use the Deactivation button provided on the platform.
1.3.1 Requests sent via email will be reviewed and fulfilled as quickly as possible and within a reasonable timeframe, while using the Deactivation button will result in immediate account deactivation.
1.3.2 The user will be notified of the decision via the same email address used for communication with the company, or via a newly verified contact email provided after identity confirmation.
Data Sharing and International Transfer
Data Sharing
Your data may be shared with third parties, without requiring your additional consent, for the following purposes:
1.2 Service Providers
1.2.1 Service Providers acting as Data Processors:
The company may engage third-party service providers who act as data processors. TalesBox ensures that each data processing agreement includes:
1.2.1.1 A clearly defined purpose and scope of the data processing activities.
1.2.1.2 The distribution of responsibilities for data protection and compliance.
1.2.1.3 Appropriate technical and organizational security measures that the processor must implement.
1.2.2 Contract Performance Purposes:
Data may be shared with service providers or third parties when necessary to perform or fulfill a contract, for example, to deliver a service, maintain functionality, or enhance user experience.
Such sharing is limited to what is strictly necessary for service delivery, both for the present and for future improvement of user experience.
Whenever personal data is transferred outside the United Kingdom or the European Economic Area (EEA), TalesBox ensures that such transfers are carried out using appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission or other legally recognized mechanisms.
1.2.3 Legitimate Interest
If there is a legitimate interest and the sharing of data with service providers does not infringe upon the rights and freedoms of the user, TalesBox may share such data in accordance with GDPR principles and data minimization requirements.
1.2.4 Legal Obligation / Legal Right
In all other cases where data sharing is required or permitted by law, TalesBox may disclose personal data without obtaining additional consent from the user.
1.3 TalesBox Transparency Principle
Upon your written request, which must be sent to our official email address, hello@talesbox.co.uk, TalesBox will provide clear information regarding:
1. Which third parties are authorized to access or receive your data, and
2. The specific purposes for which such data transfers are made.
1.4 Law Enforcement and Legal Requirements
Personal data may be disclosed to law enforcement authorities or other public bodies when required by law, regulation, or court order, and only to the extent necessary to comply with such legal obligations.
1.5 Data Sharing with Business Partners
Data may be shared with business partners, investors, or parties related to company ownership (for example, as part of a due diligence process) only when a valid legal basis exists, such as legitimate interest or contract performance, and only when such sharing does not infringe upon the rights and freedoms of the user.
During registration, the user acknowledges that agreeing to these Terms also includes the possibility of limited data sharing for the purposes mentioned above.
In all cases, TalesBox ensures the security and confidentiality of the shared data, processing only the minimum amount of information necessary for the stated purpose.
TalesBox reserves the right to share limited data, under legitimate interest, with partners (for example, investors or potential buyers of the company). Such sharing is conducted only in an anonymized and aggregated form (where individual users cannot be identified) or in an encrypted form with appropriate security safeguards.
Any such data sharing will be assessed under a Data Protection Impact Assessment (DPIA) where required, to ensure full compliance with GDPR's legitimate interest balancing test.
1.5.2.3 Legal Grounds for Data Sharing
Consent:
The user provides explicit, informed, and voluntary consent for their data to be shared with partners.
Clarity:
During registration, users are clearly informed that, prior to completing registration, they must agree to the website's Terms and Conditions, including the provisions outlined in this section.
Informed:
Throughout the registration process, users are explicitly informed about the requirement to review and accept the Terms and Conditions in advance, as indicated within the registration form module.
Voluntary:
By proceeding with registration, users voluntarily express their consent to these Terms and Conditions, both for the website as a whole and specifically for this section regarding data sharing.
Contract Performance:
If data sharing is necessary for the performance of a contract with the user (for example, to provide services or ensure proper system functionality), TalesBox has the right to share such data with relevant parties without obtaining separate consent from the user.
Data will only be shared to the extent strictly necessary and exclusively with third parties directly involved in providing the service (e.g., technical providers, payment processors, hosting platforms, etc.).
