Privacy Notice

Last updated: 2026-05-03

This Privacy Notice explains what personal data Lilybee collects, why we collect it, how long we keep it, and what rights you have. We have written it in plain language because we believe you deserve to understand exactly what happens to your data — and your child's data.

If you have questions not answered here, email hello@lilybee.app. We will respond within 2 business days.


Who we are

Lilybee is the data controller for the personal data described in this notice. You can reach us at hello@lilybee.app.


What data we collect

When you place an order with Lilybee, we collect the following categories of data:

Contact and order data

  • Your email address (used to deliver your order and send transactional messages).
  • Your order details (what you ordered, when, and the delivery status).

Uploaded content

  • A photo of your child's drawing.
  • A short audio clip of your child's voice.

These two files are the heart of what you are asking us to process. They are treated with particular care — see the Children's Data section below.

Payment metadata

  • Payment status and a reference ID from Stripe (our payment processor).
  • We do not store your full card number, CVV, or any sensitive payment details — these remain with Stripe.

Technical data

  • Your IP address and user-agent string (the information your browser sends automatically with every request).
  • Basic server request logs (timestamps, pages visited, error codes).

We do not collect your name, phone number, or postal address at this time. We do not run behavioural tracking or advertising profiles.


Why we collect this data

We process your data for the following purposes:

  • Fulfilling your order — we need your uploaded drawing and audio clip to create the animated video, and your email address to deliver it.
  • Transactional email — order confirmation, delivery notification, and any follow-up needed to resolve issues with your order.
  • Service security and abuse prevention — IP addresses and logs help us detect and block attempts to misuse the service.
  • Accounting and legal compliance — order metadata is retained for the period required by EU accounting and tax rules (see Retention below).

We do not use your data for marketing to third parties. We do not sell or rent your data to anyone.


Children's data

This section is especially important. Please read it.

Lilybee's service involves processing audio and images that may include minors — specifically, the drawings and voice recordings of children. We take this responsibility seriously.

  • You are responsible for having the authority to upload. By uploading a drawing or voice recording, you confirm that you are the parent or legal guardian of the child involved (or have written consent from the child's parent/guardian). We rely on your representation; we cannot independently verify the identity of the child.
  • We do not directly collect data from children. Children do not create accounts, submit forms, or interact with the Lilybee website. All data is submitted by an adult on the child's behalf.
  • We do not market to children and we do not build profiles of children. The child's drawing and voice clip are used solely to render and deliver your specific order.
  • We do not share children's data with third parties for any purpose other than rendering the video (see Sharing your data below). The AI rendering vendor processes the uploaded files to generate the animation and does not retain them beyond that task.
  • Retention is short — see the Retention section below. Uploaded drawings and audio are deleted 90 days after delivery.

If you believe a child's data has been submitted without proper authority, please email hello@lilybee.app immediately and we will investigate and delete the data as appropriate.


How we store your data

Firebase / Google Cloud (EU region eur3 — Belgium/Netherlands)

All uploaded files and order data are stored in Firebase, hosted in Google Cloud's EU multi-region (eur3). This means your data does not leave the European Union as part of our primary storage.

Stripe

Payment data is processed and stored by Stripe. Stripe is a certified PCI DSS Level 1 service provider. Their privacy policy is at https://stripe.com/privacy.

Resend

Transactional emails (order confirmation, delivery) are sent via Resend. Resend processes your email address to deliver these messages.

AI rendering vendor

Your uploaded drawing and audio clip are sent to the AI rendering vendor we use to generate animated videos. This vendor processes the files to create your animation. We select vendors that agree to process data only for the purpose of fulfilling the task, not to train models on your child's content or retain files beyond rendering. We will update this notice once the vendor is confirmed.


Retention

We keep your data for only as long as necessary:

Data | How long we keep it
Uploaded drawing and audio clip | Deleted 90 days after order delivery
Animated video (output file) | Deleted 90 days after order delivery
Email address + order metadata | Retained for 7 years (EU accounting requirements)
Server request logs | Rolled and deleted after 90 days
Payment metadata (Stripe reference) | Retained for 7 years alongside order metadata

After the 90-day window, your uploaded content is permanently deleted from our systems and from Firebase storage. We cannot recover it after that point.


Cookies

At this stage, Lilybee uses essential cookies only:

  • A session cookie that stores your cookie consent choice (whether you clicked "Accept all" or "Essential only"). This is purely functional — it prevents the banner from appearing on every page visit. No analytics data is attached to it.

We do not currently run any analytics, advertising, or tracking cookies. If we add optional analytics in the future, we will ask for your consent through the cookie banner first and update this notice.


Sharing your data

We do not sell, rent, or share your personal data with third parties for marketing purposes. The only parties who have access to your data are:

  • Stripe — to process your payment.
  • Resend — to send you transactional emails.
  • Firebase / Google Cloud — to store your files and order data.
  • The AI rendering vendor — to generate your animated video from the uploaded files.
  • Law enforcement or regulators — if we are legally required to disclose data by a court order or applicable law.

All sub-processors are selected for their compliance with GDPR and their data protection standards.


Your rights under GDPR

If you are based in the European Union (or the UK), you have the following rights regarding your personal data:

  • Right of access — you can ask us for a copy of the personal data we hold about you.
  • Right to rectification — you can ask us to correct inaccurate data.
  • Right to erasure ("right to be forgotten") — you can ask us to delete your data. We will comply unless we are required by law to retain it (e.g., accounting records).
  • Right to data portability — you can ask us to provide your data in a machine-readable format.
  • Right to object — you can object to processing based on our legitimate interests.
  • Right to restrict processing — you can ask us to pause processing of your data in certain circumstances.
  • Right to withdraw consent — where we process data based on your consent, you can withdraw that consent at any time.

At this stage, all rights requests are handled manually by emailing hello@lilybee.app. We aim to respond within 30 days as required by GDPR. In your email, please include your order email address so we can locate your data.

You also have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for Lilybee is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (the Berlin Commissioner for Data Protection and Freedom of Information), but you may also contact the data protection authority in your country of residence.


Processing activity | Legal basis
Fulfilling your order (rendering + delivery) | Performance of a contract (Art. 6(1)(b) GDPR)
Transactional email | Performance of a contract (Art. 6(1)(b) GDPR)
Retaining order + accounting records | Legal obligation (Art. 6(1)(c) GDPR)
Security logging | Legitimate interests (Art. 6(1)(f) GDPR)
Cookie consent choice | Consent (Art. 6(1)(a) GDPR)

Changes to this notice

We may update this Privacy Notice as the service evolves. When we do, we update the "Last updated" date at the top. Significant changes will be communicated by email to the address on your most recent order.


Contact

For any privacy-related questions or to exercise your rights:

Email: hello@lilybee.app

We aim to respond within 2 business days for general questions, and within 30 days for formal rights requests.