Data Processing Agreement
Last updated: February 24, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Fabula ("Processor", "we", "us") and you ("Controller", "you") and sets out the terms under which we process personal data on your behalf when you use the Fabula service ("Service").
This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to all processing of personal data carried out by Fabula in connection with the Service.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- Processing: Any operation performed on personal data, including collection, storage, retrieval, use, and deletion.
- Data Controller: You, the user of the Service, who determines the purposes and means of processing personal data.
- Data Processor: Fabula, which processes personal data on behalf of the Controller.
- Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
- Data Subject: The individual whose personal data is processed.
3. Data Processor Identity
Fabula operates as the Data Processor. We process personal data solely to provide the Service as described in our Terms of Service and Privacy Policy. We do not process personal data for any purpose other than delivering the Service and fulfilling our contractual obligations to you.
4. Categories of Personal Data
The following categories of personal data are processed in connection with the Service:
- Account Data: Email address, display name, and hashed password (managed by Supabase Auth).
- Child's Name: If provided for story personalization, the child's name is used only within the story generation prompt sent to Claude. It is not stored separately in our database.
- Story Content: Stories are stored only when the user explicitly saves them. Unsaved stories are not retained on our servers.
- Usage Data: Monthly story generation and save counts for plan enforcement.
- Payment Data: Stripe customer ID and subscription status. We do not store credit card numbers or bank details.
- Technical Data: IP address, browser type, and request timestamps in server logs for security and performance monitoring.
5. Sub-processors
We use the following sub-processors to deliver the Service. Each sub-processor has been selected for its GDPR compliance and data protection standards:
- Supabase: Database hosting and user authentication. Data is stored in the EU region. Supabase acts as a sub-processor for account data, saved stories, and usage records.
- Amazon Web Services (AWS): Infrastructure hosting. All services run in the eu-central-1 (Frankfurt) region. AWS acts as a sub-processor for request processing and server logs.
- Stripe: Payment processing. Stripe handles all payment card data directly and acts as an independent data controller for payment information. We receive only customer IDs and subscription status.
We will notify you of any intended changes to sub-processors by updating this DPA. You may object to a new sub-processor by contacting us within 30 days of the update.
6. Data Retention
- Account Data: Retained for the duration of your active account. Deleted within 30 days of account closure.
- Saved Stories: Retained until you delete them or close your account.
- Usage Data: Monthly counters are reset at the start of each billing cycle. Historical usage records are deleted with the account.
- Server Logs: Retained for up to 90 days for security and debugging purposes, then automatically purged.
- Payment Records: Retained by Stripe in accordance with their data retention policy and applicable financial regulations.
7. Security Measures
We implement the following technical and organizational measures to protect personal data:
- Encryption in Transit: All data is transmitted over HTTPS/TLS. No unencrypted connections are accepted.
- Encryption at Rest: Database storage is encrypted at rest via Supabase (AES-256). AWS infrastructure uses encrypted storage volumes.
- Authentication: JWT-based authentication with asymmetric key validation (ES256) via the Supabase JWKS endpoint.
- Access Control: Row Level Security (RLS) is enabled on all database tables. Users can only access their own data.
- Secrets Management: API keys and credentials are stored in AWS Secrets Manager, never in source code or environment variables in production.
- No Advertising or Tracking: We do not use advertising cookies or third-party tracking scripts.
- Minimal Data Collection: We collect only the data necessary to provide the Service.
8. Data Subject Rights
Under the GDPR, data subjects have the following rights. We will assist you in responding to data subject requests:
- Right of Access: Data subjects may request a copy of all personal data we hold about them.
- Right to Rectification: Data subjects may request correction of inaccurate personal data.
- Right to Erasure: Data subjects may request deletion of their personal data. Upon request, we will delete all account data, saved stories, and usage records within 30 days.
- Right to Restriction: Data subjects may request restriction of processing in certain circumstances.
- Right to Data Portability: Data subjects may request their data in a structured, commonly used, machine-readable format (JSON).
- Right to Object: Data subjects may object to processing based on legitimate interests.
To exercise any of these rights, contact us at privacy@fabula.click. We will respond within 30 days.
9. International Transfers
All primary data processing occurs within the European Union. Our infrastructure is hosted in AWS eu-central-1 (Frankfurt, Germany) and Supabase operates in the EU region.
Stripe may process payment data in the United States under Standard Contractual Clauses (SCCs) approved by the European Commission. No other personal data is transferred outside the EEA.
10. Breach Notification
In the event of a personal data breach, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with Article 33 GDPR. The notification will include:
- The nature of the breach, including categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
- Contact details for obtaining further information
11. Governing Law
This DPA is governed by the laws of Italy and the GDPR. Any disputes arising from this DPA shall be resolved in the competent courts of Italy.
12. Contact
For questions about this Data Processing Agreement or to exercise data subject rights, contact us at privacy@fabula.click.