Legal Obligation:
If data sharing is required to comply with legal obligations, for instance at the request of law enforcement authorities or other regulatory bodies, the company reserves the right to disclose the relevant data.
Public Interest:
Data may be shared when necessary to protect or fulfill public interest objectives.
Legitimate Interest:
The company or certain third parties may have a legitimate interest in processing or sharing personal data when it is essential for service improvement, technical maintenance, or ensuring legal protection. In such cases, TalesBox will first assess that this legitimate interest does not override the fundamental rights and freedoms of the user. Data sharing will always be limited, risk-minimized, and protected through appropriate security mechanisms.
Users are informed in advance about the possibility of such data processing and may object to it at any time. Each objection will be reviewed and addressed on a case-by-case basis.
Transparency and Information:
Transparency is one of TalesBox's core principles. Therefore, upon your written request, sent to our official email address hello@talesbox.co.uk, we will provide information regarding:
1. Which parties have access to or receive your data; and
2. What measures are in place to ensure the security and protection of your personal information.
International Data Transfers:
Our servers are located in the United States of America. When personal data is transferred internationally, we use Standard Contractual Clauses (SCCs) and implement additional security safeguards in accordance with GDPR requirements, UK data protection laws, and applicable international data protection standards.
Data Security
We implement appropriate technical and organizational measures to protect your personal data, including but not limited to the following:
Data Encryption During Transmission and Storage
Encryption During Transmission: Your personal data is protected during transfer using secure encryption protocols such as TLS/SSL. This ensures that data is transmitted in encrypted form between our servers and your device, minimizing the risk of unauthorized access.
Encryption During Storage: When storing data, we use advanced encryption algorithms to ensure that your information remains protected even in the unlikely event of unauthorized access to our databases. This guarantees that only authorized personnel can access personal data.
Strict Access Control
Restricted Direct Access: Only those employees who need access to personal data to perform their job duties are granted such access. Access rights are role-based and limited strictly to what is necessary for each task.
1.2.1 Authentication Mechanisms
We use multi-factor authentication (MFA) and strong password policies to ensure that access to data is granted only to authorized individuals. These mechanisms significantly enhance system security and reduce the risk of breaches.
1.2.2 Access Logging and Monitoring
All access attempts and data usage activities are recorded in dedicated access logs, which are regularly reviewed. This allows for the early detection of suspicious activity and timely response to potential incidents.
1.3 Regular Security Audits
1.3.1 Internal and External Audits:
We conduct regular internal and external security audits to evaluate the overall protection level of our systems. These audits include assessments of network infrastructure, databases, applications, and other system components.
1.3.2 Vulnerability Detection:
Any vulnerabilities identified during audits are promptly analyzed and remediated. We continuously review and update our security policies to ensure alignment with the latest best practices.
1.3.4 Penetration Testing:
We perform regular penetration tests to identify potential vulnerabilities or cyberattack risks and take preventive measures accordingly.
1.4 Staff Training on Data Protection
1.4.1 Regular Training:
Our employees receive regular training on data protection and privacy. This includes understanding GDPR requirements, internal data security policies, recognizing phishing attempts, and other essential security practices.
1.4.2 Awareness Programs:
We organize awareness campaigns to ensure all employees understand the importance of data protection and adhere to best practices.
1.4.3 Educational Resources:
Our employees have continuous access to learning materials and resources that help them strengthen their knowledge and skills in data protection and information security.
Your Rights
In accordance with the principles of the GDPR and other applicable data protection laws, you have the following rights regarding your personal data:
1.1 Right of Access
1.1.1 You have the right to obtain information about what personal data is held about you, who processes it, and how it is used.
1.1.2 Request Process: You may request a copy of your personal data, which will be provided in a clear and easily understandable format. This information must include the purposes of processing, categories of data, recipients of the data, and the data retention periods.
1.1.3 Timeframe: The company will respond to your request within one (1) month. In cases of complexity, this period may be extended to two (2) months, but you will be informed of the reason for any delay.
1.2 Right to Rectification
1.2.1 You have the right to request the correction or update of your personal data if it is inaccurate or incomplete.
1.2.2 Process: You must submit a request providing sufficient information to demonstrate that the existing data is inaccurate. The organization is obligated to correct or update the data as soon as possible.
1.2.3 Timeframe: Rectification should be carried out promptly, and normally within one month. If necessary, this may be extended to two months, with prior notice to the user.
1.2.4 Right to Erasure (“Right to be Forgotten”)
1.2.4.1 You have the right to request the deletion of your personal data in specific cases.
1.2.4.2 When applicable: This right may be exercised if:
The data has been unlawfully processed,
The data is no longer necessary for the purposes for which it was collected, or
You object to the processing of your personal data.
1.2.4.3 Exceptions: The right to erasure does not apply where:
Data retention is required for compliance with legal obligations, or
Processing is necessary for public interest purposes.
1.3 Right to Restrict Processing
1.3.1 You have the right to request the restriction of processing in certain situations, for example, if you contest the accuracy of your data or are awaiting a decision on a deletion request.
1.3.2 Restriction: During restriction, your data may only be stored and will not be used for any other purpose, except with your consent or to comply with legal obligations.
1.3.3 When applicable: A restriction may apply if you object to processing based on legitimate interests, or while the accuracy of your data is being verified.
1.3.4 Activating data restriction will automatically result in your account being placed in an inactive status.
1.4 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that your data be transferred to another organization.
Scope: This right applies to data you have provided to the organization and that is processed automatically based on consent or contractual necessity.
Process: The organization must transfer the data directly to another controller, where technically feasible and reasonable.
1.5 Right to Object
You have the right to object to the processing of your personal data in specific circumstances, for example for direct marketing purposes or when data is processed under legitimate interest.
When applicable: You may object at any time, and the organization must cease processing unless it demonstrates compelling legitimate grounds that override your interests, rights, and freedoms.
Marketing: If you object to processing for direct marketing, such processing must stop immediately.
1.5.4 Exercising your right to object will automatically result in your account being switched to inactive status.
1.5.5 To exercise any of your rights, please contact us at: hello@talesbox.co.uk
Withdrawal of Consent
If your data is processed based on consent, you may withdraw that consent at any time.
By registering on our website, you acknowledge and agree to the possibility of data processing as described. To withdraw your consent, please contact us at our official email address: hello@talesbox.co.uk. Withdrawal of consent will automatically result in your account being placed in an inactive status.
Compliance with Local Legislation
We recognize and respect applicable local data protection laws within the United Kingdom and adhere to relevant international standards.
Changes to This Policy
We may update or amend this policy periodically. The latest version will always be available on our website.
Complaints
If you have any concerns or complaints about the processing of your personal data, please contact us.
You also have the right to lodge a complaint with the relevant supervisory authority.
Transitional Provisions
We strive to comply with international data protection standards, including the laws and regulations of the European Union and the United Kingdom. While this policy may not detail every specific legal provision (e.g., Standard Contractual Clauses - SCCs), we ensure that all international data transfers are conducted securely and in full compliance with applicable regulations.
If you have any questions or concerns regarding this policy or believe that it does not fully comply with a specific legal requirement, please contact us at hello@talesbox.co.uk. We are open to reviewing and implementing any necessary updates or corrections as needed.
We respect your legal rights regarding the management of your personal data and handle all user requests in accordance with the GDPR and relevant data protection legislation.
When sharing data with third parties, we take all reasonable measures to ensure their compliance with data protection laws and the security of your information. However, TalesBox shall not be held responsible for any unlawful actions by third parties that are beyond its control, except where such actions result directly from our own negligence or breach of contract.
Contact Us
If you have any questions, please contact us:
Email: hello@talesbox.co.uk
Phone: +44 0203 987 6728
Company Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
If you believe that your data is being processed improperly, you have the right to contact the relevant supervisory authority:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Phone: +44 303 123 1113